WordPress Core <6.5.2 - Cross-Site Scripting

WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. id: CVE-2024-4439 info: name: WordPress Core 6.5.2 - Cross-Site Scripting author: nqdung2002 severity: hi...

CVE-2026-12119

The Simple File List plugin for WordPress is vulnerable to unauthorized file operations due to a missing authorization check on the 'frontmanage' shortcode attribute in all versions up to, and including, 6.3.7. This makes it possible for authenticated attackers, with contributor-level access and...

CVE-2026-12119

The CVE concerns the Simple File List WordPress plugin (≤6.3.7). A missing authorization check on the frontmanage shortcode attribute allows authenticated users with contributor-level access or higher to perform arbitrary file operations (delete, move, folder creation, download). The vulnerabilit...

CVE-2026-12119 Simple File List <= 6.3.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Operations (Deletion / Move / Folder Creation / Download) via 'frontmanage' Shortcode Attribute

The Simple File List plugin for WordPress is vulnerable to unauthorized file operations due to a missing authorization check on the 'frontmanage' shortcode attribute in all versions up to, and including, 6.3.7. This makes it possible for authenticated attackers, with contributor-level access and...

EUVD-2026-37986

The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Arbitrary File Read in versions 1.7.1058 through 1.7.1059. This is due to the wprgetcsvhandle helper introduced in version 1.7.1058 as part of the patch for CVE-2026-6229 falling back to...

EUVD-2026-37983

The Bogo plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.1 via the bogorestcreateposttranslation. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract the raw title, content, excerpt,...

WordPress BetterDocs – AI Documentation, Knowledge Base, Docs, Wikis, FAQ with Chatbot plugin <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Craniums in WordPress Plugin BetterDocs versions = 4.5.3...

CVE-2026-8039

The Fancy Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'author' shortcode attribute in the 'testimonial' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...

CVE-2026-2021

The Slideshow Gallery LITE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alwaysauto' shortcode attribute in all versions up to, and including, 1.8.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible...

CVE-2026-2021

The Slideshow Gallery LITE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alwaysauto' shortcode attribute in all versions up to, and including, 1.8.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible...

CVE-2026-12111

The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.4.01. This is due to insufficient authorization and missing per-calendar ownership checks in the cpabcappointmentscalendarload2 function, which is reachable vi...

CVE-2026-12136

The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sysbasicsuseravatar' shortcode in versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied attributes minheight,...

EUVD-2026-37867

The Fancy Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'author' shortcode attribute in the 'testimonial' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...

CVE-2026-12111 Appointment Booking Calendar <= 1.4.01 - Authenticated (Contributor+) Sensitive Information Exposure via 'id' Parameter

The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.4.01. This is due to insufficient authorization and missing per-calendar ownership checks in the cpabcappointmentscalendarload2 function, which is reachable vi...

EUVD-2026-37864

The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.4.01. This is due to insufficient authorization and missing per-calendar ownership checks in the cpabcappointmentscalendarload2 function, which is reachable vi...

CVE-2026-12111

The CVE describes a vulnerability in WordPress plugin Appointment Booking Calendar (

EUVD-2026-37859

The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sysbasicsuseravatar' shortcode in versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied attributes minheight,...

CVE-2026-12136 SysBasics Customize My Account for WooCommerce <= 4.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sysbasicsuseravatar' shortcode in versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied attributes minheight,...

CVE-2026-11402

The Services Section Block – Showcase Service Details in Grid or Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'link' Block Attribute in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2026-11357

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.7.5 via the editorassetsvariables. This makes it possible for authenticated attackers, with contributor-level access and abov...