WordPress Advanced Custom Fields: Extended plugin <= 0.9.2.3 - Unauthenticated Arbitrary Shortcode Execution vulnerability

Unauthenticated Arbitrary Shortcode Execution vulnerability discovered by Kishan Vyas in WordPress Plugin ACF Extended versions = 0.9.2.3...

WordPress The Ultimate WordPress Toolkit - WP Extended plugin <= 3.2.4 - Authenticated (Subscriber+) Privilege Escalation via Menu Editor Module vulnerability

WordPress The Ultimate WordPress Toolkit - WP Extended plugin = 3.2.4 - Authenticated Subscriber+ Privilege Escalation via Menu Editor Module vulnerability discovered by Hung Nguyen yoriss - VN in WordPress Plugin The Ultimate WordPress Toolkit – WP Extended versions = 3.2.4...

CVE-2025-14533 Advanced Custom Fields: Extended <= 0.9.2.1 - Unauthenticated Privilege Escalation via Insert User Form Action

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insertuser' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to...

PT-2026-3548

Advanced Custom Fields: Extended Plugin Advanced Custom Fields: Extended versions up to and including 0.9.2.1 Description The Advanced Custom Fields: Extended plugin for WordPress has a flaw that allows unauthenticated attackers to gain administrator access. This is due to insufficient restrictio...

Exploit for CVE-2025-13486

CVE-2025-13486 The Advanced Custom...

Exploit for CVE-2025-13486

CVE-2025-13486 Proof of Concept A Proof of Concept PoC expl...

CVE-2025-13486 Advanced Custom Fields: Extended 0.9.0.5 - 0.9.1.1 - Unauthenticated Remote Code Execution in prepare_form

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepareform function. This is due to the function accepting user input and then passing that through calluserfuncarray. This makes it possible for...

CVE-2025-13486

The CVE-2025-13486 vulnerability affects the Advanced Custom Fields: Extended (ACFE) WordPress plugin, versions 0.9.0.5–0.9.1.1. It arises from the prepare_form() function, where user-supplied data is forwarded to call_user_func_array() without proper validation, enabling unauthenticated remote c...

VulnCheck KEV: CVE-2025-13486

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepareform function. This is due to the function accepting user input and then passing that through calluserfuncarray. This makes it possible for...

EUVD-2024-33744

Malicious code in bioql PyPI...

CVE-2025-4963

The WP Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, t...

CVE-2025-4963 WP Extended <= 3.0.15 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The WP Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, t...

CVE-2025-4963 WP Extended <= 3.0.15 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The WP Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 3.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, t...

CVE-2025-4963

The CVE-2025-4963 entry describes a Stored Cross-Site Scripting (XS S) vulnerability in the WordPress WP Extended plugin. Affected software: WP Extended plugin for WordPress (versions up to and including 3.0.15). Root cause: insufficient input sanitization and output escaping for SVG file uploads...

CVE-2024-11119

The BNE Gallery Extended plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gallery' shortcode in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2025-31784 WordPress Embed Extended – Embed Maps, Videos, Websites, Source Codes, and more Plugin <= 1.4.0 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery CSRF vulnerability in Rudy Susanto Embed Extended embed-extended allows Cross Site Request Forgery.This issue affects Embed Extended: from n/a through = 1.4.0...

CVE-2025-31784

Technical details for CVE-2025-31784 are not publicly available in the provided documents. Monitor for updates from the vendor/authorities for affected versions, impact, and remediation.

CVE-2025-30796 WordPress The Ultimate WordPress Toolkit – WP Extended plugin <= 3.0.14 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in WP Extended The Ultimate WordPress Toolkit – WP Extended wpextended allows Reflected XSS.This issue affects The Ultimate WordPress Toolkit – WP Extended: from n/a through = 3.0.14...

CVE-2025-30796

CVE-2025-30796 in The Ultimate WordPress Toolkit – WP Extended (up to 3.0.14) is a reflected XSS vulnerability caused by improper neutralization of input during web page generation. The CVSS‑3.1 base score is 7.1 (HIGH) with NETWORK attack vector, LOW confidentiality/integrity/availability impact...

CVE-2025-30796 WordPress The Ultimate WordPress Toolkit – WP Extended plugin <= 3.0.14 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in WP Extended The Ultimate WordPress Toolkit – WP Extended wpextended allows Reflected XSS.This issue affects The Ultimate WordPress Toolkit – WP Extended: from n/a through = 3.0.14...