CVE-2026-2571

The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'reviewUserStatus' function in all versions up to, and including, 3.3.49. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...

CVE-2026-2121

The Weaver Show Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'addclass' parameter in all versions up to, and including, 1.8.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...

CVE-2026-4766

The Easy Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gallery shortcode post meta field in all versions up to, and including, 1.5.3. This is due to insufficient input sanitization and output escaping on user-supplied gallery shortcode values. This makes ...

CVE-2026-3045

The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to and including 1.6.9.29. This is due to two compounding weaknesses: 1 a non-user-bound publicnonce is exposed to unauthenticated users...

WordPress Seriously Simple Podcasting plugin <= 3.14.2 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by hivesec in WordPress Plugin Seriously Simple Podcasting versions = 3.14.2...

WordPress plugin Shared Files 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVE-2026-32567

CVE-2026-32567 affects the WordPress plugin WordPress YML for Yandex Market (

CVE-2026-32573 WordPress Nelio AB Testing plugin <= 8.2.7 - Remote Code Execution (RCE) vulnerability

Improper Control of Generation of Code 'Code Injection' vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Code Injection.This issue affects Nelio AB Testing: from n/a through = 8.2.7...

CVE-2026-32567 WordPress YML for Yandex Market plugin < 5.3.0 - Arbitrary File Deletion vulnerability

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in icopydoc YML for Yandex Market yml-for-yandex-market allows Path Traversal.This issue affects YML for Yandex Market: from n/a through 5.3.0...

CVE-2026-32530 WordPress Creator LMS plugin <= 1.1.18 - Privilege Escalation vulnerability

Incorrect Privilege Assignment vulnerability in WPFunnels Creator LMS creatorlms allows Privilege Escalation.This issue affects Creator LMS: from n/a through = 1.1.18...

CVE-2026-32525

JetFormBuilder WordPress plugin versions

CVE-2026-32524 WordPress Photo Engine plugin <= 6.4.9 - Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in Jordy Meow Photo Engine wplr-sync allows Upload a Web Shell to a Web Server.This issue affects Photo Engine: from n/a through = 6.4.9...

CVE-2026-32525 WordPress JetFormBuilder plugin <= 3.5.6.1 - Remote Code Execution (RCE) vulnerability

Improper Control of Generation of Code 'Code Injection' vulnerability in jetmonsters JetFormBuilder jetformbuilder allows Code Injection.This issue affects JetFormBuilder: from n/a through = 3.5.6.1...

CVE-2026-32521 WordPress WP Custom Admin Interface plugin <= 7.42 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Northern Beaches Websites WP Custom Admin Interface wp-custom-admin-interface allows DOM-Based XSS.This issue affects WP Custom Admin Interface: from n/a through = 7.42...

CVE-2026-32523 WordPress WPJAM Basic plugin <= 6.9.2 - Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in denishua WPJAM Basic wpjam-basic allows Using Malicious Files.This issue affects WPJAM Basic: from n/a through = 6.9.2...

CVE-2026-32499

CVE-2026-32499 is an unauthenticated SQL injection in the WordPress WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin (WPBot) up to version 7.7.9. Root cause is improper neutralization of input in the plugin’s SQL queries, allowing blind SQL injection. Public details in con...

CVE-2026-32496

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in NYSL Spam Protect for Contact Form 7 wp-contact-form-7-spam-blocker allows Path Traversal.This issue affects Spam Protect for Contact Form 7: from n/a through = 1.2.9...

CVE-2026-32491 WordPress WP Review Slider plugin <= 13.9 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in jgwhite33 WP Review Slider wp-facebook-reviews allows Stored XSS.This issue affects WP Review Slider: from n/a through = 13.9...

CVE-2026-27071 WordPress WPCafe plugin <= 3.0.7 - Broken Access Control vulnerability

Missing Authorization vulnerability in Arraytics WPCafe wp-cafe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPCafe: from n/a through = 3.0.7...

CVE-2026-27049

CVE-2026-27049 affects Jobica Core (WordPress plugin) up to version 1.4.2. The Wordfence report corroborates an authentication bypass via missing authorization (Authentication Bypass Using an Alternate Path or Channel), implying an authentication abuse vector. The initial description cites a 9.8 ...