CVE-2026-7556 FV Flowplayer Video Player <= 7.5.49.7212 - Unauthenticated Stored Cross-Site Scripting via Comment Text

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment text in all versions up to, and including, 7.5.49.7212 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVE-2026-5714 Enable Media Replace <= 4.1.8 - Authenticated (Author+) Stored Cross-Site Scripting via 'location_dir' Parameter

The Enable Media Replace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘locationdir’ parameter in all versions up to, and including, 4.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level...

CVE-2026-7556

The FV Flowplayer Video Player plugin for WordPress is affected by a Stored Cross-Site Scripting (XSS) vulnerability in all versions up to 7.5.49.7212. The issue arises from insufficient input sanitization and output escaping in comment text, allowing unauthenticated attackers to inject web scrip...

CVE-2026-5714

The Enable Media Replace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘locationdir’ parameter in all versions up to, and including, 4.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level...

EUVD-2026-35293

The Enable Media Replace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘locationdir’ parameter in all versions up to, and including, 4.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level...

CVE-2026-7556 FV Flowplayer Video Player <= 7.5.49.7212 - Unauthenticated Stored Cross-Site Scripting via Comment Text

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment text in all versions up to, and including, 7.5.49.7212 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVE-2026-7556

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment text in all versions up to, and including, 7.5.49.7212 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

EUVD-2026-35290

The Accordions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Accordion body field in all versions up to, and including, 2.3.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access and...

CVE-2026-10862

CVE-2026-10862 affects the WordPress plugin Accordions (versions up to and including 2.3.23). The root cause is insufficient input sanitization and output escaping in the Accordion body field, enabling authenticated attackers with Custom-level access or higher to perform Stored Cross-Site Scripti...

PT-2026-47629

The Accordions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Accordion body field in all versions up to, and including, 2.3.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Custom-level access and...

PT-2026-47679

Name of the Vulnerable Software and Affected Versions FastPicker versions prior to 1.0.3 Description The FastPicker plugin for WordPress is subject to Cross-Site Request Forgery. This occurs because the settingsPage function lacks proper nonce validation, which is a unique token used to verify th...

PT-2026-47684

The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the userId parameter of the six storage get user info and six storage update profile AJAX actions. This is due to the six storage getUserInfo...

PT-2026-47685

Name of the Vulnerable Software and Affected Versions Recover Exit For WooCommerce versions prior to 1.0.4 Description The plugin is subject to Local File Inclusion due to insufficient validation and sanitization of the tpf POST parameter within the recover exit function. This allows...

PT-2026-47676

Name of the Vulnerable Software and Affected Versions Global Body Mass Index Calculator versions prior to 1.3 Description The Global Body Mass Index Calculator plugin for WordPress contains a Stored Cross-Site Scripting issue. The GBMI Calc Widget::widget function fails to properly sanitize input...

PT-2026-47673

The Extra Settings for RocketChat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rocketchat' shortcode's 'title' attribute in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping in the rxstg shortcode function, which...

PT-2026-47722

The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions up to and including 7.0.10. This is due to three compounding design flaws: 1 the plugin leaks a valid backend AJAX nonce revslider actions to all authenticated users including Subscribers via...

PT-2026-47765

Product Catalog 8 1.2 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the selectedCategory parameter. Attackers can submit POST requests to the admin-ajax.php endpoint with the...

PT-2026-47762

Simply Poll 1.4.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to extract database information by injecting SQL code through the 'pollid' POST parameter. Attackers can send requests to the admin-ajax.php endpoint with the 'spAjaxResults' actio...

PT-2026-47690

The Custom Block Builder WordPress plugin before 4.3.0 does not consistently check the unfiltered html capability across all paths that write to its block template code fields, allowing administrators on multisite installations or single-site installs with DISALLOW UNFILTERED HTML defined to inje...

PT-2026-47639

Name of the Vulnerable Software and Affected Versions Product Filter Widget for Elementor versions prior to 1.0.7 Description Insufficient input sanitization and output escaping allow unauthenticated attackers to inject arbitrary web scripts. This is achieved via a CSRF-style form auto-submission...