
    CVE-2026-12119 (GCVE-0-2026-12119)

    Vulnerability from cvelistv5 – Published: 2026-06-20 08:29 – Updated: 2026-06-20 08:29
    Title
    Simple File List <= 6.3.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Operations (Deletion / Move / Folder Creation / Download) via 'frontmanage' Shortcode Attribute
    Summary
    The Simple File List plugin for WordPress is vulnerable to unauthorized file operations due to a missing authorization check on the 'frontmanage' shortcode attribute in all versions up to, and including, 6.3.7. This makes it possible for authenticated attackers, with contributor-level access and above, to perform arbitrary file operations including deletion, move, folder creation, and download. An attacker can create a draft post containing the 'eeSFL' shortcode, render it via the post preview endpoint to harvest the nonce needed to authorize the operations, and then submit file operation requests that bypass the intended authorization checks in includes/ee-list-ops-bar-process.php.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    eemitch Simple File List Affected: 0 , ≤ 6.3.7 (semver)
    Credits
    Chloe Chamberland PRISM

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Simple File List",
              "vendor": "eemitch",
              "versions": [
                {
                  "lessThanOrEqual": "6.3.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Chloe Chamberland"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "PRISM"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Simple File List plugin for WordPress is vulnerable to unauthorized file operations due to a missing authorization check on the \u0027frontmanage\u0027 shortcode attribute in all versions up to, and including, 6.3.7. This makes it possible for authenticated attackers, with contributor-level access and above, to perform arbitrary file operations including deletion, move, folder creation, and download. An attacker can create a draft post containing the \u0027eeSFL\u0027 shortcode, render it via the post preview endpoint to harvest the nonce needed to authorize the operations, and then submit file operation requests that bypass the intended authorization checks in includes/ee-list-ops-bar-process.php."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-20T08:29:49.055Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f1ed51a3-c049-4816-ada1-49f7edcb9a6f?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/includes/ee-front-end.php#L140"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/includes/ee-list-ops-bar-process.php#L50"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/includes/ee-list-ops-bar-display.php#L25"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/includes/ee-list-display.php#L341"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3579098%40simple-file-list\u0026new=3579098%40simple-file-list\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-15T14:38:49.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-19T20:27:15.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Simple File List \u003c= 6.3.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Operations (Deletion / Move / Folder Creation / Download) via \u0027frontmanage\u0027 Shortcode Attribute"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-12119",
        "datePublished": "2026-06-20T08:29:49.055Z",
        "dateReserved": "2026-06-12T15:00:06.461Z",
        "dateUpdated": "2026-06-20T08:29:49.055Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11911 (GCVE-0-2026-11911)

    Vulnerability from cvelistv5 – Published: 2026-06-20 08:29 – Updated: 2026-06-20 08:29
    Title
    Simple File List <= 6.3.7 - Unauthenticated Arbitrary File Deletion via Path Traversal in 'eeSubFolder' Parameter
    Summary
    The Simple File List plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the eeSFL_DeleteFile function in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The simplefilelist_edit_job AJAX action is registered via wp_ajax_nopriv_, making it accessible without authentication, and the is_admin() guard that would otherwise restrict access is bypassed because is_admin() always returns true for requests to the admin-ajax.php endpoint.
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    eemitch Simple File List Affected: 0 , ≤ 6.3.7 (semver)
    Credits
    Chloe Chamberland PRISM

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Simple File List",
              "vendor": "eemitch",
              "versions": [
                {
                  "lessThanOrEqual": "6.3.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Chloe Chamberland"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "PRISM"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Simple File List plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the eeSFL_DeleteFile function in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The simplefilelist_edit_job AJAX action is registered via wp_ajax_nopriv_, making it accessible without authentication, and the is_admin() guard that would otherwise restrict access is bypassed because is_admin() always returns true for requests to the admin-ajax.php endpoint."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-20T08:29:48.704Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/748c4ca8-fcbf-43e5-ab70-721e83253663?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/includes/ee-functions.php#L894"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/includes/ee-functions.php#L1281"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/simple-file-list.php#L262"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/includes/ee-list-display.php#L473"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3579098%40simple-file-list\u0026new=3579098%40simple-file-list\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-15T14:38:49.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-19T20:27:13.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Simple File List \u003c= 6.3.7 - Unauthenticated Arbitrary File Deletion via Path Traversal in \u0027eeSubFolder\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-11911",
        "datePublished": "2026-06-20T08:29:48.704Z",
        "dateReserved": "2026-06-10T16:35:08.986Z",
        "dateUpdated": "2026-06-20T08:29:48.704Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11912 (GCVE-0-2026-11912)

    Vulnerability from cvelistv5 – Published: 2026-06-20 08:29 – Updated: 2026-06-20 08:29
    Title
    Simple File List <= 6.3.7 - Missing Authorization to Unauthenticated File Modification via simplefilelist_edit_job AJAX Action
    Summary
    The Simple File List plugin for WordPress is vulnerable to arbitrary file modification due to insufficient authorization checks in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete and modify files on the server. This vulnerability is exploitable even when the administrator has not enabled the AllowFrontManage setting, because the is_admin() check unconditionally short-circuits the guard before that setting is evaluated.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    eemitch Simple File List Affected: 0 , ≤ 6.3.7 (semver)
    Credits
    Chloe Chamberland PRISM

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Simple File List",
              "vendor": "eemitch",
              "versions": [
                {
                  "lessThanOrEqual": "6.3.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Chloe Chamberland"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "PRISM"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Simple File List plugin for WordPress is vulnerable to arbitrary file modification due to insufficient authorization checks in all versions up to, and including, 6.3.7. This makes it possible for unauthenticated attackers to delete and modify files on the server. This vulnerability is exploitable even when the administrator has not enabled the AllowFrontManage setting, because the is_admin() check unconditionally short-circuits the guard before that setting is evaluated."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-20T08:29:48.184Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/509a40d2-a33a-49ba-b858-fa8805127a1b?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/includes/ee-functions.php#L1265"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/includes/ee-functions.php#L1586"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/simple-file-list.php#L262"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/includes/ee-list-display.php#L473"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/simple-file-list/tags/6.3.6/includes/ee-functions.php#L880"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3579098%40simple-file-list\u0026new=3579098%40simple-file-list\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-15T14:38:49.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-19T20:27:11.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Simple File List \u003c= 6.3.7 - Missing Authorization to Unauthenticated File Modification via simplefilelist_edit_job AJAX Action"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-11912",
        "datePublished": "2026-06-20T08:29:48.184Z",
        "dateReserved": "2026-06-10T16:38:42.826Z",
        "dateUpdated": "2026-06-20T08:29:48.184Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9843 (GCVE-0-2026-9843)

    Vulnerability from cvelistv5 – Published: 2026-06-20 01:27 – Updated: 2026-06-20 01:27
    Title
    Database for Contact Form 7, WPforms, Elementor forms <= 1.5.1 - Unauthenticated Arbitrary File Deletion via CF7 File Field POST Value
    Summary
    The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the view_page function in all versions up to, and including, 1.5.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Successful exploitation requires an administrator to view or edit the poisoned form entry, at which point PHP's bracket parser reshapes the attacker-crafted JSON key to bypass the stored-path isset check and trigger deletion of the traversal-specified file.
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Credits
    daroo

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Database for Contact Form 7, WPforms, Elementor forms",
              "vendor": "crmperks",
              "versions": [
                {
                  "lessThanOrEqual": "1.5.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "daroo"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the view_page function in all versions up to, and including, 1.5.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Successful exploitation requires an administrator to view or edit the poisoned form entry, at which point PHP\u0027s bracket parser reshapes the attacker-crafted JSON key to bypass the stored-path isset check and trigger deletion of the traversal-specified file."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-20T01:27:22.783Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4169b390-0972-4aa9-ae04-f5f67afe15ef?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/contact-form-entries/tags/1.5.1/includes/plugin-pages.php#L1197"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/contact-form-entries/tags/1.5.1/contact-form-entries.php#L747"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/contact-form-entries/tags/1.5.1/contact-form-entries.php#L435"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/contact-form-entries/tags/1.5.1/includes/data.php#L539"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/contact-form-entries/tags/1.5.1/templates/view.php#L559"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3578556/contact-form-entries"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-28T13:43:21.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-19T11:55:33.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Database for Contact Form 7, WPforms, Elementor forms \u003c= 1.5.1 - Unauthenticated Arbitrary File Deletion via CF7 File Field POST Value"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-9843",
        "datePublished": "2026-06-20T01:27:22.783Z",
        "dateReserved": "2026-05-28T13:28:02.938Z",
        "dateUpdated": "2026-06-20T01:27:22.783Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11551 (GCVE-0-2026-11551)

    Vulnerability from cvelistv5 – Published: 2026-06-19 23:29 – Updated: 2026-06-19 23:29
    Title
    Branda – White Label & Branding, Free Login Page Customizer <= 3.4.29 - Unauthenticated Privilege Escalation via Account Takeover
    Summary
    The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.
    CWE
    • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
    Assigner
    Impacted products
    Credits
    Tran Van Nhan Vo Van Minh

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Branda \u2013 White Label \u0026 Branding, Free Login Page Customizer",
              "vendor": "wpmudev",
              "versions": [
                {
                  "lessThanOrEqual": "3.4.29",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Tran Van Nhan"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Vo Van Minh"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Branda plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.29. This is due to the plugin not properly validating a user\u0027s identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users\u0027 passwords, including administrators\u0027, and leverage that to gain access to their accounts."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-640",
                  "description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T23:29:21.990Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/56f13af3-71b6-42d4-9fda-a75778f32091?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/branda-white-labeling/tags/3.4.29/inc/modules/login-screen/signup-password.php#L232"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3568291/branda-white-labeling/trunk/inc/modules/login-screen/signup-password.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-08T05:31:59.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-19T11:05:45.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Branda \u2013 White Label \u0026 Branding, Free Login Page Customizer \u003c= 3.4.29 - Unauthenticated Privilege Escalation via Account Takeover"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-11551",
        "datePublished": "2026-06-19T23:29:21.990Z",
        "dateReserved": "2026-06-08T05:16:38.024Z",
        "dateUpdated": "2026-06-19T23:29:21.990Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12238 (GCVE-0-2026-12238)

    Vulnerability from cvelistv5 – Published: 2026-06-19 18:32 – Updated: 2026-06-19 18:32
    Title
    WP Go Maps <= 10.1.01 - Unauthenticated Arbitrary Record Creation
    Summary
    The WP Go Maps – Most Popular Map Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 10.1.01. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to create arbitrary records in plugin database tables (maps, markers, circles, polygons, polylines, rectangles, and point labels) by supplying a WPGMZA-namespaced CRUD-backed class name via the phpClass parameter. The namespace validation check (requiring the 'WPGMZA' prefix) does not prevent exploitation because classes such as WPGMZA\Map and WPGMZA\Marker satisfy it while still triggering an INSERT into the corresponding plugin table before the route rejects the request.
    CWE
    Assigner
    Impacted products
    Credits
    Thanh Điềm

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WP Go Maps \u2013 Google Map, OpenStreetMap, Leaflet Map",
              "vendor": "wpgmaps",
              "versions": [
                {
                  "lessThanOrEqual": "10.1.01",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Thanh \u0110i\u1ec1m"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WP Go Maps \u2013 Most Popular Map Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 10.1.01. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to create arbitrary records in plugin database tables (maps, markers, circles, polygons, polylines, rectangles, and point labels) by supplying a WPGMZA-namespaced CRUD-backed class name via the phpClass parameter. The namespace validation check (requiring the \u0027WPGMZA\u0027 prefix) does not prevent exploitation because classes such as WPGMZA\\Map and WPGMZA\\Marker satisfy it while still triggering an INSERT into the corresponding plugin table before the route rejects the request."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T18:32:05.833Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c51c6cfb-9a79-4190-87ff-7eddb866ae56?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wp-google-maps/tags/10.0.10/includes/class.rest-api.php#L1052"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-15T03:59:56.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-19T06:01:56.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WP Go Maps \u003c= 10.1.01 - Unauthenticated Arbitrary Record Creation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-12238",
        "datePublished": "2026-06-19T18:32:05.833Z",
        "dateReserved": "2026-06-15T03:44:18.959Z",
        "dateUpdated": "2026-06-19T18:32:05.833Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6798 (GCVE-0-2026-6798)

    Vulnerability from cvelistv5 – Published: 2026-06-19 06:51 – Updated: 2026-06-19 06:51
    Title
    2Download Connector for 2DL Hosted Checkout <= 0.1.5 - Missing Authorization to Unauthenticated Sensitive Customer Subscription Data Exposure via 'ToDownload_email' Parameter
    Summary
    The 2Download Connector for 2DL Hosted Checkout plugin for WordPress is vulnerable to unauthorized data access in all versions up to, and including, 0.1.5. This is due to the plugin not verifying that the requester is authorized to view the record selected by the 'ToDownload_email' parameter (the shortcode handler referenced below). This makes it possible for unauthenticated attackers to supply an arbitrary customer email address and view that customer's subscription data, including subscription status, product names, order IDs, purchase dates, and expiry dates.
    CWE
    Assigner
    Impacted products
    Credits
    Mohamed Haidar

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "2Download Connector for 2DL Hosted Checkout",
              "vendor": "2download",
              "versions": [
                {
                  "lessThanOrEqual": "0.1.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mohamed Haidar"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The 2Download Connector for 2DL Hosted Checkout plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 0.1.5. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to view arbitrary customers\u0027 subscription data including subscription status, product names, order IDs, purchase dates, and expiry dates."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T06:51:07.887Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/46a36f2b-c352-4d76-b4c4-8a73ec5dd910?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/2download-connector/trunk/src/Shortcodes/Shortcodes.php#L1776"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/2download-connector/tags/0.1.5/src/Shortcodes/Shortcodes.php#L1776"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/2download-connector/trunk/src/Shortcodes/Shortcodes.php#L1278"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/2download-connector/tags/0.1.5/src/Shortcodes/Shortcodes.php#L1278"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/2download-connector/trunk/src/Shortcodes/Shortcodes.php#L1767"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/2download-connector/tags/0.1.5/src/Shortcodes/Shortcodes.php#L1767"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3524785%402download-connector\u0026new=3524785%402download-connector\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-18T17:37:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "2Download Connector for 2DL Hosted Checkout \u003c= 0.1.5 - Missing Authorization to Unauthenticated Sensitive Customer Subscription Data Exposure via \u0027ToDownload_email\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-6798",
        "datePublished": "2026-06-19T06:51:07.887Z",
        "dateReserved": "2026-04-21T14:37:13.586Z",
        "dateUpdated": "2026-06-19T06:51:07.887Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-3640 (GCVE-0-2026-3640)

    Vulnerability from cvelistv5 – Published: 2026-06-19 06:51 – Updated: 2026-06-19 06:51
    Title
    STRABL <= 4.5 - Unauthenticated Arbitrary Webhook Creation via REST API Endpoint
    Summary
    The STRABL – A checkout solution plugin for WordPress is vulnerable to missing authentication and authorization (recorded as CWE-862) in all versions up to, and including, 4.5. The plugin registers a REST API webhook endpoint at /wp-json/strabl/webhook/order with a permission_callback of __return_true, which accepts every incoming request without any authentication or authorization check. No shared secret, signature validation, HMAC verification, or token-based authentication is implemented, so the endpoint cannot distinguish a genuine payment-provider callback from an attacker-crafted request. This makes it possible for unauthenticated attackers to create fraudulent WooCommerce orders and mark them as completed by supplying paymentStatus=paid, manipulate existing order statuses by providing an externalOrderId, create new WordPress user accounts with the customer role, issue refunds on existing orders, cancel existing orders, and apply chargeback fees — all without making a legitimate payment or holding any valid credentials. Note that the record's CVSS 3.1 vector (C:N/I:L/A:N, base score 5.3) rates integrity impact as low; assess exposure against the order, refund, and account-creation capabilities described here rather than against the score alone.
    CWE
    Assigner
    Impacted products
    Credits
    Teerachai Somprasong

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "STRABL \u2013 A checkout solution",
              "vendor": "strablengineering",
              "versions": [
                {
                  "lessThanOrEqual": "4.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Teerachai Somprasong"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The STRABL \u2013 A checkout solution plugin for WordPress is vulnerable to Missing Authentication in all versions up to and including 4.5. The plugin registers a REST API webhook endpoint at /wp-json/strabl/webhook/order with a permission_callback of __return_true, which allows all incoming requests without any authentication or authorization checks. No shared secret, signature validation, HMAC verification, or token-based authentication is implemented. This makes it possible for unauthenticated attackers to create fraudulent WooCommerce orders and mark them as completed by supplying paymentStatus=paid, manipulate existing order statuses by providing an externalOrderId, create new WordPress user accounts with the customer role, issue refunds on existing orders, cancel existing orders, and apply chargeback fees \u2014 all without making a legitimate payment or having any valid credentials."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T06:51:07.326Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/04eb82e4-1738-44c7-980e-8e33a7a3a23a?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/OrderWebhookController.php#L60"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/OrderWebhookController.php#L60"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/OrderWebhookController.php#L64"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/OrderWebhookController.php#L64"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/OrderWebhookController.php#L88"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/OrderWebhookController.php#L88"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/OrderWebhookController.php#L550"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/OrderWebhookController.php#L550"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/OrderWebhookController.php#L199"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/OrderWebhookController.php#L199"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/trunk/src/Orders/CustomerRepository.php#L17"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/strabl-a-checkout-solution/tags/4.5/src/Orders/CustomerRepository.php#L17"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3558301"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-09T10:17:59.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-18T17:50:04.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "STRABL \u003c= 4.5 - Unauthenticated Arbitrary Webhook Creation via REST API Endpoint"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-3640",
        "datePublished": "2026-06-19T06:51:07.326Z",
        "dateReserved": "2026-03-06T16:02:29.333Z",
        "dateUpdated": "2026-06-19T06:51:07.326Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7515 (GCVE-0-2026-7515)

    Vulnerability from cvelistv5 – Published: 2026-06-19 05:33 – Updated: 2026-06-19 05:33
    Title
    BetterDocs Pro <= 3.8.0 - Unauthenticated Local File Inclusion via doc_style
    Summary
    The BetterDocs Pro plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 3.8.0 via the `doc_style` parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files already present on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and then included. The references in this record point only to the vendor site and changelog and do not name a patched version, so confirm the fixed release against the changelog before treating an installation as remediated.
    CWE
    • CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
    Assigner
    Impacted products
    Vendor Product Version
    betterdocs BetterDocs Pro Affected: 0 , ≤ 3.8.0 (semver)
    Credits
    Nguyen Ngoc Duc

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "BetterDocs Pro",
              "vendor": "betterdocs",
              "versions": [
                {
                  "lessThanOrEqual": "3.8.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Nguyen Ngoc Duc"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The BetterDocs Pro plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 3.8.0 via the `doc_style` parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-98",
                  "description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T05:33:29.949Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/694b67d2-7d60-4764-a2c0-02698c331772?source=cve"
            },
            {
              "url": "https://betterdocs.co/"
            },
            {
              "url": "https://betterdocs.co/changelog/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-30T15:56:47.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-18T17:00:31.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "BetterDocs Pro \u003c= 3.8.0 - Unauthenticated Local File Inclusion via doc_style"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-7515",
        "datePublished": "2026-06-19T05:33:29.949Z",
        "dateReserved": "2026-04-30T15:40:25.530Z",
        "dateUpdated": "2026-06-19T05:33:29.949Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12430 (GCVE-0-2026-12430)

    Vulnerability from cvelistv5 – Published: 2026-06-19 04:31 – Updated: 2026-06-19 04:31
    Title
    Blocksy Companion <= 2.1.45 - Authenticated (Editor+) Stored Cross-Site Scripting via 'product_description' Parameter
    Summary
    The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'product_description' setting of its product reviews extension (the files referenced below) in all versions up to, and including, 2.1.45, due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where the unfiltered_html capability has been disabled, since users who hold unfiltered_html are already permitted to store raw HTML.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    creativethemeshq Blocksy Companion Affected: 0 , ≤ 2.1.45 (semver)
    Credits
    Pasindu Dilshan

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Blocksy Companion",
              "vendor": "creativethemeshq",
              "versions": [
                {
                  "lessThanOrEqual": "2.1.45",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Pasindu Dilshan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Blocksy Companion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.1.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T04:31:35.196Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fac4ae61-cfc6-4efc-9f57-58fa39e00f07?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/blocksy-companion/tags/2.1.45/framework/extensions/product-reviews/views/single-top.php#L232"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/blocksy-companion/tags/2.1.45/framework/extensions/product-reviews/extension.php#L709"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/blocksy-companion/tags/2.1.45/framework/extensions/product-reviews/views/single-top.php#L206"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/blocksy-companion/tags/2.1.41/framework/extensions/product-reviews/views/single-top.php#L232"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/blocksy-companion/tags/2.1.41/framework/extensions/product-reviews/extension.php#L709"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/blocksy-companion/tags/2.1.41/framework/extensions/product-reviews/views/single-top.php#L206"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3576066%40blocksy-companion\u0026new=3576066%40blocksy-companion\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-16T17:31:26.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-18T15:44:31.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Blocksy Companion \u003c= 2.1.45 - Authenticated (Editor+) Stored Cross-Site Scripting via \u0027product_description\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-12430",
        "datePublished": "2026-06-19T04:31:35.196Z",
        "dateReserved": "2026-06-16T17:16:16.631Z",
        "dateUpdated": "2026-06-19T04:31:35.196Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10034 (GCVE-0-2026-10034)

    Vulnerability from cvelistv5 – Published: 2026-06-19 04:31 – Updated: 2026-06-19 04:31
    Title
    WP DSGVO Tools (GDPR) <= 3.1.39 - Missing Authorization to Unauthenticated Sensitive Personal Data Disclosure via subject-access-request AJAX Endpoint (process_now/is_ajax Parameters)
    Summary
    The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.39. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to supply an arbitrary victim email address and trigger immediate subject access request (SAR) processing via the process_now and is_ajax parameters, receiving tokenized download links (zip_link, pdf_link) in the HTTP response that expose the victim's personal data — including WordPress account details, comment author names, email addresses, IP addresses, and comment content — without any proof that the requester owns that address. The nonce used for the CSRF check is publicly rendered by the SAR shortcode form and is shared across all anonymous visitors, so it provides no authorization: any unauthenticated attacker can trivially obtain a valid nonce and pass this gate.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    legalweb WP DSGVO Tools (GDPR) Affected: 0 , ≤ 3.1.39 (semver)
    Credits
    kalomba

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WP DSGVO Tools (GDPR)",
              "vendor": "legalweb",
              "versions": [
                {
                  "lessThanOrEqual": "3.1.39",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "kalomba"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.39. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to supply an arbitrary victim email address and trigger immediate SAR processing via the process_now and is_ajax parameters, receiving tokenized download links (zip_link, pdf_link) in the HTTP response that expose the victim\u0027s personal data \u2014 including WordPress account details, comment author names, email addresses, IP addresses, and comment content \u2014 without any proof of ownership. The nonce used for the CSRF check is publicly rendered by the SAR shortcode form and is shared across all anonymous visitors, meaning any unauthenticated attacker can trivially obtain a valid nonce and bypass this gate entirely."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T04:31:34.854Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e4deb62a-1a75-4951-a0a0-297dd17276d3?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.39/public/shortcodes/subject-access-request/subject-access-request-action.php#L40"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.39/public/shortcodes/subject-access-request/subject-access-request-action.php#L47"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.39/public/shortcodes/subject-access-request/subject-access-request-action.php#L24"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.39/includes/class-sp-dsgvo-ajax-action.php#L70"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.39/public/shortcodes/subject-access-request/download-subject-access-request.php#L9"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.38/public/shortcodes/subject-access-request/subject-access-request-action.php#L40"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.38/public/shortcodes/subject-access-request/subject-access-request-action.php#L47"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.38/public/shortcodes/subject-access-request/subject-access-request-action.php#L24"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.38/includes/class-sp-dsgvo-ajax-action.php#L70"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.38/public/shortcodes/subject-access-request/download-subject-access-request.php#L9"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3574362%40shapepress-dsgvo\u0026new=3574362%40shapepress-dsgvo\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-28T19:16:40.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-18T16:02:40.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WP DSGVO Tools (GDPR) \u003c= 3.1.39 - Missing Authorization to Unauthenticated Sensitive Personal Data Disclosure via subject-access-request AJAX Endpoint (process_now/is_ajax Parameters)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-10034",
        "datePublished": "2026-06-19T04:31:34.854Z",
        "dateReserved": "2026-05-28T19:01:31.734Z",
        "dateUpdated": "2026-06-19T04:31:34.854Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8713 (GCVE-0-2026-8713)

    Vulnerability from cvelistv5 – Published: 2026-06-19 04:31 – Updated: 2026-06-19 04:31
    Title
    Avada (Fusion) Builder <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value
    Summary
    The Avada (Fusion) Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybe_delete_files function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The attack requires a published Avada form configured to save entries to the database; an unauthenticated attacker submits a path-traversal payload via the wp_ajax_nopriv_fusion_form_submit_ajax handler while also controlling the fusion_privacy_expiration_interval and privacy_expiration_action fields to force an immediate 'delete' cleanup, causing the planted entry to be automatically processed by the Fusion_Form_DB_Privacy shutdown-hook routine without any administrator interaction.
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    themefusion Avada (Fusion) Builder Affected: 0 , ≤ 3.15.3 (semver)
    Credits
    daroo

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Avada (Fusion) Builder",
              "vendor": "themefusion",
              "versions": [
                {
                  "lessThanOrEqual": "3.15.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "daroo"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Avada (Fusion) Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybe_delete_files function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The attack requires a published Avada form configured to save entries to the database; an unauthenticated attacker submits a path-traversal payload via the wp_ajax_nopriv_fusion_form_submit_ajax handler while also controlling the fusion_privacy_expiration_interval and privacy_expiration_action fields to force an immediate \u0027delete\u0027 cleanup, causing the planted entry to be automatically processed by the Fusion_Form_DB_Privacy shutdown-hook routine without any administrator interaction."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 9.1,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T04:31:34.491Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e4bfb72e-023b-4bfd-b125-91f6ac2f200f?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/fusion-builder/trunk/inc/class-fusion-form-db-entries.php#L79"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-15T20:49:10.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-18T16:14:13.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Avada (Fusion) Builder \u003c= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-8713",
        "datePublished": "2026-06-19T04:31:34.491Z",
        "dateReserved": "2026-05-15T20:33:46.821Z",
        "dateUpdated": "2026-06-19T04:31:34.491Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8118 (GCVE-0-2026-8118)

    Vulnerability from cvelistv5 – Published: 2026-06-19 04:31 – Updated: 2026-06-19 04:31
    Title
    Royal Addons for Elementor – Addons and Templates Kit for Elementor 1.7.1058 - 1.7.1059 - Authenticated (Contributor+) Arbitrary File Read via Data Table Widget CSV File Source
    Summary
    The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Arbitrary File Read in versions 1.7.1058 through 1.7.1059. This is due to the wpr_get_csv_handle() helper (introduced in version 1.7.1058 as part of the patch for CVE-2026-6229) falling back to is_readable() and fopen($source, 'r') on the attacker-controlled settings.table_upload_csv.url value when it does not parse as an HTTP URL, with no allow-list, traversal block, or extension check. This makes it possible for authenticated attackers, with Contributor-level access and above, to save a crafted wpr-data-table widget through Elementor's save_builder endpoint and have the rendered preview return the line-by-line contents of any file readable by the PHP process, including wp-config.php.
    CWE
    • CWE-73 - External Control of File Name or Path
    Assigner
    Impacted products
    Credits
    Jack Taylor

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor",
              "vendor": "wproyal",
              "versions": [
                {
                  "lessThanOrEqual": "1.7.1059",
                  "status": "affected",
                  "version": "1.7.1058",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jack Taylor"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Arbitrary File Read in versions 1.7.1058 through 1.7.1059. This is due to the wpr_get_csv_handle() helper (introduced in version 1.7.1058 as part of the patch for CVE-2026-6229) falling back to is_readable() and fopen($source, \u0027r\u0027) on the attacker-controlled settings.table_upload_csv.url value when it does not parse as an HTTP URL, with no allow-list, traversal block, or extension check. This makes it possible for authenticated attackers, with Contributor-level access and above, to save a crafted wpr-data-table widget through Elementor\u0027s save_builder endpoint and have the rendered preview return the line-by-line contents of any file readable by the PHP process, including wp-config.php."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-73",
                  "description": "CWE-73 External Control of File Name or Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T04:31:34.131Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d7ce047b-3cd3-475b-9a9f-38d15174e7e5?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3532747/royal-elementor-addons"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-07T17:13:25.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-18T16:21:26.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor 1.7.1058 - 1.7.1059 - Authenticated (Contributor+) Arbitrary File Read via Data Table Widget CSV File Source"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-8118",
        "datePublished": "2026-06-19T04:31:34.131Z",
        "dateReserved": "2026-05-07T16:50:03.874Z",
        "dateUpdated": "2026-06-19T04:31:34.131Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11989 (GCVE-0-2026-11989)

    Vulnerability from cvelistv5 – Published: 2026-06-19 04:31 – Updated: 2026-06-19 04:31
    Title
    Bit integrations <= 2.8.7 - Unauthenticated Server-Side Request Forgery via Form Field Upload Mapping
    Summary
    The Bit integrations – Form Integration, Webhook, Spreadsheets, CRM, LMS & Email Automation plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.7 via upload_attachment. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services. Exploitation requires a form integration to be configured with a field mapped to a WooCommerce product image, product gallery, downloadable files, or Google Contacts attachment field, which is a default use case for these integrations.
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Credits
    Chris Peterson

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Bit integrations \u2013 Form Integration, Webhook, Spreadsheets, CRM, LMS \u0026 Email Automation",
              "vendor": "bitpressadmin",
              "versions": [
                {
                  "lessThanOrEqual": "2.8.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Chris Peterson"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Bit integrations \u2013 Form Integration, Webhook, Spreadsheets, CRM, LMS \u0026 Email Automation plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.8.7 via the upload_attachment. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Exploitation requires a form integration to be configured with a field mapped to a WooCommerce product image, product gallery, downloadable files, or Google Contacts attachment field, which is a default use case for these integrations."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T04:31:33.792Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bdf8d5c2-dbb1-47d5-b858-da6f6e1989f4?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/bit-integrations/tags/2.8.7/backend/Actions/WooCommerce/RecordApiHelper.php#L631"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/bit-integrations/tags/2.8.7/backend/Actions/GoogleContacts/RecordApiHelper.php#L139"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/bit-integrations/tags/2.8.7/backend/Actions/WooCommerce/RecordApiHelper.php#L584"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/bit-integrations/tags/2.8.7/backend/Actions/GoogleContacts/RecordApiHelper.php#L168"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/bit-integrations/tags/2.8.2/backend/Actions/WooCommerce/RecordApiHelper.php#L631"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/bit-integrations/tags/2.8.2/backend/Actions/GoogleContacts/RecordApiHelper.php#L139"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/bit-integrations/tags/2.8.2/backend/Actions/WooCommerce/RecordApiHelper.php#L584"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/bit-integrations/tags/2.8.2/backend/Actions/GoogleContacts/RecordApiHelper.php#L168"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3571608%40bit-integrations\u0026new=3571608%40bit-integrations\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-11T14:45:34.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-18T15:58:38.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Bit integrations \u003c= 2.8.7 - Unauthenticated Server-Side Request Forgery via Form Field Upload Mapping"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-11989",
        "datePublished": "2026-06-19T04:31:33.792Z",
        "dateReserved": "2026-06-11T14:30:23.613Z",
        "dateUpdated": "2026-06-19T04:31:33.792Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4328 (GCVE-0-2026-4328)

    Vulnerability from cvelistv5 – Published: 2026-06-19 04:31 – Updated: 2026-06-19 04:31
    Title
    Advanced Import: One-Click Demo Import for WordPress <= 1.4.6 - Authenticated (Author+) Server-Side Request Forgery via 'demo_file' Parameter
    Summary
    The Advanced Import plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.6. This is due to the plugin using wp_remote_get() to fetch a user-supplied URL without validating that the URL does not point to internal or private network resources in the demo_download_and_unzip() function. The 'demo_file' parameter from $_POST is passed through sanitize_text_field() (which only handles XSS-related sanitization) and then directly into wp_remote_get() when 'demo_file_type' is set to 'url'. Notably, the plugin uses wp_safe_remote_get() in other locations (theme template libraries) which would provide SSRF protection, but fails to use it in this critical AJAX handler. This makes it possible for authenticated attackers, with Author-level access and above (upload_files capability), to make web requests to arbitrary locations originating from the web application, which can be used to query and view data from internal services, including cloud instance metadata endpoints.
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    addonspress Advanced Import Affected: 0 , ≤ 1.4.6 (semver)
    Credits
    loris lentini

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Advanced Import",
              "vendor": "addonspress",
              "versions": [
                {
                  "lessThanOrEqual": "1.4.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "loris lentini"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Advanced Import plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.6. This is due to the plugin using wp_remote_get() to fetch a user-supplied URL without validating that the URL does not point to internal or private network resources in the demo_download_and_unzip() function. The \u0027demo_file\u0027 parameter from $_POST is passed through sanitize_text_field() (which only handles XSS-related sanitization) and then directly into wp_remote_get() when \u0027demo_file_type\u0027 is set to \u0027url\u0027. Notably, the plugin uses wp_safe_remote_get() in other locations (theme template libraries) which would provide SSRF protection, but fails to use it in this critical AJAX handler. This makes it possible for authenticated attackers, with Author-level access and above (upload_files capability), to make web requests to arbitrary locations originating from the web application, which can be used to query and view data from internal services, including cloud instance metadata endpoints."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T04:31:33.421Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/baf55ce7-8a33-426c-a6a4-158a95a13a5c?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-import/trunk/admin/class-advanced-import-admin.php#L612"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-import/tags/1.4.5/admin/class-advanced-import-admin.php#L612"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-import/trunk/admin/class-advanced-import-admin.php#L561"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/advanced-import/tags/1.4.5/admin/class-advanced-import-admin.php#L561"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3566433%40advanced-import\u0026new=3566433%40advanced-import\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-30T17:54:37.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-18T15:57:02.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Advanced Import: One-Click Demo Import for WordPress \u003c= 1.4.6 - Authenticated (Author+) Server-Side Request Forgery via \u0027demo_file\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-4328",
        "datePublished": "2026-06-19T04:31:33.421Z",
        "dateReserved": "2026-03-17T13:35:59.158Z",
        "dateUpdated": "2026-06-19T04:31:33.421Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9013 (GCVE-0-2026-9013)

    Vulnerability from cvelistv5 – Published: 2026-06-19 04:31 – Updated: 2026-06-19 04:31
    Title
    Bogo <= 3.9.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via REST API
    Summary
    The Bogo plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.1 via bogo_rest_create_post_translation. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract the raw title, content, excerpt, and password of any private, draft, or password-protected post by triggering its duplication via the translation endpoint and reading the returned title.raw, content.raw, and excerpt.raw fields of the duplicated post. This vulnerability is exploitable against posts written in a non-default locale, as authenticated subscribers can request a translation into the site's default locale to pass the locale-only permission gate. While subscribers can trigger the endpoint, the impact is only realized at Contributor level and above, since those roles can actually read the duplicated content.
    CWE
    Assigner
    Impacted products
    Vendor Product Version
    rocklobsterinc Bogo Affected: 0 , ≤ 3.9.1 (semver)
    Credits
    Andrew Lacambra

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Bogo",
              "vendor": "rocklobsterinc",
              "versions": [
                {
                  "lessThanOrEqual": "3.9.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Andrew Lacambra"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Bogo plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.1 via the bogo_rest_create_post_translation. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract the raw title, content, excerpt, and password of any private, draft, or password-protected post by triggering its duplication via the translation endpoint and reading the returned title.raw, content.raw, and excerpt.raw fields of the duplicated post. This vulnerability is exploitable against posts written in a non-default locale, as authenticated subscribers can request a translation into the site\u0027s default locale to pass the locale-only permission gate. While subscribers can trigger the endpoint, this is only impactful at the Contributor-level as they can actually read the duplicated content."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T04:31:33.079Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b04ba117-da4b-445e-99c2-69a5e4f34a65?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/bogo/tags/3.9.1/includes/rest-api.php#L202"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/bogo/tags/3.9.1/includes/rest-api.php#L31"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/bogo/tags/3.9.1/includes/post.php#L293"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/bogo/trunk/includes/rest-api.php#L202"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/bogo/trunk/includes/rest-api.php#L31"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/bogo/trunk/includes/post.php#L293"
            },
            {
              "url": "https://github.com/rocklobster-in/bogo/pull/382/changes"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3574263%40bogo\u0026new=3574263%40bogo\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-19T14:40:58.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-18T16:00:47.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Bogo \u003c= 3.9.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via REST API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-9013",
        "datePublished": "2026-06-19T04:31:33.079Z",
        "dateReserved": "2026-05-19T14:25:47.426Z",
        "dateUpdated": "2026-06-19T04:31:33.079Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12157 (GCVE-0-2026-12157)

    Vulnerability from cvelistv5 – Published: 2026-06-19 04:31 – Updated: 2026-06-19 04:31
    Title
    BetterDocs <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'blockId' Block Attribute
    Summary
    The BetterDocs - Knowledge Base Docs & FAQ Solution for Elementor & Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the blockId attribute of the betterdocs/category-slate-layout Gutenberg block in versions up to, and including, 4.5.3. This is due to insufficient input sanitization and output escaping in the CategorySlateLayout::render() method, which echoes the blockId block attribute directly into an HTML class attribute without esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Smidi

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "BetterDocs \u2013  AI Documentation, Knowledge Base, Docs, Wikis, FAQ with Chatbot",
              "vendor": "wpdevteam",
              "versions": [
                {
                  "lessThanOrEqual": "4.5.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Smidi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The BetterDocs - Knowledge Base Docs \u0026 FAQ Solution for Elementor \u0026 Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the blockId attribute of the betterdocs/category-slate-layout Gutenberg block in versions up to, and including, 4.5.3. This is due to insufficient input sanitization and output escaping in the CategorySlateLayout::render() method, which echoes the blockId block attribute directly into an HTML class attribute without esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T04:31:32.712Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/81f61ef0-b3c7-4c69-bd18-5e5f0ea09abc?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/betterdocs/tags/4.5.3/includes/Editors/BlockEditor/Blocks/CategorySlateLayout.php#L97"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/betterdocs/tags/4.5.3/includes/Editors/BlockEditor/Blocks/CategorySlateLayout.php#L66"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/betterdocs/tags/4.3.12/includes/Editors/BlockEditor/Blocks/CategorySlateLayout.php#L97"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/betterdocs/tags/4.3.12/includes/Editors/BlockEditor/Blocks/CategorySlateLayout.php#L66"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3576713%40betterdocs\u0026new=3576713%40betterdocs\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-12T18:42:50.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-18T15:43:58.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "BetterDocs \u003c= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027blockId\u0027 Block Attribute"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-12157",
        "datePublished": "2026-06-19T04:31:32.712Z",
        "dateReserved": "2026-06-12T18:27:41.912Z",
        "dateUpdated": "2026-06-19T04:31:32.712Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7547 (GCVE-0-2026-7547)

    Vulnerability from cvelistv5 – Published: 2026-06-19 04:31 – Updated: 2026-06-19 04:31
    Title
    Woosa <= 2.0.5 - Authenticated (Administrator+) Arbitrary File Read via 'log_file' Parameter
    Summary
    The Woosa – Marktplaats for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Read via Path Traversal in versions up to and including 2.0.4. This is due to insufficient path sanitization in the render_logs_ui() function, which accepts a base64-encoded file name from the 'log_file' GET parameter and concatenates it directly with the plugin's log directory path without validating that the resolved path remains within the intended directory. This makes it possible for authenticated attackers, with Administrator-level access, to read the contents of arbitrary files on the server, including wp-config.
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Assigner
    Impacted products
    Vendor Product Version
    teamwsa Woosa – Marktplaats for WooCommerce Affected: 0 , ≤ 2.0.5 (semver)
    Credits
    Abhirup Konwar

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Woosa \u2013 Marktplaats for WooCommerce",
              "vendor": "teamwsa",
              "versions": [
                {
                  "lessThanOrEqual": "2.0.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abhirup Konwar"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Woosa \u2013 Marktplaats for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Read via Path Traversal in versions up to and including 2.0.4. This is due to insufficient path sanitization in the render_logs_ui() function, which accepts a base64-encoded file name from the \u0027log_file\u0027 GET parameter and concatenates it directly with the plugin\u0027s log directory path without validating that the resolved path remains within the intended directory. This makes it possible for authenticated attackers, with Administrator-level access, to read the contents of arbitrary files on the server, including wp-config."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T04:31:32.329Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3e765e05-9be1-40fa-97f2-a6e57728cb85?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/integration-marktplaats-for-woocommerce/trunk/vendor/woosa/logger/class-module-logger-hook-settings.php#L190"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/integration-marktplaats-for-woocommerce/tags/2.0.5/vendor/woosa/logger/class-module-logger-hook-settings.php#L190"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/integration-marktplaats-for-woocommerce/trunk/vendor/woosa/logger/class-module-logger-hook-settings.php#L177"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/integration-marktplaats-for-woocommerce/tags/2.0.5/vendor/woosa/logger/class-module-logger-hook-settings.php#L177"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/integration-marktplaats-for-woocommerce/tags/2.0.4/vendor/woosa/logger/class-module-logger-hook-settings.php#L190"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/integration-marktplaats-for-woocommerce/tags/2.0.4/vendor/woosa/logger/class-module-logger-hook-settings.php#L177"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3576889%40integration-marktplaats-for-woocommerce\u0026new=3576889%40integration-marktplaats-for-woocommerce\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-28T10:21:17.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-18T16:04:32.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Woosa \u003c= 2.0.5 - Authenticated (Administrator+) Arbitrary File Read via \u0027log_file\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-7547",
        "datePublished": "2026-06-19T04:31:32.329Z",
        "dateReserved": "2026-04-30T18:57:45.772Z",
        "dateUpdated": "2026-06-19T04:31:32.329Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-1856 (GCVE-0-2026-1856)

    Vulnerability from cvelistv5 – Published: 2026-06-19 04:31 – Updated: 2026-06-19 04:31
    Title
    Appointment Booking Calendar <= 1.4.4 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Booking Field Label
    Summary
    The Appointment Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom booking field labels in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    creavi Creavi Appointment Booking Calendar Affected: 0 , ≤ 1.4.4 (semver)
    Credits
    Athiwat Tiprasaharn Powpy

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Creavi Appointment Booking Calendar",
              "vendor": "creavi",
              "versions": [
                {
                  "lessThanOrEqual": "1.4.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Athiwat Tiprasaharn"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Powpy"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Appointment Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom booking field labels in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T04:31:31.814Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2618ccde-2bb0-4cd4-b415-68a671507709?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/creavi-booking-service/trunk/assets/js/booking.js#L379"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/creavi-booking-service/tags/1.1.0/assets/js/booking.js#L379"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3564451/creavi-booking-service"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-28T07:37:06.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-18T16:09:32.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Appointment Booking Calendar \u003c= 1.4.4 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Booking Field Label"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-1856",
        "datePublished": "2026-06-19T04:31:31.814Z",
        "dateReserved": "2026-02-03T18:42:25.326Z",
        "dateUpdated": "2026-06-19T04:31:31.814Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10779 (GCVE-0-2026-10779)

    Vulnerability from cvelistv5 – Published: 2026-06-19 03:41 – Updated: 2026-06-19 03:41
    Title
    Classified Listing <= 5.4.2 - Missing Authorization to Authenticated (Subscriber+) Feature Modification via Multiple AJAX Handlers ('listingId'/'id' Parameters)
    Summary
    The Classified Listing – Classified ads & Business Directory plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.4.2. This is due to a missing capability/ownership check on the gallery_image_update_as_feature AJAX handler (action: rtcl_fb_gallery_image_update_as_feature), which accepts a user-supplied listing ID and attachment ID and sets the featured image of a listing while only validating a nonce that is exposed to any logged-in user on the frontend listing-submission form. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the featured image of arbitrary listings they do not own.
    CWE
    Assigner
    Impacted products
    Credits
    Ben Tamam

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Classified Listing \u2013 AI-Powered Classified ads \u0026 Business Directory",
              "vendor": "techlabpro1",
              "versions": [
                {
                  "lessThanOrEqual": "5.4.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Ben Tamam"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Classified Listing \u2013 Classified ads \u0026 Business Directory plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.4.2. This is due to a missing capability/ownership check on the gallery_image_update_as_feature AJAX handler (action: rtcl_fb_gallery_image_update_as_feature), which accepts a user-supplied listing ID and attachment ID and sets the featured image of a listing while only validating a nonce that is exposed to any logged-in user on the frontend listing-submission form. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the featured image of arbitrary listings they do not own."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T03:41:58.826Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5f7660ba-c3be-44f0-91cb-809d0021759a?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/5.4.2/app/Controllers/Ajax/FormBuilderAjax.php#L590"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/5.4.2/app/Controllers/Ajax/FormBuilderAjax.php#L605"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/5.4.2/app/Controllers/Ajax/FormBuilderAjax.php#L617"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.8/app/Controllers/Ajax/FormBuilderAjax.php#L590"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.8/app/Controllers/Ajax/FormBuilderAjax.php#L605"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/5.3.8/app/Controllers/Ajax/FormBuilderAjax.php#L617"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3571741%40classified-listing\u0026new=3571741%40classified-listing\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-03T16:15:27.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-18T15:38:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Classified Listing \u003c= 5.4.2 - Missing Authorization to Authenticated (Subscriber+) Feature Modification via Multiple AJAX Handlers (\u0027listingId\u0027/\u0027id\u0027 Parameters)"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-10779",
        "datePublished": "2026-06-19T03:41:58.826Z",
        "dateReserved": "2026-06-03T15:59:20.530Z",
        "dateUpdated": "2026-06-19T03:41:58.826Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11775 (GCVE-0-2026-11775)

    Vulnerability from cvelistv5 – Published: 2026-06-19 02:29 – Updated: 2026-06-19 02:29
    Title
    User Admin Simplifier <= 3.0.0 - Cross-Site Request Forgery
    Summary
    The User Admin Simplifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the useradminsimplifier_options_page function. This makes it possible for unauthenticated attackers to reset and permanently delete any user's stored menu and admin-bar configuration via a forged request that triggers uas_save_admin_options() and overwrites the useradminsimplifier_options database entry, provided they can trick a site administrator into performing an action such as clicking on a link.
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Vendor Product Version
    adamsilverstein User Admin Simplifier Affected: 0 , ≤ 3.0.0 (semver)
    Credits
    Ryusei Arima

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "User Admin Simplifier",
              "vendor": "adamsilverstein",
              "versions": [
                {
                  "lessThanOrEqual": "3.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Ryusei Arima"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The User Admin Simplifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the useradminsimplifier_options_page function. This makes it possible for unauthenticated attackers to reset and permanently delete any user\u0027s stored menu and admin-bar configuration via a forged request that triggers uas_save_admin_options() and overwrites the useradminsimplifier_options database entry via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-19T02:29:39.208Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0920fc70-1c4b-45ff-86f6-14640286b5e6?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/user-admin-simplifier/tags/1.0.0/useradminsimplifier.php#L204"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/user-admin-simplifier/tags/1.0.0/useradminsimplifier.php#L222"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/user-admin-simplifier/tags/1.0.0/useradminsimplifier.php#L161"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3566637%40user-admin-simplifier\u0026new=3566637%40user-admin-simplifier\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-10T10:40:45.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-18T13:52:53.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "User Admin Simplifier \u003c= 3.0.0 - Cross-Site Request Forgery"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-11775",
        "datePublished": "2026-06-19T02:29:39.208Z",
        "dateReserved": "2026-06-09T11:58:37.369Z",
        "dateUpdated": "2026-06-19T02:29:39.208Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2021 (GCVE-0-2026-2021)

    Vulnerability from cvelistv5 – Published: 2026-06-18 08:31 – Updated: 2026-06-18 15:53
    Title
    Slideshow Gallery LITE <= 1.8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'alwaysauto' Shortcode Attribute
    Summary
    The Slideshow Gallery LITE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alwaysauto' shortcode attribute in all versions up to, and including, 1.8.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    contrid Slideshow Gallery LITE Affected: 0 , ≤ 1.8.5 (semver)
    Credits
    Athiwat Tiprasaharn

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2021",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-18T15:53:39.270656Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-18T15:53:49.109Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Slideshow Gallery LITE",
              "vendor": "contrid",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Athiwat Tiprasaharn"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Slideshow Gallery LITE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027alwaysauto\u0027 shortcode attribute in all versions up to, and including, 1.8.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-18T08:31:45.662Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/55d842fc-a750-4b59-a1d6-b3bd427dfe79?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/slideshow-gallery/trunk/views/default/gallery.php#L192"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/slideshow-gallery/tags/1.8.5/views/default/gallery.php#L192"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/slideshow-gallery/trunk/slideshow-gallery.php#L558"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/slideshow-gallery/tags/1.8.5/slideshow-gallery.php#L558"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3567787%40slideshow-gallery\u0026new=3567787%40slideshow-gallery\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-25T17:15:41.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-17T20:00:45.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Slideshow Gallery LITE \u003c= 1.8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027alwaysauto\u0027 Shortcode Attribute"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-2021",
        "datePublished": "2026-06-18T08:31:45.662Z",
        "dateReserved": "2026-02-05T20:06:46.826Z",
        "dateUpdated": "2026-06-18T15:53:49.109Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8039 (GCVE-0-2026-8039)

    Vulnerability from cvelistv5 – Published: 2026-06-18 07:48 – Updated: 2026-06-18 13:02
    Title
    Fancy Testimonials <= 1.0 - Authenticated (Author+) Stored Cross-Site Scripting
    Summary
    The Fancy Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'author' shortcode attribute in the 'testimonial' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    dijitul Fancy Testimonials Affected: 0 , ≤ 1.0 (semver)
    Credits
    zakaria

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8039",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-18T13:01:53.099731Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-18T13:02:09.287Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Fancy Testimonials",
              "vendor": "dijitul",
              "versions": [
                {
                  "lessThanOrEqual": "1.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "zakaria"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Fancy Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027author\u0027 shortcode attribute in the \u0027testimonial\u0027 shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-18T07:48:29.350Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cf7adeb3-4c6b-4181-af07-0acb1fc8cdb0?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/fancy-testimonials/trunk/testimonials.php#L33"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/fancy-testimonials/tags/1.0/testimonials.php#L33"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-18T12:29:12.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-17T19:25:04.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Fancy Testimonials \u003c= 1.0 - Authenticated (Author+) Stored Cross-Site Scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-8039",
        "datePublished": "2026-06-18T07:48:29.350Z",
        "dateReserved": "2026-05-06T15:57:42.436Z",
        "dateUpdated": "2026-06-18T13:02:09.287Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12111 (GCVE-0-2026-12111)

    Vulnerability from cvelistv5 – Published: 2026-06-18 06:50 – Updated: 2026-06-18 12:42
    Title
    Appointment Booking Calendar <= 1.4.01 - Authenticated (Contributor+) Sensitive Information Exposure via 'id' Parameter
    Summary
    The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.4.01. This is due to insufficient authorization and missing per-calendar ownership checks in the cpabc_appointments_calendar_load2() function, which is reachable via the cpabc_calendar_load2=1 query parameter in wp-admin and only checks is_admin() && current_user_can('edit_posts'), a capability available to Contributor-level users and above. This makes it possible for authenticated attackers with Contributor-level access and above to supply an arbitrary calendar ID via the id parameter and extract customer booking information, including email addresses, names, phone numbers, booking times, and comments, from any calendar managed by the plugin.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    codepeople Appointment Booking Calendar Affected: 0 , ≤ 1.4.01 (semver)
    Credits
    Chloe Chamberland PRISM

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12111",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-18T12:42:03.307153Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-18T12:42:19.850Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Appointment Booking Calendar",
              "vendor": "codepeople",
              "versions": [
                {
                  "lessThanOrEqual": "1.4.01",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Chloe Chamberland"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "PRISM"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.4.01. This is due to insufficient authorization and missing per-calendar ownership checks in the cpabc_appointments_calendar_load2() function, which is reachable via the cpabc_calendar_load2=1 query parameter in wp-admin and only checks is_admin() \u0026\u0026 current_user_can(\u0027edit_posts\u0027), a capability available to Contributor-level users and above. This makes it possible for authenticated attackers with Contributor-level access and above to supply an arbitrary calendar ID via the id parameter and extract customer booking information, including email addresses, names, phone numbers, booking times, and comments, from any calendar managed by the plugin."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-18T06:50:06.952Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e1ecc237-87b0-4c4d-94cc-d3af9c6669c5?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.99/inc/cpabc_apps_go.inc.php#L1018"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/trunk/inc/cpabc_apps_go.inc.php#L1018"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/trunk/inc/cpabc_apps_go.inc.php#L1019"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.99/inc/cpabc_apps_go.inc.php#L1019"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/trunk/inc/cpabc_apps_go.inc.php#L945"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.99/inc/cpabc_apps_go.inc.php#L945"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/trunk/cpabc_appointments.php#L142"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/appointment-booking-calendar/tags/1.3.99/cpabc_appointments.php#L142"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3570448%40appointment-booking-calendar\u0026new=3570448%40appointment-booking-calendar\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-12T14:56:07.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-17T18:14:36.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Appointment Booking Calendar \u003c= 1.4.01 - Authenticated (Contributor+) Sensitive Information Exposure via \u0027id\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-12111",
        "datePublished": "2026-06-18T06:50:06.952Z",
        "dateReserved": "2026-06-12T14:40:58.131Z",
        "dateUpdated": "2026-06-18T12:42:19.850Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11395 (GCVE-0-2026-11395)

    Vulnerability from cvelistv5 – Published: 2026-06-18 06:50 – Updated: 2026-06-18 15:52
    Title
    CF7 to Webhook <= 5.0.0 - Unauthenticated Server-Side Request Forgery via CF7 Field Placeholder in Webhook URL Host
    Summary
    The CF7 to Webhook plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.0 via the pull_the_trigger function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services. Exploitation requires that the admin-configured webhook URL contains a Contact Form 7 field placeholder in the host segment of the URL, and that the affected form is publicly accessible.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-918 - Server-Side Request Forgery (SSRF)
    Assigner
    Impacted products
    Vendor Product Version
    mariovalney CF7 to Webhook Affected: 0 , ≤ 5.0.0 (semver)
    Credits
    Chris Peterson

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11395",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-18T15:52:25.322267Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-18T15:52:32.717Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "CF7 to Webhook",
              "vendor": "mariovalney",
              "versions": [
                {
                  "lessThanOrEqual": "5.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Chris Peterson"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The CF7 to Webhook plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.0 via the pull_the_trigger. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Exploitation requires that the admin-configured webhook URL contains a Contact Form 7 field placeholder in the host segment of the URL, and that the affected form is publicly accessible."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-918",
                  "description": "CWE-918 Server-Side Request Forgery (SSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-18T06:50:06.521Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/caa5b9aa-e98c-48fc-9e63-0a1380465918?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/cf7-to-zapier/tags/5.0.0/modules/zapier/class-module-zapier.php#L150"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/cf7-to-zapier/tags/5.0.0/modules/cf7/class-module-cf7.php#L351"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/cf7-to-zapier/tags/5.0.0/modules/cf7/class-module-cf7.php#L524"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3562661%40cf7-to-zapier\u0026new=3562661%40cf7-to-zapier\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-05T17:12:17.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-17T18:15:54.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "CF7 to Webhook \u003c= 5.0.0 - Unauthenticated Server-Side Request Forgery via CF7 Field Placeholder in Webhook URL Host"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-11395",
        "datePublished": "2026-06-18T06:50:06.521Z",
        "dateReserved": "2026-06-05T16:22:22.915Z",
        "dateUpdated": "2026-06-18T15:52:32.717Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12098 (GCVE-0-2026-12098)

    Vulnerability from cvelistv5 – Published: 2026-06-18 06:50 – Updated: 2026-06-18 13:02
    Title
    PowerPress Podcasting plugin by Blubrry <= 11.16.8 - Authenticated (Author+) Stored Cross-Site Scripting via 'embed' Episode Meta Field
    Summary
    The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'embed' Episode Meta Field in all versions up to, and including, 11.16.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The embed value is stored via update_post_meta() rather than through WordPress core's post content pipeline, meaning kses-on-save filtering is never applied — even for Author-role users who would otherwise lack unfiltered_html — making this path unprotected by WordPress's standard role-based XSS mitigations.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    blubrry PowerPress Podcasting plugin by Blubrry Affected: 0 , ≤ 11.16.8 (semver)
    Credits
    Mukhlis Amien

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12098",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-18T13:02:25.321926Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-18T13:02:35.708Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "PowerPress Podcasting plugin by Blubrry",
              "vendor": "blubrry",
              "versions": [
                {
                  "lessThanOrEqual": "11.16.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Mukhlis Amien"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vulnerable to Stored Cross-Site Scripting via \u0027embed\u0027 Episode Meta Field in all versions up to, and including, 11.16.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The embed value is stored via update_post_meta() rather than through WordPress core\u0027s post content pipeline, meaning kses-on-save filtering is never applied \u2014 even for Author-role users who would otherwise lack unfiltered_html \u2014 making this path unprotected by WordPress\u0027s standard role-based XSS mitigations."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-18T06:50:06.113Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7a74e4fb-15a9-4fc9-afa6-396b0f026615?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/powerpress/tags/11.16.8/powerpress.php#L659"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/powerpress/tags/11.16.8/powerpress.php#L420"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/powerpress/tags/11.16.8/powerpressadmin.php#L2984"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/powerpress/tags/11.16.4/powerpress.php#L659"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/powerpress/tags/11.16.4/powerpress.php#L420"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/powerpress/tags/11.16.4/powerpressadmin.php#L2984"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3575897%40powerpress\u0026new=3575897%40powerpress\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-12T14:33:32.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-17T18:12:12.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "PowerPress Podcasting plugin by Blubrry \u003c= 11.16.8 - Authenticated (Author+) Stored Cross-Site Scripting via \u0027embed\u0027 Episode Meta Field"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-12098",
        "datePublished": "2026-06-18T06:50:06.113Z",
        "dateReserved": "2026-06-12T14:18:22.451Z",
        "dateUpdated": "2026-06-18T13:02:35.708Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12137 (GCVE-0-2026-12137)

    Vulnerability from cvelistv5 – Published: 2026-06-18 06:50 – Updated: 2026-06-18 18:13
    Title
    SysBasics Customize My Account for WooCommerce <= 4.3.6 - Reflected Cross-Site Scripting via 'tab' Parameter
    Summary
    The SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 4.3.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Because the vulnerable plugin_options_page() function is only rendered within the WordPress admin dashboard, successful exploitation requires the targeted victim to be logged in with Shop Manager-level access or higher.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Credits
    Chloe Chamberland PRISM

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12137",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-18T18:13:32.186408Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-18T18:13:47.735Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SysBasics Customize My Account for WooCommerce \u2013 Dashboard, Endpoints, Avatar \u0026 Menu Manager",
              "vendor": "phppoet",
              "versions": [
                {
                  "lessThanOrEqual": "4.3.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Chloe Chamberland"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "PRISM"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The SysBasics Customize My Account for WooCommerce \u2013 Dashboard, Endpoints, Avatar \u0026 Menu Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u0027tab\u0027 parameter in all versions up to, and including, 4.3.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Because the vulnerable plugin_options_page() function is only rendered within the WordPress admin dashboard, successful exploitation requires the targeted victim to be logged in with Shop Manager-level access or higher."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-18T06:50:05.723Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/74c1bc1d-27f1-4953-8ebd-9396fce0f834?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/customize-my-account-for-woocommerce/tags/4.3.6/include/admin/admin_settings.php#L702"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/customize-my-account-for-woocommerce/tags/4.3.6/include/admin/admin_settings.php#L622"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3571110%40customize-my-account-for-woocommerce\u0026new=3571110%40customize-my-account-for-woocommerce\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-12T17:20:35.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-17T17:36:34.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "SysBasics Customize My Account for WooCommerce \u003c= 4.3.6 - Reflected Cross-Site Scripting via \u0027tab\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-12137",
        "datePublished": "2026-06-18T06:50:05.723Z",
        "dateReserved": "2026-06-12T17:00:40.214Z",
        "dateUpdated": "2026-06-18T18:13:47.735Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12102 (GCVE-0-2026-12102)

    Vulnerability from cvelistv5 – Published: 2026-06-18 06:50 – Updated: 2026-06-18 13:53
    Title
    UsersWP <= 1.2.63 - Insecure Direct Object Reference to Authenticated (Editor+) Arbitrary User Avatar/Banner Reset via 'user_id' Parameter
    Summary
    The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the 'user_id' parameter due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with editor-level access and above, to reset and permanently delete the avatar or banner image of any arbitrary user, including administrators, by clearing their avatar_thumb or banner_thumb metadata in the uwp_usermeta table.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Credits
    Pasindu Dilshan

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12102",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-18T13:21:07.179981Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-18T13:53:27.642Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "UsersWP \u2013 Front-end login form, User Registration, User Profile \u0026 Members Directory plugin for WP",
              "vendor": "stiofansisland",
              "versions": [
                {
                  "lessThanOrEqual": "1.2.63",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Pasindu Dilshan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The UsersWP \u2013 Front-end login form, User Registration, User Profile \u0026 Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the \u0027user_id\u0027 parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with editor-level access and above, to reset and permanently delete the avatar or banner image of any arbitrary user, including administrators, by clearing their avatar_thumb or banner_thumb metadata in the uwp_usermeta table."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 2.7,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-18T06:50:05.344Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7115756e-69fa-42fe-bde3-a36e34d4bae3?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-forms.php#L371"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-forms.php#L389"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-forms.php#L89"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-userswp.php#L574"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.63/includes/class-profile.php#L1739"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-forms.php#L371"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-forms.php#L389"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-forms.php#L89"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-userswp.php#L574"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/userswp/tags/1.2.61/includes/class-profile.php#L1739"
            },
            {
              "url": "https://github.com/AyeCode/userswp/commit/0e69f967578904cc26fadd0206270d50b7420298"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-12T14:42:39.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-17T18:09:44.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "UsersWP \u003c= 1.2.63 - Insecure Direct Object Reference to Authenticated (Editor+) Arbitrary User Avatar/Banner Reset via \u0027user_id\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-12102",
        "datePublished": "2026-06-18T06:50:05.344Z",
        "dateReserved": "2026-06-12T14:27:14.482Z",
        "dateUpdated": "2026-06-18T13:53:27.642Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12136 (GCVE-0-2026-12136)

    Vulnerability from cvelistv5 – Published: 2026-06-18 06:50 – Updated: 2026-06-18 12:31
    Title
    SysBasics Customize My Account for WooCommerce <= 4.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
    Summary
    The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sysbasics_user_avatar' shortcode in versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied attributes (min_height, min_width, max_height, max_width) in the wcmamtx_get_avatar_default() function, which are concatenated unescaped into the get_avatar() extra_attr style attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Credits
    Chloe Chamberland PRISM

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12136",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-18T12:31:10.891035Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-18T12:31:19.266Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "SysBasics Customize My Account for WooCommerce \u2013 Dashboard, Endpoints, Avatar \u0026 Menu Manager",
              "vendor": "phppoet",
              "versions": [
                {
                  "lessThanOrEqual": "4.3.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Chloe Chamberland"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "PRISM"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027sysbasics_user_avatar\u0027 shortcode in versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied attributes (min_height, min_width, max_height, max_width) in the wcmamtx_get_avatar_default() function, which are concatenated unescaped into the get_avatar() extra_attr style attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-18T06:50:04.743Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/44d041ca-caa6-410d-b2d1-7a63208cc512?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/customize-my-account-for-woocommerce/tags/4.3.6/include/wcmamtx_extra_functions.php#L163"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/customize-my-account-for-woocommerce/tags/4.3.6/include/sysbasics-avatar-upload.php#L524"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/customize-my-account-for-woocommerce/tags/4.3.6/include/sysbasics-avatar-upload.php#L573"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3571110%40customize-my-account-for-woocommerce\u0026new=3571110%40customize-my-account-for-woocommerce\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-12T17:20:35.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-17T17:37:13.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "SysBasics Customize My Account for WooCommerce \u003c= 4.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-12136",
        "datePublished": "2026-06-18T06:50:04.743Z",
        "dateReserved": "2026-06-12T16:46:25.607Z",
        "dateUpdated": "2026-06-18T12:31:19.266Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11358 (GCVE-0-2026-11358)

    Vulnerability from cvelistv5 – Published: 2026-06-18 05:34 – Updated: 2026-06-18 13:53
    Title
    Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More <= 3.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu-item-icon' Parameter
    Summary
    The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
    SSVC
    Exploitation: none; Automatable: no; Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Credits
    Meher Sudhakar Abbireddi

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11358",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-18T13:21:22.036842Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-18T13:53:33.659Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts \u0026 More",
              "vendor": "themeisle",
              "versions": [
                {
                  "lessThanOrEqual": "3.0.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Meher Sudhakar Abbireddi"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts \u0026 More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-18T05:34:26.440Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/beb1268c-b680-4ebe-8fe2-65f656390038?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/3.0.6/obfx_modules/menu-icons/init.php#L118"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/3.0.6/obfx_modules/menu-icons/init.php#L296"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/3.0.5/obfx_modules/menu-icons/init.php#L118"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/3.0.5/obfx_modules/menu-icons/init.php#L296"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3574306%40themeisle-companion\u0026new=3574306%40themeisle-companion\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-05T11:50:11.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-17T16:48:45.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts \u0026 More \u003c= 3.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via \u0027menu-item-icon\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-11358",
        "datePublished": "2026-06-18T05:34:26.440Z",
        "dateReserved": "2026-06-05T11:35:00.908Z",
        "dateUpdated": "2026-06-18T13:53:33.659Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }