PT-2026-49082
Name of the Vulnerable Software and Affected Versions: FooGallery versions prior to 3.1.32. Description: The FooGallery plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs because the foogallery sanitize javascript function uses an incomplete blacklist for JavaScript event...
PT-2026-49090
Name of the Vulnerable Software and Affected Versions: Meow Gallery versions prior to 5.4.5. Description: The Meow Gallery plugin for WordPress allows unauthorized modification of data because of a missing capability check on the REST API endpoint "/wp-json/meow-gallery/v1/save shortcode"...
PT-2026-49091
Name of the Vulnerable Software and Affected Versions: Bookly versions prior to 27.3. Description: The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs due to insufficient input sanitization and output escaping...
CVE-2026-24618 WordPress Hash Elements plugin <= 1.5.4 - Sensitive Data Exposure vulnerability
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in HashThemes Hash Elements allows Retrieve Embedded Sensitive Data. This issue affects Hash Elements: from n/a through 1.5.4...
CVE-2026-24618
CVE-2026-24618 affects the WordPress Hash Elements plugin (Hash Elements) versions up to 1.5.4. The vulnerability is described as Exposure of Sensitive System Information to an Unauthorized Control Sphere, enabling retrieval of embedded sensitive data. According to the provided sources, the CVSS ...
WordPress Hash Elements plugin <= 1.5.4 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by theviper17 in WordPress Plugin Hash Elements versions <= 1.5.4...
WordPress Meow Gallery plugin <= 5.4.4 - Missing Authorization to Authenticated (Author+) Shortcode creation vulnerability
Missing Authorization to Authenticated (Author+) Shortcode creation vulnerability discovered by Chawabhon Netisingha JNX03 in WordPress Plugin Meow Gallery versions <= 5.4.4...
WordPress Page Builder: Pagelayer – Drag and Drop website builder plugin <= 2.0.9 - Incorrect Authorization to Authenticated (Contributor+) Mail Relay Configuration vulnerability
Incorrect Authorization to Authenticated (Contributor+) Mail Relay Configuration vulnerability discovered by Drew Webber mcdruid in WordPress Plugin PageLayer versions <= 2.0.9...
WordPress Page Builder: Pagelayer – Drag and Drop website builder plugin <= 2.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by ? in WordPress Plugin PageLayer versions <= 2.0.9...
WordPress Canvas plugin <= 2.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Theme Canvas versions <= 2.5.2...
WordPress Photo Gallery by FooGallery : Responsive Image Gallery, Masonry Gallery & Carousel plugin <= 3.1.31 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin FooGallery versions <= 3.1.31...
WordPress LWS Optimize – All-in-One Speed Booster & Cache Tools plugin <= 3.3.19 - Authenticated (Editor+) Arbitrary File Read vulnerability
Authenticated (Editor+) Arbitrary File Read vulnerability discovered by Omar Elshopky in WordPress Plugin LWS Optimize versions <= 3.3.19...
WordPress Kastell theme <= 2.0 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds in WordPress Theme Kastell versions <= 2.0...
WordPress FastDup plugin <= 2.7.2 - Path Traversal vulnerability
Path Traversal vulnerability discovered by R2D2 in WordPress Plugin FastDup versions <= 2.7.2...
WordPress JetEngine plugin <= 3.8.10 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by VanTastic in WordPress Plugin JetEngine versions <= 3.8.10...
WordPress Nifty theme <= 1.4.1 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Bonds in WordPress Theme Nifty versions <= 1.4.1...
WordPress WordPress & WooCommerce Scraper Plugin, Import Data from Any Site plugin <= 1.0.7 - Arbitrary File Download vulnerability
Arbitrary File Download vulnerability discovered by Bonds in WordPress Plugin WordPress & WooCommerce Scraper Plugin, Import Data from Any Site versions <= 1.0.7...
WordPress WordPress & WooCommerce Scraper Plugin, Import Data from Any Site plugin <= 1.0.7 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Denver Jackson in WordPress Plugin WordPress & WooCommerce Scraper Plugin, Import Data from Any Site versions <= 1.0.7...
WordPress BookPro plugin <= 1.1.0 - Arbitrary File Deletion vulnerability
Arbitrary File Deletion vulnerability discovered by Phat RiO in WordPress Plugin BookPro versions <= 1.1.0...