83657 matches found
CVE-2026-12115
The Counter Box – Add Countdowns, Timers & Dynamic Counters to WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.0.13 via deserialization of untrusted input. This makes it possible for authenticated attackers, with administrator-level...
WordPress SALESmanago & Leadoo plugin <= 3.11.2 - SQL Injection vulnerability
SQL Injection vulnerability discovered by endy in WordPress Plugin SALESmanago & Leadoo versions <= 3.11.2...
CVE-2026-54804
WordPress Melhor Envio plugin ≤ 2.16.3 has a Broken Authentication vulnerability (CVE-2026-54804). CVSS v3.1: Network, Privileges Required Low, User Interaction None, Confidentiality/Integrity Low, Availability High; base score 7.6 (High). Affected: Melhor Envio WordPress plugin versions up to an...
CVE-2026-54803 WordPress SMS Alert Order Notifications plugin <= 3.9.4 - Privilege Escalation vulnerability
Subscriber Privilege Escalation in SMS Alert Order Notifications <= 3.9.4 versions...
CVE-2026-54802
CVE-2026-54802 affects the WordPress plugin “SMS Alert Order Notifications” (versions
CVE-2026-54189
JetEngine WordPress plugin
CVE-2026-54187 WordPress JetEngine plugin <= 3.8.10.1 - SQL Injection vulnerability
Unauthenticated SQL Injection in JetEngine <= 3.8.10.1 versions...
CVE-2026-54184
The CVE concerns WordPress plugin Clean Login prior to or up to version 1.15 with an Unauthenticated Insecure Direct Object References (IDOR) vulnerability. The root cause is an IDOR issue in the plugin, potentially exposing object identifiers to unauthenticated users. CVSS 3.1 metrics indicate h...
CVE-2026-52698 WordPress PushEngage – Web Push Notifications, eCommerce Automation & Chat Widget plugin <= 4.2.3 - Sensitive Data Exposure vulnerability
Subscriber Sensitive Data Exposure in PushEngage – Web Push Notifications, eCommerce Automation & Chat Widget <= 4.2.3 versions...
CVE-2026-49778 WordPress WPFunnels Pro plugin <= 2.9.4 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting XSS in WPFunnels Pro <= 2.9.4 versions...
CVE-2026-49081
The CVE-2026-49081 entry notes an Unauthenticated Broken Access Control in the WordPress User Registration Stripe plugin, affecting versions
CVE-2026-49058
CVE-2026-49058 affects WordPress LoginPress Pro plugin versions
CVE-2026-48967
CVE-2026-48967 concerns a SQL Injection vulnerability in the WordPress Geo Mashup plugin (versions
CVE-2026-45436
CVE-2026-45436 affects WordPress WPBakery Page Builder plugin for WordPress, specifically versions
CVE-2026-40783 WordPress Blocksy Companion Pro plugin <= 2.1.37 - Remote Code Execution (RCE) vulnerability
Contributor Remote Code Execution RCE in Blocksy Companion Pro <= 2.1.37 versions...
CVE-2026-40768
The CVE covers WordPress Salon booking system plugin versions
CVE-2026-40726
CVE-2026-40726 affects the WordPress plugin User Registration Stripe (versions
CVE-2026-40724 WordPress Client Portal (Pro) plugin <= 5.6.2 - Arbitrary File Download vulnerability
CP Client Arbitrary File Download in Client Portal Pro <= 5.6.2 versions...
CVE-2026-40724
CVE-2026-40724 concerns the WordPress Client Portal (Pro) plugin, affected versions <= 5.6.2. The vulnerability is described as an Arbitrary File Download in CP Client Arbitrary File Download for Client Portal (Pro)
CVE-2026-39597
This CVE covers an unauthenticated, reflected Cross Site Scripting (XSS) in the WordPress WPZOOM Addons for Elementor plugin (versions