WordPress Fancy Testimonials plugin <= 1.0 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability
Authenticated Author+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin Fancy Testimonials versions <= 1.0...
CVE-2026-1291 Meow Gallery <= 5.4.4 - Missing Authorization to Authenticated (Author+) Shortcode creation
The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/saveshortcode in all versions up to, and including, 5.4.4. This makes it possible for authenticated attackers, with...
WordPress Enable Media Replace plugin <= 4.1.8 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability
Authenticated Author+ Stored Cross-Site Scripting vulnerability discovered by tjoffe in WordPress Plugin Enable Media Replace versions <= 4.1.8...
CVE-2026-4852
The CVE-2026-4852 entry concerns the Image Source Control Lite – Show Image Credits and Captions WordPress plugin. Affected component: the Image Source attachment field. Root cause: insufficient input sanitization and output escaping. Impact: Stored Cross-Site Scripting that can be triggered when...
CVE-2026-28228 OpenOLAT: Server-Side Template Injection (SSTI) in Velocity templates allows Remote Code Execution
OpenOlat is an open source web-based e-learning platform for teaching, learning, assessment and communication. Prior to versions 19.1.31, 20.1.18, and 20.2.5, an authenticated user with the Author role can inject Velocity directives into a reminder email template. When the reminder is processed...
CVE-2026-4335 ShortPixel Image Optimizer <= 6.4.3 - Authenticated (Author+) Stored Cross-Site Scripting via Attachment Title
The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup function and its corresponding media-popup.php template...
WordPress GetGenie plugin <= 4.3.2 - Insecure Direct Object Reference to Authenticated (Author+) Stored Cross-Site Scripting via REST API vulnerability
Insecure Direct Object Reference to Authenticated Author+ Stored Cross-Site Scripting via REST API vulnerability discovered by Quốc Huy jtwings - Puramu in WordPress Plugin GetGenie versions <= 4.3.2...
CVE-2026-27759 Featured Image from Content < 1.7 Authenticated SSRF via save_post
Featured Image from Content (featured-image-from-content) WordPress plugin versions prior to 1.7 contain an authenticated server-side request forgery vulnerability that allows Author-level users to fetch internal HTTP resources. Attackers can exploit insecure URL fetching and file write operations ...
CVE-2026-1565
The CVE-2026-1565 entry describes a vulnerability in the WordPress plugin WP User Frontend (AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration) up to version 4.2.8. Root cause: incorrect file-type validation in WPUF_Admin_Settings::check_filetype_and_ext and Admi...
CVE-2026-1985
CVE-2026-1985 pertains to the WordPress Press3D plugin up to version 1.0.2, where a vulnerability in the 3D Model Gutenberg block allows Stored Cross-Site Scripting via the link URL parameter. The root cause is inadequate sanitization/validation of the URL scheme when storing model block URLs, en...
WordPress Payment Page | Payment Form for Stripe plugin <= 1.4.6 - Authenticated (Author+) Stored Cross-Site Scripting via 'pricing_plan_select_text_font_family' Parameter vulnerability
Authenticated Author+ Stored Cross-Site Scripting via 'pricing_plan_select_text_font_family' Parameter vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Payment Page versions <= 1.4.6...
CVE-2026-1755 Menu Icons by ThemeIsle <= 0.13.20 - Authenticated (Author+) Stored Cross-Site Scripting
The Menu Icons by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_wp_attachment_image_alt' post meta in all versions up to, and including, 0.13.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2025-14610
CVE-2025-14610: The WordPress plugin TableMaster for Elementor (versions up to and including 1.3.6) is vulnerable to authenticated SSRF via the csv_url parameter in the Data Table widget. An attacker with Author-level access or higher can trigger web requests to arbitrary locations (including lo...
WordPress Document Embedder plugin <= 2.0.4 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Document Library Entry Deletion vulnerability
Insecure Direct Object Reference to Authenticated Author+ Arbitrary Document Library Entry Deletion vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin Document Embedder versions <= 2.0.4...
CVE-2025-14797
CVE-2025-14797 is a Stored Cross-Site Scripting (Stored XSS) vulnerability in the WordPress plugin “Same Category Posts” (
CVE-2025-14893 IndieWeb <= 4.0.5 - Authenticated (Author+) Stored Cross-Site Scripting via 'Telephone' Parameter
The IndieWeb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Telephone' parameter in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author level access and...
CVE-2025-14893
CVE-2025-14893: The IndieWeb WordPress plugin is vulnerable to a stored XSS via the Telephone parameter in all versions up to 4.0.5, with exploitation limited to authenticated attackers holding at least author-level access. The vulnerability allows injection of arbitrary scripts that run when us...
WordPress IndieWeb plugin <= 4.0.5 - Authenticated (Author+) Stored Cross-Site Scripting via 'Telephone' Parameter vulnerability
Authenticated Author+ Stored Cross-Site Scripting via 'Telephone' Parameter vulnerability discovered by Tharadol Suksamran in WordPress Plugin IndieWeb versions <= 4.0.5...
WordPress Gutenverse Form plugin <= 2.3.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload vulnerability
Authenticated Author+ Stored Cross-Site Scripting via SVG File Upload vulnerability discovered by andrea bocchetti in WordPress Plugin Gutenverse Form versions <= 2.3.2...