CVE-2026-8293 Really Simple Security < 9.5.10.1 - Authentication Bypass via Two-Factor OTP Skip

The Really Simple Security WordPress plugin before 9.5.10.1 does not enforce the second-factor challenge in two of its two-factor authentication REST endpoints, allowing an attacker who knows a user's password to obtain a WordPress authentication session for that user without completing the email...

PT-2026-31293

Name of the Vulnerable Software and Affected Versions Beaver Builder Page Builder versions up to and including 2.10.1.1 Description The Beaver Builder Page Builder plugin for WordPress is susceptible to Stored Cross-Site Scripting through the settingsjs parameter due to inadequate input...

CVE-2026-3309 Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress <= 4.16.11 - Unauthenticated Arbitrary Shortcode Execution via Checkout Billing Fields

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.11. This is due to the plugin allowing user-supplied billing fie...

CVE-2026-1390

The Redirect countdown plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the countdownsettingscontent function. This makes it possible for unauthenticated attackers to update the plugin settings...

PT-2026-26718

The Injection Guard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via malicious query parameter names in all versions up to and including 1.2.9. This is due to insufficient input sanitization in the sanitize ig data function which only sanitizes array values but not array keys...

CVE-2026-2466

The DukaPress WordPress plugin through 3.2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVE-2025-68031

CVE-2025-68031 is a reflected Cross-Site Scripting vulnerability in the WordPress plugin прац farazsms (افزونه پیامک حرفه ای فراز اس ام اس) up to version 2.7.3. The issue is described as Improper Neutralization of Input During Web Page Generation, enabling Reflected XSS. Public sources confirm af...

CVE-2026-0745

The User Language Switch plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.10 due to missing URL validation on the 'downloadlanguage' function. This makes it possible for authenticated attackers, with Administrator-level access and above, ...

CVE-2026-1088 Login Page Editor <= 1.2 - Cross-Site Request Forgery to Settings Update

The Login Page Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the devotionloginformprocess AJAX action. This makes it possible for unauthenticated attackers to update the plugin's login...

CVE-2023-25452

Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Michael Pretty prettyboymp CMS Press plugin = 0.2.3 versions...

PT-2026-1428

Name of the Vulnerable Software and Affected Versions MediaPress plugin for WordPress versions up to and including 1.6.1 Description The MediaPress plugin for WordPress is susceptible to Stored Cross-Site Scripting through the mpp-uploader shortcode. This is due to inadequate input sanitization a...

CVE-2025-49355

Technical details for CVE-2025-49355 are not publicly available in the provided documents. Monitor for updates.

WordPress MelaPress Login Security plugin 2.1.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion vulnerability

Missing Authorization to Unauthenticated Arbitrary User Deletion vulnerability discovered by Michelle Porter - Wordfence in WordPress Plugin MelaPress Login Security versions 2.1.0...

CVE-2025-14032

The Bold Timeline Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in the 'boldtimelinegroup' shortcode in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2025-4970

CVE-2025-4970 pertains to the WordPress plugin BSK PDF Manager and describes a Stored Cross-Site Scripting (XSS) via SVG file uploads in all versions up to 3.7.1. The issue arises from insufficient input sanitization and output escaping during SVG handling, allowing an authenticated attacker with...

CVE-2025-11536

The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 8.2.5 via the wpajaximportelementortemplate action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to ma...

EUVD-2023-29407

Malicious code in bioql PyPI...

CVE-2025-58608

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in BuddyDev MediaPress mediapress allows PHP Local File Inclusion.This issue affects MediaPress: from n/a through = 1.5.9.1...

CVE-2025-58608

CVE-2025-58608 : MediaPress (BuddyDev MediaPress plugin) contains a PHP Local File Inclusion due to improper control of filenames in include/require. Affected: MediaPress versions up to 1.5.9.1. Impact is high per CVSS metrics (network attack, no user interaction, total impact). Remediation: upgr...

CVE-2022-1688

The Note Press WordPress plugin through 0.1.10 does not sanitise and escape the id parameter before using it in various SQL statement via the admin dashboard, leading to SQL Injections...