224912 matches found
CVE-2026-9227 GutenBee <= 2.20.1 - Authenticated (Author+) Arbitrary File Upload via wp_check_filetype_and_ext Filter
The GutenBee – Gutenberg Blocks plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.20.1 via the gutenbeefileandextjson function. This is due to a flawed strpos substring check that only verifies whether the filename contains the string '.json' rath...
EUVD-2026-32730
The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.5. This is due to missing...
EUVD-2026-32731
The PeachPay — Payments & Express Checkout for WooCommerce supports Stripe, PayPal, Square, Authorize.net, NMI plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.120.46. This is due to missing or incorrect nonce validation on the...
CVE-2026-7651
The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.5. This is due to missing...
CVE-2026-7651 User Registration & Membership <= 5.1.5 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Media Deletion via 'profile-pic-url' Parameter
The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.5. This is due to missing...
CVE-2026-9618 PeachPay <= 1.120.46 - Cross-Site Request Forgery to Stripe Unlink
The PeachPay — Payments & Express Checkout for WooCommerce supports Stripe, PayPal, Square, Authorize.net, NMI plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.120.46. This is due to missing or incorrect nonce validation on the...
CVE-2026-9618
The PeachPay — Payments & Express Checkout for WooCommerce supports Stripe, PayPal, Square, Authorize.net, NMI plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.120.46. This is due to missing or incorrect nonce validation on the...
CVE-2026-7651 User Registration & Membership <= 5.1.5 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Media Deletion via 'profile-pic-url' Parameter
The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.5. This is due to missing...
EUVD-2026-32732
The GutenBee – Gutenberg Blocks plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.20.1 via the gutenbeefileandextjson function. This is due to a flawed strpos substring check that only verifies whether the filename contains the string '.json' rath...
CVE-2026-7651
CVE-2026-7651 describes an insecure direct object reference in the WordPress plugin “User Registration & Membership” (Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder) up to version 5.1.5. The bug arises from missing ownership val...
CVE-2026-9227 GutenBee <= 2.20.1 - Authenticated (Author+) Arbitrary File Upload via wp_check_filetype_and_ext Filter
The GutenBee – Gutenberg Blocks plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.20.1 via the gutenbeefileandextjson function. This is due to a flawed strpos substring check that only verifies whether the filename contains the string '.json' rath...
CVE-2026-9227
The connected CVE entries confirm a vulnerability in GutenBee ≤ 2.20.1 (WordPress plugin): an Arbitrary File Upload via the function gutenbee_file_and_ext_json. The root cause is a flawed strpos() check that only tests for the presence of ".json" in the filename, not that it ends with a .json ext...
CVE-2026-9618
The CVE-2026-9618 entry concerns the PeachPay for WooCommerce plugin (WordPress) with versions up to and including 1.120.46. Affected component: peachpay_stripe_handle_admin_actions function, where missing/incorrect nonce validation enables Cross-Site Request Forgery. Impact: unauthenticated atta...
CVE-2026-9227
The GutenBee – Gutenberg Blocks plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.20.1 via the gutenbeefileandextjson function. This is due to a flawed strpos substring check that only verifies whether the filename contains the string '.json' rath...
CVE-2026-9618 PeachPay <= 1.120.46 - Cross-Site Request Forgery to Stripe Unlink
The PeachPay — Payments & Express Checkout for WooCommerce supports Stripe, PayPal, Square, Authorize.net, NMI plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.120.46. This is due to missing or incorrect nonce validation on the...
CVE-2026-7634
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'User-Agent' header in all versions up to, and including, 5.4.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary we...
CVE-2026-7634
Technical details are not publicly available in the provided documents. Monitor for updates.
EUVD-2026-32729
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'User-Agent' header in all versions up to, and including, 5.4.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary we...
CVE-2026-7634 SlimStat Analytics <= 5.4.11 - Unauthenticated Stored Cross-Site Scripting via User-Agent Header
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'User-Agent' header in all versions up to, and including, 5.4.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary we...
CVE-2026-9644
The LiveSmart Video Chat Live Video Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'livesmartwidget' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...