CVE-2026-10753

The Site Kit by Google WordPress plugin before 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users who have been granted dashboard sharing access such as Editors to modify a site-wide Site Kit by Google WordPress plugin before 1.176.0...

CVE-2026-10092

The Cincopa video and media plug-in plugin for WordPress is vulnerable to Stored Cross-Site Scripting via cincopa Shortcode in Post Comments in all versions up to, and including, 1.163 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers...

CVE-2026-10531

The AI Share & Summarize WordPress plugin before 2.0.4 does not sanitise and escape some of its shortcode attributes before outputting them in a page, allowing users with the Contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2026-10552

The Blue Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 2.0.1. This is due to missing or incorrect nonce validation on the main admin panel blcapmainpage and on the Hall of Shame and Log subpages, which accept a 'blcapaction' / 'action'...

CVE-2026-10749

The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's double-serialization protection, allowing users with Contributor-level access and above to inject a PHP...

CVE-2026-10091

The Email JavaScript Cloak plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'email' shortcode in all versions up to, and including, 1.03 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...

EUVD-2026-38714

The Ultimate Member plugin for WordPress is vulnerable to Account Takeover via Password Reset Link Disclosure in all versions up to and including 2.11.4. This is due to a chain of three logic bugs: 1 an MD5 hash fallback in getdirectorybyhash that allows any post to be used as a member directory ...

CVE-2026-7761 Ultimate Member <= 2.11.4 - Authenticated (Contributor+) Account Takeover via Password Reset Link Disclosure

The Ultimate Member plugin for WordPress is vulnerable to Account Takeover via Password Reset Link Disclosure in all versions up to and including 2.11.4. This is due to a chain of three logic bugs: 1 an MD5 hash fallback in getdirectorybyhash that allows any post to be used as a member directory ...

CVE-2026-7761

CVE-2026-7761 affects the WordPress plugin Ultimate Member up to version 2.11.4. The description in connected sources details a chain of three logic flaws causing account takeover via password reset URL disclosure: (1) an MD5 hash fallback in get_directory_by_hash() allows routing to a crafted po...

CVE-2026-10749

CVE-2026-10749 affects the Post Duplicator WordPress plugin (pre-3.0.15). The vulnerability arises from improper handling of custom metadata during post duplication, storing attacker-supplied serialized values without the WordPress meta API double-serialization protection, enabling PHP Object inj...

EUVD-2026-38694

The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's double-serialization protection, allowing users with Contributor-level access and above to inject a PHP...

EUVD-2026-38695

The Site Kit by Google WordPress plugin before 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users who have been granted dashboard sharing access such as Editors to modify a site-wide Site Kit by Google WordPress plugin before 1.176.0...

EUVD-2026-38696

The Cornerstone WordPress plugin before 7.8.9 does not enforce capability checks on one of its REST API routes, allowing any authenticated user to disclose the metadata of any other user, including roles, session token previews and stored billing/shipping fields. This affects the premium co...

CVE-2026-9709

The CVE-2026-9709 entry describes a vulnerability in the Premium Cornerstone page builder bundled with the X Theme (WordPress plugin) prior to version 7.8.9. The root cause is missing capability checks on one REST API route, allowing any authenticated user to disclose metadata of other users, inc...

CVE-2026-10749 Post Duplicator < 3.0.15 - Contributor+ PHP Object Injection via customMetaData

The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's double-serialization protection, allowing users with Contributor-level access and above to inject a PHP...

CVE-2026-10753

CVE-2026-10753 concerns Site Kit by Google for WordPress prior to 1.176.0. A REST API write endpoint is not properly restricted to administrators, allowing lower-privileged users (e.g., Editors with dashboard sharing access) to modify a site-wide setting that should be admin-only. Impact: potenti...

CVE-2026-10531 AI Share & Summarize < 2.0.4 - Contributor+ Stored XSS via title_style Shortcode Attribute

The AI Share & Summarize WordPress plugin before 2.0.4 does not sanitise and escape some of its shortcode attributes before outputting them in a page, allowing users with the Contributor role and above to perform Stored Cross-Site Scripting attacks...

CVE-2026-10531

The CVE describes Stored XSS in the WordPress plugin “AI Share & Summarize” prior to version 2.0.4. The root cause is insufficient sanitisation/escaping of shortcode attributes (notably title_style) before output, enabling users with the Contributor role or higher to inject scripts on pages. Affe...

CVE-2026-9178 WP Forms Connector <= 1.8 - Missing Authorization to Unauthenticated Information Exposure via 'user/list' REST Endpoint

The WP Forms Connector plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.8. The plugin registers the REST route wp/v3/user/list/ callback userDetail with permissioncallback set to 'returntrue', and the function's home-grown authentication only...

CVE-2026-11997 Bulk SEO Image <= 1.1 - Cross-Site Request Forgery to Settings Update

The Bulk SEO Image plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.1. This is due to missing or incorrect nonce validation on the plugin's settings page handler BulkSeoImage, which dispatches to launchbulk / BulkSeoImageGo whenever the request...