CVE-2026-27049

CVE-2026-27049 affects Jobica Core (WordPress plugin) up to version 1.4.2. The Wordfence report corroborates an authentication bypass via missing authorization (Authentication Bypass Using an Alternate Path or Channel), implying an authentication abuse vector. The initial description cites a 9.8 ...

CVE-2026-25465 WordPress CP Multi View Event Calendar plugin <= 1.4.36 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in codepeople CP Multi View Event Calendar cp-multi-view-calendar allows Stored XSS.This issue affects CP Multi View Event Calendar : from n/a through = 1.4.36...

CVE-2026-25461 WordPress Listeo Core plugin <= 2.0.21 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in purethemes Listeo Core listeo-core allows Reflected XSS.This issue affects Listeo Core: from n/a through = 2.0.21...

CVE-2026-25452

CVE-2026-25452 affects the WordPress plugin Remoji (Remoji – Post/Comment Reaction and Enhancement) with a Stored XSS vulnerability described as improper neutralization of input during web page generation. The issue targets Remoji versions from

CVE-2026-25447

CVE-2026-25447 describes an Unauthenticated remote code execution vector in the WordPress plugin Widget Wrangler (

CVE-2026-25417

Connected document confirms a concrete vulnerability: WordPress ProfileGrid plugin versions ≤ 5.9.8.1 has a Cross Site Scripting (XSS) flaw discovered by daroo. The issue affects the ProfileGrid plugin for WordPress; no explicit root cause, impact details, or exploit workflow are provided in the ...

CVE-2026-25396 WordPress Commerce Coinbase For WooCommerce plugin <= 1.6.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in CoderPress Commerce Coinbase For WooCommerce commerce-coinbase-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Commerce Coinbase For WooCommerce: from n/a through = 1.6.6...

CVE-2026-25361 WordPress WpEvently plugin <= 5.1.4 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in magepeopleteam WpEvently mage-eventpress allows Reflected XSS.This issue affects WpEvently: from n/a through = 5.1.4...

CVE-2026-25347 WordPress WP REST Cache plugin <= 2026.1.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Acato WP REST Cache wp-rest-cache allows Stored XSS.This issue affects WP REST Cache: from n/a through = 2026.1.0...

CVE-2026-25347

The connected PATCHSTACK entry identifies a Cross Site Scripting (XSS) vulnerability in the WordPress plugin WP REST Cache (versions ≤ 2026.1.0). The flaw is documented as discovered by Nguyen Ba Khanh . The provided material does not specify the exact root cause, affected components beyond the p...

CVE-2026-25346 WordPress FAQ Builder AYS plugin <= 1.8.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Ays Pro FAQ Builder AYS faq-builder-ays allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FAQ Builder AYS: from n/a through = 1.8.2...

CVE-2026-25334

CVE-2026-25334 describes an Incorrect Privilege Assignment vulnerability in the WordPress Salon Booking System Pro plugin. Versions prior to 10.30.12 are affected and allow privilege escalation, effectively an account takeover. The public details in the connected sources identify the affected pro...

CVE-2026-25334 WordPress Salon Booking System Pro plugin < 10.30.12 - Account Takeover vulnerability

Incorrect Privilege Assignment vulnerability in wordpresschef Salon Booking System Pro salon-booking-plugin-pro allows Privilege Escalation.This issue affects Salon Booking System Pro: from n/a through 10.30.12...

CVE-2026-25035 WordPress Contest Gallery plugin <= 28.1.2.2 - Account Takeover vulnerability

Authentication Bypass Using an Alternate Path or Channel vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Authentication Abuse.This issue affects Contest Gallery: from n/a through = 28.1.2.2...

CVE-2026-24989

CVE-2026-24989 describes a deserialization of untrusted data in the SUMO Affiliates Pro plugin for WordPress (affs), enabling PHP object injection. Affected: SUMO Affiliates Pro versions below 11.4.0. Root cause: deserialization of untrusted input leading to object injection. Impact: according to...

CVE-2026-24979 WordPress Jobica Core plugin <= 1.4.1 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in NooTheme Jobica Core jobica-core allows Reflected XSS.This issue affects Jobica Core: from n/a through = 1.4.1...

CVE-2026-24981 WordPress Visionary Core plugin <= 1.4.9 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in NooTheme Visionary Core noo-visionary-core allows Object Injection.This issue affects Visionary Core: from n/a through = 1.4.9...

CVE-2026-24980 WordPress Visionary Core plugin <= 1.4.9 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in NooTheme Visionary Core noo-visionary-core allows Reflected XSS.This issue affects Visionary Core: from n/a through = 1.4.9...

CVE-2026-24964

CVE-2026-24964 describes a Server-Side Request Forgery (SSRF) in the WordPress plugin Contest Gallery (contest-gallery). Affected versions are up to and including 28.1.2.1 . The root cause involves improper handling/validation of outgoing requests initiated by the plugin, enabling an attacker to ...

CVE-2026-24373 WordPress RegistrationMagic plugin <= 6.0.7.1 - Account Takeover vulnerability

Incorrect Privilege Assignment vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Privilege Escalation.This issue affects RegistrationMagic: from n/a through = 6.0.7.1...