CVE-2026-8853

The MW WP Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'memo' parameter in all versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above,...

WordPress MW WP Form plugin <= 5.1.3 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by VanTastic in WordPress Plugin MW WP Form versions = 5.1.3...

CVE-2026-9673

CVE-2026-9673 affects json-2-csv versions 3.15.0 and earlier up to 5.5.11, vulnerable to CSV Injection via the preventCsvInjection option, which can be bypassed. An attacker can inject formulas into CSV files that execute when opened in spreadsheet apps. The SNYK entry describes a PoC and recomme...

CVE-2026-6960

The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpressvalidatesubmittedbookingformfunc' function in all versions up to, and including, 5.6. This makes it possible for unauthenticated attackers to upload arbitrary...

WordPress InfusedWoo Pro plugin <= 5.1.2 - Authenticated (Subscriber+) Missing Authorization to Privilege Escalation vulnerability

Authenticated Subscriber+ Missing Authorization to Privilege Escalation vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin InfusedWoo Pro versions = 5.1.2...

EUVD-2026-29954

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the pminviteuser function in all versions up to, and including, 5.9.8.4. This makes it possible for authenticated attackers, with Subscriber-level...

WordPress WP fail2ban – Advanced Security plugin <= 5.3.4 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin WP fail2ban versions = 5.3.4...

CVE-2026-42652 WordPress User Registration plugin <= 5.1.5 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in wpeverest User Registration user-registration allows Reflected XSS.This issue affects User Registration: from n/a through = 5.1.5...

CVE-2026-39647

Server-Side Request Forgery SSRF vulnerability in sonaar MP3 Audio Player for Music, Radio & Podcast by Sonaar mp3-music-player-by-sonaar allows Server Side Request Forgery.This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through = 5.11...

EUVD-2026-20309

Server-Side Request Forgery SSRF vulnerability in sonaar MP3 Audio Player for Music, Radio & Podcast by Sonaar mp3-music-player-by-sonaar allows Server Side Request Forgery.This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through = 5.11...

CVE-2026-39701 WordPress ShopWP plugin <= 5.2.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in Andrew ShopWP wpshopify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ShopWP: from n/a through = 5.2.4...

CVE-2026-39682 WordPress linkPizza-Manager plugin <= 5.5.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in Arjan Pronk linkPizza-Manager linkpizza-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects linkPizza-Manager: from n/a through = 5.5.5...

CVE-2026-39647 WordPress MP3 Audio Player for Music, Radio & Podcast by Sonaar plugin <= 5.11 - Server Side Request Forgery (SSRF) vulnerability

Server-Side Request Forgery SSRF vulnerability in sonaar MP3 Audio Player for Music, Radio & Podcast by Sonaar mp3-music-player-by-sonaar allows Server Side Request Forgery.This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through = 5.11...

PT-2026-31274

Name of the Vulnerable Software and Affected Versions tagDiv Composer versions through 5.4.3 Description An Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS issue exists in tagDiv Composer td-composer, allowing Code Injection. This allows for potential code execution...

WordPress iControlWP plugin <= 5.5.3 - Privilege Escalation vulnerability

Privilege Escalation vulnerability discovered by Jarno Vos jrn5151 in WordPress Plugin iControlWP versions = 5.5.3...

CVE-2026-22484

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in pebas Lisfinity Core lisfinity-core allows SQL Injection.This issue affects Lisfinity Core: from n/a through = 1.5.0...

CVE-2026-25029

CVE-2026-25029 concerns the WordPress KIDZ theme (KIDZ) with versions up to 5.24. The issue is a Deserialization of Untrusted Data vulnerability that enables PHP Object Injection in the KIDZ component. Root cause: untrusted data deserialization allowing object injection, potentially enabling mali...

CVE-2026-3079 LearnDash LMS <= 5.0.3 - Authenticated (Contributor+) SQL Injection via 'filters[orderby_order]' Parameter

The LearnDash LMS plugin for WordPress is vulnerable to blind time-based SQL Injection via the 'filtersorderbyorder' parameter in the 'learndashpropaneltemplate' AJAX action in all versions up to, and including, 5.0.3. This is due to insufficient escaping on the user supplied parameter and lack o...

CVE-2026-1487 LatePoint <= 5.2.7 - Authenticated (Administrator+) SQL Injection via JSON Import

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to SQL Injection via the JSON Import in all versions up to, and including, 5.2.7 due to insufficient validation on the user-supplied JSON data. This makes it possible for authenticated attackers...

WordPress Ebook Store plugin <= 5.8001 - Reflected Cross-Site Scripting via 'step' vulnerability

Reflected Cross-Site Scripting via 'step' vulnerability discovered by nvthien in WordPress Plugin Ebook Store versions = 5.8001...