CVE-2026-10862

CVE-2026-10862 affects the WordPress plugin Accordions (versions up to and including 2.3.23). The root cause is insufficient input sanitization and output escaping in the Accordion body field, enabling authenticated attackers with Custom-level access or higher to perform Stored Cross-Site Scripti...

CVE-2026-10862 Accordions <= 2.3.23 - Authenticated (Custom+) Stored Cross-Site Scripting via Accordion Body Field

The Accordions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Accordion body field in all versions up to, and including, 2.3.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access and...

CVE-2026-10862

The Accordions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Accordion body field in all versions up to, and including, 2.3.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access and...

PT-2026-47722

Name of the Vulnerable Software and Affected Versions Slider Revolution versions prior to 7.0.11 Description The plugin is subject to sensitive information disclosure resulting from three design flaws. First, a valid backend AJAX nonce revslider actions is leaked to all authenticated users,...

PT-2026-47678

The AJAX Report Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.4. This is due to missing or incorrect nonce validation on the rc options page function. This makes it possible for unauthenticated attackers to modify plugin settin...

PT-2026-47679

Name of the Vulnerable Software and Affected Versions FastPicker versions prior to 1.0.3 Description The FastPicker plugin for WordPress is subject to Cross-Site Request Forgery. This occurs because the settingsPage function lacks proper nonce validation, which is a unique token used to verify th...

PT-2026-47767

Wow Forms WordPress Plugin version 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to read arbitrary database information by exploiting an unescaped POST parameter. Attackers can inject SQL code through the 'mwpformid' parameter in requests to the admin-ajax.php...

PT-2026-47681

Name of the Vulnerable Software and Affected Versions WpMobi versions prior to 0.0.4 Description The WpMobi plugin for WordPress is subject to Cross-Site Request Forgery CSRF, a flaw where an attacker tricks a victim into performing actions they did not intend to. This occurs due to missing or...

PT-2026-47634

Name of the Vulnerable Software and Affected Versions Enable Media Replace versions prior to 4.1.9 Description Insufficient input sanitization and output escaping in the Enable Media Replace plugin for WordPress allow authenticated attackers with Author-level access or higher to perform Stored...

PT-2026-47799

Logseq is vulnerable to a stored cross-site scripting XSS. A malicious plugin can include a JavaScript payload in the "name" field of its "package.json" file, which is rendered using "innerHTML" without proper sanitization, allowing the execution of arbitrary code in the privileged host context...

WordPress plugin WP Meta Sort Posts 跨站请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

WordPress plugin Extra Settings for RocketChat 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be added to a...

WordPress plugin 6Storage Rentals 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

Catalyst-Plugin-Authentication 授权问题漏洞

Catalyst-Plugin-Authentication is an open-source authentication plugin framework developed by Catalyst. Versions of Catalyst-Plugin-Authentication prior to 0.10027 contained vulnerabilities related to authorization. These vulnerabilities stemmed from the lack of automatic session ID changes after...

WordPress plugin MailerPress – Email Marketing, Newsletter, Email Automation & WooCommerce Emails 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

WordPress plugin jQuery Hover Footnotes 跨站请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

PT-2026-47724

Name of the Vulnerable Software and Affected Versions MailerPress – Email Marketing, Newsletter, Email Automation & WooCommerce Emails versions prior to 2.0.5 Description Insufficient input sanitization and output escaping allow authenticated attackers with author-level access or higher to perfor...

Adobe USD-Fileformat-plugins Heap-based Buffer Overflow Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe USD-Fileformat-plugins. Interaction with the USD library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within t...

PT-2026-47674

The RomanCart Ecommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blclass' attribute and other attributes of the romancart button shortcode in versions up to, and including, 2.0.8. This is due to insufficient input sanitization and output escaping on user supplied...

PT-2026-47671

Name of the Vulnerable Software and Affected Versions ePaperFlip Publisher versions prior to 1.1 Description The ePaperFlip Publisher plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs because the publicationid attribute of the epaperflip embed shortcode lacks sufficie...