Wordfence

The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery (CVE-2026-6075) due to missing nonce verification, allowing unauthenticated attackers to trick an administrator into performing unauthorized bulk actions.

The HBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the 'hb_country_iso', 'hb_usa_state_iso', and 'hb_canada_province_iso' parameters (CVE-2026-8143) in versions up to 2.1.6, potentially leading to arbitrary script execution in the administrator's browser.

The Boost plugin for WordPress is vulnerable to time-based SQL Injection (CVE-2026-9010) via the 'current_url' and 'user_name' parameters in versions up to 2.0.3, allowing unauthenticated attackers to extract sensitive information from the database due to insufficient input sanitization.

The InfusedWoo Pro plugin for WordPress is vulnerable to arbitrary file read in versions up to 5.1.2, allowing unauthenticated attackers to make web requests to arbitrary locations, potentially querying and modifying information from internal services.

The Career Section plugin for WordPress is vulnerable to arbitrary file upload in versions up to 1.7 due to missing file type validation in the CV upload handler, potentially leading to remote code execution.

The LatePoint WordPress plugin is vulnerable to stored cross-site scripting (XSS) via the 'first_name' parameter, affecting versions up to 5.5.0, allowing unauthenticated attackers to inject malicious scripts.