PT-2026-26865

The Build App Online plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.23. This is due to the plugin registering the 'build-app-online-update-vendor-product' AJAX action via wp ajax nopriv without proper authentication checks, capability...

WordPress Contact List plugin <= 3.0.18 - Authenticated (Contributor+) Stored Cross-Site Scripting via '_cl_map_iframe' Parameter vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'clmapiframe' Parameter vulnerability discovered by Tharadol Suksamran d3kc4rt1 in WordPress Plugin Contact List versions = 3.0.18...

WordPress Image Alt Text Manager plugin <= 1.8.2 - Authenticated (Author+) Stored Cross-Site Scripting via Post Title vulnerability

Authenticated Author+ Stored Cross-Site Scripting via Post Title vulnerability discovered by WordFence in WordPress Plugin Alt Manager versions = 1.8.2...

WordPress Lumise Product Designer plugin < 2.0.9 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Jarno Vos jrn5151 in WordPress Plugin Lumise Product Designer versions 2.0.9...

WordPress plugin RockPress 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVE-2026-32036

OpenClaw gateway plugin (versions before 2026.2.26) is affected by a path traversal flaw in /api/channels that lets an attacker bypass route authentication by using encoded dot-segment traversal. The underlying issue arises when path normalization does not block alternate paths, enabling access t...

CVE-2026-32036

OpenClaw gateway plugin versions prior to 2026.2.26 contain a path traversal vulnerability that allows remote attackers to bypass route authentication checks by manipulating /api/channels paths with encoded dot-segment traversal sequences. Attackers can craft alternate paths using encoded travers...

WordPress Photo Gallery, Sliders, Proofing and Themes - NextGEN Gallery plugin <= 4.0.4 - Authenticated (Author+) Local File Inclusion vulnerability

WordPress Photo Gallery, Sliders, Proofing and Themes - NextGEN Gallery plugin = 4.0.4 - Authenticated Author+ Local File Inclusion vulnerability discovered by WordFence in WordPress Plugin NextGEN Gallery versions = 4.0.4...

The Query Monitor plugin for WordPress has Reflected Cross-Site Scripting via Request URI

Impact The Query Monitor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'REQUESTURI' parameter in all versions up to, and including, 3.20.3 due to insufficient output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web script...

CVE-2025-53222

CVE-2025-53222 affects tagDiv Opt-In Builder (td-subscription) and is a Reflected XSS in input that is generated into web pages. Affected versions are from unspecified starting point up to and including 1.7.3. The issue has a CVSS v3.1 base score of 7.1 ( HIGH ), with network attack vector, low t...

CVE-2025-50001 WordPress tagDiv Composer plugin <= 5.4.2 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in tagDiv tagDiv Composer td-composer allows Reflected XSS.This issue affects tagDiv Composer: from n/a through = 5.4.2...

CVE-2025-50001

CVE-2025-50001 : Reflected Cross-Site Scripting in the WordPress plugin tagDiv Composer (td-composer) up to version

CVE-2025-32223 WordPress Tutor LMS plugin <= 3.9.4 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through = 3.9.4...

CVE-2026-27413

CVE-2026-27413 is a SQL Injection vulnerability in the WordPress plugin Profile Builder Pro (the Profile Builder Pro component). The issue is described as an improper neutralization of special elements used in SQL commands, allowing Blind SQL Injection. Affected versions are Profile Builder Pro: ...

CVE-2026-27540 WordPress Woocommerce Wholesale Lead Capture plugin <= 2.0.3.1 - Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture woocommerce-wholesale-lead-capture allows Using Malicious Files.This issue affects Woocommerce Wholesale Lead Capture: from n/a through = 2.0.3.1...

CVE-2026-28044

The CVE-2026-28044 entry concerns WP Rocket (WordPress plugin)

WordPress plugin tagDiv Composer 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application plugin. The WordPre...

PT-2026-26249

Authorization Bypass Through User-Controlled Key vulnerability in Really Simple Plugins B.V. Really Simple Security Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Really Simple Security Pro: from n/a through 9.5.4.0...

WordPress Nexa Blocks plugin <= 1.1.1 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Nabil Irawan in WordPress Plugin Nexa Blocks versions = 1.1.1...

WordPress Hide My WP Ghost plugin < 7.0.00 - Open Redirection vulnerability

Open Redirection vulnerability discovered by Or Benit in WordPress Plugin Hide My WP Ghost versions 7.0.00...