Malicious Package

Overview wm-plugin-json-conditions is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

MAL-2026-4339 Malicious code in wm-plugin-native-functions-restorer (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b56a05c0c4409a73fdb43bcd1cd03212baff2d79072fb687c8ed7923f0af5036 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-4338 Malicious code in wm-plugin-json-conditions (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 43ae510c22e7ea36051bfaa2a241bc7f8035d9047c3fe927438ceef2f2ca81cf Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-4337 Malicious code in wm-plugin-create-iframe-capturing (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 3b8f21008e1afe359d81b5a894a1b3977ba8a70993db9afc6f6d695cb37ab3f5 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious Package

Overview wm-plugin-teach-me-widget is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

Malicious code in wm-plugin-open-teach-me-after-deployable-played (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 655533b31e25a157ee83f60bf9745992f585b321861539de7e40a9a7549dd38d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

MAL-2026-4341 Malicious code in wm-plugin-set-walkme-language (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b3a79fac1678c77b806378e3a6a61fbe14204f4ff38758d151a231e0d990ea94 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

WordPress Draft List plugin 2.6.3-2.6.3 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability

Authenticated Author+ Stored Cross-Site Scripting vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Draft List versions 2.6.3-2.6.3...

WordPress CBX 5 Star Rating & Review plugin <= 1.0.7 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by Julian Chibuike Nwadinobi Wackydawg - streamio in WordPress Plugin CBX 5 Star Rating & Review versions = 1.0.7...

WordPress AI Chatbot & Workflow Automation by AIWU plugin <= 1.4.14 - Unauthenticated Stored Cross-Site Scripting vulnerability

Unauthenticated Stored Cross-Site Scripting vulnerability discovered by Kazuma Matsumoto - GMO Cybersecurity by IERAE, Inc. in WordPress Plugin AIWU versions = 1.4.14...

WordPress Correct Prices plugin <= 1.0 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by Abdulsamad Yusuf 0xVenus - Envorasec in WordPress Plugin Correct Prices versions = 1.0...

WordPress SponsorMe plugin <= 0.5.2 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by Abdulsamad Yusuf 0xVenus - Envorasec in WordPress Plugin SponsorMe versions = 0.5.2...

WordPress VatanSMS WP SMS plugin <= 1.01 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by Julian Chibuike Nwadinobi Wackydawg - streamio in WordPress Plugin VatanSMS WP SMS versions = 1.01...

WordPress Oliver POS plugin < 4.5.4 - Other Vulnerability Type vulnerability

Other Vulnerability Type vulnerability discovered by Hunter Jensen skid in WordPress Plugin Oliver POS versions 4.5.4...

WordPress Kirki – Freeform Page Builder, Website Builder & Customizer plugin <= 6.0.6 - Missing Authorization to Authenticated (Subscriber+) Sensitive Form Submission Data Exposure vulnerability

Missing Authorization to Authenticated Subscriber+ Sensitive Form Submission Data Exposure vulnerability discovered by Z3no in WordPress Plugin Kirki – Freeform Page Builder, Website Builder & Customizer versions = 6.0.6...

CLSA-2026-1779583625 vim: Fix of CVE-2026-46483

CVE-2026-46483: fix command injection in tar plugin Vimuntar when decompressing .tgz archives by passing the special flag to shellescape upstream vim 9.2.0479...

CLSA-2026-1779583115 vim: Fix of CVE-2026-46483

CVE-2026-46483: fix command injection in tar plugin Vimuntar when decompressing .tgz archives by passing the special flag to shellescape upstream vim 9.2.0479...

WordPress WooCommerce PayPal Payments plugin <= 4.0.1 - Missing Authorization to Unauthenticated Order Manipulation and Information Disclosure vulnerability

Missing Authorization to Unauthenticated Order Manipulation and Information Disclosure vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin WooCommerce PayPal Payments versions = 4.0.1...

WordPress Wishlist Member plugin <= 3.30.1 - Missing Authorization to Authenticated (Subscriber+) API Secret Key Disclosure and Privilege Escalation vulnerability

Missing Authorization to Authenticated Subscriber+ API Secret Key Disclosure and Privilege Escalation vulnerability discovered by h0xilo in WordPress Plugin WishList Member X versions = 3.30.1...

WordPress Wishlist Member plugin <= 3.30.1 - Missing Authorization to Authenticated (Subscriber+) Generate API Secret Key vulnerability

Missing Authorization to Authenticated Subscriber+ Generate API Secret Key vulnerability discovered by h0xilo in WordPress Plugin WishList Member X versions = 3.30.1...