NPM: OpenClaw: Workspace dotenv files cannot override connector endpoint hosts

NPM: OpenClaw: Workspace dotenv files cannot override connector endpoint hosts vulnerability discovered by ? in WordPress Npm openclaw versions = 2026.4.21...

NPM: OpenClaw's ACP child sessions inherit subagent security envelope constraints

NPM: OpenClaw's ACP child sessions inherit subagent security envelope constraints vulnerability discovered by ? in WordPress Npm openclaw versions = 2026.4.21...

WordPress User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin <= 5.1.4 - Missing Authorization to Authenticated (Contributor+) Limited Page Content Modification vulnerability

Missing Authorization to Authenticated Contributor+ Limited Page Content Modification vulnerability discovered by Hunter Jensen skid in WordPress Plugin User Registration versions = 5.1.4...

WordPress GenerateBlocks plugin <= 2.2.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure vulnerability

Insecure Direct Object Reference to Authenticated Contributor+ Sensitive Information Exposure vulnerability discovered by kai63001 in WordPress Plugin GenerateBlocks versions = 2.2.0...

WordPress Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin <= 1.52.0 - Missing Authorization to Unauthenticated Stripe PaymentIntent Reuse / Underpayment Bypass vulnerability

Missing Authorization to Unauthenticated Stripe PaymentIntent Reuse / Underpayment Bypass vulnerability discovered by Kittipat Jitphonchana in WordPress Plugin Forminator versions = 1.52.0...

NPM: OpenClaw: Slack thread context could include messages from non-allowlisted senders

NPM: OpenClaw: Slack thread context could include messages from non-allowlisted senders vulnerability discovered by ? in WordPress Npm openclaw versions = 2026.4.1...

WordPress WebinarIgnition plugin < 4.09.86 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Dahmani Toumi pegaSUS in WordPress Plugin WebinarIgnition versions 4.09.86...

WordPress Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel plugin <= 2.7.10 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Webbernaut in WordPress Plugin Carousel, Slider, Gallery by WP Carousel versions = 2.7.10...

WordPress Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin <= 1.7.1056 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Caspian in WordPress Plugin Royal Elementor Addons versions = 1.7.1056...

WordPress Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin <= 3.5.3 - Authenticated (Contributor+) Server-Side Request Forgery vulnerability

Authenticated Contributor+ Server-Side Request Forgery vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin Gutenverse versions = 3.5.3...

WordPress EmailKit – Email Customizer for WooCommerce & WP plugin <= 1.6.5 - Authenticated (Author+) Arbitrary File Read vulnerability

Authenticated Author+ Arbitrary File Read vulnerability discovered by Nguyen Cong Quang in WordPress Plugin EmailKit versions = 1.6.5...

WordPress Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin <= 3.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Gutenverse versions = 3.5.3...

WordPress Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website plugin <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zaim in WordPress Plugin Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website versions = 2.1.0...

WordPress Publish 2 Ping.fm plugin <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability

Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Publish 2 Ping.fm versions = 1.1...

WordPress addfreespace plugin <= 0.1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability

Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin addfreespace versions = 0.1.3...

WordPress DX Sources plugin <= 2.0.1 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin DX Sources versions = 2.0.1...

WordPress WP-Clippy plugin <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin WP-Clippy versions = 1.0.0...

WordPress Simple Owl Shortcodes plugin <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by MAJidox in WordPress Plugin Simple Owl Shortcodes versions = 2.1.1...

WordPress Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories plugin <= 4.10.0 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting vulnerability discovered by zaim in WordPress Plugin Post Expirator versions = 4.10.0...

WordPress Loco Translate plugin <= 2.8.2 - Authenticated (Translator+) Path Traversal to Limited File Read vulnerability

Authenticated Translator+ Path Traversal to Limited File Read vulnerability discovered by shark3y in WordPress Plugin Loco Translate versions = 2.8.2...

WordPress Simple Membership plugin <= 4.7.2 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by hhhai in WordPress Plugin Simple Membership versions = 4.7.2...

WordPress Event Tickets plugin <= 5.27.5 - Bypass Vulnerability vulnerability

Bypass Vulnerability vulnerability discovered by endy in WordPress Plugin Event Tickets versions = 5.27.5...

WordPress Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin <= 4.11.70 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Fernando Mecozzi in WordPress Plugin Premium Addons for Elementor versions = 4.11.70...

WordPress Total theme <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Theme Total versions = 2.2.1...

WordPress Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin <= 1.7.1056 - Missing Authorization to Unauthenticated Form Action Meta Modification vulnerability

Missing Authorization to Unauthenticated Form Action Meta Modification vulnerability discovered by Nguyen C in WordPress Plugin Royal Elementor Addons versions = 1.7.1056...

WordPress FundPress – WordPress Donation Plugin plugin <= 2.0.8 - Missing Authorization to Unauthenticated Arbitrary Donation Status Modification vulnerability

Missing Authorization to Unauthenticated Arbitrary Donation Status Modification vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin FundPress versions = 2.0.8...

WordPress Booking for Appointments and Events Calendar – Amelia plugin <= 2.1.2 - Unauthenticated Authorization Bypass vulnerability

Unauthenticated Authorization Bypass vulnerability discovered by awhacken in WordPress Plugin Amelia versions = 2.1.2...

WordPress WP Customer Area plugin <= 8.3.4 - Path Traversal vulnerability

Path Traversal vulnerability discovered by iamlooper in WordPress Plugin WP Customer Area versions = 8.3.4...

WordPress Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress plugin <= 3.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Caspian in WordPress Plugin Jeg Elementor Kit versions = 3.1.0...

WordPress Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin <= 6.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by ? in WordPress Plugin Essential Blocks for Gutenberg versions = 6.0.4...

WordPress App Builder – Create Native Android & iOS Apps On The Flight plugin <= 5.6.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Avatar Modification vulnerability

Insecure Direct Object Reference to Authenticated Subscriber+ Arbitrary User Avatar Modification vulnerability discovered by Ren Voza in WordPress Plugin App Builder versions = 5.6.0...

WordPress Simple Link Directory plugin <= 8.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zaim in WordPress Plugin Simple Link Directory versions = 8.9.2...

WordPress MaxiBlocks Builder | 17,000+ Design Assets, Patterns, Icons & Starter Sites plugin <= 2.1.9 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability

Authenticated Author+ Stored Cross-Site Scripting vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin MaxiBlocks versions = 2.1.9...

WordPress Advanced Classifieds & Directory Pro plugin <= 3.2.4 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin Advanced Classifieds & Directory Pro versions = 3.2.4...

WordPress Advanced Scrollbar – Custom Scrollbar Styling and Behavior plugin <= 1.1.3 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin Advanced scrollbar versions = 1.1.3...

WordPress AEH Speed Optimization: Browser Cache, Optimized Minify, Lazy Loading & Image Optimization plugin <= 2.9.2 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin Add Expires Headers & Optimized Minify versions = 2.9.2...

WordPress AI Bud – AI Content Generator, AI Chatbot, ChatGPT, Gemini, GPT-4o plugin <= 1.7.2 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin AiBud WP versions = 1.7.2...

WordPress AI Puffer – Chat. Create. Automate. (formerly AI Power) plugin <= 1.8.99 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin GPT3 AI Content Writer versions = 1.8.99...

WordPress AidWP – Donation & Payment Forms (Stripe Powered) plugin <= 3.2.6 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin AidWP versions = 3.2.6...

WordPress Announcement & Notification Banner – Bulletin plugin <= 3.12.1 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin WordPress Announcement & Notification Banner Plugin – Bulletin versions = 3.12.1...

WordPress Anti-Spam Protection – No API Key, GDPR Friendly plugin <= 2.3.7 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin Anti-Spam by Fullworks : GDPR Compliant Spam Protection versions = 2.3.7...

WordPress Auto-Install Free SSL – Generate & Install Free SSL Certificates plugin <= 4.5.0 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin Free SSL Certificate Plugin, HTTPS Redirect, Renewal Reminder – Auto-Install Free SSL versions = 4.5.0...

WordPress Automatic Internal Links for SEO by Pagup plugin <= 2.0.0 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin Internal Linking for SEO traffic & Ranking – Auto internal links 100% automatic versions = 2.0.0...

WordPress Automatic YouTube Gallery plugin <= 2.5.5 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin Automatic YouTube Gallery versions = 2.5.5...

WordPress AWCA – The Great Analytics Insights for Your eStore plugin <= 3.12.0 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin Advanced WC Analytics versions = 3.12.0...

WordPress Better Messages – Live Chat, Chat Rooms, Real-Time Messaging & Private Messages plugin <= 2.6.7 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin BP Better Messages versions = 2.6.7...

WordPress bBlocks – Essential Gutenberg Blocks & Patterns Collection plugin <= 1.9.8 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin B Blocks versions = 1.9.8...

WordPress BlockSpare — News, Magazine and Blog Addons for (Gutenberg) Block Editor plugin <= 3.2.6 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin Blockspare versions = 3.2.6...

WordPress Blog Designer Pack – Blog, Post Grid, Post Slider, Post Carousel, Category Post, News plugin <= 3.4.9 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin News & Blog Designer Pack versions = 3.4.9...

WordPress Bulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO) plugin <= 2.1.0 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin Bulk Auto Image Alt Text Alt tag, Alt attribute optimization image SEO + Woocommerce versions = 2.1.0...