Wordpress

The Contact Form 7 WordPress plugin through version 2.6.7 is vulnerable to uncontrolled resource consumption, allowing unauthenticated attackers to exhaust server memory and crash the PHP process by supplying an arbitrarily large integer value to the REST API endpoint, leading to unbounded loop execution.

An information disclosure vulnerability in the Easy PayPal Events & Tickets WordPress plugin (versions 1.3 and earlier) allows unauthenticated attackers to enumerate and retrieve all customer order records via the scan_qr.php endpoint.

An unauthenticated remote attacker can exploit a hardcoded authentication bypass vulnerability in the Easy PayPal Events & Tickets plugin for WordPress (versions 1.3 and earlier) by providing 'test' as the hash parameter, allowing retrieval of sensitive order details.

The NEX-Forms WordPress plugin is vulnerable to stored XSS via POST parameter key names, allowing unauthenticated attackers to inject arbitrary web scripts.

The WCFM plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) that allows authenticated attackers with Vendor-level access or higher to delete arbitrary users, including administrators.

The Salon Booking System WordPress plugin is vulnerable to arbitrary file read, allowing unauthenticated attackers to exfiltrate local files by manipulating file-field values in booking confirmation emails.

The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification of Stripe webhook configurations due to missing capability checks, allowing authenticated attackers with Subscriber-level access to disrupt payment processing.

The Geo Mashup WordPress plugin is vulnerable to Time-Based SQL Injection due to insufficient input sanitization, allowing unauthenticated attackers to extract sensitive database information.

A time-based SQL injection vulnerability (CVE-2026-4061) exists in the Geo Mashup WordPress plugin (<= 1.13.18) due to insufficient sanitization of the 'map_post_type' parameter, enabling unauthenticated attackers to extract sensitive information via time-based blind SQL injection if the Geo Search feature is enabled.

The Widget Options plugin for WordPress is vulnerable to Remote Code Execution (CVE-2026-2052) due to insufficient input sanitization in the Display Logic feature, allowing authenticated attackers with Contributor-level access and above to execute arbitrary code on the server.

The PixelYourSite Pro WordPress plugin is vulnerable to server-side request forgery (SSRF), allowing unauthenticated attackers to make arbitrary web requests from the server, potentially querying or modifying internal services.

The Gravity Forms plugin for WordPress is vulnerable to stored cross-site scripting (XSS) via Consent field hidden inputs, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the entries list page.

The WP Mail Gateway plugin for WordPress is vulnerable to unauthorized access due to a missing capability check, allowing authenticated attackers to modify SMTP settings and escalate privileges.

The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in versions up to 2.0.46 due to a loose PHP comparison, allowing unauthenticated attackers to log in as any verified user by submitting a 'true' OTP value.

A privilege escalation vulnerability exists in the Import and export users and customers plugin for WordPress (versions <= 2.0.8) due to an incomplete blocklist allowing authenticated users to gain administrator privileges on subsites within a Multisite network.

The User Registration Advanced Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation, allowing unauthenticated attackers to upload arbitrary files leading to potential remote code execution.

The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.2.9.2, allowing unauthenticated attackers to overwrite arbitrary plugin and theme PHP files with malicious code by tricking a site administrator into clicking a link.

The Temporary Login plugin for WordPress versions up to 1.0.0 is vulnerable to authentication bypass due to improper input validation, allowing unauthenticated attackers to log in as arbitrary temporary users by sending a specially crafted GET request.

CVE-2018-25308 is a remote code execution vulnerability in BuddyPress Xprofile Custom Fields Type 2.6.3 that allows authenticated users to delete arbitrary files on the server by manipulating POST parameters.

The Create DB Tables plugin for WordPress versions 1.2.1 and earlier is vulnerable to an authorization bypass, allowing authenticated users to create and delete database tables without proper checks, potentially leading to complete site destruction.

The HTTP Headers WordPress plugin is vulnerable to remote code execution (RCE) due to insufficient validation of the htpasswd file path and lack of sanitization of the username, allowing authenticated administrators to write arbitrary code to the server.

A deserialization of untrusted data vulnerability in the MetaSlider Responsive Slider plugin for WordPress (versions up to 3.106.0) allows for unauthenticated object injection, potentially leading to remote code execution.

The Everest Forms plugin for WordPress is vulnerable to arbitrary file read and deletion, allowing unauthenticated attackers to access sensitive data or cause denial of service by manipulating the 'old_files' parameter in versions up to 3.4.4.

The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation, allowing authenticated attackers to read sensitive files or delete critical files leading to potential remote code execution.

The Unlimited Elements for Elementor plugin for WordPress is vulnerable to arbitrary file read due to insufficient path traversal sanitization, allowing authenticated attackers to read sensitive files from the WordPress host.

A missing authorization vulnerability in the Plisio Accept Cryptocurrencies with Plisio WordPress plugin (versions up to 2.0.5) allows attackers to bypass payment verification due to incorrectly configured access control security levels.

The AcyMailing plugin for WordPress is vulnerable to privilege escalation (CVE-2026-3614), allowing authenticated attackers with subscriber-level access to gain administrative privileges.

The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter within 'product_data' of the `/wp-json/InkXEProductDesignerLite/add-item-to-cart` REST API endpoint, allowing unauthenticated attackers to extract sensitive information from the database.

The Riaxe Product Customizer plugin for WordPress is vulnerable to privilege escalation, allowing unauthenticated attackers to update arbitrary WordPress options via a publicly accessible AJAX endpoint and escalate privileges to administrator.

An SQL Injection vulnerability, identified as CVE-2025-63029, exists in the WC Lovers WCFM Marketplace WordPress plugin up to version 3.7.1, potentially allowing attackers to execute arbitrary SQL queries.

The Smart Post Show WordPress plugin versions 3.0.12 and earlier are vulnerable to PHP Object Injection via deserialization of untrusted input in the import_shortcodes() function, potentially leading to remote code execution if a suitable POP chain is present.

The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the `delete_question_answer()` function, allowing unauthenticated attackers to delete quiz answer options.

CVE-2025-5804 is a PHP Local File Inclusion vulnerability in the Case Theme User WordPress plugin before version 1.0.4 due to improper filename control in include/require statements, potentially allowing attackers to execute arbitrary code by including malicious local files.

CVE-2025-58913 is a PHP Local File Inclusion vulnerability in the CactusThemes VideoPro WordPress theme, affecting versions from n/a through 2.3.8.1 due to improper control of the filename for include/require statements, potentially allowing unauthorized file access.

The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion due to a logic flaw that allows authenticated users to delete arbitrary files writable by the PHP process by manipulating post metadata.

The BuddyPress Groupblog plugin for WordPress is vulnerable to privilege escalation (CVE-2026-5144), allowing a low-privileged user to gain administrator access on a WordPress Multisite network by manipulating group blog settings.

A reflected cross-site scripting (XSS) vulnerability exists in the Zootemplate Cerato WordPress theme (versions n/a through 2.2.18) due to improper neutralization of user-supplied input, potentially allowing attackers to execute arbitrary JavaScript in a user's browser.

The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization, allowing authenticated attackers with subscriber-level access or higher to uninstall/deactivate the plugin and delete plugin options, and is also exploitable via Cross-Site Request Forgery.

The Perfmatters plugin for WordPress is vulnerable to arbitrary file overwrite via path traversal, allowing authenticated attackers with subscriber-level access to overwrite arbitrary files on the server with a fixed PHP docblock content, potentially causing denial of service.

Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system allowing unauthenticated remote code execution and system takeover.

The WordPress adivaha Travel Plugin version 2.3 is vulnerable to time-based blind SQL injection via the 'pid' GET parameter, allowing unauthenticated attackers to inject SQL code through the /mobile-app/v3/ endpoint for potential data extraction or denial of service.

The WCAPF - WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection (CVE-2026-3396) due to insufficient escaping and SQL query preparation, allowing unauthenticated attackers to extract sensitive information from the database in versions up to 4.2.3.

The Gerador de Certificados – DevApps WordPress plugin is vulnerable to arbitrary file uploads due to missing file type validation, potentially leading to remote code execution.

The Product Feed PRO for WooCommerce WordPress plugin (versions 13.4.6-13.5.2.1) is vulnerable to Cross-Site Request Forgery (CSRF) attacks, allowing unauthenticated attackers to perform administrative actions by tricking an administrator into clicking a malicious link.

The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection (CVE-2026-3296) in versions up to 3.4.3, allowing unauthenticated attackers to execute arbitrary code by injecting serialized PHP objects via form fields.

A cross-site request forgery (CSRF) vulnerability exists in the Analytify Under Construction, Coming Soon & Maintenance Mode WordPress plugin (versions n/a through 2.1.1), potentially allowing attackers to execute unauthorized actions on behalf of legitimate users.

The Amelia WordPress plugin is vulnerable to an insecure direct object reference, allowing authenticated attackers with Provider-level access or higher to escalate privileges and gain persistence by taking over any WordPress account, including Administrator by manipulating the `externalId` field.

The Ninja Forms File Uploads plugin for WordPress is vulnerable to unauthenticated arbitrary file uploads due to missing file type validation, potentially leading to remote code execution.

The Media Library Assistant WordPress plugin through version 3.34 is vulnerable to SQL injection, allowing attackers to manipulate database queries.

The Widgets for Social Photo Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'feed_data' parameter, allowing unauthenticated attackers to inject arbitrary web scripts in pages that will execute when a user accesses the injected page.

The ProfilePress WordPress plugin before 4.16.12 is vulnerable to an unauthorized membership payment bypass, allowing authenticated attackers to obtain paid memberships without payment by manipulating subscription IDs during checkout.

The Perfmatters plugin for WordPress versions up to 2.5.9.1 is vulnerable to arbitrary file deletion via path traversal, allowing authenticated attackers with minimal privileges to delete sensitive files.

The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to 5.6.2, allowing unauthenticated attackers to make arbitrary web requests and potentially query or modify internal services.

The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation, allowing unauthenticated attackers to move arbitrary files on the server, potentially leading to remote code execution.

The Query Monitor WordPress plugin is vulnerable to reflected cross-site scripting (XSS) due to insufficient input sanitization and output escaping of the '$_SERVER['REQUEST_URI']' parameter, allowing unauthenticated attackers to inject arbitrary web scripts.

The Contact Form by Supsystic WordPress plugin is vulnerable to Server-Side Template Injection (SSTI) via the `cfsPreFill` parameter, leading to unauthenticated Remote Code Execution (RCE).

The Oxygen Theme for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to 6.0.8, allowing unauthenticated attackers to make arbitrary web requests via the laborator_calc_route AJAX action.

The Fluent Booking plugin for WordPress is vulnerable to stored cross-site scripting (XSS) allowing unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page, affecting versions up to and including 2.0.01.

The Blackhole for Bad Bots WordPress plugin through version 3.8 is vulnerable to stored cross-site scripting (XSS) via the User-Agent HTTP header, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the plugin's admin page.

The Masteriyo LMS plugin for WordPress is vulnerable to privilege escalation, allowing authenticated users with student-level access or higher to gain administrator privileges by manipulating the 'InstructorsController::prepare_object_for_database' function.

The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation, allowing authenticated attackers with subscriber-level access or higher to delete arbitrary files, potentially leading to remote code execution.

The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the 'radius' parameter, allowing unauthenticated attackers to extract sensitive database information in versions up to 2.4.8.

The ReviewX WordPress plugin is vulnerable to arbitrary method calls, allowing unauthenticated attackers to potentially achieve remote code execution.

CVE-2026-4021 describes an authentication bypass vulnerability in the Contest Gallery plugin for WordPress, allowing unauthenticated attackers to gain admin access by manipulating the user activation key and using an AJAX login endpoint.

The WP Maps WordPress plugin before version 4.9.2 is vulnerable to time-based SQL Injection via the 'orderby' parameter, allowing unauthenticated attackers to extract sensitive information from the database.

CVE-2026-2892 is a purchase verification bypass vulnerability in the Otter Blocks plugin for WordPress, affecting versions up to 3.1.4, that allows unauthenticated attackers to access restricted content by forging a cookie used for purchase validation.

The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation, potentially leading to remote code execution.

The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) allowing authenticated attackers with Contributor-level access or higher to make arbitrary requests and retrieve sensitive information from internal services.

The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to 1.1.3, allowing unauthenticated attackers to upload arbitrary PHP files by manipulating the file type parameter and exploiting extension sanitization vulnerabilities.

An unauthenticated PHP Object Injection vulnerability exists in the Profile Builder Pro WordPress plugin (versions up to 3.14.5) due to the insecure use of `maybe_unserialize()` on the 'args' POST parameter in the `wppb_request_users_pins_action_callback()` AJAX handler, potentially leading to arbitrary code execution.

Highland Software's Custom Role Manager plugin for WordPress, versions 1.0.0 and earlier, contains a privilege escalation vulnerability (CVE-2026-7106) that allows authenticated users with subscriber-level access to modify user roles due to insufficient authorization checks in the hscrm_save_user_roles() function.

CVE-2026-41940 is an authentication bypass vulnerability in WebPros cPanel & WHM and WP2 (WordPress Squared) that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

The Gravity Forms plugin for WordPress is vulnerable to unauthenticated stored cross-site scripting (XSS) in versions up to 2.10.0, allowing attackers to inject arbitrary JavaScript code into the product name field within repeater fields, which executes when an administrator views the affected entry.

A time-based blind SQL Injection vulnerability exists in the ARMember WordPress plugin (<= 4.0.60) due to insufficient input sanitization of the 'orderby' parameter, allowing unauthenticated attackers to extract sensitive database information.

The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting (XSS) in versions up to and including 2.10.0, allowing unauthenticated attackers to inject arbitrary web scripts via form submissions that execute when an administrator views the entry detail page.

The ExactMetrics plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation via a REST API endpoint, potentially leading to remote code execution by authenticated attackers.

The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting (XSS) in versions up to and including 2.8.11, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form Leads page due to missing nonce verification and improper handling of file upload fields.