849 matches found

ATTACKERKB
added 2026/04/21 6:43 a.m., 2 views

CVE-2026-6703

The Responsive Blocks – Page Builder for Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticat...

CVSS 4.3, AI score 5.7, EPSS 0.0023
Exploits 0, References 9, Affected Software 1
Patchstack
added 2026/04/16 10:49 a.m., 2 views

WordPress Livemesh Addons by Elementor plugin <= 9.0 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via Plugin Settings vulnerability

Missing Authorization to Authenticated Subscriber+ Stored Cross-Site Scripting via Plugin Settings vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Livemesh Addons for Elementor versions <= 9.0...

CVSS 6.4, AI score 5.8, EPSS 0.00322
Exploits 0, References 1, Affected Software 1
CVE
added 2026/04/16 6:44 a.m., 9 views

CVE-2026-1572

CVE-2026-1572 affects Livemesh Addons for Elementor (WordPress). All versions up to 9.0 are vulnerable due to missing authorization checks on AJAX handler lae_admin_ajax() and insufficient output escaping across multiple checkbox settings fields. This enables authenticated users with Subscriber-l...

CVSS 6.4, AI score 5.9, EPSS 0.00322
Exploits 0, References 9
Patchstack
added 2026/04/14 3:38 a.m., 3 views

WordPress WholeSale Products Dynamic Pricing Management WooCommerce plugin <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting via Plugin Settings vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin WholeSale Products Dynamic Pricing Management WooCommerce versions <= 1.2...

CVSS 4.4, AI score 5.8, EPSS 0.00157
Exploits 0, References 1, Affected Software 1
Cvelist
added 2026/04/14 3:37 a.m., 28 views

CVE-2026-4479 WholeSale Products Dynamic Pricing Management WooCommerce <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

The WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVSS 4.4, EPSS 0.00157
Exploits 0, References 2
Patchstack
added 2026/04/10 12:11 a.m., 2 views

WordPress Aruba HiSpeed Cache plugin <= 3.0.4 - Cross-Site Request Forgery to Plugin Settings Reset vulnerability

Cross-Site Request Forgery to Plugin Settings Reset vulnerability discovered by Legion Hunter in WordPress Plugin Aruba HiSpeed Cache versions <= 3.0.4...

CVSS 4.3, AI score 5.9, EPSS 0.00181
Exploits 0, References 1, Affected Software 1
Vulnrichment
added 2026/04/09 2:25 a.m., 1 view

CVE-2026-3574 Experto Dashboard for WooCommerce <= 1.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Navigation Font Size' Setting

The Experto Dashboard for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's settings fields including 'Navigation Font Size', 'Navigation Font Weight', 'Heading Font Size', 'Heading Font Weight', 'Text Font Size', and 'Text Font Weight' in all versions...

CVSS 4.4, AI score 6, EPSS 0.00207
Exploits 0, References 6
CVE
added 2026/04/08 3:36 a.m., 6 views

CVE-2026-3646

The CVE concerns the WordPress plugin LTL Freight Quotes – R+L Carriers Edition (versions up to and including 3.3.13). A standalone PHP webhook handler processes GET parameters without proper authentication, authorization, or nonce verification, allowing unauthenticated attackers to modify subscr...

CVSS 5.3, AI score 5.9, EPSS 0.00385
Exploits 0, References 14
RedhatCVE
added 2026/04/01 11:00 p.m., 0 views

CVE-2026-34394

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit...

CVSS 8.1, AI score 6, EPSS 0.00233
Exploits 1, References 1
RedhatCVE
added 2026/04/01 5:03 p.m., 2 views

CVE-2026-3191

The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.12. This is due to missing or incorrect nonce validation on the 'minifyhtmlmenuoptions' function. This makes it possible for unauthenticated attackers to update plugin settin...

CVSS 5.4, AI score 5.8, EPSS 0.00154
Exploits 0, References 1
RedhatCVE
added 2026/04/01 5:00 a.m., 4 views

CVE-2026-1710

The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'saveupeappearanceajax' function in all versions up to, and including, 10.5.1. This makes it possible for unauthenticated attackers to...

CVSS 6.5, AI score 5.9, EPSS 0.00267
Exploits 0, References 1
Patchstack
added 2026/03/31 11:59 p.m., 3 views

WordPress Minify HTML plugin <= 2.1.12 - Cross-Site Request Forgery to Plugin Settings Update vulnerability

Cross-Site Request Forgery to Plugin Settings Update vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin Minify HTML versions <= 2.1.12...

CVSS 5.4, AI score 5.9, EPSS 0.00154
Exploits 0, References 1, Affected Software 1
Cvelist
added 2026/03/31 8:39 p.m., 19 views

CVE-2026-34394 AVideo: CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit...

CVSS 8.1, EPSS 0.00233
Exploits 1, References 1
ATTACKERKB
added 2026/03/31 8:39 p.m., 2 views

CVE-2026-34394

WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit...

CVSS 8.1, AI score 6, EPSS 0.00233
Exploits 1, References 2, Affected Software 1
CVE
added 2026/03/31 11:18 a.m., 5 views

CVE-2026-3191

The CVE-2026-3191 entry describes a CSRF vulnerability in the WordPress Minify HTML plugin up to version 2.1.12, caused by missing or incorrect nonce validation in minify_html_menu_options. This allows unauthenticated attackers to update plugin settings via forged requests if a site administrator...

CVSS 5.4, AI score 5.8, EPSS 0.00154
Exploits 0, References 3
CVE
added 2026/03/31 4:25 a.m., 11 views

CVE-2026-1710

CVE-2026-1710 affects the WooPayments: Integrated WooCommerce Payments plugin for WordPress. A missing capability check in the save_upe_appearance_ajax function allows unauthenticated attackers to modify plugin settings on all versions up to and including 10.5.1. Impact is unauthenticated data mo...

CVSS 6.5, AI score 5.9, EPSS 0.00267
Exploits 0, References 4
Positive Technologies
added 2026/03/31 12:00 a.m., 4 views

PT-2026-29191

The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save upe appearance ajax' function in all versions up to, and including, 10.5.1. This makes it possible for unauthenticated attackers ...

CVSS 6.5, AI score 5.9, EPSS 0.00267
Exploits 0, References 4
Positive Technologies
added 2026/03/31 12:00 a.m., 2 views

PT-2026-29352

Name of the Vulnerable Software and Affected Versions: AVideo versions 26.0 and prior. Description: AVideo's admin plugin configuration endpoint admin/save.json.php is susceptible to cross-site request forgery (CSRF) attacks due to the absence of CSRF token validation. The application's configuration...

CVSS 8.1, AI score 5.9, EPSS 0.00233
Exploits 1, References 5
RedhatCVE
added 2026/03/26 3:12 p.m., 2 views

CVE-2026-3332

The Xhanch - My Advanced Settings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation in the xmssetting function on the settings update handler. This makes it possible for unauthenticated attackers t...

CVSS 4.3, AI score 5.7, EPSS 0.0014
Exploits 0, References 1
Patchstack
added 2026/03/23 7:29 p.m., 5 views

WordPress Survey plugin <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting via Plugin Settings vulnerability discovered by 0x34rth in WordPress Plugin Survey versions <= 1.1...

CVSS 4.4, AI score 5.8, EPSS 0.00245
Exploits 0, References 1, Affected Software 1