CVE-2026-8386

WP Go Maps for WordPress is affected up to version 10.0.9. The vulnerability arises because the public single-marker REST endpoint does not filter by approval state, enabling unauthenticated users to fetch marker records that administrators have not approved for public display. Exposed data may i...

CVE-2026-9278

The CVE-2026-9278 entry concerns the Form Builder CP WordPress plugin prior to 1.2.47. Affected component: form_structure value handling in the plugin’s form configuration. Root cause: improper sanitization before storing and using the value in a client-side script, enabling Stored XSS. Impact: a...

CVE-2026-8386 WP Go Maps < 10.0.10 - Unauthenticated Sensitive Information Disclosure via Marker ID

The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address...

EUVD-2026-36698

The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address...

CVE-2026-8935

The CVE concerns the WP MAPS PRO WordPress plugin prior to version 6.1.1. The vulnerability arises from an unauthenticated AJAX action that, when a valid nonce (publicly emitted on frontend pages enqueuing the map script) is supplied, unconditionally creates an administrator account and returns a...

EUVD-2026-36697

The WP Go Maps WordPress plugin before 10.0.10 does not properly enforce the marker approval filter on the admin-ajax fallback for its datatables route, allowing unauthenticated visitors to retrieve marker records that the site owner has not approved for public display, including their title,...

CVE-2026-8385 WP Go Maps < 10.0.10 - Unauthenticated Sensitive Information Disclosure via Datatables AJAX Fallback

The WP Go Maps WordPress plugin before 10.0.10 does not properly enforce the marker approval filter on the admin-ajax fallback for its datatables route, allowing unauthenticated visitors to retrieve marker records that the site owner has not approved for public display, including their title,...

PT-2026-49437

Subscriber Broken Authentication in WP Full Stripe Free = 8.4.1 versions...

PT-2026-49452

Custom role Path Traversal in WP Customer Area = 8.3.4 versions...

PT-2026-49216

WordPress IMDb Profile Widget 1.0.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the url parameter. Attackers can supply directory traversal sequences in GET requests to pic.php to access sensitive files like...

PT-2026-49225

WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Attackers can send requests to the admin.php endpoint with action=duplicate quote invoice an...

PT-2026-49187

Name of the Vulnerable Software and Affected Versions OttoKit versions prior to 1.1.28 Description Unauthenticated PHP Object Injection occurs in the software. PHP Object Injection is a vulnerability that allows an attacker to pass malicious serialized objects into the application, which can lead...

PT-2026-49215

WordPress Plugin Photocart Link 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in decode.php. Attackers can supply base64-encoded file paths in the 'id' parameter to the decode.php endpoin...

PT-2026-49211

Answer My Question 1.3 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' POST parameter. Attackers can submit crafted SQL statements to the modal.php endpoint to extract...

PT-2026-49456

Unauthenticated SQL Injection in WP Data Access = 5.5.70 versions...

PT-2026-49232

Name of the Vulnerable Software and Affected Versions GPTranslate – Multilingual AI Translation for WordPress versions prior to 2.32.7 Description An unauthenticated SQL Injection exists in the GPTranslate plugin for WordPress. This allows an attacker to execute arbitrary SQL queries on the...

PT-2026-49223

WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file extensions to the uplo...

PT-2026-49487

Subscriber SQL Injection in WP Time Slots Booking Form = 1.2.50 versions...

PT-2026-49493

Subscriber SQL Injection in ELEX WordPress HelpDesk & Customer Ticketing System = 3.3.6 versions...

PT-2026-49403

Unauthenticated Privilege Escalation in WP BASE Booking = 5.9.0 versions...