CVE-2026-56005 WordPress WP Activity Log plugin <= 5.6.3.1 - Cross Site Scripting (XSS) vulnerability
Subscriber Cross Site Scripting XSS in WP Activity Log <= 5.6.3.1 versions...
CVE-2026-54849
CVE-2026-54849 concerns WordPress Premmerce Wishlist for WooCommerce plugin versions <= 1.1.11, with an unauthenticated SQL injection vulnerability. The connected records confirm the affected software (Premmerce Wishlist for WooCommerce), the vulnerable component (the plugin’s request handling le...
CVE-2026-54843
CVE-2026-54843 concerns the WordPress MDTF plugin (WordPress MDTF) with versions up to 1.3.7. The vulnerability is an unauthenticated SQL injection in MDTF
CVE-2026-54841 WordPress Vitepos plugin <= 3.4.2 - Sensitive Data Exposure vulnerability
Unauthenticated Sensitive Data Exposure in Vitepos <= 3.4.2 versions...
CVE-2026-54838 WordPress WC Vendors Marketplace plugin <= 2.6.8 - SQL Injection vulnerability
Subscriber SQL Injection in WC Vendors Marketplace <= 2.6.8 versions...
CVE-2026-54830
Affected software: WordPress Five Star Restaurant Reservations plugin, versions
CVE-2026-54822 WordPress SALESmanago & Leadoo plugin <= 3.11.2 - SQL Injection vulnerability
Subscriber SQL Injection in SALESmanago & Leadoo <= 3.11.2 versions...
CVE-2026-54822
Summary: CVE-2026-54822 affects the WordPress plugin “SALESmanago & Leadoo” (versions up to 3.11.2). The vulnerability is a Subscriber SQL Injection in the plugin’s handling of subscriber data, with the root cause not explicitly detailed beyond the SQL injection label. The CVSS metrics indic...
CVE-2026-27366
CVE-2026-27366 concerns WordPress MainWP Child plugin versions
WordPress WPCafe plugin <= 3.0.14 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by L4m in WordPress Plugin WPCafe versions <= 3.0.14...
EUVD-2026-39189
The Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'postid' parameter in all versions up to, and including, 2.22.7 due to insufficient escaping on the user supplied parameter and lack of sufficie...
EUVD-2026-39188
The InPost PL WordPress plugin before 1.9.1 does not verify that the request originates from the legitimate buyer before allowing the WooCommerce order parcel-locker destination to be updated, allowing unauthenticated attackers to silently redirect the shipping destination of any pending or...
WordPress SeedProd Pro plugin < 6.19.5 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting XSS vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin SeedProd Pro versions < 6.19.5...
WordPress Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin plugin <= 2.22.7 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by PRISM in WordPress Plugin Tourfic versions <= 2.22.7...
CVE-2026-12937
The Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'postid' parameter in all versions up to, and including, 2.22.7 due to insufficient escaping on the user supplied parameter and lack of sufficie...
CVE-2026-10824
The Masteriyo LMS WordPress plugin before 2.2.1 does not perform authorization checks in a course-progress REST API controller, allowing unauthenticated users to read and permanently delete any user's course-progress records...
CVE-2026-12937 Tourfic <= 2.22.7 - Unauthenticated SQL Injection via 'post_id' Parameter
The Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'postid' parameter in all versions up to, and including, 2.22.7 due to insufficient escaping on the user supplied parameter and lack of sufficie...
CVE-2026-12937
CVE-2026-12937 concerns the Tourfic WordPress plugin (versions ≤ 2.22.7). The issue is a generic SQL Injection via the post_id parameter caused by insufficient escaping and lack of prepared statements in the vulnerable SQL path. The vulnerability is exploitable by unauthenticated users, who can a...
CVE-2026-5305 Email Address Encoder (Free < 1.0.25, Premium < 0.3.12) - Unauthenticated Stored XSS
The Email Address Encoder WordPress plugin before 1.0.25, email-encoder-premium WordPress plugin before 0.3.12 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks...
CVE-2026-5305
The CVE-2026-5305 issue affects the WordPress plugins Email Address Encoder (free) prior to 1.0.25 and Email Encoder Premium prior to 0.3.12. The root cause is improper handling of email replacement, which can allow unauthenticated attackers to perform Stored XSS. Impact per sources is high (CVE-...