CVE-2026-8681 Essential Chat Support <= 1.0.1 - Missing Authorization to Unauthenticated Settings Reset via 'ecs_reset_settings' Parameter

The Essential Chat Support plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to reset all...

WordPress myCred plugin <= 3.0.4 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by thevietronin in WordPress Plugin myCred versions = 3.0.4...

CVE-2026-4094

The FOX – Currency Switcher Professional for WooCommerce WordPress plugin (versions up to and including 1.4.5) is affected by an unauthorized data-loss vulnerability due to a missing capability check on the admin_head function, enabling authenticated attackers with Contributor-level access (and s...

WordPress Classified Listing – AI-Powered Classified ads & Business Directory Plugin plugin <= 5.3.10 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Modification vulnerability discovered by momopon1415 in WordPress Plugin Classified Listing versions = 5.3.10...

WordPress Notify Odoo plugin <= 1.0.1 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by Legion Hunter in WordPress Plugin Notify Odoo versions = 1.0.1...

CVE-2026-41937

Vvveb before 1.0.8.3 contains an unrestricted file upload vulnerability in the plugin upload endpoint that allows superadmin users to execute arbitrary PHP code by uploading a malicious plugin ZIP file. Attackers can craft a ZIP containing a plugin.php with a valid Slug header and a...

CVE-2026-4030

The Database Backup for WordPress plugin for WordPress is vulnerable to unauthorized arbitrary file read and deletion in all versions up to, and including, 2.5.2. This is due to the plugin not properly enforcing the return value of its authorization check combined with a user-controlled backup...

WordPress ManageWP Worker plugin <= 4.9.31 - Unauthenticated Stored Cross-Site Scripting vulnerability

Unauthenticated Stored Cross-Site Scripting vulnerability discovered by timomangcut in WordPress Plugin ManageWP Worker versions = 4.9.31...

CVE-2026-6504 Royal Addons for Elementor <= 1.7.1058 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title_tag' Parameter

The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'titletag' parameter in all versions up to, and including, 1.7.1058 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wi...

EUVD-2026-30248

The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 6.5.13. This is due to insufficient role validation in the 'registeruser' function, which only blocks the 'administrator' rol...

WordPress WP Directory Kit plugin <= 1.5.1 - SQL Injection vulnerability

SQL Injection vulnerability discovered by daroo in WordPress Plugin WP Directory Kit versions = 1.5.1...

Strapi 代码问题漏洞

Strapi is an open-source content management system CMS developed by the Strapi community in France. Versions of Strapi prior to 5.33.3 had code vulnerabilities. These vulnerabilities stemmed from a flaw in the Content API endpoint of the Upload plugin, which did not enforce the MIME type...

Strapi 安全漏洞

Strapi is an open-source content management system CMS developed by the Strapi community in France. Versions of Strapi prior to 5.45.0 contained security vulnerabilities. These vulnerabilities stemmed from a rate-limiting mechanism in the users-permissions plugin, which derived rate-limiting keys...

PT-2026-41013

Name of the Vulnerable Software and Affected Versions GStreamer gst-plugins-good versions prior to 1.28.2 Description An issue exists when parsing MP4 audio tracks where the isomp4 plugin's qtdemux audio caps function fails to sufficiently validate atom data before performing division operations...

CVE-2026-3426

CVE-2026-3426: The RTMKit Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on save_widget() and reset_all_widgets() in all versions up to 2.0.2. This allows authenticated attackers with Author-level access and above to m...

CVE-2025-14033 ilGhera Support System for WooCommerce <= 1.3.0 - Missing Authorization to Unauthenticated Sensitive Information Exposure

The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'getticketcontentcallback' function in all versions up to, and including, 1.3.0. This makes it possible for unauthenticated attackers to view any...

PT-2026-40586

The Hostinger Reach – AI-Powered Email Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle ajax action' function in all versions up to, and including, 1.3.8. This makes it possible for authenticated...

WordPress Broadstreet plugin <= 1.53.1 - Authenticated (Subscriber+) Information Disclosure vulnerability

Authenticated Subscriber+ Information Disclosure vulnerability discovered by greenhats - Student in WordPress Plugin Broadstreet Ads versions = 1.53.1...

CVE-2026-42742 WordPress Views for WPForms plugin <= 3.4.6 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Aman Views for WPForms views-for-wpforms-lite allows Blind SQL Injection.This issue affects Views for WPForms: from n/a through = 3.4.6...

CVE-2026-6813

The Continually plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...