PT-2026-47634

Name of the Vulnerable Software and Affected Versions Enable Media Replace versions prior to 4.1.9 Description Insufficient input sanitization and output escaping in the Enable Media Replace plugin for WordPress allow authenticated attackers with Author-level access or higher to perform Stored...

CVE-2026-9281

The Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'jtlmacustomjs' Page Setting Custom JS Extension in all versions up to, and including, 3.1.0 due to insufficient input...

CVE-2026-5428

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image captions in the Image Grid/Slider/Carousel widget in versions up to and including 1.7.1056. This is due to insufficient output escaping in the renderpostthumbnail function, where wpksespost is...

EUVD-2025-150410

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.5 via the pagelayerreplacepage function due to missing validation on a user controlled key. This makes it possible for...

EUVD-2025-37426

The RESTful Content Syndication plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ingestimage function in versions 1.1.0 to 1.5.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary file...

CVE-2024-10222 SVG Support <= 2.5.10 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The SVG Support plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.5.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, t...