CVE-2026-7249

The CVE-2026-7249 entry pertains to the WordPress Location Weather plugin (versions up to 3.0.2). It lacks capability checks in splw_update_block_options() and lwp_clean_weather_transients(), allowing authenticated contributors+ to disable all weather blocks and purge weather cache transients. Th...

CVE-2026-5371 MonsterInsights <= 10.1.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure And Plugin Integration Reset

The MonsterInsights – Google Analytics Dashboard for WordPress Website Stats Made Easy plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability checks on the getadsaccesstoken and resetexperience functions in all versions up to, and including,...

WordPress Avada (Fusion) Builder plugin <= 3.15.1 - Authenticated (Subscriber+) Sensitive Information Exposure via Insecure Direct Object Reference vulnerability

Authenticated Subscriber+ Sensitive Information Exposure via Insecure Direct Object Reference vulnerability discovered by Webbernaut in WordPress Plugin Fusion Builder versions = 3.15.1...

CVE-2026-22183

wpDiscuz before 7.6.47 contains a stored cross-site scripting vulnerability in the inline comment preview functionality that allows authenticated users to inject malicious scripts by submitting comments with unescaped content. Attackers with unfilteredhtml capabilities can inject JavaScript...

CVE-2026-3058

The Seraphinite Accelerator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.28.14 via the seraphaccelapi AJAX action with fn=GetData. This is due to the OnAdminApiGetData function not performing any capability checks. This makes it...

CVE-2024-54222

CVE-2024-54222 affects the WordPress Seraphinite Accelerator plugin (seraphinite-accelerator) with versions up to 2.22.15. The Red Hat and NVD entries confirm a Missing Authorization vulnerability that permits retrieval of embedded sensitive data from the Seraphinite Accelerator component. The ri...

CVE-2025-62720

LinkAce is a self-hosted archive to collect website links. Versions 2.3.1 and below allow any authenticated user to export the entire database of links from all users in the system, including private links that should only be accessible to their owners. The HTML and CSV export functions in the...

VulnCheck KEV: CVE-2025-34141

A reflected cross-site scripting XSS vulnerability exists in ETQ Reliance CG legacy platform within the SQLConverterServlet component. This vulnerability requires user interaction, such as clicking a crafted link, and may result in execution of unauthorized scripts in the user's context. The...

CVE-2023-4686

The WP Customer Reviews plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 3.6.6 via the ajaxenabledposts function. This can allow authenticated attackers to extract sensitive data such as post titles and slugs, including those of protected and...

WordPress Seraphinite Accelerator (Full, premium) plugin <= 2.21.13 - Authenticated Sensitive Data Exposure vulnerability

Authenticated Sensitive Data Exposure vulnerability discovered by Dave Jong Patchstack in WordPress Plugin Seraphinite Accelerator Full, premium versions = 2.21.13...

WordPress Sky Addons for Elementor plugin <= 2.6.1 - Authenticated (Contributor+) Sensitive Information Exposure via Content Switcher Widget Elementor Template vulnerability

Authenticated Contributor+ Sensitive Information Exposure via Content Switcher Widget Elementor Template vulnerability discovered by Nishiv in WordPress Plugin Sky Addons for Elementor versions = 2.6.1...

WordPress Magical Addons For Elementor plugin <= 1.2.4 - Authenticated (Contributor+) Sensitive Information Exposure via Elementor Template vulnerability

Authenticated Contributor+ Sensitive Information Exposure via Elementor Template vulnerability discovered by Ankit Patel in WordPress Plugin Magical Addons For Elementor versions = 1.2.4...

Drupal File Entity (fieldable files) module < 7.x-2.39 - Authenticated Sensitive Data Exposure vulnerability

Authenticated Sensitive Data Exposure vulnerability discovered by Devin Zuczek in WordPress Module File Entity fieldable files versions 7.x-2.39...