CVE-2026-1927

The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the greenshiftapppassvalidation function in all versions up to, and including, 12.6. This makes it possible for authenticated attackers, with...

CVE-2025-15285

CVE-2025-15285 concerns the WordPress plugin SEO Flow by LupsOnline (versions

Quarterly WordPress Threat Intelligence Report – Q4 2025

As the leader in WordPress security, Wordfence provides unparalleled security coverage that fully encompasses protection, active monitoring, detection, and response all built around our threat intelligence, demonstrating a strong commitment to security. Our mission is to ensure comprehensive...

CVE-2026-0914

The WP DSGVO Tools GDPR plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'lwcontentblock' shortcode in all versions up to, and including, 3.1.36 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

WordPress plugin xSmart has a security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

WordPress plugin Blogzee code-related vulnerabilities

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that extends the...

CVE-2026-0739 WMF Mobile Redirector <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings Parameters

The WMF Mobile Redirector plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level...

CVE-2014-4017

Cross-site scripting XSS vulnerability in the Conversion Ninja plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter to lp/index.php...

CVE-2014-4941

Absolute path traversal vulnerability in Cross-RSS wp-cross-rss plugin 1.7 for WordPress allows remote attackers to read arbitrary files via a full pathname in the rss parameter to proxy.php...

CVE-2023-4703

The All in One B2B for WooCommerce WordPress plugin through 1.0.3 does not properly validate parameters when updating user details, allowing an unauthenticated attacker to update the details of any user. Updating the password of an Admin user leads to privilege escalation...

CVE-2023-4150

The User Activity Tracking and Log WordPress plugin before 4.0.9 does not have proper CSRF checks when managing its license, which could allow attackers to make logged in admins update and deactivate the plugin's license via CSRF attacks...

CVE-2023-4209

The POEditor WordPress plugin before 0.9.8 does not have CSRF checks in various places, which could allow attackers to make logged in admins perform unwanted actions, such as reset the plugin's settings and update its API key via CSRF attacks...

CVE-2018-21003

The buddyforms plugin before 2.2.8 for WordPress has SQL injection...

CVE-2018-6891

Bookly 1 WordPress Booking Plugin Lite before 14.5 has XSS via a jQuery.ajax request to ng-paymentdetailsdialog.js...

CVE-2016-10919

The wassup plugin before 1.9.1 for WordPress has XSS via the Top stats widget or the wassupURI::addsiteurl method, a different vulnerability than CVE-2012-2633...

CVE-2016-10874

The wp-database-backup plugin before 4.3.3 for WordPress has CSRF...

CVE-2016-10892

The chained-quiz plugin before 1.0 for WordPress has multiple XSS issues...

CVE-2016-10973

The Brafton plugin before 3.4.8 for WordPress has XSS via the wp-admin/admin.php?page=BraftonArticleLoader tab parameter to BraftonAdminPage.php...

CVE-2016-10951

The fs-shopping-cart plugin 2.07.02 for WordPress has SQL injection via the pid parameter...

CVE-2016-10947

The Post Indexer plugin before 3.0.6.2 for WordPress has SQL injection via the period parameter by a super admin...