CVE-2026-4090

The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.2. This is due to missing nonce verification in the rdicsettingspage function when processing settings form submissions. This makes it possible for unauthenticated attackers...

CVE-2026-1845

The Real Estate Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions...

CVE-2026-1379

The HTTP Headers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.19.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions a...

CVE-2026-4138

The DX Unanswered Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation on the plugin's settings form in the dxuc-unanswered-comments-admin-page.php file. This makes it possible for...

CVE-2026-6294 Google PageRank Display <= 1.4 - Cross-Site Request Forgery to Settings Update via Settings Page

The Google PageRank Display plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.4. This is due to missing nonce validation in the gpdisplayoption function, which handles the plugin settings page. The settings form does not include a wpnoncefield, and...

CVE-2026-4119 Create DB Tables <= 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Database Table Creation/Deletion via admin-post.php

The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers adminpost action hooks for creating tables adminpostaddtable and deleting tables adminpostdeletedbtable without implementing any capability checks via...

CVE-2026-4119

CVE-2026-4119 affects the WordPress plugin Create DB Tables (versions up to and including 1.2.1). The vulnerability arises from missing capability checks and nonce verification in admin_post hooks for creating and deleting tables, allowing any authenticated user (including Subscribers) to execute...

CVE-2026-4119 Create DB Tables <= 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Database Table Creation/Deletion via admin-post.php

The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers adminpost action hooks for creating tables adminpostaddtable and deleting tables adminpostdeletedbtable without implementing any capability checks via...

CVE-2026-4117

CVE-2026-4117 affects the WordPress CalJ plugin (≤ v1.5). The vulnerability is caused by a missing authorization check in the CalJSettingsPage constructor that processes the POST operation 'save-obtained-key' without verifying the user’s capability or nonce, allowing authenticated users (Subscrib...

CVE-2026-4117 CalJ <= 1.5 - Authenticated (Subscriber+) Arbitrary Settings Modification via 'save-obtained-key' Action

The CalJ plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5. This is due to a missing capability check in the CalJSettingsPage class constructor, which processes the 'save-obtained-key' operation directly from POST data without verifying that the...

CVE-2026-4121

The Kcaptcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.1. This is due to missing nonce validation in the plugin's settings page handler admin/setting.php. The settings form does not include a wpnoncefield and the form processing code...

CVE-2026-2719

The Private WP suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Exceptions' setting in all versions up to, and including, 0.4.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2026-4090

Technical details beyond the CVE entry are not provided in the connected documents. Monitor for updates on affected plugin versions and remediation status.

CVE-2026-6235

The Sendmachine for WordPress plugin for WordPress is vulnerable to authorization bypass via the 'manageadminrequests' function in all versions up to, and including, 1.0.20. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

CVE-2026-6235

Vulnerability overview: The Sendmachine for WordPress plugin (WordPress) is affected by an authorization bypass in the manage_admin_requests path for all versions up to 1.0.20, enabling unauthenticated attackers to overwrite the SMTP configuration and potentially intercept all outbound emails (in...

CVE-2026-4090

The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.2. This is due to missing nonce verification in the rdicsettingspage function when processing settings form submissions. This makes it possible for unauthenticated attackers...

CVE-2026-4090 Inquiry cart <= 3.4.2 - Cross-Site Request Forgery via Settings Form

The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.2. This is due to missing nonce verification in the rdicsettingspage function when processing settings form submissions. This makes it possible for unauthenticated attackers...

CVE-2026-3362 Short Comment Filter <= 2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Minimum Count' Setting

The Short Comment Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Minimum Count' settings field in all versions up to and including 2.2. This is due to insufficient input sanitization no sanitize callback on registersetting and missing output escaping no escattr ...

CVE-2026-4133

The TextP2P Texting Widget WordPress plugin (versions ≤ 1.7) is vulnerable to Cross-Site Request Forgery due to missing nonce validation in imTextP2POptionPage(). The settings form (line 314) lacks wp_nonce_field(), and the POST handler (line 7) does not call check_admin_referer() or wp_verify_no...

CVE-2026-1845

CVE-2026-1845 concerns the WordPress plugin Real Estate Pro (