PT-2026-49143
Name of the Vulnerable Software and Affected Versions: WP Go Maps versions prior to 10.0.10. Description: The plugin fails to properly enforce the marker approval filter on the admin-ajax fallback for its datatables route. This allows unauthenticated visitors to retrieve marker records that the site...
CVE-2026-8438 All-In-One Security (AIOS) <= 5.4.7 - Unauthenticated Stored Cross-Site Scripting via REST API Request Path
The All-In-One Security AIOS – Security and Firewall plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.4.7. This is due to insufficient input sanitization in the getrestroute function and missing output escaping in the columndefault method of the...
CVE-2026-5464
The ExactMetrics – Google Analytics Dashboard for WordPress Website Stats Plugin plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the 'onboardingkey' transient to a...
PT-2026-46380
Unauthenticated Local File Inclusion in Roneous = 2.1.5 versions...
PT-2026-44746
The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 6.3.7. This is due to insufficient access controls on the 'ays poll get user information' AJAX action, which serializes and returns the...
CVE-2026-8887 Listen Shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Listen Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'listen' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes src, start, end in the listenEmbedJS function,...
wpsecscan
WPSecScan https://github.com/bryanflowers/wpsecscan...
CVE-2026-9104 Draft List <= 2.6.3 - Authenticated (Author+) Stored Cross-Site Scripting via Draft Post Title
The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Draft Post Title in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to...
CVE-2026-8719
The AI Engine – The Chatbot, AI Framework & MCP for WordPress plugin for WordPress is vulnerable to Privilege Escalation in version 3.4.9. This is due to missing WordPress capability enforcement in the MCP OAuth bearer-token authorization path, where any valid OAuth token causes MCP access to be...
CVE-2026-7525
The CVE pertains to WordPress plugin My Calendar – Accessible Event Manager (versions ≤ 3.7.9). It describes an authorization bypass: authenticated users with custom-level access can tamper with the POST body (e.g., event_approved) to publish events or set statuses (cancelled, private) beyond the...
CVE-2026-45210 WordPress Broadstreet Ads plugin <= 1.52.2 - Broken Access Control vulnerability
Missing Authorization vulnerability in Broadstreet Broadstreet Ads broadstreet allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Broadstreet Ads: from n/a through = 1.52.2...
PT-2026-35424
Name of the Vulnerable Software and Affected Versions: JupiterX Core versions prior to 4.14.2. Description: Cross Site Scripting (XSS) exists in the subscriber role, allowing an attacker to execute malicious scripts in the victim's browser. Recommendations: Update to version 4.14.2 or later...
PT-2026-35641
Name of the Vulnerable Software and Affected Versions: WooCommerce Product Filters versions prior to 2.0.6. Description: An unauthenticated PHP Object Injection issue exists in the software. PHP Object Injection occurs when user-supplied input is passed to the unserialize function without proper...
PT-2026-35426
Name of the Vulnerable Software and Affected Versions: wp-photo-album-plus, affected versions not specified. Description: An unauthenticated SQL Injection exists in the wp-photo-album-plus WordPress plugin. SQL Injection is a type of flaw that allows an attacker to interfere with the queries that an...
PT-2026-35427
Name of the Vulnerable Software and Affected Versions: Booking Activities versions prior to 1.16.48.2. Description: An unauthenticated broken access control issue exists in the software, allowing users to bypass authorization checks without providing credentials. Recommendations: Update to version...
CVE-2026-4089
CVE-2026-4089 affects the WordPress plugin Twittee Text Tweet (≤ 1.0.8). The vulnerability is a Stored Cross-Site Scripting flaw in the ttt_twittee_tweeter() function where shortcode attributes (notably id, tweet, content, balloon, theme) are extracted and concatenated into HTML/inline JavaScript...
PT-2026-33765
https://t.co/4bpvciSJjS CVE-2026-39533 WordPress plugin vulnerability another-wordpress-classifieds-plugin cybersecurity wordpressfirewall wordpresssecurity hack…...
PT-2026-33764
Name of the Vulnerable Software and Affected Versions: Simply Schedule Appointments versions prior to 1.6.9.28. Description: An unauthenticated SQL Injection exists in the software, allowing an attacker to execute arbitrary SQL queries without needing to log in. SQL Injection is a technique where...
CVE-2026-4091
The CVE concerns the WordPress OPEN-BRAIN plugin
CVE-2026-4365
The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the deletequestionanswer function in all versions up to, and including, 4.3.2.8. The plugin exposes a wprest nonce in public frontend HTML lpData to unauthenticated visitors, and...