1348 matches found
EUVD-2026-31407
The WP Blockade plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to and including 0.9.14. This is due to insufficient input sanitization and output escaping in the rendershortcodepreview function. The function receives user inpu...
PT-2026-42722
Name of the Vulnerable Software and Affected Versions FastX theme for WordPress versions prior to 1.0.3 Description The FastX theme for WordPress allows authenticated attackers with Subscriber-level access or higher to install and activate the PostX plugin. This is caused by missing capability...
WordPress plugin FastX theme 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There ar...
WordPress plugin Vedrixa Forms 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...
PT-2026-42723
Name of the Vulnerable Software and Affected Versions WP Blockade versions prior to 0.9.15 Description The plugin is subject to Reflected Cross-Site Scripting, a flaw where an application includes untrusted data in a web page without proper validation, allowing attackers to execute scripts in the...
CVE-2026-1881 Broadstreet <= 1.52.2 - Authenticated (Subscriber+) Private Post Meta Disclosure via get_sponsored_meta
The Broadstreet plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.52.2 via the getsponsoredmeta AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level...
CVE-2026-6566
CVE-2026-6566 affects WordPress plugin NextGEN Gallery (Photo Gallery, Sliders, Proofing and Themes) up to version 4.2.0. The vulnerability is an Insecure Direct Object Reference in the image deletion REST flow: DELETE /imagely/v1/images/{id} only enforces NextGEN Manage gallery permission and do...
CVE-2026-7522 Advanced Database Cleaner – Premium <= 4.1.0 - Authenticated (Subscriber+) Local File Inclusion via 'template'
The Advanced Database Cleaner – Premium plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.1.0 via the 'template' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .ph...
CVE-2026-7522
The CVE-2026-7522 issue affects the WordPress plugin The Advanced Database Cleaner – Premium, vulnerable in versions up to 4.1.0. The root cause is Local File Inclusion via the template parameter, allowing authenticated users with Subscriber-level access and above to include and execute arbitrary...
CVE-2026-7522 Advanced Database Cleaner – Premium <= 4.1.0 - Authenticated (Subscriber+) Local File Inclusion via 'template'
The Advanced Database Cleaner – Premium plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.1.0 via the 'template' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .ph...
CVE-2026-8685 Infility Global <= 2.15.16 - Authenticated (Subscriber+) SQL Injection via 'orderby' Parameter
The Infility Global plugin for WordPress is vulnerable to SQL Injection via the 'orderby' and 'order' parameters in all versions up to, and including, 2.15.16. This is due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the existing SQL query within the...
CVE-2026-1631 Feeds for YouTube < 2.6.4 - Subscriber+ License Data Deletion
The Feeds for YouTube YouTube video, channel, and gallery plugin WordPress plugin before 2.6.4 is vulnerable to unauthorized modification of the Feeds for YouTube YouTube video, channel, and gallery plugin WordPress plugin before 2.6.4's license key due to a missing capability check on the...
CVE-2026-7563
The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 5.3.10. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it...
CVE-2026-6415 Advanced Custom Fields: Font Awesome Field <= 5.0.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via JSON Field
The Advanced Custom Fields: Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.0.2. This is due to insufficient input validation of JSON field values and unsafe client-side HTML construction in the updatepreview JavaScript function. Th...
PT-2026-41278
The Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 5.3.10. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it...
CVE-2026-6225 Taskbuilder – Project Management & Task Management Tool With Kanban Board <= 5.0.6 - Authenticated (Subscriber+) Time-Based Blind SQL Injection via 'project_search' Parameter
The Taskbuilder – Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'projectsearch' parameter in all versions up to, and including, 5.0.6 due to insufficient escaping on the user supplied parameter and lack of...
CVE-2026-4608 ProfileGrid <= 5.9.8.4 - Authenticated (Subscriber+) SQL Injection via 'rid' Parameter
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to blind SQL Injection via the 'rid' parameter in all versions up to, and including, 5.9.8.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQ...
CVE-2025-9988
CVE-2025-9988 affects the WordPress Broadstreet plugin (versions
CVE-2026-4301
The Rate Star Review Vote - AJAX Reviews, Votes, Star Ratings plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. The vwrsrreview AJAX handler lacks both capability checks and nonce verification. The only access control is an isuserloggedin check...
WordPress User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin <= 4.3.1 - Authenticated (Subscriber+) PHP Object Injection vulnerability
Authenticated Subscriber+ PHP Object Injection vulnerability discovered by d.v4ns3c in WordPress Plugin WP User Frontend versions = 4.3.1...