Extensive VC Addons for WPBakery page builder < 1.9.1 - Unauthenticated RCE
The plugin does not validate a parameter passed to the php extract function when loading templates, allowing an unauthenticated attacker to override the template path to read arbitrary files from the hosts file system. This may be escalated to RCE using PHP filter chains. id: CVE-2023-0159 info:...
Everest Forms Pro <= 1.9.12 - Unauthenticated RCE via Calculation Formula Injection
The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's processfilter function concatenating user-submitted form field values into a PHP code string without proper...
Ultimate Addons for Elementor <= 1.24.1 - Registration Bypass
An issue was discovered in the "Ultimate Addons for Elementor" plugin before 1.24.2 for WordPress, as exploited in the wild in May 2020 in conjunction with CVE-2020-13126. Unauthenticated attackers can create users with the Subscriber role even if registration is disabled. id: CVE-2020-13125 info...
WordPress Product Addons & Fields for WooCommerce < 32.0.7 - Cross-Site Scripting
The Product Addons & Fields for WooCommerce WordPress plugin before version 32.0.7 contains a reflected cross-site scripting vulnerability. The plugin does not properly sanitize and escape some URL parameters in the admin panel, which could allow attackers to execute arbitrary JavaScript code in ...
EUVD-2026-37647
Unauthenticated Arbitrary File Download in WP Media folder Addon <= 4.0.1 versions...
Important: Red Hat Security Advisory: Custom Metrics Autoscaler Operator for Red Hat OpenShift 2.19.0-1 Update
Custom Metrics Autoscaler Operator for Red Hat OpenShift updates. The following updates for the Custom Metric Autoscaler operator for Red Hat OpenShift are now available: custom-metrics-autoscaler-adapter-container custom-metrics-autoscaler-admission-webhooks-container...
CVE-2026-9690
Unauthenticated Arbitrary File Download in WP Media folder Addon <= 4.0.1 versions...
CVE-2026-39597
This CVE covers an unauthenticated, reflected Cross Site Scripting (XSS) in the WordPress WPZOOM Addons for Elementor plugin (versions
CVE-2026-9690
CVE-2026-9690 concerns the WordPress WP Media folder Addon plugin (versions <= 4.0.1). The vulnerability is an unauthenticated arbitrary file download, enabling an attacker to download arbitrary files from the affected site without authentication. The issue is associated with the WP Media fold...
CVE-2026-9690 WordPress WP Media folder Addon plugin <= 4.0.1 - Arbitrary File Download vulnerability
Unauthenticated Arbitrary File Download in WP Media folder Addon <= 4.0.1 versions...
PT-2026-50363
Name of the Vulnerable Software and Affected Versions WP Media folder Addon versions prior to 4.0.2 Description An unauthenticated arbitrary file download issue exists in the software, allowing an attacker to download files without providing credentials. Recommendations Update to version 4.0.2 or...
CVE-2026-52694 WordPress Signature Add-On for WooCommerce plugin <= 2.0 - Sensitive Data Exposure vulnerability
Unauthenticated Sensitive Data Exposure in Signature Add-On for WooCommerce <= 2.0 versions...
CVE-2026-39499 WordPress Advanced Product Fields (Product Addons) for WooCommerce plugin <= 1.6.19 - PHP Object Injection vulnerability
Shop manager PHP Object Injection in Advanced Product Fields Product Addons for WooCommerce <= 1.6.19 versions...
CVE-2025-8444
The Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the multiple parameters in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. Th...
MAL-2026-5566 Malicious code in fastify-addon (npm)
Source: amazon-inspector 3cb91c825be697244f8ff069bb56e79aff3b90de7b9947019095b6d0fa2fd270 fastify-addon is a typosquat of the legitimate fastify-plugin package. Its package.json sets repository, bugs, and homepage to...
CVE-2026-10024
The TinyMCE shortcode Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2025-8444 Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates <= 2.6.7 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Multiple Parameters
The Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the multiple parameters in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. Th...
PT-2026-48392
The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'title tag' Widget Setting in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...