EUVD-2026-38104
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the viewpage function in all versions up to, and including, 1.5.1. This makes it possible for unauthenticated attackers to delete...
PT-2026-49831
Name of the Vulnerable Software and Affected Versions: Real Testimonials Pro (affected versions not specified); Product Slider Pro for WooCommerce (affected versions not specified); Smart Post Show Pro (affected versions not specified). Description: A supply chain compromise occurred where attackers...
CVE-2026-49104
Unauthenticated PHP Object Injection in Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms = 1.2.1 versions...
EUVD-2026-36889
Unauthenticated PHP Object Injection in Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms = 1.1.8 versions...
EUVD-2026-36881
Unauthenticated PHP Object Injection in Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms = 1.2.1 versions...
Popular WordPress Plugin Scripts Tampered to Plant Hidden Backdoors on Sites
An attacker tampered with trusted JavaScript files used by WordPress sites running PushEngage, OptinMonster, and TrustPulse, turning those files into a way to break into the sites. When a site administrator was logged in as the file loaded, the code created an admin account under the attacker'...
WordPress plugin Hippoo Mobile App for WooCommerce security vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...
PT-2026-48750
Unauthenticated Broken Authentication in Booknetic = 4.8.5 versions...
WordPress Prime Elementor Addons – Lightweight Elementor Widgets for Faster Pages plugin <= 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Romain Deperne ang3L in WordPress Plugin Unlimited Elementor Inner Sections By BoomDevs versions = 1.3.3...
PT-2026-46368
Unauthenticated Local File Inclusion in Skyward = 1.10 versions...
PT-2026-46374
Unauthenticated Local File Inclusion in Orpheus = 1.3 versions...
PT-2026-46370
Unauthenticated Local File Inclusion in Gunslinger = 1.7 versions...
PT-2026-46387
Name of the Vulnerable Software and Affected Versions: WP Meta Sort Posts versions prior to 1.0. Description: The WP Meta Sort Posts plugin for WordPress is subject to Cross-Site Request Forgery (CSRF), a type of attack where an unauthorized user tricks a victim into performing actions they did not...
PT-2026-46329
Unauthenticated Local File Inclusion in Planty = 1.14.0 versions...
PT-2026-46331
Unauthenticated Local File Inclusion in MaxiNet = 1.2.10 versions...
PT-2026-46353
Unauthenticated Local File Inclusion in Preservation = 1.10 versions...
PT-2026-46352
Unauthenticated Local File Inclusion in Mission = 1.22 versions...
PT-2026-46364
Unauthenticated Local File Inclusion in Gita = 1.11 versions...
PT-2026-46322
Unauthenticated Local File Inclusion in Modernee = 1.6.0 versions...
PT-2026-46321
Unauthenticated Cross-Site Scripting (XSS) in Qreatix = 1.9.4 versions...