CVE-2026-10736

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 3.9.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...

CVE-2026-11357

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.7.5 via the editorassetsvariables. This makes it possible for authenticated attackers, with contributor-level access and abov...

CVE-2026-11358

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it...

CVE-2026-11360

The Advanced Order Export For WooCommerce plugin for WordPress is vulnerable to generic SQL Injection via the 'sortdirection' parameter in all versions up to, and including, 4.0.10 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...

CVE-2026-10623

The PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.3.0 via the 'ruleid' parameter due to missing validation on a user controlled key. This makes it possible for...

CVE-2026-10029

The Event Koi Lite – Events Calendar, Event Management, RSVP, and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.13.1 via the getevents. This makes it possible for unauthenticated attackers to extract sensitive data including...

EUVD-2026-37853

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to Cross-Site Request Forgery in the administration configuration handler. In system/admin/admin.config.php, the configuration update action 'a=update' processes POST data via cotconfigupdateoptions without calling cotcheckxg to validate...

CVE-2026-9815

The CVE-2026-9815 entry concerns the MagicForm WordPress plugin (versions up to 0.1.3). The affected component is the file upload path via an unauthenticated AJAX action, where the per-field extension allowlist being empty leads to improper validation of uploaded file types. As a result, unauthen...

EUVD-2026-37852

The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty, allowing unauthenticated attackers to upload PHP files and execute arbitrary code on the server...

CVE-2026-11402 Services Section Block <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'link' Block Attribute

The Services Section Block – Showcase Service Details in Grid or Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'link' Block Attribute in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2026-11402

The CVE-2026-11402 entry concerns the WordPress plugin “Services Section Block – Showcase Service Details in Grid or Columns.” Affected component is the ‘link’ Block Attribute, with stored XSS in all versions up to 1.4.4 due to insufficient input sanitization and output escaping. The vulnerabilit...

CVE-2026-11358 Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More <= 3.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu-item-icon' Parameter

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it...

CVE-2026-11358

The CVE concerns the Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress (versions up to 3.0.6). The vulnerability is a Stored Cross-Site Scripting flaw arising from insufficient input sanitization and output escaping in admin settings. It a...

EUVD-2026-37849

The Services Section Block – Showcase Service Details in Grid or Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'link' Block Attribute in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for...

EUVD-2026-37850

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it...

CVE-2026-11784 Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization <= 4.2.6 - Cross-Site Request Forgery via 'optml_replace_file' AJAX Action

The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.6. This is due to missing or incorrect nonce validation on the replacefile function. This makes it...

CVE-2026-12093 Simple Membership <= 4.7.5 - Missing Authorization to Unauthenticated Arbitrary Member Account Deactivation via Forged Stripe 'charge.refunded' Webhook

The Simple Membership plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.7.5. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to deactivate arbitra...

CVE-2026-11784

The CVE describes a Cross‑Site Request Forgery in the WordPress plugin Optimole – Optimize Images (

EUVD-2026-37847

The Simple Membership plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.7.5. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to deactivate arbitra...

EUVD-2026-37848

The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.6. This is due to missing or incorrect nonce validation on the replacefile function. This makes it...