45948 matches found
NPM: OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners
NPM: OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners vulnerability discovered by ? in WordPress Npm openclaw versions = 2026.4.20...
WordPress Contest Gallery plugin <= 28.1.7 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by Jakub Herman in WordPress Plugin Contest Gallery versions <= 28.1.7...
WordPress Advanced Form Integration plugin <= 1.126.12 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Idan Vaknin in WordPress Plugin Advanced Form Integration versions <= 1.126.12...
WordPress Classified Listing plugin <= 5.3.8 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by endy in WordPress Plugin Classified Listing versions <= 5.3.8...
WordPress Contest Gallery plugin <= 28.1.7 - Other Vulnerability Type vulnerability
Other Vulnerability Type vulnerability discovered by endy in WordPress Plugin Contest Gallery versions <= 28.1.7...
WordPress Contest Gallery plugin <= 28.1.6 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by endy in WordPress Plugin Contest Gallery versions <= 28.1.6...
WordPress Best Payments Plugin for WP plugin <= 4.6.19 - Payment Bypass vulnerability
Payment Bypass vulnerability discovered by Weerawat Pawanawiwat ErbaZZ in WordPress Plugin Best Payments Plugin for WP versions <= 4.6.19...
WordPress Wallet System for WooCommerce plugin <= 2.7.5 - Broken Authentication vulnerability
Broken Authentication vulnerability discovered by Jakub Herman in WordPress Plugin Wallet System for WooCommerce versions <= 2.7.5...
WordPress Classified Listing plugin <= 5.3.9 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Jakub Herman in WordPress Plugin Classified Listing versions <= 5.3.9...
WordPress AutomatorWP plugin <= 5.6.7 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin AutomatorWP versions <= 5.6.7...
WordPress Favicon Rotator plugin <= 1.2.11 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by timomangcut in WordPress Plugin Favicon Rotator versions <= 1.2.11...
WordPress JoomSport plugin <= 5.7.7 - SQL Injection vulnerability
SQL Injection vulnerability discovered by daroo in WordPress Plugin JoomSport versions <= 5.7.7...
WordPress Classified Listing plugin <= 5.3.8 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Cruzer in WordPress Plugin Classified Listing versions <= 5.3.8...
WordPress GD Rating System plugin <= 3.6.2 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Doan Dinh Van in WordPress Plugin GD Rating System versions <= 3.6.2...
WordPress PowerPack Pro for Elementor plugin < v2.13.0 - Broken Authentication vulnerability
Broken Authentication vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin PowerPack Pro for Elementor versions < v2.13.0...
WordPress WP Meteor Website Speed Optimization Addon plugin <= 3.4.16 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin WP Meteor Page Speed Optimization Topping versions <= 3.4.16...
WordPress Eventin plugin <= 4.1.8 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Lorenzo Fradeani in WordPress Plugin WP Event SOlution versions <= 4.1.8...
WordPress WPPizza plugin <= 3.19.9 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by Muhan Luo in WordPress Plugin WPPizza versions <= 3.19.9...
WordPress Complianz – GDPR/CCPA Cookie Consent plugin <= 7.4.5 - Missing Authorization to Unauthenticated Private Post Content Disclosure vulnerability
Missing Authorization to Unauthenticated Private Post Content Disclosure vulnerability discovered by Wesley van de Kamp - Conda Security in WordPress Plugin Complianz versions <= 7.4.5...
WordPress Amelia plugin <= 2.2 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Niv Kochan in WordPress Plugin Amelia versions <= 2.2...
NPM: Apache Thrift Node.js bindings vulnerable to Uncontrolled Recursion
NPM: Apache Thrift Node.js bindings vulnerable to Uncontrolled Recursion vulnerability discovered by ? in WordPress Npm thrift versions 0.23.0...
WordPress Check & Log Email plugin < 2.0.13 - Unauthenticated Stored XSS vulnerability
Unauthenticated Stored XSS vulnerability discovered by Matthew Rollings in WordPress Plugin Check & Log Email versions < 2.0.13...
WordPress Woostify theme <= 2.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Theme Woostify versions <= 2.5.0...
WordPress Timeline Blocks for Gutenberg plugin <= 1.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Athiwat Tiprasaharn Jitlada in WordPress Plugin Timeline Blocks for Gutenberg versions <= 1.1.10...
WordPress Social Post Embed plugin <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by hxuu in WordPress Plugin Social Post Embed versions <= 2.0.1...
WordPress WP User Frontend plugin <= 4.3.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Sajjad Haqi in WordPress Plugin WP User Frontend versions <= 4.3.1...
WordPress Order Delivery Date for WooCommerce plugin <= 4.5.1 - SQL Injection vulnerability
SQL Injection vulnerability discovered by daroo in WordPress Plugin Order Delivery Date for WooCommerce versions <= 4.5.1...
WordPress Profile Builder Pro plugin <= 3.15.0 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Profile Builder Pro versions <= 3.15.0...
WordPress Simply Schedule Appointments plugin < 1.6.11.2 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by Jakub Herman in WordPress Plugin Simply Schedule Appointments versions < 1.6.11.2...
WordPress Funnel Builder by FunnelKit plugin <= 3.15.0.1 - SQL Injection vulnerability
SQL Injection vulnerability discovered by daroo in WordPress Plugin Funnel Builder by FunnelKit versions <= 3.15.0.1...
WordPress AI Lab theme < 5.4.2 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme AI Lab versions < 5.4.2...
WordPress LatePoint plugin <= 5.4.1 - Authenticated (Agent+) Privilege Escalation to Administrator via 'connect-customer-to-wp-user' Ability vulnerability
Authenticated (Agent+) Privilege Escalation to Administrator via 'connect-customer-to-wp-user' Ability vulnerability discovered by skyv3il - AI SAFE in WordPress Plugin LatePoint versions <= 5.4.1...
WordPress TheGem theme Elements (for Elementor) plugin < 5.12.1.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin TheGem Theme Elements for Elementor versions < 5.12.1.1...
WordPress Highland Software Custom Role Manager plugin <= 1.0.0 - Authenticated (Subscriber+) Privilege Escalation vulnerability
Authenticated (Subscriber+) Privilege Escalation vulnerability discovered by Herc Bandiola in WordPress Plugin Highland Software Custom Role Manager versions <= 1.0.0...
WordPress SureForms Pro plugin <= 2.8.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin SureForms Pro versions <= 2.8.0...
WordPress Templately plugin <= 3.6.1 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by Ananda Dhakal Patchstack in WordPress Plugin Templately versions <= 3.6.1...
NPM: OpenClaw: Agent gateway config mutations could change protected operator settings
NPM: OpenClaw: Agent gateway config mutations could change protected operator settings vulnerability discovered by ? in WordPress Npm openclaw versions 2026.4.20...
NPM: OpenClaw: Bundled MCP/LSP tools could bypass configured tool policy
NPM: OpenClaw: Bundled MCP/LSP tools could bypass configured tool policy vulnerability discovered by ? in WordPress Npm openclaw versions 2026.4.20...
NPM: OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests
NPM: OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests vulnerability discovered by ? in WordPress Npm openclaw versions = 2026.4.5, 2026.4.20...
NPM: OpenClaw: Browser CDP profile creation skipped strict-mode SSRF checks
NPM: OpenClaw: Browser CDP profile creation skipped strict-mode SSRF checks vulnerability discovered by ? in WordPress Npm openclaw versions 2026.4.20...
NPM: OpenClaw: Paired-device pairing actions were not limited to the caller device
NPM: OpenClaw: Paired-device pairing actions were not limited to the caller device vulnerability discovered by ? in WordPress Npm openclaw versions 2026.4.20...
NPM: OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config
NPM: OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config vulnerability discovered by ? in WordPress Npm openclaw versions 2026.4.20...
NPM: OpenClaw: Isolated cron awareness events were recorded as trusted system events
NPM: OpenClaw: Isolated cron awareness events were recorded as trusted system events vulnerability discovered by ? in WordPress Npm openclaw versions 2026.4.20...
NPM: OpenClaw: Feishu card actions could misclassify DMs and skip dmPolicy
NPM: OpenClaw: Feishu card actions could misclassify DMs and skip dmPolicy vulnerability discovered by ? in WordPress Npm openclaw versions 2026.4.20...
NPM: OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization
NPM: OpenClaw: Assistant media route missed scope enforcement for trusted-proxy authorization vulnerability discovered by ? in WordPress Npm openclaw versions 2026.4.20...
NPM: OpenClaw: Hook mapping templates could bypass hook session-key opt-in
NPM: OpenClaw: Hook mapping templates could bypass hook session-key opt-in vulnerability discovered by ? in WordPress Npm openclaw versions 2026.4.20...
NPM: simple-git is vulnerable to Remote Code Execution
NPM: simple-git is vulnerable to Remote Code Execution vulnerability discovered by ? in WordPress Npm simple-git versions 3.36.0...
WordPress myCred plugin <= 3.0.3 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Jakub Herman in WordPress Plugin myCred versions <= 3.0.3...
WordPress Groundhogg plugin < 4.4.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Jakub Herman in WordPress Plugin Groundhogg versions < 4.4.1...
NPM: PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
NPM: PostCSS has XSS via Unescaped </style> in its CSS Stringify Output vulnerability discovered by ? in WordPress Npm postcss versions 8.5.10...