WordPress BetterDocs – AI Documentation, Knowledge Base, Docs, Wikis, FAQ with Chatbot plugin <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Craniums in WordPress Plugin BetterDocs versions = 4.5.3...

CVE-2026-12111

The CVE describes a vulnerability in WordPress plugin Appointment Booking Calendar (

WordPress Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin <= 3.7.5 - Authenticated (Contributor+) Sensitive Information Exposure vulnerability

Authenticated Contributor+ Sensitive Information Exposure vulnerability discovered by se1en in WordPress Plugin Gutenberg Blocks by Kadence Blocks versions = 3.7.5...

CVE-2026-10024

CVE-2026-10024 affects the TinyMCE shortcode Addon for WordPress (versions

PT-2026-47723

Name of the Vulnerable Software and Affected Versions Blocksy versions prior to 2.1.36 Description Insufficient input sanitization in the blocksy sanitize post meta options function allows authenticated attackers with contributor-level access or higher to store serialized PHP object strings in po...

WordPress Extra Settings for RocketChat plugin <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by MAJidox in WordPress Plugin Extra Settings for RocketChat versions = 0.1...

WordPress Plugin Name: ePaperFlip Publisher plugin <= 1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin Plugin Name: ePaperFlip Publisher versions = 1...

CVE-2026-9829 Photo Gallery by 10Web <= 1.8.41 - Authenticated (Contributor+) SQL Injection via 'compact_album_order_by' Shortcode Parameter

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based SQL Injection via 'compactalbumorderby' Shortcode Parameter in all versions up to, and including, 1.8.41 due to insufficient escaping on the user supplied parameter and lack of sufficient...

CVE-2026-7654 Admin Columns <= 7.0.18 - Authenticated (Contributor+) PHP Object Injection to Remote Code Execution via Custom Field Meta Value

The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of unserialize without an allowedclasses restriction in the IdsToCollection::getidsfromstring function, which processes...

WordPress EmbedPress – PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more plugin <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by UKO - Korea univ. in WordPress Plugin EmbedPress versions = 4.5.3...

WordPress Slider Revolution plugin 6.0.0-6.7.55, 7.0.0-7.0.14 - Missing Authorization to Authenticated (Contributor+) Arbitrary plugin Deactivation vulnerability

Missing Authorization to Authenticated Contributor+ Arbitrary plugin Deactivation vulnerability discovered by Nguyen Ngoc Duc duc193 in WordPress Plugin Slider Revolution versions 6.0.0-6.7.55...

CVE-2026-9243

The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'carouseldirection' parameter of the Carousel Anything widget in versions up to, and including, 6.4.15 This is due to insufficient output escaping in the render function, where the...

CVE-2026-6427

The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.6 This is due to a regex bug in the filtervideos method that breaks HTML attribute quoting when processing crafted elements, combined with unescaped output in the...

CVE-2026-6427 a3 Lazy Load <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Video Element

The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.6 This is due to a regex bug in the filtervideos method that breaks HTML attribute quoting when processing crafted elements, combined with unescaped output in the...

CVE-2025-0898

The CVE-2025-0898 affects the WordPress plugin Xpro Elementor Addons - Pro (versions up to 1.4.7). The vulnerability, exposed via the Draw SVG widget, allows an authenticated attacker with Contributor-level access (or higher) to perform Arbitrary File Reading on the server, exposing sensitive fil...

CVE-2026-8842

The CVE-2026-8842 vulnerability affects the WordPress plugin Google+ Link Name (versions

CVE-2025-14481

The CVE concerns the WordPress Yoast SEO plugin (versions up to and including 26.5). The root cause is insufficient authorization checks in the Meta Search REST API endpoint, which fails to verify post ownership. This allows authenticated attackers with Contributor-level access or higher to read ...

WordPress Animate Your Content plugin <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Gilang - DJ in WordPress Plugin Animate Your Content versions = 1.0.0...

WordPress Auto Thumbnails plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Gilang - DJ in WordPress Plugin Auto Thumbnails versions = 1.0...

WordPress jQuery googleslides plugin <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Gilang - DJ in WordPress Plugin jQuery googleslides versions = 1.3...