EUVD-2025-210140

Contributor Cross Site Scripting XSS in Elizaibots = 1.0.2 versions...

PT-2026-49240

Contributor Cross Site Scripting XSS in Elizaibots = 1.0.2 versions...

CVE-2026-3642 e-shot <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Form Settings Modification via AJAX

The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. The eshotformbuilderupdatefielddata AJAX handler lacks any capability checks currentusercan or nonce verification checkajaxreferer/wpverifynonce. The function is...

CVE-2026-39664

Missing Authorization vulnerability in leadrebel Leadrebel leadrebel allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Leadrebel: from n/a through = 1.0.2...

CVE-2026-39657

Missing Authorization vulnerability in leadlovers leadlovers forms leadlovers-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects leadlovers forms: from n/a through = 1.0.2...

CVE-2026-39650 WordPress UnitechPay plugin <= 1.0.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Unitech Web UnitechPay unitechpay-paiements-mobile-money allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UnitechPay: from n/a through = 1.0.2...

CVE-2026-27339

CVE-2026-27339 describes an Unauthenticated Local File Inclusion in the Buzz Stone WordPress Theme (AncoraThemes Buzz Stone) up to version 1.0.2, caused by improper control of filenames in include/require statements. Public sources (NVD/Red Hat/PatchStack/Wordfence) confirm the issue and classify...

CVE-2026-3049

A vulnerability was detected in horilla-opensource horilla up to 1.0.2. This issue affects the function get of the file horillagenerics/globalsearch.py of the component Query Parameter Handler. The manipulation of the argument prevurl results in open redirect. The attack can be executed remotely...

CVE-2026-22368 WordPress Redy theme <= 1.0.2 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in axiomthemes Redy redy allows PHP Local File Inclusion.This issue affects Redy: from n/a through = 1.0.2...

CVE-2026-22368 WordPress Redy theme <= 1.0.2 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in axiomthemes Redy redy allows PHP Local File Inclusion.This issue affects Redy: from n/a through = 1.0.2...

CVE-2026-22364

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in axiomthemes SevenTrees seventrees allows PHP Local File Inclusion.This issue affects SevenTrees: from n/a through =1.0.2...

WordPress Remove Post Type Slug plugin <= 1.0.2 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Remove Post Type Slug versions = 1.0.2...

CVE-2026-1905

The Sphere Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter in the 'showsphereimage' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2025-13973 StickEasy Protected Contact Form <= 1.0.1 - Unauthenticated Information Disclosure

The StickEasy Protected Contact Form plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.0.2. The plugin stores spam detection logs at a predictable publicly accessible location...

CVE-2025-13973

CVE-2025-13973 affects StickEasy Protected Contact Form for WordPress. Wordfence and Red Hat/CVEs indicate an unauthenticated Sensitive Information Disclosure in all versions up to 1.0.2, where spam-detection logs are stored at wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt and ...

WordPress Press3D plugin <= 1.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Link URL Parameter in 3D Model Block vulnerability

Authenticated Author+ Stored Cross-Site Scripting via Link URL Parameter in 3D Model Block vulnerability discovered by WordFence in WordPress Plugin Press3D versions = 1.0.2...

CVE-2026-1893 Orbisius Random Name Generator <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btn_label' Shortcode Attribute

The Orbisius Random Name Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btnlabel' parameter in the 'orbisiusrandomnamegenerator' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it...

CVE-2026-1294 All In One Image Viewer Block <= 1.0.2 - Unauthenticated Server-Side Request Forgery via image-proxy Endpoint

The All In One Image Viewer Block plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.2 due to missing authorization and URL validation on the image-proxy REST API endpoint. This makes it possible for unauthenticated attackers to make web...

CVE-2025-66136

Missing Authorization vulnerability in merkulove Carter for Elementor carter-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Carter for Elementor: from n/a through = 1.0.2...

PT-2026-4239

Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in mwtemplates DeepDigital deepdigital allows Code Injection.This issue affects DeepDigital: from n/a through = 1.0.2...