1726 matches found

Positive Technologies
added 2026/03/21 12:0 a.m. | 4 views

PT-2026-26871

The Alfie – Feed Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'naam' parameter in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the alfie option page function combined with insufficient input sanitization and output...

CVSS 6.1 | AI score 5.8 | EPSS 0.00242
Exploits: 0 | References: 10
Patchstack
added 2026/03/20 5:18 p.m. | 4 views

WordPress WooCommerce Support Ticket System plugin < 18.5 - Arbitrary File Deletion vulnerability

Arbitrary File Deletion vulnerability discovered by Phat RiO in WordPress Plugin WooCommerce Support Ticket System versions < 18.5...

CVSS 8.6 | AI score 5.8 | EPSS 0.00371
Exploits: 0 | Affected Software: 1
Patchstack
added 2026/03/20 2:12 p.m. | 2 views

WordPress Green Downloads plugin <= 2.08 - Arbitrary File Upload vulnerability

Arbitrary File Upload vulnerability discovered by Phat RiO in WordPress Plugin Green Downloads versions <= 2.08...

CVSS 9.9 | AI score 5.8 | EPSS 0.00259
Exploits: 0 | Affected Software: 1
CNNVD
added 2026/03/19 12:0 a.m. | 3 views

WordPress plugin Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin SQL injection vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

CVSS 7.5 | AI score 5.9 | EPSS 0.00311
Exploits: 0 | References: 5
Patchstack
added 2026/03/18 1:6 p.m. | 5 views

WordPress Ultimate Post Kit plugin <= 4.0.21 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by 0xd4rk5id3 in WordPress Plugin Ultimate Post Kit versions <= 4.0.21...

CVSS 6.4 | AI score 5.8 | EPSS 0.00245
Exploits: 0 | Affected Software: 1
Patchstack
added 2026/03/16 7:57 p.m. | 4 views

WordPress Thim Kit for Elementor plugin <= 1.3.7 - Missing Authorization to Unauthenticated Private Course Disclosure vulnerability

Missing Authorization to Unauthenticated Private Course Disclosure vulnerability discovered by Youssef Elouaer in WordPress Plugin Thim Elementor Kit versions <= 1.3.7...

CVSS 5.3 | AI score 5.8 | EPSS 0.00262
Exploits: 0 | References: 1 | Affected Software: 1
Cvelist
added 2026/03/16 2:13 p.m. | 26 views

CVE-2026-25369 WordPress Flexmls® IDX plugin <= 3.15.9 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in flexmls Flexmls® IDX flexmls-idx allows Reflected XSS. This issue affects Flexmls® IDX: from n/a through <= 3.15.9...

CVSS 7.1 | EPSS 0.00149
Exploits: 0 | References: 1
Patchstack
added 2026/03/16 7:54 a.m. | 5 views

WordPress Curly Core plugin <= 2.1.6 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Plugin Curly Core versions <= 2.1.6...

CVSS 8.1 | AI score 5.8 | EPSS 0.00403
Exploits: 0 | Affected Software: 1
Positive Technologies
added 2026/03/16 12:0 a.m. | 4 views

PT-2026-25843

The Google Cloud Storage for Craft CMS plugin provides a Google Cloud Storage integration for Craft CMS. In versions on the 2.x branch prior to 2.2.1, the DefaultController-actionLoadBucketData endpoint allows unauthenticated users with a valid CSRF token to view a list of buckets that the plugin...

CVSS 6.9 | AI score 5.8 | EPSS 0.00344
Exploits: 0 | References: 7
Cvelist
added 2026/03/13 11:42 a.m. | 24 views

CVE-2026-32456 WordPress Admin Menu Editor plugin <= 1.14.1 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Janis Elsts Admin Menu Editor admin-menu-editor allows Cross Site Request Forgery. This issue affects Admin Menu Editor: from n/a through <= 1.14.1...

CVSS 4.3 | EPSS 0.00097
Exploits: 0 | References: 1
Vulnrichment
added 2026/03/13 11:41 a.m. | 2 views

CVE-2026-31917 WordPress WP ERP plugin <= 1.16.10 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in weDevs WP ERP erp allows SQL Injection. This issue affects WP ERP: from n/a through <= 1.16.10...

CVSS 8.5 | AI score 5.8 | EPSS 0.00308
Exploits: 0 | References: 1
CNNVD
added 2026/03/13 12:0 a.m. | 3 views

WordPress plugin WPC Smart Wishlist for WooCommerce security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

CVSS 4.3 | AI score 5.8 | EPSS 0.00193
Exploits: 0 | References: 1
Patchstack
added 2026/03/10 9:40 p.m. | 7 views

WordPress Booktics plugin <= 1.0.16 - Missing Authorization to Get Items via REST API endpoints vulnerability

Missing Authorization to Get Items via REST API endpoints vulnerability discovered by Kazuma Matsumoto - GMO Cybersecurity by IERAE, Inc. in WordPress Plugin Booktics versions <= 1.0.16...

CVSS 5.3 | AI score 5.8 | EPSS 0.00261
Exploits: 0 | References: 1 | Affected Software: 1
Patchstack
added 2026/03/08 11:14 p.m. | 4 views

WordPress Themify Event Post plugin <= 1.3.4 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting (XSS) vulnerability discovered by zaim in WordPress Plugin Themify Event Post versions <= 1.3.4...

CVSS 6.5 | AI score 5.8 | EPSS 0.00133
Exploits: 0 | Affected Software: 1
Patchstack
added 2026/03/07 2:41 p.m. | 5 views

WordPress Elementor Website Builder plugin <= 3.35.5 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by davidfdzmorilla in WordPress Plugin Elementor Website Builder versions <= 3.35.5...

CVSS 2.7 | AI score 5.8 | EPSS 0.00183
Exploits: 0 | Affected Software: 1
CVE
added 2026/03/05 5:54 a.m. | 13 views

CVE-2026-28133

CVE-2026-28133 describes an Unrestricted Upload of a File with a Dangerous Type vulnerability in the WP Chill Filr filr-protection plugin, enabling an attacker to upload a Web Shell to the server. Affected product/component: Filr (filr-protection) versions up to and including 1.2.14. The CVSS v3....

CVSS 8.5 | AI score 5.9 | EPSS 0.00212
Exploits: 0 | References: 1
CVE
added 2026/03/05 5:54 a.m. | 17 views

CVE-2026-28114

CVE-2026-28114 is a vulnerability in the WordPress plugin WooCommerce License Manager (fs-license-manager) affecting versions up to and including 7.0.6. It is an Arbitrary File Upload (Unrestricted Upload of File with Dangerous Type) that can enable a Web Shell upload to the web server. Attack re...

CVSS 9.1 | AI score 5.9 | EPSS 0.00278
Exploits: 0 | References: 1
CVE
added 2026/03/05 5:53 a.m. | 26 views

CVE-2026-27373

CVE-2026-27373: WordPress Tablesome plugin (Tablesome) <= 1.2.3 has an SQL Injection vulnerability due to improper neutralization of special elements, enabling Blind SQL Injection. Affected product/version: Tablesome specified as <= 1.2.3; root cause: improper sanitization of SQL queries; ...

CVSS 8.5 | AI score 6 | EPSS 0.0026
Exploits: 0 | References: 1
CVE
added 2026/03/05 5:53 a.m. | 7 views

CVE-2025-69340

CVE-2025-69340 is a Missing Authorization vulnerability in the WordPress plugin WeDesignTech Ultimate Booking Addon (versions up to 1.0.3). The issue enables improper access control (broken/unauthorized access) with a CVSS v3.1 base score of 7.5 (HIGH) and network attack vector with no user inter...

CVSS 7.5 | AI score 5.9 | EPSS 0.00407
Exploits: 0 | References: 1
Cvelist
added 2026/03/05 5:53 a.m. | 24 views

CVE-2025-68515 WordPress WP Booking System plugin <= 2.0.19.12 - Sensitive Data Exposure vulnerability

Insertion of Sensitive Information Into Sent Data vulnerability in Roland Murg WP Booking System wp-booking-system allows Retrieve Embedded Sensitive Data. This issue affects WP Booking System: from n/a through <= 2.0.19.12...

CVSS 5.8 | EPSS 0.00316
Exploits: 0 | References: 1