15573 matches found
PT-2026-55522
Name of the Vulnerable Software and Affected Versions RTMKit versions prior to 2.0.8 Description The RTMKit rometheme-for-elementor plugin for WordPress contains a Local File Inclusion flaw. This occurs because the render templates AJAX endpoint does not properly validate the template parameter...
PT-2026-55514
Name of the Vulnerable Software and Affected Versions Ad Inserter – Ad Manager & AdSense Ads versions prior to 2.8.17 Description An Insecure Direct Object Reference exists via the data attribute of the adinserter shortcode. The replace ai tags function processes a reusable-block-N tag pattern th...
PT-2026-55442
Name of the Vulnerable Software and Affected Versions weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot versions prior to 2.3.1 Description Insufficient input sanitization and output escaping allow authenticated attackers with contributor-level access and above to perform...
PT-2026-55517
Name of the Vulnerable Software and Affected Versions Zakra versions prior to 4.2.1 Description The Zakra theme for WordPress contains a Stored Cross-Site Scripting issue. This occurs because the theme registers three post meta fields—zakra menu item color, zakra menu item hover color, and zakra...
PT-2026-55509
Name of the Vulnerable Software and Affected Versions Quiz and Survey Master QSM – Easy Quiz and Survey Maker versions prior to 11.1.5 Description An authorization bypass exists because the plugin fails to properly verify if a user is authorized to perform specific actions. Authenticated attacker...
WordPress Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin <= 11.1.4 - Missing Authorization to Authenticated (Contributor+) Arbitrary Quiz Modification and Email Reroute vulnerability
Missing Authorization to Authenticated Contributor+ Arbitrary Quiz Modification and Email Reroute vulnerability discovered by Kirasec in WordPress Plugin Quiz And Survey Master versions = 11.1.4...
WordPress RTMKit plugin <= 2.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by theviper17y in WordPress Plugin RTMKit versions = 2.0.7...
CVE-2026-57765
Contributor SQL Injection in WP EasyCart = 5.9.0 versions...
WordPress weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin <= 2.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by PRISM in WordPress Plugin weDocs versions = 2.3.0...
CVE-2026-57765
Contributor SQL Injection in WP EasyCart = 5.9.0 versions...
CVE-2026-57756
Contributor SQL Injection in nicen-localize-image = 1.4.9 versions...
CVE-2026-13252
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'aspectRatio' Attribute in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. Th...
CVE-2026-13252
The CVE-2026-13252 entry concerns the WordPress plugin RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator. Affected: the plugin’s handling of the aspectRatio attribute allows Stored Cross-Site Scripting due to insufficient input sanitization and output es...
CVE-2026-11781
The Adminify WordPress plugin before 4.2.10 does not perform per-user read-capability checks on the results returned by one of its administration search features, allowing users with a low-privilege role Contributor to disclose non-public content that WordPress would not otherwise expose to them,...
CVE-2026-11781 Adminify < 4.2.10 - Contributor+ Sensitive Information Disclosure via Global Search AJAX
The Adminify WordPress plugin before 4.2.10 does not perform per-user read-capability checks on the results returned by one of its administration search features, allowing users with a low-privilege role Contributor to disclose non-public content that WordPress would not otherwise expose to them,...
CVE-2026-11781
The CVE-2026-11781 entry affects the Adminify WordPress plugin prior to version 4.2.10. The vulnerability arises because the plugin does not perform per-user read-capability checks on results returned by an administration search feature. As a result, users with a low-privilege role (Contributor) ...
CVE-2026-11592 Email Subscribers & Newsletters <= 5.9.27 - Missing Authorization to Authenticated (Contributor+) Settings Modification via ig_es_handle_request AJAX Action
The Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.9.27. This is due to the plugin not properly verifying that a user is authorized to perfor...
PT-2026-55043
Name of the Vulnerable Software and Affected Versions Mosaic Gallery – Advanced Gallery versions prior to 1.2.1 Description A Cross Site Scripting XSS issue exists that allows users with Contributor privileges to execute malicious scripts. XSS is a type of security flaw where an attacker injects...
PT-2026-55037
Name of the Vulnerable Software and Affected Versions SportsPress Pro versions 2.7.29 and earlier Description A Local File Inclusion LFI issue exists where users with Contributor privileges can read local files on the server. Local File Inclusion is a vulnerability that allows an attacker to indu...
WordPress Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress plugin <= 5.9.27 - Missing Authorization to Authenticated (Contributor+) Settings Modification vulnerability
Missing Authorization to Authenticated Contributor+ Settings Modification vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Email Subscribers & Newsletters versions = 5.9.27...