PT-2026-47141

The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the 'invoice id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

PT-2026-47131

Name of the Vulnerable Software and Affected Versions WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More versions prior to 1.10.0.2 Description The plugin is subject to insufficient verification of data authenticity. The PayPal Commerce webhook endpoint...

PT-2026-47140

The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 12.4.16. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

PT-2026-47143

Name of the Vulnerable Software and Affected Versions WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters versions prior to 4.9.5 Description The plugin is subject to Stored Cross-Site Scripting XSS, a flaw where malicious scripts are permanently stored on the...

CVE-2026-8976

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action...

CVE-2026-8976 RSS Aggregator by Feedzy <= 5.1.7 - Missing Authorization to Authenticated (Contributor+) Import Job Creation, Execution, Purge, Log Clearing, and Information Disclosure via Multiple AJAX Sub-Actions

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action...

CVE-2026-8608

The Event Monster – Event Management, Events Calendar, Tickets plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 2.1.0. This is due to the capturepayment AJAX handler registered via wpajaxnoprivemcapturepayment trusting...

CVE-2026-6448 Quiz and Survey Master (QSM) <= 11.1.2 - Authenticated (Admin+) SQL Injection via 'order' and 'limit' Parameters

The Quiz and Survey Master QSM – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order' parameter in all versions up to, and including, 11.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on...

CVE-2026-9719 LatePoint <= 5.6.0 - Cross-Site Request Forgery via invoices__change_status Action

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the changestatus function. This makes it possible for...

CVE-2026-6448

The Quiz and Survey Master QSM – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order' parameter in all versions up to, and including, 11.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on...

CVE-2026-9719 LatePoint <= 5.6.0 - Cross-Site Request Forgery via invoices__change_status Action

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the changestatus function. This makes it possible for...

CVE-2026-8608

The CVE affects the WordPress plugin “Event Monster” (Event Monster – Event Management, Events Calendar, Tickets) up to version 2.1.0. The root cause is Insufficient Verification of Data Authenticity in the capture_payment() AJAX handler (wp_ajax_nopriv_em_capture_payment), which trusts client-su...

CVE-2026-6448 Quiz and Survey Master (QSM) <= 11.1.2 - Authenticated (Admin+) SQL Injection via 'order' and 'limit' Parameters

The Quiz and Survey Master QSM – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order' parameter in all versions up to, and including, 11.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on...

CVE-2026-9719

CVE-2026-9719 concerns the LatePoint WordPress plugin (versions up to 5.6.0). The issue is a Cross‑Site Request Forgery caused by missing/incorrect nonce validation in the change_status function, enabling unauthenticated actors to alter invoice statuses (e.g., mark unpaid as paid) via forged requ...

CVE-2026-10038 Charitable <= 1.8.11.1 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Attachment Deletion via 'avatar' Parameter

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insecure Direct Object Reference / Authorization Bypass leading to Arbitrary Attachment Deletion in versions up to, and including, 1.8.11.1 via the profile avatar...

CVE-2026-9290

The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the profile template scope function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files...

CVE-2026-10038

The Charitable – Donation Plugin for WordPress (Charitable) up to version 1.8.11.1 is affected by an Insecure Direct Object Reference/Authorization Bypass that enables Arbitrary Attachment Deletion via the profile avatar update flow. The issue stems from save_avatar() calling wp_delete_attachment...

CVE-2026-9290 WP User Manager <= 2.9.17 - Unauthenticated Path Traversal to Local File Inclusion via 'tab' Query Parameter

The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the profile template scope function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files...

CVE-2025-12656

The WPvivid Backup & Migration plugin for WordPress is affected by an arbitrary directory deletion vulnerability due to insufficient file path validation in delete_cancel_staging_site() in all versions up to and including 0.9.128. Authenticated attackers with Administrator-level access can delete...

CVE-2026-7047 Frontend User Notes <= 2.1.1 - Cross-Site Request Forgery to Note Content Modification via 'confirmEdit' Action

The Frontend User Notes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the funpajaxmodifynotes function. This makes it possible for unauthenticated attackers to trick a logged-in...