Wordpress

WP AutoSuggest version 0.24 contains an SQL injection vulnerability that allows an unauthenticated attacker to execute arbitrary SQL queries by injecting malicious code through the wpas_keys parameter via GET requests to autosuggest.php, potentially extracting sensitive database information.

The GEO my WP plugin for WordPress is vulnerable to SQL Injection (CVE-2026-9757) via the 'swlatlng' and 'nelatlng' parameters, allowing unauthenticated attackers to extract sensitive information from the database by injecting SQL queries into a BETWEEN clause.

The Spectra Gutenberg Blocks WordPress plugin is vulnerable to remote code execution, allowing authenticated attackers with Contributor access or higher to execute arbitrary code by crafting a malicious two-block payload within post content.

CVE-2026-7459 is an authenticated account takeover vulnerability in the Simple History WordPress plugin where a subscriber-level user can read password reset emails and escalate privileges to an administrator account.

The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the REST API endpoint, allowing unauthenticated attackers to delete arbitrary user accounts due to a flawed permission check and lack of role validation.

The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery (CVE-2026-6075) due to missing nonce verification, allowing unauthenticated attackers to trick an administrator into performing unauthorized bulk actions.

The Link Whisper Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS), allowing unauthenticated attackers to inject arbitrary web scripts into pages, which execute when a user accesses the injected page, affecting versions up to and including 0.9.0.

The OTP Login With Phone Number, OTP Verification plugin for WordPress versions 1.8.50 through 1.8.60 is vulnerable to authentication bypass due to improper validation of the Firebase session, allowing unauthenticated attackers to authenticate as arbitrary users, including administrators, by supplying a victim's phone number.

The WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress is vulnerable to PHP Object Injection (CVE-2025-11993) due to deserialization of untrusted data in the 'import_settings' function, potentially leading to arbitrary code execution if a suitable POP chain is present.

The WP Maps Pro plugin for WordPress is vulnerable to privilege escalation (CVE-2026-8732), allowing unauthenticated attackers to create administrator accounts and take over vulnerable sites.

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation (CVE-2026-8809), allowing an unauthenticated attacker to create an administrator-level user by bypassing validation in versions up to 0.9.2.5 if a specific form is exposed.

CVE-2026-8380 is a critical authorization bypass vulnerability in the WordPress Frontend File Manager plugin <= 23.6 that allows authenticated low-privilege users, or unauthenticated users with guest uploads enabled, to permanently delete arbitrary WordPress posts, pages, attachments, and custom post types.

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to and including 3.29.2, allowing attackers to create administrator accounts by injecting a custom form configuration with a spoofed role field.

The GutenBee – Gutenberg Blocks plugin for WordPress is vulnerable to arbitrary file upload, allowing authenticated attackers with author-level access to achieve remote code execution by uploading executable files with double extensions.

The Appointment Booking Calendar WordPress plugin is vulnerable to time-based blind SQL Injection (CVE-2026-7797) via the 'append_where_sql' parameter, allowing unauthenticated attackers to extract sensitive information from the database by injecting SQL queries through the /appointments/bulk REST endpoint with a specific request format.

The SlimStat Analytics plugin for WordPress is vulnerable to stored cross-site scripting (XSS) via the User-Agent header, allowing unauthenticated attackers to inject arbitrary web scripts if the 'show_complete_user_agent_tooltip' setting is enabled.

The HT Contact Form – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting (CVE-2026-7052) via the 'file_upload' parameter in versions up to 2.8.2, allowing unauthenticated attackers to inject arbitrary web scripts.

The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF), leading to arbitrary file deletion via SQL injection and PHP object injection due to missing nonce verification and unsafe deserialization, allowing attackers to delete arbitrary files on the server.

The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to remote code execution (RCE) via the 'callback_raw' shortcode attribute, allowing authenticated attackers with author-level access or higher to execute arbitrary code on the server.

The WPCode WordPress plugin before or equal to 2.3.5 is vulnerable to remote code execution due to missing capability restrictions on the 'wpcode' custom post type, allowing authenticated attackers with author-level access to execute arbitrary PHP code via XML-RPC.

The HBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'hb_country_iso', 'hb_usa_state_iso', and 'hb_canada_province_iso' parameters (CVE-2026-8143) in versions up to 2.1.6, potentially leading to arbitrary script execution in the administrator's browser.

The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution (CVE-2026-6169) due to the use of the BladeOne templating engine's runString() method, which allows authenticated attackers with Editor-level access or higher to execute arbitrary PHP code by injecting it into a plugin template.

The LiteSpeed Cache plugin for WordPress is vulnerable to stored Cross-Site Scripting (XSS) via the /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss REST API endpoints, affecting versions up to 7.7, allowing unauthenticated attackers to inject arbitrary JavaScript into CCSS/UCSS content by bypassing IP-based access controls.

The Query Shortcode plugin for WordPress is vulnerable to Local File Inclusion (CVE-2026-9200) in versions up to 0.2.1, allowing authenticated attackers with contributor-level access and above to include and execute arbitrary PHP files on the server, potentially leading to privilege escalation and code execution.

The Login with NEAR plugin for WordPress is vulnerable to authentication bypass due to the `ajaxLoginWithNear()` function issuing valid authentication cookies based on a substring check of the `account` POST parameter, allowing unauthenticated attackers to log in as existing users or create new accounts.

The Firebase Support & Chat Management plugin for WordPress is vulnerable to privilege escalation (CVE-2026-8787) where an authenticated attacker with Subscriber-level access can log in as any existing user, including an Administrator, by submitting that user's email address to the `acb_firebase_auth` AJAX action without proper ownership verification, leading to full account takeover.

The Login with OTP plugin for WordPress is vulnerable to authentication bypass due to an incomplete fix for CVE-2024-11178, allowing unauthenticated attackers to brute-force OTP codes and gain administrative access.

A public exploit is available for WordPress Temporary Login Plugin version 1.0.0, which demonstrates an authentication bypass vulnerability that can lead to account takeover, increasing the risk for unpatched systems.

WordPress Ultimate Form Builder Lite plugin version 1.3.7 and below contains an SQL injection vulnerability (CVE-2018-25352) that allows authenticated attackers to manipulate database queries by injecting SQL code through the entry_id POST parameter, potentially leading to privilege escalation.

WordPress Contact Form Maker Plugin version 1.12.20 is vulnerable to SQL injection, enabling authenticated attackers to manipulate database queries via AJAX actions (FormMakerSQLMapping and generete_csv_fmc) by injecting malicious SQL code through the 'name' and 'search_labels' parameters, potentially extracting sensitive database information or escalating privileges.

WordPress Form Maker Plugin version 1.12.24 and below is vulnerable to SQL injection, allowing authenticated attackers to manipulate database queries through the FormMakerSQLMapping and generete_csv actions via crafted POST requests, potentially leading to data extraction, modification, or privilege escalation.

The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on WC-AJAX endpoints, allowing attackers to manipulate order payment flows and exfiltrate sensitive order details (CVE-2026-9284).

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check (CVE-2026-6898), allowing authenticated attackers with subscriber-level access or higher to update the REST API Secret Key, create administrator accounts, and achieve complete site takeover.

CVE-2026-6897 is a critical vulnerability in the Wishlist Member plugin for WordPress, allowing authenticated attackers with subscriber-level access to modify plugin settings, including the REST API secret key, ultimately enabling them to create administrator accounts and take over the entire site.

The WishList Member plugin for WordPress is vulnerable to Missing Authorization, allowing attackers to obtain the REST API Secret Key and escalate privileges to administrator.

The WishList Member plugin for WordPress is vulnerable to privilege escalation (CVE-2026-6419) due to a missing capability and nonce check in the ajax_get_screen() function, allowing authenticated attackers with subscriber-level access to retrieve the plugin's REST API Secret Key and create administrator accounts, leading to complete site takeover.

A public exploit has been published for CVE-2026-27384, a critical unauthenticated remote code execution vulnerability in the W3 Total Cache WordPress plugin.

A remote, unauthenticated attacker can exploit a cross-site scripting (XSS) vulnerability in the Royal Elementor Addons plugin for WordPress.

The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress versions up to 3.1.65 is vulnerable to an authorization bypass (CVE-2026-9011) that allows unauthenticated attackers to retrieve the full content of non-public Dittys by exploiting the ditty_init AJAX endpoint.

The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference (CVE-2026-8679) in versions up to 2.0.2, allowing unauthenticated attackers to view track metadata of any playlist, regardless of its status.

CVE-2026-9018 allows unauthenticated attackers to escalate privileges to administrator by exploiting a vulnerability in the Easy Elements for Elementor plugin, which lacks proper input validation during user registration.

The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in versions up to 5.6, allowing unauthenticated attackers to upload arbitrary files and potentially achieve remote code execution if a signature custom field is added to the booking form.

CVE-2026-5118 is a critical vulnerability in the Divi Form Builder WordPress plugin (versions 5.1.2 and earlier) that allows unauthenticated attackers to create administrator accounts directly through the registration form, leading to full site takeover.

The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to unauthenticated remote code execution (RCE) due to PHP function injection, allowing attackers to execute arbitrary code on affected sites.

The Cost of Goods by PixelYourSite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csvdata[0][cost_of_goods_value]' parameter in versions up to, and including, 1.2.12 due to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts that execute when a user accesses an injected page.

The AcyMailing plugin for WordPress is vulnerable to a missing authorization issue (CVE-2026-5200), allowing authenticated attackers with subscriber-level access to modify privileged AcyMailing configuration, export subscriber secret keys, and potentially achieve administrator account takeover if the administrator's email address is known.

The Advanced Database Cleaner – Premium plugin for WordPress is vulnerable to Local File Inclusion (LFI) in versions up to 4.1.0, allowing authenticated attackers with subscriber-level access to include and execute arbitrary PHP files on the server via the 'template' parameter, potentially leading to access control bypass, sensitive data access, or code execution.

The Boost plugin for WordPress is vulnerable to PHP Object Injection (CVE-2026-7637) due to deserialization of untrusted input in the STYXKEY-BOOST_USER_LOCATION cookie, potentially leading to arbitrary code execution if a suitable property-oriented programming (POP) chain is present.

The Boost plugin for WordPress is vulnerable to time-based SQL Injection (CVE-2026-9010) via the 'current_url' and 'user_name' parameters in versions up to 2.0.3, allowing unauthenticated attackers to extract sensitive information from the database due to insufficient input sanitization.

The Read More & Accordion plugin for WordPress is vulnerable to privilege escalation due to insufficient restrictions on database table writes and data validation during import, allowing authenticated attackers to create administrator accounts.

The Account Switcher plugin for WordPress is vulnerable to privilege escalation (CVE-2026-6456) due to a loose comparison and lack of validation on the `rememberLogin` REST API endpoint, allowing authenticated attackers to gain administrator privileges.

The Creative Mail plugin for WordPress is vulnerable to SQL Injection due to insufficient escaping of the 'checkout_uuid' parameter and lack of sufficient preparation on the SQL query in the `has_checkout_consent()` method, allowing unauthenticated attackers to extract sensitive information from the database.

The Easy Elements for Elementor plugin for WordPress is vulnerable to privilege escalation (CVE-2026-7284) due to unrestricted user role assignment during registration, allowing unauthenticated attackers to gain administrator access.

The ProSolution WP Client plugin for WordPress is vulnerable to arbitrary file upload (CVE-2026-6555) due to a validation mismatch, allowing unauthenticated attackers to upload malicious PHP files leading to remote code execution.

The Kirki plugin for WordPress is vulnerable to arbitrary file deletion via CVE-2026-8073 due to insufficient file path validation and a missing capability check in the 'downloadZIP' function, allowing unauthenticated attackers to delete files within the WordPress uploads directory.

Funnel Builder for WooCommerce Checkout versions prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods and inject malicious JavaScript, impacting checkout page visitors.

The Contest Gallery plugin for WordPress is vulnerable to SQL Injection via the 'form_input' parameter in versions up to 28.1.6, allowing unauthenticated attackers to extract sensitive information from the database.

The Piotnet Forms plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'piotnetforms_ajax_form_builder' function, allowing unauthenticated attackers to upload arbitrary files and potentially achieve remote code execution.

The Piotnet Addons for Elementor Pro plugin for WordPress, versions up to 7.1.70, is vulnerable to unauthenticated arbitrary file upload due to insufficient file type validation in the 'pafe_ajax_form_builder' function, potentially leading to remote code execution.

The WordPress WP with Spritz plugin version 1.0 is vulnerable to remote file inclusion (RFI), allowing unauthenticated attackers to read arbitrary files by injecting file paths into the `url` parameter of the `wp.spritz.content.filter.php` endpoint, potentially exposing sensitive system configuration and credentials.

Google Drive for WordPress 2.2 is vulnerable to path traversal (CVE-2018-25326), allowing unauthenticated attackers to read arbitrary files by injecting directory traversal sequences in the file_name parameter.

WooCommerce CSV Importer 3.3.6 contains a path traversal vulnerability (CVE-2018-25325) that allows registered users to delete arbitrary files by submitting crafted filenames via the delete_export_file AJAX action.

WordPress Plugin Peugeot Music 1.0 contains an arbitrary file upload vulnerability (CVE-2018-25335) that allows unauthenticated attackers to upload malicious files by sending POST requests to the upload.php endpoint, leading to potential code execution.

The AI Engine – The Chatbot, AI Framework & MCP for WordPress plugin is vulnerable to privilege escalation (CVE-2026-8719) due to missing capability enforcement, allowing authenticated users (Subscriber+) to invoke admin-level MCP tools and gain administrator privileges.

WordPress Backup and Restore plugin 1.0.3 contains an arbitrary file deletion vulnerability (CVE-2021-47979) allowing authenticated attackers to delete files by manipulating parameters in AJAX requests to admin-ajax.php.

WordPress Anti-Malware Security and Bruteforce Firewall 4.20.59 contains a directory traversal vulnerability (CVE-2021-47977) that allows unauthenticated attackers to read arbitrary files by manipulating the file parameter in requests to admin-ajax.php.

WP Learn Manager 1.1.2 contains a stored cross-site scripting vulnerability (CVE-2021-47975) that allows unauthenticated attackers to inject malicious scripts through the fieldtitle parameter via a POST request to the jslm_fieldordering page, resulting in arbitrary JavaScript execution when administrators view the field ordering interface.

Supsystic Digital Publications 1.6.9 contains a path traversal vulnerability in the Folder input field, allowing attackers to access sensitive files, and a stored XSS vulnerability due to improper input sanitization, leading to arbitrary script execution in the context of affected users (CVE-2020-37245).

Supsystic Membership version 1.4.7 is vulnerable to SQL injection (CVE-2020-37244), allowing unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'search' and 'sidx' parameters, potentially extracting sensitive database information.

Supsystic Pricing Table plugin version 1.8.7 contains an SQL injection vulnerability via the 'sidx' GET parameter, enabling unauthenticated attackers to execute arbitrary SQL queries through the getListForTbl action, as well as stored XSS vulnerabilities.

Supsystic Ultimate Maps 1.1.12 is vulnerable to SQL injection via the 'sidx' GET parameter, allowing unauthenticated attackers to execute arbitrary SQL queries and extract sensitive database information.

HS Brand Logo Slider version 2.1 contains an unrestricted file upload vulnerability (CVE-2020-37227) allowing authenticated users to bypass client-side validation and upload arbitrary files, leading to remote code execution by intercepting upload requests and renaming files to executable extensions.

The WordPress Plugin WPGraphQL version 1.3.5 is vulnerable to a denial-of-service attack where unauthenticated attackers can exhaust server resources by sending batched GraphQL queries with duplicated fields, potentially causing server out-of-memory conditions and MySQL connection errors.

WordPress WP Super Edit plugin version 2.5.4 and earlier contains an unrestricted file upload vulnerability in the FCKeditor component, allowing unauthenticated attackers to upload arbitrary files leading to remote code execution and complete system compromise.

The Quick Playground plugin for WordPress, versions up to 1.3.3, is vulnerable to a path traversal vulnerability (CVE-2026-6403) in the qckply_zip_theme() function, allowing unauthenticated attackers to create ZIP archives containing arbitrary server files, including wp-config.

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to privilege escalation (CVE-2026-6228) in versions up to and including 3.28.36, allowing unauthenticated attackers to gain administrator privileges.

The Form Notify plugin for WordPress is vulnerable to CVE-2026-5229, an authentication bypass, due to trusting user-controlled cookie data after a LINE OAuth login, allowing unauthenticated attackers to gain administrative access.

The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized data loss (CVE-2026-4094) due to a missing capability check, allowing authenticated attackers with Contributor-level access or higher to delete the multi-currency configuration.

CVE-2026-4031 is an authorization bypass vulnerability in the Database Backup for WordPress plugin (<= 2.5.2) that allows unauthenticated attackers to intercept database backup files by manipulating the backup directory via the wp_db_temp_dir parameter, leading to sensitive information exposure.

The Database Backup for WordPress plugin before 2.5.3 is vulnerable to unauthenticated arbitrary file read and deletion due to improper authorization checks and user-controlled backup directories, leading to sensitive information exposure and potential site takeover on WordPress Multisite environments.

The Database Backup for WordPress plugin up to version 2.5.2 is vulnerable to unauthorized database export due to improper authorization enforcement, allowing unauthenticated attackers to export database tables in WordPress Multisite environments.

The InfusedWoo Pro plugin for WordPress is vulnerable to arbitrary file read in versions up to 5.1.2, allowing unauthenticated attackers to make web requests to arbitrary locations, potentially querying and modifying information from internal services.

The InfusedWoo Pro plugin for WordPress is vulnerable to an authorization bypass (CVE-2026-6512) in versions up to 5.1.2, allowing unauthenticated attackers to delete posts, pages, products, orders, comments, and change post statuses.

The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation in versions up to 5.1.2 due to missing authorization checks in the infusedwoo_gdpr_upddata() function, allowing authenticated attackers to grant themselves administrator privileges.

The Fluent Forms WordPress plugin through 6.2.0 is vulnerable to Insecure Direct Object Reference (IDOR), allowing authenticated users with manager-level access or higher to bypass form-level access controls, export arbitrary database tables, and enumerate table names via error messages, as tracked by CVE-2026-5395.

The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion in versions up to 1.4.107 due to insufficient file path validation in the become-dealer logo upload flow, allowing authenticated attackers with subscriber level access and above to delete arbitrary files on the server.

The ManageWP Worker plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'MWP-Key-Name' HTTP request header, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator visits the plugin's connection management page with debug parameters; this affects all versions up to and including 4.9.31.

The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation due to missing nonce verification and capability checks in the iwar_save_recipe() AJAX handler, allowing unauthenticated attackers to create malicious automation recipes for auto-login actions.

The Fluent Forms plugin for WordPress is vulnerable to authorization bypass via a user-controlled key (CVE-2026-5396), allowing authenticated attackers with restricted access to specific forms to manipulate submissions of unauthorized forms by spoofing the 'form_id' parameter.

The Burst Statistics plugin for WordPress is vulnerable to authentication bypass, allowing unauthenticated attackers with knowledge of an administrator username to impersonate that administrator by supplying a random Basic Authentication password, leading to privilege escalation.

The Custom Twitter Feeds plugin for WordPress is vulnerable to stored cross-site scripting (XSS) in versions up to and including 2.5.4 due to insufficient output escaping, allowing unauthenticated attackers to inject arbitrary web scripts.

The RTMKit Addons for Elementor plugin for WordPress is vulnerable to local file inclusion (LFI) via the 'path' parameter in the 'get_content' AJAX action, allowing authenticated attackers with Author-level access or higher to include and execute arbitrary PHP files, leading to potential code execution.

The Avada Builder plugin for WordPress is vulnerable to time-based SQL Injection (CVE-2026-4798) via the ‘product_order’ parameter in versions up to 3.15.1, potentially allowing unauthenticated attackers to extract sensitive database information if WooCommerce was previously used and deactivated.

The JoomSport plugin for WordPress is vulnerable to time-based blind SQL Injection (CVE-2026-6929) via the 'sortf' parameter in versions up to 5.7.7, allowing unauthenticated attackers to extract sensitive information from the database.

The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection (CVE-2026-7635), allowing unauthenticated attackers to inject a crafted PHP serialized payload via the User-Agent header, leading to a persistent Denial of Service condition.

The MonsterInsights WordPress plugin through 10.1.2 is vulnerable to unauthorized access and data modification, allowing authenticated attackers with subscriber-level access to retrieve Google OAuth tokens and reset Google Ads integration due to missing capability checks on `get_ads_access_token()` and `reset_experience()` functions.

The Court Reservation – Manage Your Court Bookings Online plugin for WordPress versions 1.10.11 and earlier are vulnerable to SQL injection via the 'id' parameter, enabling unauthenticated attackers to extract sensitive database information.

The LifePress plugin for WordPress is vulnerable to stored cross-site scripting (XSS) due to insufficient input sanitization and output escaping within the `lp_update_mds` AJAX action, allowing unauthenticated attackers to inject arbitrary web scripts via the 'n' parameter that execute when a user accesses the injected page; this affects versions up to and including 2.2.2.

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to SQL Injection (CVE-2026-2993) in versions up to 1.4.17, allowing unauthenticated attackers to extract sensitive information from the database.

WordPress Plugin Survey & Poll version 1.5.7.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the wp_sap cookie parameter, potentially leading to sensitive data extraction.

WordPress Plugin Download From Files version 1.48 and earlier contains an arbitrary file upload vulnerability (CVE-2021-47940) that allows unauthenticated attackers to upload malicious files by exploiting the AJAX fileupload action.

WordPress MStore API 2.0.6 contains an arbitrary file upload vulnerability, allowing unauthenticated attackers to upload malicious files via POST requests to the REST API, leading to remote code execution.

WordPress TheCartPress version 1.5.3.6 contains an unauthenticated privilege escalation vulnerability, CVE-2021-47932, allowing attackers to create administrator accounts via crafted POST requests to the AJAX handler.

The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) in versions up to 6.8.8 due to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitrary web scripts into the admin statistics page.

The User Frontend WordPress plugin is vulnerable to authenticated deserialization, allowing subscriber-level attackers to inject PHP objects for potential arbitrary code execution.

The Slider Revolution plugin for WordPress is vulnerable to arbitrary file upload due to insufficient file type validation, allowing authenticated attackers with subscriber-level access or higher to upload executable files, potentially leading to remote code execution.

The BetterDocs Pro plugin for WordPress is vulnerable to SQL Injection via the `get_current_letter_docs` and `docs_sort_by_letter` AJAX actions, allowing unauthenticated attackers to extract sensitive information from the database.

The Gravity Bookings Premium plugin for WordPress is vulnerable to SQL Injection in versions up to 2.5.9, allowing unauthenticated attackers to extract sensitive information from the database.

The LatePoint WordPress plugin is vulnerable to stored cross-site scripting (XSS) via the 'first_name' parameter, affecting versions up to 5.5.0, allowing unauthenticated attackers to inject malicious scripts.

The WeePie Cookie Allow plugin for WordPress is vulnerable to SQL Injection via the 'consent' parameter in versions up to 3.4.11, allowing unauthenticated attackers to extract sensitive information from the database.

WordPress Plugin Backup Migration 1.2.8 contains an information disclosure vulnerability allowing unauthenticated attackers to download complete database backups by accessing predictable file paths.

The Forminator Forms WordPress plugin is vulnerable to an unauthenticated path traversal that allows reading arbitrary files on the server when specific features are enabled.

The AWP Classifieds plugin for WordPress is vulnerable to SQL Injection via the 'regions' parameter array keys in versions up to, and including, 4.4.5, potentially allowing unauthenticated attackers to extract sensitive information from the database.

The Mentoring plugin for WordPress is vulnerable to privilege escalation, allowing unauthenticated attackers to register with administrator-level user accounts due to improper role restriction in the mentoring_process_registration() function.

The Contact Form 7 WordPress plugin through version 2.6.7 is vulnerable to uncontrolled resource consumption, allowing unauthenticated attackers to exhaust server memory and crash the PHP process by supplying an arbitrarily large integer value to the REST API endpoint, leading to unbounded loop execution.

An information disclosure vulnerability in the Easy PayPal Events & Tickets WordPress plugin (versions 1.3 and earlier) allows unauthenticated attackers to enumerate and retrieve all customer order records via the scan_qr.php endpoint.

An unauthenticated remote attacker can exploit a hardcoded authentication bypass vulnerability in the Easy PayPal Events & Tickets plugin for WordPress (versions 1.3 and earlier) by providing 'test' as the hash parameter, allowing retrieval of sensitive order details.

The NEX-Forms WordPress plugin is vulnerable to stored XSS via POST parameter key names, allowing unauthenticated attackers to inject arbitrary web scripts.

The WCFM plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) that allows authenticated attackers with Vendor-level access or higher to delete arbitrary users, including administrators.

The Salon Booking System WordPress plugin is vulnerable to arbitrary file read, allowing unauthenticated attackers to exfiltrate local files by manipulating file-field values in booking confirmation emails.

The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification of Stripe webhook configurations due to missing capability checks, allowing authenticated attackers with Subscriber-level access to disrupt payment processing.

The Geo Mashup WordPress plugin is vulnerable to Time-Based SQL Injection due to insufficient input sanitization, allowing unauthenticated attackers to extract sensitive database information.

A time-based SQL injection vulnerability (CVE-2026-4061) exists in the Geo Mashup WordPress plugin (<= 1.13.18) due to insufficient sanitization of the 'map_post_type' parameter, enabling unauthenticated attackers to extract sensitive information via time-based blind SQL injection if the Geo Search feature is enabled.

The Widget Options plugin for WordPress is vulnerable to Remote Code Execution (CVE-2026-2052) due to insufficient input sanitization in the Display Logic feature, allowing authenticated attackers with Contributor-level access and above to execute arbitrary code on the server.

The PixelYourSite Pro WordPress plugin is vulnerable to server-side request forgery (SSRF), allowing unauthenticated attackers to make arbitrary web requests from the server, potentially querying or modifying internal services.

The Gravity Forms plugin for WordPress is vulnerable to stored cross-site scripting (XSS) via Consent field hidden inputs, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the entries list page.

The WP Mail Gateway plugin for WordPress is vulnerable to unauthorized access due to a missing capability check, allowing authenticated attackers to modify SMTP settings and escalate privileges.

The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in versions up to 2.0.46 due to a loose PHP comparison, allowing unauthenticated attackers to log in as any verified user by submitting a 'true' OTP value.

A privilege escalation vulnerability exists in the Import and export users and customers plugin for WordPress (versions <= 2.0.8) due to an incomplete blocklist allowing authenticated users to gain administrator privileges on subsites within a Multisite network.

The User Registration Advanced Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation, allowing unauthenticated attackers to upload arbitrary files leading to potential remote code execution.

The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 1.2.9.2, allowing unauthenticated attackers to overwrite arbitrary plugin and theme PHP files with malicious code by tricking a site administrator into clicking a link.

The Temporary Login plugin for WordPress versions up to 1.0.0 is vulnerable to authentication bypass due to improper input validation, allowing unauthenticated attackers to log in as arbitrary temporary users by sending a specially crafted GET request.

CVE-2018-25308 is a remote code execution vulnerability in BuddyPress Xprofile Custom Fields Type 2.6.3 that allows authenticated users to delete arbitrary files on the server by manipulating POST parameters.

The Create DB Tables plugin for WordPress versions 1.2.1 and earlier is vulnerable to an authorization bypass, allowing authenticated users to create and delete database tables without proper checks, potentially leading to complete site destruction.

The HTTP Headers WordPress plugin is vulnerable to remote code execution (RCE) due to insufficient validation of the htpasswd file path and lack of sanitization of the username, allowing authenticated administrators to write arbitrary code to the server.

A deserialization of untrusted data vulnerability in the MetaSlider Responsive Slider plugin for WordPress (versions up to 3.106.0) allows for unauthenticated object injection, potentially leading to remote code execution.

The Everest Forms plugin for WordPress is vulnerable to arbitrary file read and deletion, allowing unauthenticated attackers to access sensitive data or cause denial of service by manipulating the 'old_files' parameter in versions up to 3.4.4.

The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation, allowing authenticated attackers to read sensitive files or delete critical files leading to potential remote code execution.

The Unlimited Elements for Elementor plugin for WordPress is vulnerable to arbitrary file read due to insufficient path traversal sanitization, allowing authenticated attackers to read sensitive files from the WordPress host.

A missing authorization vulnerability in the Plisio Accept Cryptocurrencies with Plisio WordPress plugin (versions up to 2.0.5) allows attackers to bypass payment verification due to incorrectly configured access control security levels.

The AcyMailing plugin for WordPress is vulnerable to privilege escalation (CVE-2026-3614), allowing authenticated attackers with subscriber-level access to gain administrative privileges.

The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter within 'product_data' of the `/wp-json/InkXEProductDesignerLite/add-item-to-cart` REST API endpoint, allowing unauthenticated attackers to extract sensitive information from the database.

The Riaxe Product Customizer plugin for WordPress is vulnerable to privilege escalation, allowing unauthenticated attackers to update arbitrary WordPress options via a publicly accessible AJAX endpoint and escalate privileges to administrator.

An SQL Injection vulnerability, identified as CVE-2025-63029, exists in the WC Lovers WCFM Marketplace WordPress plugin up to version 3.7.1, potentially allowing attackers to execute arbitrary SQL queries.

The Smart Post Show WordPress plugin versions 3.0.12 and earlier are vulnerable to PHP Object Injection via deserialization of untrusted input in the import_shortcodes() function, potentially leading to remote code execution if a suitable POP chain is present.

The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the `delete_question_answer()` function, allowing unauthenticated attackers to delete quiz answer options.

CVE-2025-5804 is a PHP Local File Inclusion vulnerability in the Case Theme User WordPress plugin before version 1.0.4 due to improper filename control in include/require statements, potentially allowing attackers to execute arbitrary code by including malicious local files.

CVE-2025-58913 is a PHP Local File Inclusion vulnerability in the CactusThemes VideoPro WordPress theme, affecting versions from n/a through 2.3.8.1 due to improper control of the filename for include/require statements, potentially allowing unauthorized file access.

The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion due to a logic flaw that allows authenticated users to delete arbitrary files writable by the PHP process by manipulating post metadata.

The BuddyPress Groupblog plugin for WordPress is vulnerable to privilege escalation (CVE-2026-5144), allowing a low-privileged user to gain administrator access on a WordPress Multisite network by manipulating group blog settings.

A reflected cross-site scripting (XSS) vulnerability exists in the Zootemplate Cerato WordPress theme (versions n/a through 2.2.18) due to improper neutralization of user-supplied input, potentially allowing attackers to execute arbitrary JavaScript in a user's browser.

The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization, allowing authenticated attackers with subscriber-level access or higher to uninstall/deactivate the plugin and delete plugin options, and is also exploitable via Cross-Site Request Forgery.

The Perfmatters plugin for WordPress is vulnerable to arbitrary file overwrite via path traversal, allowing authenticated attackers with subscriber-level access to overwrite arbitrary files on the server with a fixed PHP docblock content, potentially causing denial of service.

Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system allowing unauthenticated remote code execution and system takeover.

The WordPress adivaha Travel Plugin version 2.3 is vulnerable to time-based blind SQL injection via the 'pid' GET parameter, allowing unauthenticated attackers to inject SQL code through the /mobile-app/v3/ endpoint for potential data extraction or denial of service.

The WCAPF - WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection (CVE-2026-3396) due to insufficient escaping and SQL query preparation, allowing unauthenticated attackers to extract sensitive information from the database in versions up to 4.2.3.

The Gerador de Certificados – DevApps WordPress plugin is vulnerable to arbitrary file uploads due to missing file type validation, potentially leading to remote code execution.

The Product Feed PRO for WooCommerce WordPress plugin (versions 13.4.6-13.5.2.1) is vulnerable to Cross-Site Request Forgery (CSRF) attacks, allowing unauthenticated attackers to perform administrative actions by tricking an administrator into clicking a malicious link.

The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection (CVE-2026-3296) in versions up to 3.4.3, allowing unauthenticated attackers to execute arbitrary code by injecting serialized PHP objects via form fields.

A cross-site request forgery (CSRF) vulnerability exists in the Analytify Under Construction, Coming Soon & Maintenance Mode WordPress plugin (versions n/a through 2.1.1), potentially allowing attackers to execute unauthorized actions on behalf of legitimate users.

The Amelia WordPress plugin is vulnerable to an insecure direct object reference, allowing authenticated attackers with Provider-level access or higher to escalate privileges and gain persistence by taking over any WordPress account, including Administrator by manipulating the `externalId` field.

The Ninja Forms File Uploads plugin for WordPress is vulnerable to unauthenticated arbitrary file uploads due to missing file type validation, potentially leading to remote code execution.

The Media Library Assistant WordPress plugin through version 3.34 is vulnerable to SQL injection, allowing attackers to manipulate database queries.

The Widgets for Social Photo Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'feed_data' parameter, allowing unauthenticated attackers to inject arbitrary web scripts in pages that will execute when a user accesses the injected page.

The ProfilePress WordPress plugin before 4.16.12 is vulnerable to an unauthorized membership payment bypass, allowing authenticated attackers to obtain paid memberships without payment by manipulating subscription IDs during checkout.

The Perfmatters plugin for WordPress versions up to 2.5.9.1 is vulnerable to arbitrary file deletion via path traversal, allowing authenticated attackers with minimal privileges to delete sensitive files.

The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to 5.6.2, allowing unauthenticated attackers to make arbitrary web requests and potentially query or modify internal services.

The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation, allowing unauthenticated attackers to move arbitrary files on the server, potentially leading to remote code execution.

The Query Monitor WordPress plugin is vulnerable to reflected cross-site scripting (XSS) due to insufficient input sanitization and output escaping of the '$_SERVER['REQUEST_URI']' parameter, allowing unauthenticated attackers to inject arbitrary web scripts.

The Contact Form by Supsystic WordPress plugin is vulnerable to Server-Side Template Injection (SSTI) via the `cfsPreFill` parameter, leading to unauthenticated Remote Code Execution (RCE).

The Oxygen Theme for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to 6.0.8, allowing unauthenticated attackers to make arbitrary web requests via the laborator_calc_route AJAX action.

The Fluent Booking plugin for WordPress is vulnerable to stored cross-site scripting (XSS) allowing unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page, affecting versions up to and including 2.0.01.

The Blackhole for Bad Bots WordPress plugin through version 3.8 is vulnerable to stored cross-site scripting (XSS) via the User-Agent HTTP header, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the plugin's admin page.

The Masteriyo LMS plugin for WordPress is vulnerable to privilege escalation, allowing authenticated users with student-level access or higher to gain administrator privileges by manipulating the 'InstructorsController::prepare_object_for_database' function.

The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation, allowing authenticated attackers with subscriber-level access or higher to delete arbitrary files, potentially leading to remote code execution.

The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the 'radius' parameter, allowing unauthenticated attackers to extract sensitive database information in versions up to 2.4.8.

The ReviewX WordPress plugin is vulnerable to arbitrary method calls, allowing unauthenticated attackers to potentially achieve remote code execution.

CVE-2026-4021 describes an authentication bypass vulnerability in the Contest Gallery plugin for WordPress, allowing unauthenticated attackers to gain admin access by manipulating the user activation key and using an AJAX login endpoint.

The WP Maps WordPress plugin before version 4.9.2 is vulnerable to time-based SQL Injection via the 'orderby' parameter, allowing unauthenticated attackers to extract sensitive information from the database.

CVE-2026-2892 is a purchase verification bypass vulnerability in the Otter Blocks plugin for WordPress, affecting versions up to 3.1.4, that allows unauthenticated attackers to access restricted content by forging a cookie used for purchase validation.

The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation, potentially leading to remote code execution.

The Form Maker by 10Web WordPress plugin is vulnerable to SQL Injection via the 'inputs' parameter in versions up to 1.15.42, allowing unauthenticated attackers to extract sensitive information from the database.

The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) allowing authenticated attackers with Contributor-level access or higher to make arbitrary requests and retrieve sensitive information from internal services.

The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to 1.1.3, allowing unauthenticated attackers to upload arbitrary PHP files by manipulating the file type parameter and exploiting extension sanitization vulnerabilities.

An unauthenticated PHP Object Injection vulnerability exists in the Profile Builder Pro WordPress plugin (versions up to 3.14.5) due to the insecure use of `maybe_unserialize()` on the 'args' POST parameter in the `wppb_request_users_pins_action_callback()` AJAX handler, potentially leading to arbitrary code execution.

Highland Software's Custom Role Manager plugin for WordPress, versions 1.0.0 and earlier, contains a privilege escalation vulnerability (CVE-2026-7106) that allows authenticated users with subscriber-level access to modify user roles due to insufficient authorization checks in the hscrm_save_user_roles() function.

CVE-2026-41940 is an authentication bypass vulnerability in WebPros cPanel & WHM and WP2 (WordPress Squared) that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

The MoreConvert Pro plugin for WordPress versions 1.9.14 and earlier is vulnerable to authentication bypass due to improper handling of guest waitlist verification tokens, allowing unauthenticated attackers to potentially gain administrative access.

The LatePoint WordPress plugin is vulnerable to stored XSS via the booking_form_page_url parameter, allowing unauthenticated attackers to inject arbitrary web scripts in pages that execute when a user accesses the injected page.

The Gravity Forms plugin for WordPress is vulnerable to unauthenticated stored cross-site scripting (XSS) in versions up to 2.10.0, allowing attackers to inject arbitrary JavaScript code into the product name field within repeater fields, which executes when an administrator views the affected entry.

The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to 1.2.2, allowing unauthenticated attackers to perform arbitrary plugin installation and achieve remote code execution by exploiting a nopriv AJAX route and uploading malicious ZIP files.

The Betheme theme for WordPress is vulnerable to arbitrary file upload, allowing authenticated attackers with author-level privileges or higher to upload arbitrary files, including PHP, leading to remote code execution.

A time-based blind SQL Injection vulnerability exists in the ARMember WordPress plugin (<= 4.0.60) due to insufficient input sanitization of the 'orderby' parameter, allowing unauthenticated attackers to extract sensitive database information.

The WP-Optimize plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation, allowing authenticated attackers with author-level access or higher to delete arbitrary files, potentially leading to remote code execution.

The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting (XSS) in versions up to and including 2.10.0, allowing unauthenticated attackers to inject arbitrary web scripts via form submissions that execute when an administrator views the entry detail page.

The GeekyBot WordPress plugin is vulnerable to SQL Injection, allowing unauthenticated attackers to extract sensitive information from the database by manipulating the 'attributekey' parameter.

The ExactMetrics plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation via a REST API endpoint, potentially leading to remote code execution by authenticated attackers.

The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting (XSS) in versions up to and including 2.8.11, allowing unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form Leads page due to missing nonce verification and improper handling of file upload fields.