CVE-2026-10753

The CVE-2026-10753 entry concerns the Site Kit by Google WordPress plugin (pre-1.176.0). Root cause: a REST API write endpoint did not properly restrict access, allowing lower-privileged users with dashboard sharing (e.g., Editors) to modify a site-wide Site Kit setting that should be admin-only....

CVE-2026-10735

CVE-2026-10735 corresponds to a supply‑chain compromise of ShapedPlugin Pro products. Pro plugins (Product Slider Pro for WooCommerce, Real Testimonials Pro, Smart Post Show Pro) were distributed via the vendor’s update channel with a backdoor loader (LicenseLoader.php) that runs on admin_init an...

CVE-2026-10749

The Post Duplicator WordPress plugin is affected by CVE-2026-10749 in versions before 3.0.15. During post duplication, attacker-supplied serialized values are stored without the WordPress meta API’s double-serialization protection, enabling PHP Object injection by users with Contributor-level acc...

CVE-2026-9709

The CVE concerns the premium Cornerstone WordPress page builder (bundled with X Theme) prior to version 7.8.9. A REST API route fails to enforce capability checks, allowing any authenticated user to disclose other users’ metadata, including roles, session token previews, and stored billing/shippi...

CVE-2026-10531

CVE-2026-10531 concerns the AI Share & Summarize WordPress plugin, affected older releases prior to 2.0.4. The vulnerability stems from insufficient sanitization/escaping of some shortcode attributes, specifically title_style, before output. This enables a stored Cross‑Site Scripting (XSS) attack...

CVE-2026-11997

CVE-2026-11997 affects the WordPress plugin Bulk SEO Image

CVE-2026-8622

The CVE-2026-8622 entry concerns the WordPress plugin Image Sizes on Demand (versions affected: all up to and including 1.3). The vulnerability is a Reflected Cross-Site Scripting (XSS) via the PHP_SELF server variable caused by insufficient input sanitization and output escaping. It allows unaut...

CVE-2026-9612

The WhatsOrder – Instant Checkout for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.1 via the yapacdevgenerateorderpdf. This makes it possible for unauthenticated attackers to extract sensitive customer PII and order...

CVE-2026-9620

CVE-2026-9620 concerns the WordPress plugin WP Latest Posts (≤ 5.0.11). It enables a Stored Cross-Site Scripting (XSS) via crafted image src attributes in post content. The root cause is insufficient output escaping in the plugin’s field() and loop() functions, which extract the raw src from img ...

CVE-2026-8688

The Advance Nav Menu Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

CVE-2026-8865

CVE-2026-8865 affects the Avalon23 Products Filter for WooCommerce WordPress plugin (

CVE-2026-9183

The 24liveblog - live blog tool plugin for WordPress is vulnerable to Exposure of Sensitive Information in versions up to, and including, 2.2. This is due to the lb24blockenqueuescripts function being hooked to enqueueblockeditorassets and, for any non-administrator user, falling back to loading...

CVE-2026-8896

The CVE-2026-8896 entry concerns the MIR blocks and shortcodes plugin for WordPress. Affected component: the msc_stats shortcode in versions up to 1.0.0. Issue: insufficient input sanitization and output escaping for shortcode attributes (e.g., title, ready_animation_text) inside the msc_stats() ...

CVE-2026-12416

The CVE affects the WordPress Invoice Generator plugin up to version 1.0.0. The root cause is pravel_invoice_change_password(), registered as a nopriv AJAX handler without nonce or authorization checks, which compares the supplied reset_activation_code to the user’s forgot_email meta with a loose...

CVE-2026-9643

WP Meta SEO for WordPress insert(). This allows injection of arbitrary scripts that execute when an administrator visits the 404 & Redirects admin page (/wp-admin/admin.php?page=metaseo_broken_link). Exploitation details are not provided beyond the generic flow; no fixes, mitigations, or exploita...

CVE-2026-9172

The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to unauthorized modification/deletion of data due to a missing capability check on the deletesingleaccount function in versions up to, and including, 1.2.0. The REST route...

CVE-2026-6292

The MP Customize Login Page plugin for WordPress is vulnerable to Cross-Site Request Forgery CSRF in all versions up to and including 1.0. This is due to a completely broken nonce validation in the entermpclploginoptions function, which contains an inverted check if wpverifynonce... return false;...

CVE-2026-8617

The SearchPlus plugin for WordPress is vulnerable to unauthorized modification and deletion of data in versions up to, and including, 1.7.1. This is due to a missing capability check and missing nonce validation on the searchplussavetokenactioncallback and searchplusresettokenactioncallback...

CVE-2026-8705

The CVE describes a SQL injection in the ClearSale Total WordPress plugin (versions <= 3.4.2). The vulnerability occurs via the pagseguro[metodo] POST parameter of the clearsale_total_push AJAX action, which is accessible to unauthenticated users (wp_ajax_nopriv_clearsale_total_push). Although...

CVE-2026-9184

The 24liveblog - live blog tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the updatelb24token AJAX function in versions up to, and including, 2.2. The handler only verifies the 'lb24' nonce which is generated and localized to any...