EUVD-2026-3144

The CM E-Mail Blacklist – Simple email filtering for safer registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blackemail' parameter in all versions up to, and including, 1.6.2. This is due to insufficient input sanitization and output escaping. This makes it...

CVE-2025-13725

The Gutenberg Thim Blocks – Page Builder, Gutenberg Blocks for the Block Editor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 1.0.1. This is due to insufficient path validation in the server-side rendering of the thim-blocks/icon block. This make...

WordPress Plugin RegistrationMagic has a security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

WordPress plugin CM E-Mail Blacklist – Simple email filtering for safer registrations. Cross-site scripting vulnerabilities

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

CVE-2012-10064

Omni Secure Files plugin versions prior to 0.1.14 contain an arbitrary file upload vulnerability in the bundled plupload example endpoint. The /wp-content/plugins/omni-secure-files/plupload/examples/upload.php handler allows unauthenticated uploads without enforcing safe file type restrictions,...

WordPress Frontend File Manager plugin <= 23.5 - Insecure Direct Object References (IDOR) vulnerability

Insecure Direct Object References IDOR vulnerability discovered by Mdr in WordPress Plugin Frontend File Manager versions = 23.5...

WordPress Peach Payments Gateway plugin <= 3.3.6 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Peach Payments Gateway versions = 3.3.6...

WordPress Syntax Highlighter Compress plugin <= 3.0.83.3 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting XSS vulnerability discovered by 0xVenus in WordPress Plugin Syntax Highlighter Compress versions = 3.0.83.3...

CVE-2026-0913

CVE-2026-0913 affects the WordPress plugin User Submitted Posts – Enable Users to Submit Posts from the Front End. It enables Stored Cross-Site Scripting via the usp_access shortcode due to insufficient input sanitization/output escaping on user-supplied attributes. Valid for all versions up to a...

CVE-2026-1004 Essential Addons for Elementor <= 6.5.5 - Missing Authorization to Unauthenticated Sensitive Information Exposure

The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eaelproductquickviewpopup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for...

WordPress Membership Plugin - Restrict Content plugin <= 3.2.16 - Missing Authentication to Insecure Direct Object Reference and Sensitive Information Exposure vulnerability

WordPress Membership Plugin - Restrict Content plugin = 3.2.16 - Missing Authentication to Insecure Direct Object Reference and Sensitive Information Exposure vulnerability discovered by andrea bocchetti in WordPress Plugin Restrict Content versions = 3.2.16...

CVE-2025-14384

CVE-2025-14384 affects the All in One SEO – Powerful SEO Plugin for WordPress (versions ≤ 4.9.2). It arises from a missing capability check on the REST route /aioseo/v1/ai/credits, allowing authenticated users with Contributor-level access and above to disclose the global AI access token. Wordfen...

PT-2026-3215

The Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 21.0.9 via the MfaGoogleAuthToggle class due to missing validation on a user controlled key. This makes it possible...

EUVD-2026-2734

solspace/craft-freeform Has a DoS Vulnerability...

WordPress NextMove Lite plugin <= 2.23.0 - Insecure Direct Object References (IDOR) vulnerability

Insecure Direct Object References IDOR vulnerability discovered by PPzzAArr in WordPress Plugin NextMove Lite versions = 2.23.0...

WordPress plugin “Drag and Drop Multiple File Upload for Contact Form” has security vulnerabilities

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that extends the...

WordPress Penci Review plugin <= 3.5 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Penci Review versions = 3.5...

CVE-2025-15513 Float Payment Gateway <= 1.1.9 - Improper Authorization to Unauthenticated Order Status Manipulation

The Float Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to improper error handling in the verifyFloatResponse function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to mark any WooCommerce order as...

CVE-2025-14770

CVE-2025-14770 concerns the WordPress plugin Shipping Rate By Cities. Connected sources confirm an SQL Injection vulnerability introduced by insufficient escaping and underpreparation of the city parameter, affecting versions up to and including 2.0.0. The flaw allows unauthenticated attackers to...

CVE-2025-15283 Name Directory <= 1.30.3 - Unauthenticated Stored Cross-Site Scripting via Multiple Parameters

The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'namedirectoryname' and 'namedirectorydescription' parameters in all versions up to, and including, 1.30.3 due to insufficient input sanitization and output escaping. This makes it possible for...