CVE-2026-2599 Database for Contact Form 7, WPforms, Elementor forms <= 1.4.7 - Unauthenticated PHP Object Injection via 'download_csv'

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.7 via deserialization of untrusted input in the 'downloadcsv' function. This makes it possible for unauthenticated attackers to inject a P...

CVE-2026-2599 Database for Contact Form 7, WPforms, Elementor forms <= 1.4.7 - Unauthenticated PHP Object Injection via 'download_csv'

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.7 via deserialization of untrusted input in the 'downloadcsv' function. This makes it possible for unauthenticated attackers to inject a P...

WordPress Morning Records theme <= 1.2 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Morning Records versions = 1.2...

WordPress Product Feed for WooCommerce plugin <= 2.3.3 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Mrreee in WordPress Plugin Product Feed for WooCommerce versions = 2.3.3...

WordPress Bus Ticket Booking with Seat Reservation plugin <= 5.6.0 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by daroo in WordPress Plugin Bus Ticket Booking with Seat Reservation versions = 5.6.0...

CVE-2026-27437

CVE-2026-27437 is a PHP Object Injection vulnerability in the ThemeREX Tennis Club WordPress theme (tennis-sportclub), arising from deserialization of untrusted data that enables object injection. Public records in NVD, Red Hat, CVE listings, and PatchStack describe it as deserialization-based, a...

CVE-2026-27379

CVE-2026-27379 concerns the WordPress plugin NextScripts: Social Networks Auto-Poster (v

CVE-2026-22501 WordPress Mounthood theme <= 1.3.2 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in axiomthemes Mounthood mounthood allows Object Injection.This issue affects Mounthood: from n/a through = 1.3.2...

CVE-2026-23798 WordPress PowerPress Podcasting plugin <= 11.15.10 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in blubrry PowerPress Podcasting powerpress allows Object Injection.This issue affects PowerPress Podcasting: from n/a through = 11.15.10...

CVE-2026-22501 WordPress Mounthood theme <= 1.3.2 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in axiomthemes Mounthood mounthood allows Object Injection.This issue affects Mounthood: from n/a through = 1.3.2...

CVE-2026-22497 WordPress Jardi theme <= 1.7.2 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in AncoraThemes Jardi jardi allows Object Injection.This issue affects Jardi: from n/a through = 1.7.2...

CVE-2026-22474 WordPress Equestrian Centre theme <= 1.5 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeREX Equestrian Centre equestrian-centre allows Object Injection.This issue affects Equestrian Centre: from n/a through = 1.5...

CVE-2026-22471 WordPress Secudeal Payments for Ecommerce plugin <= 1.1 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in maximsecudeal Secudeal Payments for Ecommerce secudeal-payments-for-ecommerce allows Object Injection.This issue affects Secudeal Payments for Ecommerce: from n/a through = 1.1...

CVE-2026-22473 WordPress Dental Clinic theme <= 3.7 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in designthemes Dental Clinic dental allows Object Injection.This issue affects Dental Clinic: from n/a through = 3.7...

CVE-2026-22475

CVE-2026-22475 describes a deserialization of untrusted data vulnerability in the WordPress theme Estate (vulnerable from n/a to 1.3.4). The root cause is unauthenticated PHP Object Injection due to deserializing untrusted input, enabling potential manipulation of objects within Estate. The CVSSv...

CVE-2026-22453

CVE-2026-22453 is a deserialization-based PHP Object Injection vulnerability in the ThemeREX Pets Club WordPress theme (Pets Club) affecting versions up to 2.3. The issue arises from deserializing untrusted data, enabling object injection. The vulnerability is rated critical (CVSS 3.1 9.8) with n...

CVE-2026-22453 WordPress Pets Club theme <= 2.3 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeREX Pets Club petclub allows Object Injection.This issue affects Pets Club: from n/a through = 2.3...

CVE-2026-22451

CVE-2026-22451: WordPress Handyman theme Handyman (handyman-services) is affected by a Deserialization of Untrusted Data vulnerability enabling PHP Object Injection. The vulnerability affects Handyman versions up to 1.4.7 and is described as unauthenticated, with a CVSS v3.1 base score of 9.8 (CR...

CVE-2026-22451 WordPress Handyman theme <= 1.4.7 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in AncoraThemes Handyman handyman-services allows Object Injection.This issue affects Handyman: from n/a through = 1.4.7...

CVE-2026-22417

CVE-2026-22417 describes a deserialization of untrusted data vulnerability in the WordPress theme Grand Wedding (versions through 3.1.0). The issue enables unauthenticated PHP Object Injection via deserialization, with a CVSS v3.1 score of 9.8 (CRITICAL) and NETWORK attack vector, as reported by ...