WordPress Citations tools plugin <= 0.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'code' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'code' Shortcode Attribute vulnerability discovered by Gilang - DJ in WordPress Plugin Citations tools versions = 0.3.2...

WordPress FastDup - Fastest WordPress Migration & Duplicator plugin <= 2.7.1 - Missing Authorization to Authenticated (Contributor+) Backup Creation and Download vulnerability

WordPress FastDup - Fastest WordPress Migration & Duplicator plugin = 2.7.1 - Missing Authorization to Authenticated Contributor+ Backup Creation and Download vulnerability discovered by WordFence in WordPress Plugin FastDup versions = 2.7.1...

WordPress plugin Activity Log for WordPress 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that extends the...

CVE-2026-1748

The Invoct – PDF Invoices & Billing for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access...

WordPress Custom Block Builder - Lazy Blocks plugin <= 4.2.0 - Authenticated (Contributor+) Remote Code Execution vulnerability

WordPress Custom Block Builder - Lazy Blocks plugin = 4.2.0 - Authenticated Contributor+ Remote Code Execution vulnerability discovered by Youssef Elouaer - ISET ZAGHOUAN in WordPress Plugin Lazy Blocks versions = 4.2.0...

CVE-2026-0815

The Category Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag-image' parameter in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and...

CVE-2026-1786

The Twitter posts to Blog plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'dgtwoptions' function in all versions up to, and including, 1.11.25. This makes it possible for unauthenticated attackers to update plugin settings including...

CVE-2026-1821

The CVE concerns the WordPress Microtango plugin (versions

WordPress Twitter posts to Blog plugin <= 1.11.25 - Missing Authorization to Unauthenticated Plugin Settings Update vulnerability

Missing Authorization to Unauthenticated Plugin Settings Update vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin Twitter posts to Blog versions = 1.11.25...

WordPress plugin Twitter posts to Blog 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. Version...

WordPress plugin Server Log Viewer 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVE-2026-2214

A weakness has been identified in code-projects for Plugin 1.0. This affects an unknown part of the file /Administrator/PHP/AdminAddAlbum.php. This manipulation of the argument txtalbum causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made availabl...

WordPress Miraculous Elementor plugin <= 2.0.7 - Broken Authentication vulnerability

Broken Authentication vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Miraculous Elementor versions = 2.0.7...

WordPress The Events Calendar Shortcode & Block plugin <= 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin The Events Calendar Shortcode & Block versions = 3.1.2...

CVE-2026-2214

A weakness has been identified in code-projects for Plugin 1.0. This affects an unknown part of the file /Administrator/PHP/AdminAddAlbum.php. This manipulation of the argument txtalbum causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made availabl...

CVE-2026-1611 Wikiloops Track Player <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The Wikiloops Track Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wikiloops shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2026-1570

The Simple Bible Verse via Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's verse shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

WordPress plugin Bold Page Builder 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

WordPress TITLE ANIMATOR plugin <= 1.0 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin TITLE ANIMATOR versions = 1.0...

CVE-2026-1654

The Peter's Date Countdown plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...