CVE Database
Searchable database of security vulnerabilities. Filter by vendor, severity or time period.
CVE-2026-3124 - The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all v
CVE-2026-2602 - The Twentig plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'featuredImage
CVE-2026-2442 - The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Im
CVE-2026-1307 - The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to
CVE-2025-15445 - The Restaurant Cafeteria WordPress theme through 0.4.6 exposes insecure admin-ajax actions without n
CVE-2025-12886 - The Oxygen Theme theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up
CVE-2026-4987 - The SureForms – Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress is vulne
CVE-2026-4248 - The Ultimate Member plugin for WordPress is vulnerable to Sensitive Information Exposure in all vers
CVE-2026-33559 - WordPress Plugin "OpenStreetMap" provided by MiKa contains a cross-site scripting vulnerability. On
CVE-2026-3098 - The Smart Slider 3 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to,
CVE-2026-2511 - The JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress is vulnerable to SQL I
CVE-2026-2389 - The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scr
CVE-2026-2231 - The Fluent Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple pa
CVE-2026-1032 - The Conditional Menus plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versio
CVE-2026-1890 - The LeadConnector WordPress plugin before 3.0.22 does not have authorization in a REST route, allowi
CVE-2026-1430 - The WP Lightbox 2 WordPress plugin before 3.0.7 does not sanitise and escape some of its settings, w
CVE-2025-15488 - The Responsive Plus WordPress plugin before 3.4.3 is vulnerable to arbitrary shortcode execution du
CVE-2025-15433 - The Shared Files WordPress plugin before 1.7.58 allows users with a role as low as Contributor to d
CVE-2026-1206 - The Elementor Website Builder plugin for WordPress is vulnerable to Incorrect Authorization to Sensi
CVE-2026-4389 - The DSGVO snippet for Leaflet Map and its Extensions plugin for WordPress is vulnerable to Stored Cr
CVE-2026-4331 - The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthoriz
CVE-2026-4329 - The Blackhole for Bad Bots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the
CVE-2026-4281 - The FormLift for Infusionsoft Web Forms plugin for WordPress is vulnerable to Missing Authorization
CVE-2026-4278 - The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via th
CVE-2026-2931 - The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versio
CVE-2026-4335 - The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via
CVE-2026-4075 - The BWL Advanced FAQ Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting
CVE-2026-3328 - The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via dese
CVE-2026-1986 - The FloristPress for Woo – Customize your eCommerce store for your Florist plugin for WordPress is v
CVE-2026-4484 - The Masteriyo LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to,
CVE-2026-4758 - The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient
CVE-2026-25334 - Incorrect Privilege Assignment vulnerability in wordpresschef Salon Booking System Pro salon-booking
CVE-2026-23806 - Missing Authorization vulnerability in BlueGlass Interactive AG Jobs for WordPress job-postings allo
CVE-2026-22523 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability i
CVE-2026-2343 - The PeproDev Ultimate Invoice WordPress plugin through 2.2.5 has a bulk download invoices action tha
CVE-2026-4766 - The Easy Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gal
CVE-2026-4662 - The JetEngine plugin for WordPress is vulnerable to SQL Injection via the `listing_load_more` AJAX a
CVE-2026-4283 - The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized account destruction in
CVE-2026-3138 - The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to unauthorized data lo
CVE-2026-3079 - The LearnDash LMS plugin for WordPress is vulnerable to blind time-based SQL Injection via the 'filt
CVE-2026-33290 - WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw
CVE-2026-4056 - The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification o
CVE-2026-4021 - The Contest Gallery plugin for WordPress is vulnerable to an authentication bypass leading to admin
CVE-2026-4001 - The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Executio
CVE-2026-4306 - The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the 'radius' parameter in
CVE-2026-4066 - The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a m
CVE-2026-3225 - The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized deletion of
CVE-2026-2412 - The Quiz and Survey Master (QSM) plugin for WordPress is vulnerable to SQL Injection via the 'merged
CVE-2025-6229 - The Sina Extension for Elementor (Header Builder, Footer Builter, Theme Builder, Slider, Gallery, Fo
CVE-2026-1969 - The trx_addons WordPress plugin before 2.38.5 does not correctly validate file types in one of its A
CVE-2026-4314 - The 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress is vulnerable to Privilege E
CVE-2026-3427 - The Yoast SEO – Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnera
CVE-2026-3629 - The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation
CVE-2026-4373 - The JetFormBuilder plugin for WordPress is vulnerable to arbitrary file read via path traversal in a
CVE-2026-4261 - The Expire Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, a
CVE-2026-4161 - The Review Map by RevuKangaroo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via
CVE-2026-4143 - The Neos Connector for Fakturama plugin for WordPress is vulnerable to Cross-Site Request Forgery in
CVE-2026-4127 - The Speedup Optimization plugin for WordPress is vulnerable to Missing Authorization in all versions
CVE-2026-4087 - The Pre* Party Resource Hints plugin for WordPress is vulnerable to SQL Injection via the 'hint_ids'
CVE-2026-4086 - The WP Random Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cat'
CVE-2026-4084 - The fyyd podcast shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via th
CVE-2026-4077 - The Ecover Builder For Dummies plugin for WordPress is vulnerable to Stored Cross-Site Scripting via
CVE-2026-4072 - The WordPress PayPal Donation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via
CVE-2026-4069 - The Alfie – Feed Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'n
CVE-2026-4067 - The Ad Short plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ad' shortcod
CVE-2026-4022 - The Show Posts list – Easy designs, filters and more plugin for WordPress is vulnerable to Stored Cr
CVE-2026-4004 - The Task Manager plugin for WordPress is vulnerable to arbitrary shortcode execution via the 'search
CVE-2026-3997 - The Text Toggle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' sh
CVE-2026-3996 - The WP Games Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [game]
CVE-2026-3651 - The Build App Online plugin for WordPress is vulnerable to unauthorized access in all versions up to
CVE-2026-3645 - The Punnel – Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all
CVE-2026-3641 - The Appmax plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, an
CVE-2026-3619 - The Sheets2Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'titles'
CVE-2026-3617 - The Paypal Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'amou
CVE-2026-3570 - The Smarter Analytics plugin for WordPress is vulnerable to unauthorized access in all versions up t
CVE-2026-3554 - The Sherk Custom Post Type Displays plugin for WordPress is vulnerable to Stored Cross-Site Scriptin
CVE-2026-3546 - The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all
CVE-2026-3506 - The WP-Chatbot for Messenger plugin for WordPress is vulnerable to authorization bypass in all versi
CVE-2026-3478 - The Content Syndication Toolkit plugin for WordPress is vulnerable to Server-Side Request Forgery in
CVE-2026-3460 - The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference i
CVE-2026-3354 - The Wikilookup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Popup Widt
CVE-2026-3353 - The Comment SPAM Wiper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'AP
CVE-2026-3347 - The Multi Functional Flexi Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scriptin
CVE-2026-3335 - The Canto plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and inc
CVE-2026-3334 - The CMS Commander plugin for WordPress is vulnerable to SQL Injection via the 'or_blogname', 'or_blo
CVE-2026-3333 - The MinhNhut Link Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the
CVE-2026-3331 - The Lobot Slider Administrator plugin for WordPress is vulnerable to Cross-Site Request Forgery in v
CVE-2026-3003 - The Vagaro Booking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the
CVE-2026-2941 - The Linksy Search and Replace plugin for WordPress is vulnerable to unauthorized modification of dat
CVE-2026-2837 - The Ricerca – advanced search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via
CVE-2026-2723 - The Post Snippits plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions u
CVE-2026-2720 - The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of sensitive employee da
CVE-2026-2503 - The ElementCamp plugin for WordPress is vulnerable to time-based SQL Injection via the 'meta_query[c
CVE-2026-2501 - The Ed's Social Share plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plug
CVE-2026-2496 - The Ed's Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plug
CVE-2026-2468 - The Quentn WP plugin for WordPress is vulnerable to SQL Injection via the 'qntn_wp_access' cookie in
CVE-2026-2440 - The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to
CVE-2026-2427 - The itsukaita plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'day_from
CVE-2026-2424 - The Reward Video Ad for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting
CVE-2026-2375 - The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable
CVE-2026-2351 - The Task Manager plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, an
CVE-2026-2294 - The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vuln
CVE-2026-2290 - The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all vers
CVE-2026-2279 - The myLinksDump plugin for WordPress is vulnerable to SQL Injection via the 'sort_by' and 'sort_orde
CVE-2026-2277 - The rexCrawler plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' an
CVE-2026-2121 - The Weaver Show Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add
CVE-2026-1935 - The Company Posts for LinkedIn plugin for WordPress is vulnerable to Missing Authorization in all ve
CVE-2026-1914 - The FuseDesk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fuse
CVE-2026-1911 - The Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tweet_t
CVE-2026-1908 - The Integration with Hubspot Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting
CVE-2026-1899 - The Any Post Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin
CVE-2026-1891 - The Simple Football Scoreboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via
CVE-2026-1889 - The Outgrow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute
CVE-2026-1886 - The Go Night Pro | WordPress Dark Mode Plugin for WordPress is vulnerable to Stored Cross-Site Scrip
CVE-2026-1854 - The Post Flagger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's
CVE-2026-1851 - The iVysilani Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'w
CVE-2026-1822 - The WP NG Weather plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's
CVE-2026-1806 - The Tour & Activity Operator Plugin for TourCMS plugin for WordPress is vulnerable to Stored Cross-S
CVE-2026-1800 - The Fonts Manager | Custom Fonts plugin for WordPress is vulnerable to time-based SQL Injection via
CVE-2026-1648 - The Performance Monitor plugin for WordPress is vulnerable to Server-Side Request Forgery in all ver
CVE-2026-1647 - The Comment Genius plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_S
CVE-2026-1575 - The Schema Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugi
CVE-2026-1503 - The login_register plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-
CVE-2026-1397 - The PQ Addons – Creative Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site S
CVE-2026-1392 - The SR WP Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versio
CVE-2026-1390 - The Redirect countdown plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versi
CVE-2026-1378 - The WP Posts Re-order plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versio
CVE-2026-1313 - The MimeTypes Link Icons plugin for WordPress is vulnerable to Server-Side Request Forgery in all ve
CVE-2026-1278 - The Mandatory Field plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin sett
CVE-2026-1275 - The Multi Post Carousel by Category plugin for WordPress is vulnerable to Stored Cross-Site Scriptin
CVE-2026-1253 - The Group Chat & Video Chat by AtomChat plugin for WordPress is vulnerable to unauthorized modificat
CVE-2026-1247 - The Survey plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in a
CVE-2026-1093 - The WPFAQBlock– FAQ & Accordion Plugin For Gutenberg plugin for WordPress is vulnerable to Stored Cr
CVE-2026-0609 - The Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin plugin for WordPress is v
CVE-2025-14037 - The Invelity Product Feeds plugin for WordPress is vulnerable to arbitrary file deletion via path tr
CVE-2025-13910 - The WP-WebAuthn plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting vi
CVE-2024-13785 - The The Contact Form, Survey, Quiz & Popup Form Builder – ARForms plugin for WordPress is vulnerable
CVE-2026-4302 - The WowOptin: Next-Gen Popup Maker plugin for WordPress is vulnerable to Server-Side Request Forgery
CVE-2026-4083 - The Scoreboard for HTML5 Games Lite plugin for WordPress is vulnerable to Stored Cross-Site Scriptin
CVE-2026-3577 - The Keep Backup Daily plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the back
CVE-2026-3572 - The iTracker360 plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored C
CVE-2026-3567 - The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress is vulnerable to unauthorized acces
CVE-2026-3474 - The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to arbitrary
CVE-2026-3368 - The Injection Guard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via malicious
CVE-2026-3350 - The Image Alt Text Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the
CVE-2026-3339 - The Keep Backup Daily plugin for WordPress is vulnerable to Limited Path Traversal in all versions u
CVE-2026-2430 - The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lazy-loadi
CVE-2026-2352 - The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ao_post_p
CVE-2026-3584 - The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, an
CVE-2026-3550 - The RockPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and
CVE-2026-2432 - The CM Custom Reports – Flexible reporting to track what matters most plugin for WordPress is vulner
CVE-2026-2421 - The ilGhera Carta Docente for WooCommerce plugin for WordPress is vulnerable to Path Traversal in al
CVE-2026-4136 - The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Unvalidated Redirect
CVE-2026-4038 - The Aimogen Pro plugin for WordPress is vulnerable to Arbitrary Function Call that can lead to privi
CVE-2026-3658 - The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress
CVE-2026-3475 - The Instant Popup Builder plugin for WordPress is vulnerable to Unauthenticated Arbitrary Shortcode
CVE-2026-4120 - The Info Cards – Add Text and Media in Card Layouts plugin for WordPress is vulnerable to Stored Cro
CVE-2026-4068 - The Add Custom Fields to Media plugin for WordPress is vulnerable to Cross-Site Request Forgery in a
CVE-2026-4006 - The Simple Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'dis
CVE-2026-2571 - The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to a miss
CVE-2026-27096 - Deserialization of Untrusted Data vulnerability in BuddhaThemes ColorFolio - Freelance Designer Word
CVE-2026-1238 - The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fh
CVE-2026-1463 - The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable
CVE-2026-3090 - The Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP
CVE-2026-2992 - The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Privil
CVE-2026-2991 - The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Authen
CVE-2026-2512 - The Code Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field me
CVE-2026-1217 - The Yoast Duplicate Post plugin for WordPress is vulnerable to unauthorized modification of data due
CVE-2026-3512 - The Writeprint Stylometry plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via t
CVE-2025-15363 - The Get Use APIs WordPress plugin before 2.0.10 executes imported JSON, which could allow users wit
CVE-2026-1926 - The Subscriptions for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of
CVE-2026-1780 - The [CR]Paid Link Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via t
CVE-2026-2373 - The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vuln
CVE-2026-2579 - The WowStore – Store Builder & Product Blocks for WooCommerce plugin for WordPress is vulnerable to
CVE-2026-2233 - The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registrat
CVE-2026-1948 - The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to unauthoriz
CVE-2026-1947 - The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Insecure D
CVE-2026-1883 - The Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress i
CVE-2026-1870 - The Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor plugin for WordPress is vul
CVE-2026-4063 - The Social Icons Widget & Block by WPZOOM plugin for WordPress is vulnerable to unauthorized data mo
CVE-2026-3986 - The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the
CVE-2026-3891 - The Pix for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing
CVE-2026-3045 - The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress is vulnerable t
CVE-2026-32448 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability i
CVE-2026-32412 - Server-Side Request Forgery (SSRF) vulnerability in Gift Up! Gift Up Gift Cards for WordPress and Wo
CVE-2026-32409 - Missing Authorization vulnerability in WPMU DEV - Your All-in-One WordPress Platform Forminator form
CVE-2026-2890 - The Formidable Forms plugin for WordPress is vulnerable to a payment integrity bypass in all version
CVE-2026-2888 - The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass through user-cont
CVE-2026-2879 - The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions
CVE-2026-2257 - The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions
CVE-2026-22210 - wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject
CVE-2026-1704 - The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress
CVE-2026-2987 - The Simple Ajax Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'c' p
CVE-2026-2687 - The Reading progressbar WordPress plugin before 1.3.1 does not sanitise and escape some of its setti
CVE-2025-15473 - The Timetics WordPress plugin before 1.0.52 does not have authorization in a REST endpoint, allowin
CVE-2026-3657 - The My Sticky Bar plugin for WordPress is vulnerable to SQL injection via the `stickymenu_contact_le
CVE-2026-3226 - The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized email notif
CVE-2026-3496 - The JetBooking plugin for WordPress is vulnerable to SQL Injection via the 'check_in_date' parameter
CVE-2026-3178 - The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_d
CVE-2026-3906 - WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature
CVE-2026-3492 - The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions
CVE-2026-3231 - The Checkout Field Editor (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to S
CVE-2026-1454 - The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to S
CVE-2026-3903 - The Modular DS: Monitor, update, and backup multiple websites plugin for WordPress is vulnerable to
CVE-2026-2918 - The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Referenc
CVE-2026-2917 - The Happy Addons for Elementor plugin for WordPress is vulnerable to Insecure Direct Object Referenc
CVE-2026-1708 - The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress
CVE-2026-3534 - The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `ast-page-backgro
CVE-2026-3222 - The WP Maps plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'location_i
CVE-2026-2707 - The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API entry
CVE-2026-2631 - The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST en
CVE-2026-2626 - The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of
CVE-2026-2466 - The DukaPress WordPress plugin through 3.2.4 does not sanitise and escape a parameter before outputt
CVE-2026-2358 - The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[wp_ulike_li
CVE-2026-1867 - The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.6 allows passing a
CVE-2026-1753 - The Gutena Forms WordPress plugin before 1.6.1 does not validate option to be updated, which could
CVE-2026-2413 - The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the
CVE-2025-13067 - The Royal Addons for Elementor plugin for WordPress is vulnerable to arbitrary file upload in all ve
CVE-2026-3453 - The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versi
CVE-2026-2324 - The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerab
CVE-2026-1781 - The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Missing Authorization in al
CVE-2025-12473 - The RTMKit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'themebuilde
CVE-2026-2569 - The Dear Flipbook – PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer plugin for WordPress is vulnera
CVE-2026-3228 - The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Stored Cross-Site
CVE-2026-2724 - The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripti
CVE-2026-1261 - The MetForm Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Quiz featu
CVE-2026-3585 - The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to,
CVE-2026-1920 - The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vuln
CVE-2026-1919 - The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vuln
CVE-2026-1508 - The Court Reservation WordPress plugin before 1.10.9 does not have CSRF check in place when deletin
CVE-2026-0953 - The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to,
CVE-2026-2433 - The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is
CVE-2026-2420 - The LotekMedia Popup Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the
CVE-2026-1825 - The Show YouTube video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plu
CVE-2026-1824 - The Infomaniak Connect for OpenID plugin for WordPress is vulnerable to Stored Cross-Site Scripting
CVE-2026-1823 - The Consensus Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin
CVE-2026-1820 - The Media Library Alt Text Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting
CVE-2026-1805 - The DA Media GigList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugi
CVE-2026-1574 - The MyQtip – easy qTip2 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the pl
CVE-2026-1569 - The Wueen plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wueen-
CVE-2026-1087 - The Guardian News Feed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versi
CVE-2026-1086 - The Font Pairing Preview For Landing Pages plugin for WordPress is vulnerable to Cross-Site Request
CVE-2026-1085 - The True Ranker plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up
CVE-2026-1074 - The WP App Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'app-bar-fe
CVE-2026-1073 - The Purchase Button For Affiliate Link plugin for WordPress is vulnerable to Cross-Site Request Forg
CVE-2026-1071 - The Carta Online plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin setting
CVE-2025-14675 - The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file
CVE-2025-8899 - The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privi
CVE-2026-3352 - The Easy PHP Settings plugin for WordPress is vulnerable to PHP Code Injection in all versions up to
CVE-2026-2722 - The Stock Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin setting