EUVD-2026-34889

The WP Captcha PRO the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 5.38. This is due to a capability check in the saveajax function of the licensing module,...

EUVD-2026-34888

The WP Captcha PRO the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.38. This is due to the ajaxruntool AJAX handler relying solely on a nonce check...

CVE-2026-5415 WP Captcha PRO <= 5.38 - Authenticated (Subscriber+) Authentication Bypass via Temporary Login Link

The WP Captcha PRO the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.38. This is due to the ajaxruntool AJAX handler relying solely on a nonce check...

CVE-2026-5415

The CVE-2026-5415 issue affects the WP Captcha PRO plugin for WordPress (

CVE-2026-5415 WP Captcha PRO <= 5.38 - Authenticated (Subscriber+) Authentication Bypass via Temporary Login Link

The WP Captcha PRO the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.38. This is due to the ajaxruntool AJAX handler relying solely on a nonce check...

CVE-2026-5415

The WP Captcha PRO the premium version of the Advanced Google reCAPTCHA plugin, both have the same slug plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.38. This is due to the ajaxruntool AJAX handler relying solely on a nonce check...

CVE-2026-10580

The CVE-2026-10580 entry describes an Authentication Bypass vulnerability in the Hippoo Mobile App for WooCommerce WordPress plugin (versions up to 1.9.4). A logic conflation in HippooPermissions::get_user_permissions() makes administrators and unauthenticated visitors share a null sentinel, whic...

WordPress WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters plugin <= 4.9.4 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability

Authenticated Admin+ Stored Cross-Site Scripting vulnerability discovered by Yousef Alraddadi - none in WordPress Plugin WP Maps versions = 4.9.4...

WordPress MapPress Maps for WordPress plugin <= 2.96.6 - Unauthenticated Insecure Direct Object Reference vulnerability

Unauthenticated Insecure Direct Object Reference vulnerability discovered by Kitch - KitchGlobal in WordPress Plugin MapPress Maps for WordPress versions = 2.96.6...

WordPress SEO Plugin by Squirrly SEO plugin <= 12.4.16 - Missing Authorization to Authenticated (Contributor+) Privileged Cloud API Operations vulnerability

Missing Authorization to Authenticated Contributor+ Privileged Cloud API Operations vulnerability discovered by Abi Wiranata in WordPress Plugin SEO Plugin by Squirrly SEO versions = 12.4.16...

WordPress Klamra Paycal for Aspaclaria plugin <= 1.1.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Information Exposure vulnerability

Insecure Direct Object Reference to Authenticated Subscriber+ Sensitive Information Exposure vulnerability discovered by KEVIN LEE crattack - OPCIA in WordPress Plugin Klamra Paycal for Aspaclaria versions = 1.1.4...

WordPress Smart Slider 3 plugin <= 3.5.1.36 - Authenticated (Administrator+) Path Traversal to Arbitrary File Read vulnerability

Authenticated Administrator+ Path Traversal to Arbitrary File Read vulnerability discovered by Nguyen Khanh Hao in WordPress Plugin Smart Slider 3 versions = 3.5.1.36...

WordPress Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin <= 6.6.4 - Missing Authorization to Unauthenticated Information Exposure vulnerability

Missing Authorization to Unauthenticated Information Exposure vulnerability discovered by Anirudh Makkar in WordPress Plugin Essential Addons for Elementor versions = 6.6.4...

WordPress LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin <= 4.3.6 - Unauthenticated Sensitive Information Exposure vulnerability

Unauthenticated Sensitive Information Exposure vulnerability discovered by Jamshed Yergashvoyev CVE Guy - Turan Security in WordPress Plugin LearnPress versions = 4.3.6...

WordPress Quick Playground plugin <= 1.3.4 - Authenticated (Administrator+) Arbitrary File Read vulnerability

Authenticated Administrator+ Arbitrary File Read vulnerability discovered by Pablo Santiago in WordPress Plugin Quick Playground versions = 1.3.4...

WordPress MDJM Event Management plugin <= 1.7.8.3 - Authenticated (Administrator+) Arbitrary File Upload vulnerability

Authenticated Administrator+ Arbitrary File Upload vulnerability discovered by Ryan Kozak in WordPress Plugin Mobile DJ Manager versions = 1.7.8.3...

WordPress LearnPress – Backup & Migration Tool plugin <= 4.1.4 - Authenticated (Administrator+) Path Traversal to Arbitrary File Read vulnerability

Authenticated Administrator+ Path Traversal to Arbitrary File Read vulnerability discovered by Wannes Verwimp in WordPress Plugin LearnPress Export Import versions = 4.1.4...

WordPress EmbedPress – PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more plugin <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by UKO - Korea univ. in WordPress Plugin EmbedPress versions = 4.5.3...

WordPress Drag and Drop Multiple File Upload for Contact Form 7 plugin <= 1.3.9.7 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting vulnerability discovered by Bao Luu Gia Nguyen in WordPress Plugin Drag and Drop Multiple File Upload – Contact Form 7 versions = 1.3.9.7...

WordPress WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin <= 1.10.0.4 - Unauthenticated Insufficient Verification of Data Authenticity vulnerability

Unauthenticated Insufficient Verification of Data Authenticity vulnerability discovered by Valatty in WordPress Plugin Contact Form by WPForms versions = 1.10.0.4...