CVE-2026-2420 LotekMedia Popup Form <= 1.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

The LotekMedia Popup Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level...

WordPress LotekMedia Popup Form plugin <= 1.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting via Plugin Settings vulnerability discovered by Hieus in WordPress Plugin LotekMedia Popup Form versions = 1.0.6...

WordPress Carta Online plugin <= 2.13.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting via Plugin Settings vulnerability discovered by 0x34rth in WordPress Plugin Carta Online versions = 2.13.0...

WordPress Winston AI plugin <= 0.0.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Deletion vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Plugin Settings Deletion vulnerability discovered by Legion Hunter in WordPress Plugin HUMN-1 AI Website Scanner & Human Certification by Winston AI versions = 0.0.3...

WordPress Disable Admin Notices - Hide Dashboard Notifications plugin <= 1.4.2 - Cross-Site Request Forgery to Plugin Settings Update vulnerability

WordPress Disable Admin Notices - Hide Dashboard Notifications plugin = 1.4.2 - Cross-Site Request Forgery to Plugin Settings Update vulnerability discovered by lucsob in WordPress Plugin Disable Admin Notices individually versions = 1.4.2...

CVE-2025-14799

The Brevo - Email, SMS, Web Push, Chat, and more. plugin for WordPress is vulnerable to authorization bypass due to type juggling in all versions up to, and including, 3.3.0. This is due to the use of loose comparison == instead of strict comparison === when validating the installation ID in the...

CVE-2026-1072

The Keybase.io Verification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.5. This is due to missing nonce validation when updating plugin settings. This makes it possible for unauthenticated attackers to update the Keybase verification...

CVE-2026-1043 PostmarkApp Email Integrator <= 2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

The PostmarkApp Email Integrator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in versions up to, and including, 2.4. This is due to insufficient input sanitization and output escaping on the pmaapikey and pmasenderaddress parameters. This makes it...

CVE-2026-1043 PostmarkApp Email Integrator <= 2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

The PostmarkApp Email Integrator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in versions up to, and including, 2.4. This is due to insufficient input sanitization and output escaping on the pmaapikey and pmasenderaddress parameters. This makes it...

CVE-2026-1043

CVE-2026-1043 affects the PostmarkApp Email Integrator plugin for WordPress, vulnerable in versions up to and including 2.4. The issue is a Stored XSS in plugin settings due to insufficient input sanitization and output escaping on the pma_api_key and pma_sender_address fields. An authenticated a...

WordPress plugin Country Blocker for AdSense 跨站请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

PT-2026-20575

Name of the Vulnerable Software and Affected Versions GDPR Cookie Consent plugin for WordPress versions up to and including 4.1.2 Description The plugin is susceptible to unauthorized data access because of a missing capability check on the /gdpr/v1/settings API endpoint. This allows...

CVE-2026-2230

The Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.14.14 via the handleajaxsave function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2026-2230

The CVE-2026-2230 entry concerns the WordPress Booking Calendar plugin (versions

WordPress plugin MDirector Newsletter 跨站请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

WordPress Popup Builder <= 4.1.11 - Cross-Site Request Forgery

Sygnoos Popup Builder plugin = 4.1.11 for WordPress contains a cross-site request forgery caused by lack of CSRF protection in plugin settings update, letting attackers change settings without authorization, exploit requires victim to visit malicious site or click malicious link. id: CVE-2022-294...

CVE-2019-25314 Duplicate-Post 3.2.3 - Persistent Cross-Site Scripting

Yoast Duplicate-Post WordPress Plugin 3.2.3 contains a persistent cross-site scripting vulnerability in plugin settings parameters. Attackers can inject malicious scripts into title prefix, suffix, menu order, and blacklist fields to execute arbitrary JavaScript in admin interfaces...

CVE-2026-1786 Twitter posts to Blog <= 1.11.25 - Missing Authorization to Unauthenticated Plugin Settings Update

The Twitter posts to Blog plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'dgtwoptions' function in all versions up to, and including, 1.11.25. This makes it possible for unauthenticated attackers to update plugin settings including...

CVE-2026-1215 MMA Call Tracking <= 2.3.15 - Cross-Site Request Forgery to Plugin Settings Update

The MMA Call Tracking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.15. This is due to missing nonce validation when saving plugin configuration on the mmacalltrackingmenu admin page. This makes it possible for unauthenticated attackers...

CVE-2026-1215

CVE-2026-1215 : The MMA Call Tracking WordPress plugin is vulnerable to Cross-Site Request Forgery up to and including version 2.3.15 due to missing nonce validation on the mma_call_tracking_menu admin page. Unauthenticated attackers could modify configuration by tricking an admin into forging a ...