CVE-2026-42728 WordPress HT Contact Form 7 plugin <= 2.8.2 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in HT Plugins HT Contact Form 7 ht-contactform allows Stored XSS.This issue affects HT Contact Form 7: from n/a through = 2.8.2...

CVE-2026-42735

The CVE concerns the WordPress KiviCare plugin by Iqonic Design (affected: KiviCare kivicare-clinic-management-system, plugin version

CVE-2026-42733

Summary: CVE-2026-42733 affects the WordPress RealMag777 WPCS currency-switcher plugin (WPCS) versions up to and including 1.3.1. The issue is a DOM-based XSS caused by improper input neutralization during web page generation . Reported CVSS v3.1 metrics indicate a base score of 7.1 (HIGH) with n...

CVE-2026-42738

The CVE-2026-42738 entry concerns the WordPress Clover-based plugin Smart Online Order for Clover (clover-online-orders), affected versions up to and including 1.6.0. A stored XSS flaw arises from improper neutralization of input during web page generation, enabling malicious input to be stored a...

CVE-2026-42737 WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.8.9 - Arbitrary File Deletion vulnerability

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Path Traversal.This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through = 1.8.9...

CVE-2026-42732

CVE-2026-42732 affects the WordPress plugin Ads by WPQuads (quick-adsense-reloaded) up to version 3.0.2. The issue is described as Improper Validation of Specified Quantity in Input, allowing Input Data Manipulation. The CVE notes a Medium severity (CVSS 3.1: 6.5) with network attack vector, no u...

CVE-2026-42736

BP Better Messages WordPress plugin ≤ 2.14.16 is affected by an Insecure Direct Object Reference (IDOR) vulnerability that enables an authorization bypass via a user-controlled key due to misconfigured access controls. Affected component: BP Better Messages plugin for WordPress; root cause: impro...

CVE-2026-42730 WordPress MasterStudy LMS plugin <= 3.7.29 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows Blind SQL Injection.This issue affects MasterStudy LMS: from n/a through = 3.7.29...

CVE-2026-42738 WordPress Smart Online Order for Clover plugin <= 1.6.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Stored XSS.This issue affects Smart Online Order for Clover: from n/a through = 1.6.0...

CVE-2026-42733 WordPress WPCS plugin <= 1.3.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in RealMag777 WPCS currency-switcher allows DOM-Based XSS.This issue affects WPCS: from n/a through = 1.3.1...

CVE-2026-42730

CVE-2026-42730 concerns the WordPress MasterStudy LMS plugin (versions

CVE-2026-42728

HT Contact Form 7 WordPress plugin (ht-contactform) &lt; = 2.8.2 is affected by CVE-2026-42728: Improper neutralization of input during web page generation, enabling Stored XSS. Root cause: input not properly sanitized before page generation. CVSSv3.1 base score 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I...

CVE-2026-42730 WordPress MasterStudy LMS plugin <= 3.7.29 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows Blind SQL Injection.This issue affects MasterStudy LMS: from n/a through = 3.7.29...

CVE-2026-42732 WordPress Ads by WPQuads plugin <= 3.0.2 - Broken Authentication vulnerability

Improper Validation of Specified Quantity in Input vulnerability in Ads by WPQuads Ads by WPQuads quick-adsense-reloaded allows Input Data Manipulation.This issue affects Ads by WPQuads: from n/a through = 3.0.2...

CVE-2026-42735 WordPress KiviCare plugin <= 4.3.0 - Broken Authentication vulnerability

Authentication Bypass Using an Alternate Path or Channel vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Password Recovery Exploitation.This issue affects KiviCare: from n/a through = 4.3.0...

CVE-2026-42732 WordPress Ads by WPQuads plugin <= 3.0.2 - Broken Authentication vulnerability

Improper Validation of Specified Quantity in Input vulnerability in Ads by WPQuads Ads by WPQuads quick-adsense-reloaded allows Input Data Manipulation.This issue affects Ads by WPQuads: from n/a through = 3.0.2...

CVE-2026-42725

CVE-2026-42725 describes an Insecure Direct Object References (IDOR) vulnerability in the WordPress plugin Checkout Files Upload for WooCommerce (versions

CVE-2026-42736 WordPress BP Better Messages plugin <= 2.14.16 - Insecure Direct Object References (IDOR) vulnerability

Authorization Bypass Through User-Controlled Key vulnerability in wordplus BP Better Messages bp-better-messages allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BP Better Messages: from n/a through = 2.14.16...

CVE-2026-42738 WordPress Smart Online Order for Clover plugin <= 1.6.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Stored XSS.This issue affects Smart Online Order for Clover: from n/a through = 1.6.0...

CVE-2026-42735 WordPress KiviCare plugin <= 4.3.0 - Broken Authentication vulnerability

Authentication Bypass Using an Alternate Path or Channel vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Password Recovery Exploitation.This issue affects KiviCare: from n/a through = 4.3.0...