CVE-2026-6696

The Zingaya Click-to-Call plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email', 'firstname', 'lastname', and 'phone' parameters on the plugin's sign-up admin page in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output...

CVE-2026-22495

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in AncoraThemes Greenville greenville allows PHP Local File Inclusion.This issue affects Greenville: from n/a through = 1.3.2...

WordPress myLinksDump plugin <= 1.6 - Authenticated (Administrator+) SQL Injection via 'sort_by' and 'sort_order' Parameters vulnerability

Authenticated Administrator+ SQL Injection via 'sortby' and 'sortorder' Parameters vulnerability discovered by san6051 - PWC in WordPress Plugin myLinksDump versions = 1.6...

CVE-2026-28104 WordPress Site Suggest plugin <= 1.3.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in Aryan Shirani Bid Abadi Site Suggest site-suggest allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Site Suggest: from n/a through = 1.3.9...

CVE-2026-27326 WordPress AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme theme <= 1.2.5 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in axiomthemes AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme window-ac-services allows PHP Local File Inclusion.This issue affects AC Services | HVAC, Air...

CVE-2026-2956 qinming99 dst-admin restore revertBackup command injection

A security flaw has been discovered in qinming99 dst-admin up to 1.5.0. This affects the function revertBackup of the file /home/restore. The manipulation of the argument Name results in command injection. The attack can be launched remotely. The exploit has been released to the public and may be...

WordPress WP Quick Contact Us plugin <= 1.0 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin WP Quick Contact Us versions = 1.0...

CVE-2026-0743

CVE-2026-0743 (WP Content Permission plugin for WordPress) is a Stored Cross-Site Scripting vulnerability affecting versions up to 1.2. The flaw arises from insufficient input sanitization and output escaping in the ohmem-message parameter, enabling an authenticated attacker with Administrator-le...

CVE-2025-69052

Missing Authorization vulnerability in FmeAddons Registration & Login with Mobile Phone Number for WooCommerce registration-login-with-mobile-phone-number allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Registration & Login with Mobile Phone Number for...

CVE-2026-0813

The CVE-2026-0813 entry concerns the WordPress Short Link plugin. A Stored Cross-Site Scripting (XSS) vulnerability exists in all versions up to and including 1.0 due to insufficient input sanitization and output escaping of the short_link_post_title and short_link_page_title parameters. This all...

CVE-2025-12178

The CVE-2025-12178 entry covers a Stored Cross-Site Scripting vulnerability in the WordPress plugin SpiceForms Form Builder (versions

CVE-2025-13892

The MG AdvancedOptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVE-2025-63004 WordPress All in One Accessibility plugin <= 1.14 - Broken Access Control vulnerability

Missing Authorization vulnerability in Skynet Technologies USA LLC All in One Accessibility allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects All in One Accessibility: from n/a through 1.14...

CVE-2025-68981 WordPress HomeFix Elementor Portfolio plugin <= 1.0.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in designthemes HomeFix Elementor Portfolio homefix-ele-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HomeFix Elementor Portfolio: from n/a through = 1.0.1...

CVE-2025-68978

CVE-2025-68978 is a DOM-based XSS flaw in DesignThemes Core (DesignThemes Core) that can be triggered through improper input handling during web page generation. Affected up to version 1.6, the issue is classified as an authenticated (Contributor+) Stored Cross-Site Scripting vulnerability in the...

CVE-2025-68897 WordPress IF AS Shortcode plugin <= 1.2 - Remote Code Execution (RCE) vulnerability

Improper Control of Generation of Code 'Code Injection' vulnerability in Mohammad I. Okfie IF AS Shortcode if-as-shortcode allows Code Injection.This issue affects IF AS Shortcode: from n/a through = 1.2...

CVE-2025-59132

CVE-2025-59132 is a CSRF vulnerability in the WordPress plugin Duplicate Content Cure (versions

CVE-2025-13656 Cute News Ticker <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'color' Shortcode Attribute

The Cute News Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-lev...

CVE-2025-12754 Geopost <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Geopost plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'height' parameter of the 'geopost' shortcode in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2025-62922 WordPress Export Categories plugin <= 1.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in Shambhu Patnaik Export Categories export-categories allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Export Categories: from n/a through = 1.0...