EUVD-2026-37605
Contributor Remote Code Execution RCE in Blocksy Companion Pro = 2.1.37 versions...
CVE-2026-6962
CVE-2026-6962 affects the WordPress plugin “Cost of Goods: Product Cost & Profit Calculator for WooCommerce.” Vulnerable component: the shortcodes alg_wc_cog_product_cost and alg_wc_cog_product_profit in all versions up to 4.1.0. Root cause: insufficient input sanitization and output escaping on ...
WordPress Forms Rb plugin <= 1.1.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Modification vulnerability
Missing Authorization to Authenticated Contributor+ Arbitrary Modification vulnerability discovered by ? in WordPress Plugin Forms Rb versions <= 1.1.9...
WordPress iVysilani Shortcode plugin <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'width' Shortcode Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'width' Shortcode Attribute vulnerability discovered by zakaria in WordPress Plugin iVysilani Shortcode versions <= 3.0...
WordPress WP NG Weather plugin <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin WP NG Weather versions <= 1.0.9...
WordPress Gutena Forms plugin < 1.6.1 - Contributor+ Arbitrary Limited Options Update vulnerability
Contributor+ Arbitrary Limited Options Update vulnerability discovered by yiğit ibrahim sağlam in WordPress Plugin Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder versions < 1.6.1...
WordPress UpMenu plugin <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'upmenu-menu' Shortcode 'lang' Attribute vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'upmenu-menu' Shortcode 'lang' Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin UpMenu versions <= 3.1...
WordPress Relevanssi Premium plugin < 2.29.0 - Contributor+ SQLi vulnerability
Contributor+ SQLi vulnerability discovered by Drew Webber mcdruid in WordPress Plugin Relevanssi Premium versions < 2.29.0...
Insertion of Sensitive Information Into Sent Data
Overview johnpbloch/wordpress-core is a web software you can use to create a website or blog. Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data. An attacker can access sensitive information by leveraging contributor-level privileges to retrieve...
CVE-2023-23728
Auth. contributor+ Cross-Site Scripting XSS vulnerability in Winwar Media WP Flipclock plugin = 1.7.4 versions...
CVE-2023-1905
The WP Popups WordPress plugin before 2.1.5.1 does not properly escape the href attribute of its spu-facebook-page shortcode before outputting it back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...
CVE-2023-27612
Auth. contributor+ Stored Cross-Site Scripting XSS vulnerability in Paul Ryley Site Reviews plugin = 6.5.1 versions...
CVE-2024-11267 JSP Store Locator <= 1.0 - Contributor+ SQL Injection
The JSP Store Locator WordPress plugin through 1.0 does not sanitize and escape a parameter before using it in a SQL statement, allowing users with the Contributor role to perform SQL injection attacks...
WordPress Typer Core plugin <= 1.9.6 - Authenticated (Contributor+) Post Disclosure vulnerability
Authenticated Contributor+ Post Disclosure vulnerability discovered by Francesco Carlucci in WordPress Plugin Typer Core versions <= 1.9.6...
WordPress SIP Reviews Shortcode for WooCommerce plugin <= 1.2.3 - Authenticated (Contributor+) Cross-Site Scripting vulnerability
Authenticated Contributor+ Cross-Site Scripting vulnerability discovered by WordFence in WordPress Plugin SIP Reviews Shortcode for WooCommerce versions <= 1.2.3...
WordPress Elementor Addon Elements plugin <= 1.13.8 - Authenticated (Contributor+) Sensitive Information Exposure via table_saved_sections vulnerability
Authenticated Contributor+ Sensitive Information Exposure via table_saved_sections vulnerability discovered by Ankit Patel in WordPress Plugin Elementor Addon Elements versions <= 1.13.8...
WordPress Happy Addons for Elementor plugin <= 3.12.2 - Authenticated (Contributor+) Sensitive Information Exposure vulnerability
Authenticated Contributor+ Sensitive Information Exposure vulnerability discovered by Ankit Patel in WordPress Plugin Happy Addons for Elementor versions <= 3.12.2...
WordPress Slider by 10Web plugin <= 1.2.57 - Authenticated (Contributor+) SQL Injection via id Parameter vulnerability
Authenticated Contributor+ SQL Injection via id Parameter vulnerability discovered by Arkadiusz Hydzik in WordPress Plugin Slider by 10Web versions <= 1.2.57...
WordPress Spectra Pro plugin <= 1.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block IDs vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via Block IDs vulnerability discovered by Ngô Thiên An ancorn in WordPress Plugin Spectra Pro versions <= 1.1.4...
WordPress Paid Memberships Pro - Member Directory Add On plugin < 1.2.6 - Contributor+ Sensitive Information Disclosure and SQLi vulnerability
WordPress Paid Memberships Pro - Member Directory Add On plugin < 1.2.6 - Contributor+ Sensitive Information Disclosure and SQLi vulnerability discovered by Scott Kingsley Clark in WordPress Plugin Paid Memberships Pro - Member Directory Add On versions < 1.2.6...