CVE-2026-49111 WordPress Masteriyo - LMS plugin <= 2.2.0 - Privilege Escalation vulnerability

Incorrect Privilege Assignment vulnerability in ThemeGrill Masteriyo - LMS allows Privilege Escalation. This issue affects Masteriyo - LMS: from n/a through 2.2.0...

CVE-2026-49111

The CVE covers WordPress Masteriyo LMS plugin versions up to 2.2.0 with an Incorrect Privilege Assignment vulnerability that enables Privilege Escalation. Affected component: Masteriyo LMS plugin. Root cause: incorrect privilege handling within the plugin. Impact: HIGH (CVSS 3.1, base score 8.8; ...

CVE-2026-49062 WordPress Faust.js plugin <= 1.8.7 - Broken Authentication vulnerability

Authentication Bypass Using an Alternate Path or Channel vulnerability in WP Engine Faust.Js allows Password Recovery Exploitation. This issue affects Faust.Js: from n/a through 1.8.7...

CVE-2026-49062 WordPress Faust.js plugin <= 1.8.7 - Broken Authentication vulnerability

Authentication Bypass Using an Alternate Path or Channel vulnerability in WP Engine Faust.Js allows Password Recovery Exploitation. This issue affects Faust.Js: from n/a through 1.8.7...

CVE-2026-49062

CVE-2026-49062 concerns the WordPress plugin Faust.js (faustwp)

CVE-2026-52704 WordPress WooCommerce PDF Invoice Builder plugin <= 2.0.8 - Remote Code Execution (RCE) vulnerability

Improper Control of Generation of Code 'Code Injection' vulnerability in Edgar Rojas WooCommerce PDF Invoice Builder allows Remote Code Inclusion. This issue affects WooCommerce PDF Invoice Builder: from n/a through 2.0.8...

CVE-2026-52704

The vulnerability CVE-2026-52704 affects the WordPress WooCommerce PDF Invoice Builder plugin (

CVE-2016-20068 WordPress Booking Calendar Contact Form 1.0.23 SQL Injection

WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send requests to the admin-ajax.php endpoint wit...

CVE-2016-20068

The CVE-2016-20068 entry details an unauthenticated blind SQL injection in WordPress Booking Calendar Contact Form 1.0.23. The vulnerability is triggered via admin-ajax.php with action set to dex_bccf_calendar_ajaxevent, using a crafted value in the id parameter to extract sensitive database info...

CVE-2016-20068 WordPress Booking Calendar Contact Form 1.0.23 SQL Injection

WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send requests to the admin-ajax.php endpoint wit...

EUVD-2016-10897

WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send requests to the admin-ajax.php endpoint wit...

EUVD-2019-20182

WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Attackers can send requests to the admin.php endpoint with action=duplicatequoteinvoice and...

CVE-2019-25746 WordPress Sliced Invoices 3.8.2 SQL Injection via post Parameter

WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Attackers can send requests to the admin.php endpoint with action=duplicatequoteinvoice and...

CVE-2019-25746

WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability exploitable via the post parameter. Attackers can target admin.php with action=duplicate_quote_invoice and malicious post values to extract data or modify data. Evidence: authenticated, low-privilege requirement...

CVE-2018-25437

CVE-2018-25437 concerns WordPress CherryFramework Themes 3.1.4, where an information disclosure vulnerability lets unauthenticated attackers download sensitive backup files via download_backup.php in admin/data_management, exposing the entire wp-content/themes directory. According to the provided...

CVE-2018-25437 WordPress CherryFramework Themes 3.1.4 Backup File Download

WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the downloadbackup.php endpoint. Attackers can directly access the downloadbackup.php script in the admin/datamanagement...

CVE-2018-25437 WordPress CherryFramework Themes 3.1.4 Backup File Download

WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the downloadbackup.php endpoint. Attackers can directly access the downloadbackup.php script in the admin/datamanagement...

EUVD-2018-21959

WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the downloadbackup.php endpoint. Attackers can directly access the downloadbackup.php script in the admin/datamanagement...

CVE-2019-25746 WordPress Sliced Invoices 3.8.2 SQL Injection via post Parameter

WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Attackers can send requests to the admin.php endpoint with action=duplicatequoteinvoice and...

CVE-2018-25436 WordPress Plugin Baggage Freight Shipping Australia 0.1.0 Arbitrary File Upload

WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file extensions to the uplo...