222 matches found
PT-2026-26542
Name of the Vulnerable Software and Affected Versions: Discourse versions prior to 2026.3.0-latest.1; Discourse versions prior to 2026.2.1; Discourse versions prior to 2026.1.2. Description: Discourse is an open-source discussion platform. An authorization bypass in the poll plugin allowed authenticat...
CVE-2026-32843
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-19 18:07:00+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mhglrpg3jo2x... |
CVE-2026-2233
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the draft_post function in all versions up to, and including, 4.2.8. This makes it...
CVE-2026-2233
The CVE CVE-2026-2233 affects the WordPress plugin User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration (wp-user-frontend). Multiple sources confirm a missing capability check in the draft_post() function that allows unauthenticated attackers to modi...
CVE-2026-2879
The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2. This is due to missing validation on the id parameter in the create method of the GetGenieChat REST API endpoint. The method accepts a user-controlled post ID and, when...
CVE-2026-32301
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-12 20:34:16+00:00 | published-proof-of-concept | https://github.com/centrifugal/centrifugo/security/advisories/GHSA-j77h-rr39-c552 |
| 2026-03-12 22:41:32+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mgvhu5jil72k |
| 2026-03-13... | | |
CVE-2026-2917
CVE-2026-2917 (Happy Addons for Elementor, WordPress) is an Insecure Direct Object Reference vulnerability affecting all versions up to 3.21.0. The root cause is the can_clone() check only enforcing a general capability (current_user_can('edit_posts')) and an action nonce bound to the generic ha_...
CVE-2026-2917 Happy Addons for Elementor <= 3.21.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Post Duplication via 'post_id' Parameter
The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.21.0 via the haduplicatething admin action handler. This is due to the can_clone method only checking current_user_can('edit_posts'), a general capability, without...
CVE-2026-1071
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-07 09:53:48+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mghkmpxojd27... |
CVE-2026-1820 Media Library Alt Text Editor <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'post_id' Shortcode Attribute
The Media Library Alt Text Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bvmaltscdivupdatealttext' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes ...
WordPress Media Library Alt Text Editor plugin <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'post_id' Shortcode Attribute vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via 'post_id' Shortcode Attribute vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Media Library Alt Text Editor versions <= 1.0.0...
CVE-2026-2371 Greenshift <= 12.8.3 - Missing Authorization to Unauthenticated Private Reusable Block Disclosure via 'gspb_el_reusable_load'
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 12.8.3. This is due to missing authorization and post status validation in the gspb_el_reusable_load AJAX handler. The handler accepts an...
CVE-2026-29122
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-05 01:54:12+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mgbovbzvbc2u... |
CVE-2025-15598
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-03 12:09:30+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mg5qdpf7pa2z... |
CVE-2026-28554
wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to approve or unapprove any forum post via the wpforoapproveajax AJAX handler. Attackers exploit the nonce-only check by submitting a valid nonce with an arbitrary post ID to bypass moderation...
CVE-2026-28218
| creationtimestamp | type | source |
|---|---|---|
| 2026-02-26 22:26:13+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mfsahuhdrx2v... |
CVE-2026-27970
| creationtimestamp | type | source |
|---|---|---|
| 2026-02-26 06:18:25+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mfqkfcc4zw2v |
| 2026-02-27 20:10:11+00:00 | seen | https://gist.github.com/alon710/b3ea10b84b3ec49955d7221d8d85c2f7 |
| 2026-03-05 01:48:24+00:00 | seen | ... |
CVE-2021-31838
| creationtimestamp | type | source |
|---|---|---|
| 2026-02-24 18:00:14+00:00 | seen | https://bsky.app/profile/cyberhub.blog/post/3mfmqogbmpz2r... |
PT-2026-20607
The Breadcrumb NavXT plugin for WordPress is vulnerable to authorization bypass through a user-controlled key in versions up to and including 7.5.0. This is due to the Gutenberg block renderer trusting the $_REQUEST['post_id'] parameter without verification in the...
CVE-2020-36990
| creationtimestamp | type | source |
|---|---|---|
| 2026-01-28 14:44:30+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mdij5ksm2r2t... |