
223 matches found

CVE
added 2026/05/27 2:55 p.m., 14 views

CVE-2026-49052

CVE-2026-49052 affects the WordPress ElementsKit Elementor addons Lite plugin up to version 3.9.6. The issue is described as a Missing Authorization/Broken Access Control vulnerability, caused by incorrectly configured access control security levels that potentially allow unauthorized actions wit...

CVSS 4.3, AI score 5.8, EPSS 0.00029
Exploits: 0, References: 1

Patchstack
added 2026/05/13 12:0 a.m., 4 views

WordPress The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin <= 6.4.11 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by daroo in WordPress Plugin The Plus Addons for Elementor Page Builder Lite versions <= 6.4.11...

CVSS 6.4, AI score 5.8, EPSS 0.00032
Exploits: 0, References: 1, Affected Software: 1

Patchstack
added 2026/05/05 2:43 p.m., 6 views

WordPress WP Business Intelligence Lite plugin <= 3.2.0 - Authenticated (Subscriber+) Missing Authorization to Privilege Escalation vulnerability

Authenticated Subscriber+ Missing Authorization to Privilege Escalation vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin Business Intelligence Lite versions <= 3.2.0...

AI score 5.8
Exploits: 0, References: 1, Affected Software: 1

CVE
added 2026/03/13 11:42 a.m., 2 views

CVE-2026-32427

WordPress VW Education Lite plugin (vw-education-lite) versions up to 2.2.0 are affected by a Missing Authorization vulnerability (Broken Access Control) due to incorrectly configured access control levels. The issue impacts VW Education Lite as described; the exact impacted components are the pl...

CVSS 5.3, AI score 5.8, EPSS 0.00044
Exploits: 0, References: 1

Vulnrichment
added 2026/01/16 4:44 a.m., 2 views

CVE-2026-1000 MailerLite - WooCommerce integration <= 3.1.3 - Missing Authorization to Data Deletion

The MailerLite - WooCommerce integration plugin for WordPress is vulnerable to unauthorized data modification and deletion in all versions up to, and including, 3.1.3. This is due to missing capability checks on the resetIntegration function. This makes it possible for authenticated attackers, wi...

CVSS 6.5, AI score 4.9, EPSS 0.00016
Exploits: 0, References: 5

Positive Technologies
added 2025/12/24 12:0 a.m., 2 views

PT-2025-53101

Name of the Vulnerable Software and Affected Versions: WP Shuffle Subscribe to Unlock Lite versions through 1.3.0. Description: The software contains a flaw related to improper control of filename for include/require statements, specifically a PHP Local File Inclusion issue. This allows for the...

CVSS 9.8, AI score 6.5, EPSS 0.00109
Exploits: 0, References: 4

Vulnrichment
added 2025/12/20 3:20 a.m., 1 views

CVE-2025-14734 Amazon affiliate lite Plugin <= 1.0.0 - Cross-Site Request Forgery to Plugin Settings Update

The Amazon affiliate lite Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the 'ADALsettingspage' function. This makes it possible for unauthenticated attackers to update...

CVSS 5.4, AI score 4.8, EPSS 0.00014
Exploits: 0, References: 2

Positive Technologies
added 2025/12/20 12:0 a.m., 2 views

PT-2025-52545

Name of the Vulnerable Software and Affected Versions: Amazon affiliate lite Plugin versions prior to 1.0.1. Description: The “Amazon affiliate lite Plugin” for WordPress is susceptible to Stored Cross-Site Scripting through admin settings. Insufficient input sanitization and output escaping allow...

CVSS 4.4, AI score 5.3, EPSS 0.0002
Exploits: 0, References: 7

RedhatCVE
added 2025/12/13 9:41 a.m., 2 views

CVE-2025-13993

The MailerLite – Signup forms official plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'formdescription' and 'successmessage' parameters in versions up to, and including, 1.7.16 due to insufficient input sanitization and output escaping. This makes it possible for...

CVSS 5.5, AI score 5, EPSS 0.00042
Exploits: 0, References: 1

NVD
added 2025/11/21 8:15 a.m., 1 views

CVE-2025-10938

The UiPress lite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.08. This is due to missing capability checks in the 'uipprocessblockquery' AJAX function. This makes it possible for authenticated attackers, with subscriber-level acces...

CVSS 6.5, EPSS 0.00038
Exploits: 0, References: 2

Cvelist
added 2025/11/21 7:31 a.m., 6 views

CVE-2025-10938 UiPress lite <= 3.5.08 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure

The UiPress lite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.5.08. This is due to missing capability checks in the 'uipprocessblockquery' AJAX function. This makes it possible for authenticated attackers, with subscriber-level acces...

CVSS 6.5, EPSS 0.00038
Exploits: 0, References: 2

Patchstack
added 2025/11/20 10:6 p.m., 3 views

WordPress Affiliate AI Lite plugin <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Gilang - DJ in WordPress Plugin Affiliate AI Lite versions <= 1.0.1...

CVSS 6.4, AI score 5.8, EPSS 0.00031
Exploits: 0, References: 1, Affected Software: 1

RedhatCVE
added 2025/11/19 11:21 a.m., 6 views

CVE-2025-11427

The WP Migrate Lite – WordPress Migration Made Easy plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.7.6 via the wpmdbflush AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations...

CVSS 5.8, AI score 5.9, EPSS 0.0012
Exploits: 0, References: 1

Cvelist
added 2025/11/11 3:30 a.m., 2 views

CVE-2025-11886 CTL Arcade Lite <= 1.0 - Cross-Site Request Forgery to Plugin Activation and Deactivation

The CTL Arcade Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'ctlarcadelitepagemanagegames' page. This makes it possible for unauthenticated attackers to deactivate and...

CVSS 4.3, EPSS 0.00013
Exploits: 0, References: 2

CNNVD
added 2025/11/11 12:0 a.m., 1 views

WordPress plugin CTL Arcade Lite cross-site request forgery vulnerability

WordPress CTL Arcade Lite plugin is a WordPress plugin for creating professional-grade arcade game websites with support for ad management, social sharing, leaderboards and more. The WordPress CTL Arcade Lite plugin suffers from a cross-site request forgery vulnerability, which originates from a...

CVSS 4.3, AI score 6.5, EPSS 0.00013
Exploits: 0, References: 2

Positive Technologies
added 2025/11/06 12:0 a.m., 3 views

PT-2025-45179

Name of the Vulnerable Software and Affected Versions: Hubbub Lite versions up to and including 1.36.0. Description: The Hubbub Lite – Fast, free social sharing and follow buttons plugin for WordPress is susceptible to Reflected Cross-Site Scripting due to inadequate input sanitization and output...

CVSS 6.1, AI score 5.9, EPSS 0.00126
Exploits: 0, References: 6

CVE
added 2025/10/27 1:34 a.m., 3 views

CVE-2025-62940

CVE-2025-62940 is a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress Blox Lite plugin (versions up to and including 1.2.8). The issue arises from improper input neutralization during web page generation, enabling stored XSS via Blox Lite’s stored content. All connected sources des...

CVSS 6.5, AI score 5.6, EPSS 0.0003
Exploits: 0, References: 1

Cvelist
added 2025/10/27 1:34 a.m., 10 views

CVE-2025-62940 WordPress Blox Lite plugin <= 1.2.8 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Nick Diego Blox Lite blox-lite allows Stored XSS. This issue affects Blox Lite: from n/a through <= 1.2.8...

CVSS 6.5, EPSS 0.0003
Exploits: 0, References: 1

Vulnrichment
added 2025/10/22 2:32 p.m., 2 views

CVE-2025-52736 WordPress Finale Lite Plugin <= 2.20.0 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Daman Jeet Finale Lite finale-woocommerce-sales-countdown-timer-discount allows Reflected XSS. This issue affects Finale Lite: from n/a through <= 2.20.0...

CVSS 7.1, AI score 6, EPSS 0.0003
Exploits: 0, References: 1

Vulnrichment
added 2025/10/22 2:32 p.m., 2 views

CVE-2025-52735 WordPress NextMove Lite plugin <= 2.24.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Reflected XSS. This issue affects NextMove Lite: from n/a through <= 2.24.0...

CVSS 7.1, AI score 5.9, EPSS 0.00012
Exploits: 0, References: 1