CVE-2026-24365

CVE-2026-24365 is a CSRF vulnerability in storeapps Stock Manager for WooCommerce (woocommerce-stock-manager). Affected versions are

CVE-2026-22470

The CVE-2026-22470 entry concerns the FireStorm Real Estate Plugin for WordPress (FireStorm Professional Real Estate) and describes an authenticated SQL Injection affecting the plugin version range from n/a up to and including 2.7.11. Multiple sources (NVD, Red Hat, CIRCL, and CVE list) corrobora...

CVE-2026-22463 WordPress Form to Chat App plugin <= 1.2.5 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Micro.company Form to Chat App form-to-chat allows Stored XSS.This issue affects Form to Chat App: from n/a through = 1.2.5...

CVE-2026-22445 WordPress Apimo Connector plugin <= 2.6.5.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Proptech Plugin Apimo Connector apimo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Apimo Connector: from n/a through = 2.6.5.2...

CVE-2026-22360

CVE-2026-22360 is a CSRF vulnerability in the WordPress plugin SearchAzon (AA-Team/SearchAzon) affecting versions from n/a through 1.4. Descriptions from NVD/Red Hat/NVD list Cross-Site Request Forgery as the issue; exploitation status is not indicated in the provided documents. The available sou...

CVE-2026-22388 WordPress Owl Carousel WP plugin <= 2.2.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Imran Emu Owl Carousel WP owl-carousel-wp allows Stored XSS.This issue affects Owl Carousel WP: from n/a through = 2.2.2...

CVE-2026-22355

CVE-2026-22355 describes a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin Simple XML Sitemap (alias: simple-xml-sitemap) that allows a Stored XSS. The affected product is listed as Simple XML Sitemap with versionsfrom n/a through

CVE-2025-69101 WordPress Workreap Core plugin <= 3.4.1 - Broken Authentication vulnerability

Authentication Bypass Using an Alternate Path or Channel vulnerability in AmentoTech Workreap Core workreapcore allows Authentication Abuse.This issue affects Workreap Core: from n/a through = 3.4.1...

CVE-2025-69098 WordPress Hide My WP plugin <= 6.2.12 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in wpWave Hide My WP hidemywp allows Reflected XSS.This issue affects Hide My WP: from n/a through = 6.2.12...

CVE-2025-69097 WordPress WPLMS plugin <= 1.9.9.5.4 - Arbitrary File Deletion vulnerability

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in VibeThemes WPLMS wplmsplugin allows Path Traversal.This issue affects WPLMS: from n/a through = 1.9.9.5.4...

CVE-2025-69055 WordPress BM Content Builder plugin < 3.16.3.3 - Arbitrary File Download vulnerability

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in SeaTheme BM Content Builder bm-builder allows Path Traversal.This issue affects BM Content Builder: from n/a through 3.16.3.3...

CVE-2025-69053

CVE-2025-69053 describes a Reflected XSS in the Universal Video Player WordPress plugin (universal-video-player) affecting version(s) up to 3.8.4. The issue is caused by improper input neutralization during web page generation. Public sources in the provided documents confirm the vulnerability an...

CVE-2025-69036 WordPress Tech Life CPT plugin <= 16.4 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in strongholdthemes Tech Life CPT techlife-cpt allows Object Injection.This issue affects Tech Life CPT: from n/a through = 16.4...

CVE-2025-69035

Deserialization of Untrusted Data vulnerability in strongholdthemes Dental Care CPT dentalcare-cpt allows Object Injection.This issue affects Dental Care CPT: from n/a through = 20.2...

CVE-2025-68999 WordPress Happy Addons for Elementor plugin <= 3.20.4 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in HappyMonster Happy Addons for Elementor happy-elementor-addons allows Blind SQL Injection.This issue affects Happy Addons for Elementor: from n/a through = 3.20.4...

CVE-2025-68905 WordPress JNews - Pay Writer plugin <= 11.0.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in jegtheme JNews - Pay Writer jnews-pay-writer allows PHP Local File Inclusion.This issue affects JNews - Pay Writer: from n/a through = 11.0.0...

CVE-2025-68869 WordPress LazyTasks plugin <= 1.2.37 - Privilege Escalation vulnerability

Incorrect Privilege Assignment vulnerability in LazyCoders LLC LazyTasks lazytasks-project-task-management allows Privilege Escalation.This issue affects LazyTasks: from n/a through = 1.2.37...

CVE-2025-68864 WordPress Infility Global plugin <= 2.15.11 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Infility Infility Global infility-global allows Stored XSS.This issue affects Infility Global: from n/a through = 2.15.11...

CVE-2025-68849 WordPress Quote Master plugin <= 7.1.1 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Frank Corso Quote Master quote-master allows Reflected XSS.This issue affects Quote Master: from n/a through = 7.1.1...

CVE-2025-68857 WordPress Paid Downloads plugin <= 3.15 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in ichurakov Paid Downloads paid-downloads allows Blind SQL Injection.This issue affects Paid Downloads: from n/a through = 3.15...