EUVD-2026-30236

The GLS Shipping for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'failedorders' parameter in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...

📄 WordPress Supsystic Contact Form 1.7.36 Server-Side Template Injection

Proof of concept code execution exploit for a server-side template injection vulnerability in WordPress Supsystic Contact Form plugin versions 1.7.36 and below Exploit Title: WordPress Plugin Supsystic Contact Form 1.7.36 - SSTI Date: 3/30/2026 Exploit Author: bootstrapbool Vendor Homepage:...

WordPress plugin Essential Addons for Elementor 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

WordPress plugin MapGeo – Interactive Geo Maps 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

WordPress plugin Bold Page Builder 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

WordPress plugin MW WP Form 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

WordPress Media Sync plugin <= 1.4.9 - Authenticated (Author+) Path Traversal vulnerability

Authenticated Author+ Path Traversal vulnerability discovered by Drew Webber mcdruid in WordPress Plugin Media Sync versions = 1.4.9...

WordPress LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin <= 4.3.5 - Authenticated (Subscriber+) Payment Bypass to Free Course Enrollment vulnerability

Authenticated Subscriber+ Payment Bypass to Free Course Enrollment vulnerability discovered by winrace in WordPress Plugin LearnPress versions = 4.3.5...

CVE-2020-37169 WordPress Plugin ultimate-member 2.1.3 Local File Inclusion

WordPress Plugin ultimate-member 2.1.3 contains a local file inclusion vulnerability that allows authenticated attackers to include arbitrary files by manipulating the pack parameter in class-admin-upgrade.php. Attackers can send POST requests with malicious pack values to include unintended PHP...

CVE-2026-4608

CVE-2026-4608 affects the WordPress ProfileGrid – User Profiles, Groups and Communities plugin (versions up to and including 5.9.8.4). It describes a blind SQL Injection via the rid parameter, caused by insufficient escaping of user input and inadequate query preparation, allowing authenticated a...

CVE-2026-7619

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 1.8.10.4 due to insufficient escaping on the user supplied parameter and lack of...

PT-2026-40595

The RTMKit Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the save widget and reset all widgets functions in all versions up to, and including, 2.0.2. This makes it possible for authenticated attackers, with...

PT-2026-40582

The Snow Monkey Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-slick' attribute in all versions up to, and including, 24.1.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

PT-2026-40610

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to blind SQL Injection via the 'rid' parameter in all versions up to, and including, 5.9.8.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQ...

WordPress plugin Cost of Goods 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

WordPress plugin Powie s WHOIS Domain Check 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

NPM: OpenClaude Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input

NPM: OpenClaude Sandbox Bypass via Model-Controlled dangerouslyDisableSandbox Input vulnerability discovered by ? in WordPress Npm openclaude versions 0.5.1...

WordPress Broadstreet plugin <= 1.53.1 - Missing Authorization to Authenticated (Subscriber+) Advertiser Creation vulnerability

Missing Authorization to Authenticated Subscriber+ Advertiser Creation vulnerability discovered by greenhats - Student in WordPress Plugin Broadstreet Ads versions = 1.53.1...

CVE-2026-45212 WordPress Asset CleanUp: Page Speed Booster plugin <= 1.4.0.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in Gabe Livan Asset CleanUp: Page Speed Booster wp-asset-clean-up allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Asset CleanUp: Page Speed Booster: from n/a through = 1.4.0.3...

CVE-2026-42741 WordPress Ninja Forms Views – Display & Edit Ninja Forms Submissions on your site frontend plugin <= 3.3.2 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Aman Ninja Forms Views Display & Edit Ninja Forms Submissions on your site frontend views-for-ninja-forms allows Blind SQL Injection.This issue affects Ninja Forms Views Display & Edit Ninja Forms...