CVE-2026-39527
The CVE-2026-39527 entry concerns the WordPress WpStream plugin. Affected product: WordPress WpStream plugin versions prior to 4.11.2. Vulnerable component/behavior: Arbitrary File Upload under the Subscriber role, enabling an attacker with low privileges to upload arbitrary files. Root cause: de...
CVE-2026-39524
CVE-2026-39524 affects the WordPress Masteriyo LMS plugin <= 2.1.5. The vulnerability is described as Unauthenticated Broken Access Control, enabling a payment bypass vulnerability without authentication. CVSS 3.1 base score 7.5 (HIGH) with NETWORK attack vector, LOW attack complexity, and no ...
CVE-2026-39525
The CVE-2026-39525 entry documents an unauthenticated broken access control in the WordPress Booking Activities plugin, affected versions ≤ 1.16.48.1. The vulnerability allows unauthenticated actors to access or modify data via the plugin’s functionality (impact per CVSS: Confidentiality: None, I...
CVE-2026-39519
CVE-2026-39519 affects the WordPress plugin GeekyBot (versions <= 1.2.0). The vulnerability is an unauthenticated SQL Injection in GeekyBot
CVE-2026-39515
The Motors plugin for WordPress, versions prior to 1.4.107, contains a Broken Access Control vulnerability that involves the Subscriber role. The issue enables unauthorized actions due to access control weaknesses in Motors
CVE-2026-39518
The CVE pertains to WordPress EventPrime plugin versions
CVE-2026-39514
The CVE describes an unauthenticated Reflected Cross Site Scripting (XSS) vulnerability in the WordPress plugin Paid Member Subscriptions (versions up to 2.17.3). The issue is triggered via reflected input, affecting the plugin’s handling of user-supplied data and potentially enabling code execu...
CVE-2026-39513
CVE-2026-39513 affects the WordPress Easy Appointments plugin for versions up to 3.12.21, with an Unauthenticated Broken Access Control vulnerability. The connected documents confirm the affected product, version range, and vulnerability type but do not provide exploitation details, confirmed roo...
CVE-2026-39512
WordPress GeoDirectory plugin ≤ 2.8.152 contains an Unauthenticated SQL Injection vulnerability. The flaw enables network-based attacks with no authentication; CVSSv3.1 base score 9.3 (CRITICAL) with high confidentiality impact and low availability impact. Connected sources p...
CVE-2026-39511
CVE-2026-39511 affects the WordPress plugin WP Photo Album Plus
CVE-2026-39507
The CVE-2026-39507 entry refers to the WordPress Social Slider Feed plugin, affected in versions <= 2.3.2, with an unauthenticated Cross Site Scripting (XSS) vulnerability. The issue is described as unauthenticated XSS in Social Slider Feed
CVE-2026-39503
CVE-2026-39503 affects the WordPress plugin Easy Digital Downloads (versions
CVE-2026-39502
This CVE concerns the WordPress plugin Form Maker by 10Web (versions <= 1.15.38). The issue is described as an Unauthenticated SQL Injection vulnerability in Form Maker by 10Web
CVE-2026-39498
The connected document identifies CVE-2026-39498-related details: a PHP Object Injection vulnerability in the WordPress YayMail plugin, affecting versions ≤ 4.3.3 and discovered by daroo. No additional root-cause, impact, exploit, or remediation details are provided in the sources. Monitor for ...
CVE-2026-39499
The connected PatchStack entry documents a PHP Object Injection vulnerability in the WordPress plugin “Advanced Product Fields (Product Addons) for WooCommerce” (versions
CVE-2026-39492
The CVE records an unauthenticated SQL Injection in WordPress WP Maps plugin
CVE-2026-39493
CVE-2026-39493: The WordPress plugin Simply Schedule Appointments (versions
CVE-2026-39491
CVE-2026-39491 affects the WordPress JupiterX Core plugin (versions
CVE-2026-39489
The CVE-2026-39489 entry details a vulnerability in WordPress Download Monitor plugin versions
CVE-2026-39481
CVE-2026-39481 affects the WordPress plugin Modula Image Gallery (versions up to 2.14.18). The issue is described as a PHP Object Injection vulnerability in the plugin, with the author component cited in the initial description. Providing concrete exploit details, affected files, or remediation s...
CVE-2026-39480
CVE-2026-39480 affects the WordPress plugin Backup Migration (versions
CVE-2026-39474
CVE-2026-39474 concerns the WordPress Post Duplicator plugin (versions
CVE-2026-39478
CVE-2026-39478 concerns the WordPress plugin “Anti-Malware Security and Brute-Force Firewall” (versions
CVE-2026-39472
The CVE-2026-39472 affects the WordPress WooCommerce PDF Invoices & Packing Slips plugin prior to version 5.9.0, where a PHP Object Injection vulnerability was reported affecting shop manager operations. The root cause is a PHP Object Injection flaw in this plugin version, with CVSS 3.1 base metr...
CVE-2026-39471
CVE-2026-39471 affects the WordPress ShortPixel Image Optimizer plugin (
CVE-2026-39470
CVE-2026-39470 affects the WordPress plugin WooCommerce Cart Abandonment Recovery, specifically versions earlier than 2.1.0. The issue is a Privilege Escalation that allows a shop manager to gain higher privileges. The reported impact is Confidentiality, Integrity, and Availability at high severi...
CVE-2026-39468
WordPress Meta Box – WordPress Custom Fields Framework plugin
CVE-2026-39465
CVE-2026-39465: The WordPress plugin Responsive Slider by MetaSlider (versions
CVE-2026-39463
CVE-2026-39463 affects the WordPress plugin ManageWP Worker (versions
CVE-2026-39451
CVE-2026-39451 concerns the WordPress WP Google Review Slider plugin (versions <= 18.0), with an unauthenticated Cross-Site Scripting (XSS) vulnerability reported. The Patchstack entry notes the vulnerability (discovered by hhhai) in versions
CVE-2026-39450
CVE-2026-39450 concerns the WordPress FunnelKit Automations plugin, version
CVE-2026-39449
CVE-2026-39449 is an unauthenticated Cross Site Scripting (XSS) vulnerability in the WordPress plugin Contact Form to Any API for versions ≤ 3.0.3. The issue is documented by Patchstack and CVEs listed in connected records; affected component is the plugin and the root cause details are not discl...
CVE-2026-39447
CVE-2026-39447: Unauthenticated Cross-Site Scripting (XSS) in the WordPress plugin Simply Schedule Appointments (versions
CVE-2026-39435
CVE-2026-39435 affects WordPress CformsII plugin versions
CVE-2026-39441
CVE-2026-39441 affects the WordPress plugin Feed KuantoKusta for WooCommerce – Free, version
CVE-2026-34902
CVE-2026-34902 describes an unauthenticated Cross Site Scripting (XSS) vulnerability in the WordPress plugin “WooCommerce Product Table Lite” up to version 4.6.3. The issue affects the plugin’s handling of input in the product table rendering, enabling XSS payloads to be executed in contexts wher...
CVE-2026-39434
CVE-2026-39434 affects WordPress CTX Feed plugin (WebAppick CTX Feed) versions
CVE-2026-34901
CVE-2026-34901 affects WordPress iControlWP plugin,
CVE-2026-34898
The CVE-2026-34898 entry concerns the WordPress plugin “Event Tickets Manager for WooCommerce” (versions <= 1.5.3). It describes Unauthenticated Broken Access Control, with CVSS v3.1 base metrics: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, base score 7.5 (HIGH). The vulnerability impacts integrity (...
CVE-2026-34900
CVE-2026-34900 concerns the WordPress GiveWP plugin up to version 4.14.2, with an Unauthenticated Reflected Cross Site Scripting (XSS) vulnerability reported. The connected Patchstack entry confirms the affected product and vulnerability type (Reflected XSS) but does not provide specific exploit ...
CVE-2026-34892
The CVE-2026-34892 entry describes a Broken Access Control vulnerability in the WordPress Rank Math SEO plugin (versions
CVE-2026-34891
CVE-2026-34891 concerns the WordPress IDPay Payment Gateway for WooCommerce plugin (
CVE-2026-34886
The CVE-2026-34886 entry affects WordPress Simple Membership plugin versions
CVE-2026-27407
CVE-2026-27407 concerns the WordPress AI Engine plugin, affected versions
CVE-2026-27333
The CVE concerns the WordPress plugin “Paid Videochat Turnkey Site” (versions
CVE-2026-27089
WPTravelly plugin for WordPress, versions
CVE-2026-27053
The CVE concerns WordPress plugin Broadcast Live Video (versions
CVE-2026-25425
CVE-2026-25425 concerns the WordPress plugin User Registration (versions ≤ 5.1.2). The connected sources confirm an Unauthenticated Broken Access Control vulnerability in this plugin, affecting its ability to restrict access to certain functions or data. The CVE entry explicitly lists the issue a...
CVE-2026-25440
The CVE-2026-25440 entry concerns the WordPress plugin “Essential Addons for Elementor” (Lite) versions prior to 6.6.0, which contains an Unauthenticated Broken Access Control vulnerability. The issue is triggered in versions <6.6.0 and can be exploited without authentication, with no user int...
CVE-2026-24637
CVE-2026-24637 affects the WordPress PowerPress Podcasting plugin, specifically versions