WordPress Wholesale Suite plugin <= 2.2.6 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by Teemu Saarentaus in WordPress Plugin Wholesale Suite versions <= 2.2.6...
CVE-2026-24950 WordPress Authorsy plugin <= 1.0.6 - Insecure Direct Object References (IDOR) vulnerability
Authorization Bypass Through User-Controlled Key vulnerability in themeplugs Authorsy authorsy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Authorsy: from n/a through <= 1.0.6...
CVE-2026-24953
CVE-2026-24953 is a path traversal vulnerability in WordPress plugin Simple File List (versions 6.1.15, or apply vendor-provided fixes as available.
CVE-2026-24948
CVE-2026-24948 is a reflected XSS vulnerability in the WordPress plugin Reflector (fox-themes Reflector reflector-plugins) affecting versions up to and including 1.2.2. The issue arises from improper input neutralization during web page generation, enabling Reflected XSS. Public sources in connec...
CVE-2026-24944
Missing Authorization vulnerability in weDevs Subscribe2 subscribe2 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Subscribe2: from n/a through <= 10.44...
CVE-2026-22352 WordPress Persian Woocommerce SMS plugin <= 7.1.1 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in PersianScript Persian Woocommerce SMS persian-woocommerce-sms allows Reflected XSS. This issue affects Persian Woocommerce SMS: from n/a through <= 7.1.1...
CVE-2025-69398
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ThemeREX Plank plank allows PHP Local File Inclusion. This issue affects Plank: from n/a through <= 1.7...
CVE-2025-69384 WordPress Timeline Event History plugin <= 3.2 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in wpdiscover Timeline Event History timeline-event-history allows Reflected XSS. This issue affects Timeline Event History: from n/a through <= 3.2...
CVE-2025-69377
CVE-2025-69377 : WordPress WordPress User Extra Fields plugin (wp-user-extra-fields)
CVE-2025-69326 WordPress NEX-Forms plugin <= 9.1.7 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Basix NEX-Forms nex-forms-express-wp-form-builder allows Reflected XSS. This issue affects NEX-Forms: from n/a through <= 9.1.7...
CVE-2025-69309
CVE-2025-69309 affects WordPress plugin Saasplate Core (saasplate-core) up to and including version 1.2.8, due to improper neutralization of special elements in SQL queries, enabling Blind SQL Injection. Affected versions range from n/a through 1.2.8; Red Hat and CVE listings corroborate this sco...
CVE-2025-68862
CVE-2025-68862 is a path traversal vulnerability in the WordPress plugin Woo File Dropzone (woo-file-dropzone) affecting versions up to and including 1.1.7. The issue enables traversal outside the intended directory, with Red Hat and NVD entries describing it as an improper limitation of a pathna...
CVE-2025-68848 WordPress amr cron manager plugin <= 2.3 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in anmari amr cron manager amr-cron-manager allows Reflected XSS. This issue affects amr cron manager: from n/a through <= 2.3...
CVE-2025-68843 WordPress FeedWordPress Advanced Filters plugin <= 0.6.2 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Bas Schuiling FeedWordPress Advanced Filters faf allows Reflected XSS. This issue affects FeedWordPress Advanced Filters: from n/a through <= 0.6.2...
CVE-2025-68846 WordPress Asynchronous Javascript plugin <= 1.3.5 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Paris Holley Asynchronous Javascript asynchronous-javascript allows Reflected XSS. This issue affects Asynchronous Javascript: from n/a through <= 1.3.5...
CVE-2025-68845
CVE-2025-68845 corresponds to a Reflected XSS in the WordPress plugin “eDS Responsive Menu” (eds-responsive-menu) by aThemeArt Translations. The vulnerability stems from improper input neutralization during web page generation, allowing reflected cross-site scripting. Affected range: eds-responsi...
CVE-2025-68501
CVE-2025-68501 : Mollie Payments for WooCommerce (plugin for WordPress) up to version 8.1.1 suffers a Reflected XSS due to improper input neutralization during web page generation. Public info lists affected software as Mollie Payments for WooCommerce ≤ 8.1.1, with remediation recommended as upgr...
CVE-2025-68026 WordPress LC Wizard plugin <= 2.1.1 - Settings Change vulnerability
Missing Authorization vulnerability in Niaj Morshed LC Wizard ghl-wizard allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LC Wizard: from n/a through <= 2.1.1...
CVE-2025-67998 WordPress Miraculous Elementor plugin <= 2.0.7 - Broken Authentication vulnerability
Authentication Bypass Using an Alternate Path or Channel vulnerability in kamleshyadav Miraculous Elementor miraculous-el allows Authentication Abuse. This issue affects Miraculous Elementor: from n/a through <= 2.0.7...
CVE-2025-67991 WordPress User Extra Fields plugin <= 16.8 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Reflected XSS. This issue affects User Extra Fields: from n/a through <= 16.8...