3369 matches found
PT-2026-49141
Name of the Vulnerable Software and Affected Versions LatePoint versions prior to 5.5.2 Description A privilege escalation issue exists where users with Contributor roles can gain higher privileges. Recommendations Update to version 5.5.2 or later...
PT-2026-49140
Name of the Vulnerable Software and Affected Versions Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons versions prior to 1.4.9 Description An issue exists that leads to the exposure of sensitive subscriber data. Recommendations Update to a version...
PT-2026-49169
Name of the Vulnerable Software and Affected Versions WP Travel Engine versions prior to 6.7.11 Description An unauthenticated issue exists in the WP Travel Engine plugin that allows for an unspecified vulnerability type to be exploited without requiring user authentication. Recommendations Updat...
CVE-2026-8438 All-In-One Security (AIOS) <= 5.4.7 - Unauthenticated Stored Cross-Site Scripting via REST API Request Path
The All-In-One Security AIOS – Security and Firewall plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.4.7. This is due to insufficient input sanitization in the getrestroute function and missing output escaping in the columndefault method of the...
CVE-2026-5464
The ExactMetrics – Google Analytics Dashboard for WordPress Website Stats Plugin plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the 'onboardingkey' transient to a...
PT-2026-46380
Unauthenticated Local File Inclusion in Roneous = 2.1.5 versions...
PT-2026-44746
The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 6.3.7. This is due to insufficient access controls on the 'ays poll get user information' AJAX action, which serializes and returns the...
CVE-2026-8887 Listen Shortcode <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Listen Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'listen' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes src, start, end in the listenEmbedJS function,...
wpsecscan
WPSecScan !testshttps://github.com/bryanflowers/wpsecscan...
CVE-2026-9104 Draft List <= 2.6.3 - Authenticated (Author+) Stored Cross-Site Scripting via Draft Post Title
The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Draft Post Title in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to...
CVE-2026-8719
The AI Engine – The Chatbot, AI Framework & MCP for WordPress plugin for WordPress is vulnerable to Privilege Escalation in version 3.4.9. This is due to missing WordPress capability enforcement in the MCP OAuth bearer-token authorization path, where any valid OAuth token causes MCP access to be...
CVE-2026-7525
The CVE pertains to WordPress plugin My Calendar – Accessible Event Manager (versions ≤ 3.7.9). It describes an authorization bypass: authenticated users with custom-level access can tamper with the POST body (e.g., event_approved) to publish events or set statuses (cancelled, private) beyond the...
CVE-2026-45210 WordPress Broadstreet Ads plugin <= 1.52.2 - Broken Access Control vulnerability
Missing Authorization vulnerability in Broadstreet Broadstreet Ads broadstreet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Broadstreet Ads: from n/a through = 1.52.2...
PT-2026-35427
Name of the Vulnerable Software and Affected Versions Booking Activities versions prior to 1.16.48.2 Description An unauthenticated broken access control issue exists in the software, allowing users to bypass authorization checks without providing credentials. Recommendations Update to version...
PT-2026-35426
Name of the Vulnerable Software and Affected Versions wp-photo-album-plus affected versions not specified Description An unauthenticated SQL Injection exists in the wp-photo-album-plus WordPress plugin. SQL Injection is a type of flaw that allows an attacker to interfere with the queries that an...
PT-2026-35424
Name of the Vulnerable Software and Affected Versions JupiterX Core versions prior to 4.14.2 Description Cross Site Scripting XSS exists in the subscriber role, allowing an attacker to execute malicious scripts in the victim's browser. Recommendations Update to version 4.14.2 or later...
PT-2026-35641
Name of the Vulnerable Software and Affected Versions WooCommerce Product Filters versions prior to 2.0.6 Description An unauthenticated PHP Object Injection issue exists in the software. PHP Object Injection occurs when user-supplied input is passed to the unserialize function without proper...
CVE-2026-4089
CVE-2026-4089 affects the WordPress plugin Twittee Text Tweet (≤ 1.0.8). The vulnerability is a Stored Cross-Site Scripting flaw in the ttt_twittee_tweeter() function where shortcode attributes (notably id, tweet, content, balloon, theme) are extracted and concatenated into HTML/inline JavaScript...
PT-2026-33764
Name of the Vulnerable Software and Affected Versions Simply Schedule Appointments versions prior to 1.6.9.28 Description An unauthenticated SQL Injection exists in the software, allowing an attacker to execute arbitrary SQL queries without needing to log in. SQL Injection is a technique where...
PT-2026-33765
https://t.co/4bpvciSJjS CVE-2026-39533 WordPress plugin vulnerability another-wordpress-classifieds-plugin cybersecurity wordpressfirewall wordpresssecurity hack…...