{"ok":true,"count":50,"totals":{"critical":18,"high":60,"medium":150,"low":2},"threats":[{"id":230,"plugin_slug":"woopayments-integrated-woocommerce-payments","plugin_name":"Woopayments Integrated Woocommerce Payments","affected_versions":"","fixed_version":"","severity":"medium","cvss_score":"6.5","cve":"CVE-2026-1710","title":"The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_upe_appearance_ajax' function in","description":"The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_upe_appearance_ajax' function in all versions up to, and including, 10.5.1. This makes it possible for unauthenticated attackers to update plugin settings.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1710","vuln_type":"Remote Code Execution","published_date":"2026-03-31 05:16:10"},{"id":229,"plugin_slug":"gravity-smtp","plugin_name":"Gravity Smtp","affected_versions":"","fixed_version":"","severity":"high","cvss_score":"7.5","cve":"CVE-2026-4020","title":"The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp","description":"The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it. When the ?page=gravitysmtp-settings query parameter is appended, the plugin's register_connector_data() method populates internal connector data, causing the endpoint to return approximately 365 KB of JSON containing the full System Report. 
This makes it possible for unauthenticated attackers to retrieve detailed system configuration data including PHP version, loaded extensions, web server version, document root path, database server type and version, WordPress version, all active plugins with versions, active theme, WordPress configuration details, database table names, and any API keys/tokens configured in the plugin.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4020","vuln_type":"Other","published_date":"2026-03-31 02:15:59"},{"id":228,"plugin_slug":"everest-forms-pro","plugin_name":"Everest Forms Pro","affected_versions":"","fixed_version":"","severity":"critical","cvss_score":"9.8","cve":"CVE-2026-3300","title":"The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_fi","description":"The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. 
This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted value in any string-type form field (text, email, URL, select, radio) when a form uses the \"Complex Calculation\" feature.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3300","vuln_type":"Remote Code Execution","published_date":"2026-03-31 02:15:59"},{"id":227,"plugin_slug":"debugger-troubleshooter","plugin_name":"Debugger Troubleshooter","affected_versions":"","fixed_version":"","severity":"high","cvss_score":"8.8","cve":"CVE-2026-5130","title":"The Debugger & Troubleshooter plugin for WordPress was vulnerable to Unauthenticated Privilege Escalation in versions up to and including 1.3.2. This was due to the plugin accepting the wp_debug_troub","description":"The Debugger & Troubleshooter plugin for WordPress was vulnerable to Unauthenticated Privilege Escalation in versions up to and including 1.3.2. This was due to the plugin accepting the wp_debug_troubleshoot_simulate_user cookie value directly as a user ID without any cryptographic validation or authorization checks. The cookie value was used to override the determine_current_user filter, which allowed unauthenticated attackers to impersonate any user by simply setting the cookie to their target user ID. This made it possible for unauthenticated attackers to gain administrator-level access and perform any privileged actions including creating new administrator accounts, modifying site content, installing plugins, or taking complete control of the WordPress site. 
The vulnerability was fixed in version 1.4.0 by implementing a cryptographic token-based validation system where only administrators can initiate user simulation, and the cookie contains a random 64-character token that must be validated against database-stored mappings rather than accepting arbitrary user IDs.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-5130","vuln_type":"Privilege Escalation","published_date":"2026-03-30 23:17:04"},{"id":226,"plugin_slug":"contact-form-by-supsystic","plugin_name":"Contact Form By Supsystic","affected_versions":"","fixed_version":"","severity":"critical","cvss_score":"9.8","cve":"CVE-2026-4257","title":"The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in all versions up to, and including, 1.7.36. This is d","description":"The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in all versions up to, and including, 1.7.36. This is due to the plugin using the Twig `Twig_Loader_String` template engine without sandboxing, combined with the `cfsPreFill` prefill functionality that allows unauthenticated users to inject arbitrary Twig expressions into form field values via GET parameters. 
This makes it possible for unauthenticated attackers to execute arbitrary PHP functions and OS commands on the server by leveraging Twig's `registerUndefinedFilterCallback()` method to register arbitrary PHP callbacks.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4257","vuln_type":"Remote Code Execution","published_date":"2026-03-30 22:16:20"},{"id":225,"plugin_slug":"download-monitor","plugin_name":"Download Monitor","affected_versions":"","fixed_version":"","severity":"high","cvss_score":"7.5","cve":"CVE-2026-3124","title":"The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a","description":"The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to complete arbitrary pending orders by exploiting a mismatch between the PayPal transaction token and the local order, allowing theft of paid digital goods by paying a minimal amount for a low-cost item and using that payment token to finalize a high-value order.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3124","vuln_type":"Other","published_date":"2026-03-30 02:16:15"},{"id":224,"plugin_slug":"twentig","plugin_name":"Twentig","affected_versions":"","fixed_version":"","severity":"medium","cvss_score":"6.4","cve":"CVE-2026-2602","title":"The Twentig plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'featuredImageSizeWidth' parameter in versions up to, and including, 1.9.7 due to insufficient input sanitization ","description":"The Twentig plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'featuredImageSizeWidth' parameter in versions up to, and including, 
1.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2602","vuln_type":"Cross-Site Scripting","published_date":"2026-03-29 02:16:16"},{"id":223,"plugin_slug":"quads-ads-manager-for-google-adsense","plugin_name":"Quads Ads Manager For Google Adsense","affected_versions":"","fixed_version":"","severity":"medium","cvss_score":"5.4","cve":"CVE-2026-2595","title":"The Quads Ads Manager for Google AdSense plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.98.1 due to insufficient input sanitization and output ","description":"The Quads Ads Manager for Google AdSense plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.98.1 due to insufficient input sanitization and output escaping of multiple ad metadata parameters. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2595","vuln_type":"Cross-Site Scripting","published_date":"2026-03-28 12:16:03"},{"id":222,"plugin_slug":"page-builder-pagelayer-drag-and-drop-website-builder","plugin_name":"Page Builder Pagelayer Drag And Drop Website Builder","affected_versions":"","fixed_version":"","severity":"medium","cvss_score":"5.3","cve":"CVE-2026-2442","title":"The Page Builder: Pagelayer \u2013 Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 2","description":"The Page Builder: Pagelayer \u2013 Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 2.0.7. This is due to the contact form handler performing placeholder substitution on attacker-controlled form fields and then passing the resulting values into email headers without removing CR/LF characters. 
This makes it possible for unauthenticated attackers to inject arbitrary email headers (for example Bcc / Cc) and abuse form email delivery via the 'email' parameter granted they can target a contact form configured to use placeholders in mail template headers.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2442","vuln_type":"Other","published_date":"2026-03-28 10:16:30"},{"id":221,"plugin_slug":"ninja-forms-the-contact-form-builder-that-grows-with-you","plugin_name":"Ninja Forms The Contact Form Builder That Grows With You","affected_versions":"","fixed_version":"","severity":"medium","cvss_score":"6.5","cve":"CVE-2026-1307","title":"The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.1 via a callback function","description":"The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.1 via a callback function for the admin_enqueue_scripts action handler in blocks/bootstrap.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to gain access to an authorization token to view form submissions for arbitrary forms, which could potentially contain sensitive information.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1307","vuln_type":"Other","published_date":"2026-03-28 07:15:55"},{"id":220,"plugin_slug":"sureforms-contact-form-payment-form-other-custom-form-builder","plugin_name":"Sureforms Contact Form Payment Form Other Custom Form Builder","affected_versions":"","fixed_version":"","severity":"high","cvss_score":"7.5","cve":"CVE-2026-4987","title":"The SureForms \u2013 Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress is vulnerable to Payment Amount Bypass in all versions up to, and including, 2.5.2. 
This is due to the cre","description":"The SureForms \u2013 Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress is vulnerable to Payment Amount Bypass in all versions up to, and including, 2.5.2. This is due to the create_payment_intent() function performing a payment validation solely based on the value of a user-controlled parameter. This makes it possible for unauthenticated attackers to bypass configured form payment-amount validation and create underpriced payment/subscription intents by setting form_id to 0.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4987","vuln_type":"Other","published_date":"2026-03-28 02:16:14"},{"id":219,"plugin_slug":"ultimate-member","plugin_name":"Ultimate Member","affected_versions":"","fixed_version":"","severity":"high","cvss_score":"8.0","cve":"CVE-2026-4248","title":"The Ultimate Member plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11.2. This is due to the '{usermeta:password_reset_link}' template tag ","description":"The Ultimate Member plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11.2. This is due to the '{usermeta:password_reset_link}' template tag being processed within post content via the '[um_loggedin]' shortcode, which generates a valid password reset token for the currently logged-in user viewing the page. 
This makes it possible for authenticated attackers, with Contributor-level access and above, to craft a malicious pending post that, when previewed by an Administrator, generates a password reset token for the Administrator and exfiltrates it to an attacker-controlled server, leading to full account takeover.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4248","vuln_type":"Other","published_date":"2026-03-27 23:17:14"},{"id":218,"plugin_slug":"unknown","plugin_name":"Unknown","affected_versions":"","fixed_version":"","severity":"medium","cvss_score":"5.4","cve":"CVE-2026-33559","title":"WordPress Plugin \"OpenStreetMap\" provided by MiKa contains a cross-site scripting vulnerability. On the site with the affected version of the plugin enabled, a logged-in user with a page-creating/edit","description":"WordPress Plugin \"OpenStreetMap\" provided by MiKa contains a cross-site scripting vulnerability. On the site with the affected version of the plugin enabled, a logged-in user with a page-creating/editing privilege can embed some malicious script with a crafted HTTP request. When a victim user accesses this page, the script may be executed in the user's web browser.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33559","vuln_type":"Cross-Site Scripting","published_date":"2026-03-27 06:16:39"},{"id":217,"plugin_slug":"smart-slider-3","plugin_name":"Smart Slider 3","affected_versions":"","fixed_version":"","severity":"medium","cvss_score":"6.5","cve":"CVE-2026-3098","title":"The Smart Slider 3 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.5.1.33 via the 'actionExportAll' function. This makes it possible for authenticated","description":"The Smart Slider 3 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.5.1.33 via the 'actionExportAll' function. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3098","vuln_type":"Arbitrary File Upload","published_date":"2026-03-27 04:16:03"},{"id":216,"plugin_slug":"js-help-desk-ai-powered-support-ticketing-system","plugin_name":"Js Help Desk Ai Powered Support Ticketing System","affected_versions":"","fixed_version":"","severity":"high","cvss_score":"7.5","cve":"CVE-2026-2511","title":"The JS Help Desk \u2013 AI-Powered Support & Ticketing System plugin for WordPress is vulnerable to SQL Injection via the `multiformid` parameter in the `storeTickets()` function in all versions up to, a","description":"The JS Help Desk \u2013 AI-Powered Support & Ticketing System plugin for WordPress is vulnerable to SQL Injection via the `multiformid` parameter in the `storeTickets()` function in all versions up to, and including, 3.0.4. This is due to the user-supplied `multiformid` value being passed to `esc_sql()` without enclosing the result in quotes in the SQL query, rendering the escaping ineffective against payloads that do not contain quote characters. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2511","vuln_type":"SQL Injection","published_date":"2026-03-26 14:16:10"},{"id":215,"plugin_slug":"complianz-gdpr-ccpa-cookie-consent","plugin_name":"Complianz Gdpr Ccpa Cookie Consent","affected_versions":"","fixed_version":"","severity":"medium","cvss_score":"4.9","cve":"CVE-2026-2389","title":"The Complianz \u2013 GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.4.4.2. 
This is due to the `revert_divs_to_summary` ","description":"The Complianz \u2013 GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.4.4.2. This is due to the `revert_divs_to_summary` function replacing `&#8221;` HTML entities with literal double-quote characters (`\"`) in post content without subsequent sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. The Classic Editor plugin is required to be installed and activated in order to exploit this vulnerability.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2389","vuln_type":"Cross-Site Scripting","published_date":"2026-03-26 14:16:09"},{"id":214,"plugin_slug":"fluent-booking","plugin_name":"Fluent Booking","affected_versions":"","fixed_version":"","severity":"high","cvss_score":"7.2","cve":"CVE-2026-2231","title":"The Fluent Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 2.0.01 due to insufficient input sanitization and out","description":"The Fluent Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 2.0.01 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2231","vuln_type":"Cross-Site Scripting","published_date":"2026-03-26 14:16:09"},{"id":213,"plugin_slug":"conditional-menus","plugin_name":"Conditional Menus","affected_versions":"","fixed_version":"","severity":"medium","cvss_score":"4.3","cve":"CVE-2026-1032","title":"The Conditional Menus plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.6. This is due to missing nonce validation on the 'save_options' functi","description":"The Conditional Menus plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.6. This is due to missing nonce validation on the 'save_options' function. This makes it possible for unauthenticated attackers to modify conditional menu assignments via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1032","vuln_type":"CSRF","published_date":"2026-03-26 14:16:08"},{"id":212,"plugin_slug":"before","plugin_name":"Before","affected_versions":"< 3.0.22","fixed_version":"","severity":"medium","cvss_score":"5.3","cve":"CVE-2026-1890","title":"The LeadConnector WordPress plugin before 3.0.22 does not have authorization in a REST route, allowing unauthenticated users to call it and overwrite existing data","description":"The LeadConnector WordPress plugin before 3.0.22 does not have authorization in a REST route, allowing unauthenticated users to call it and overwrite existing data","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1890","vuln_type":"Other","published_date":"2026-03-26 
07:16:19"},{"id":211,"plugin_slug":"before","plugin_name":"Before","affected_versions":"< 3.0.7","fixed_version":"","severity":"medium","cvss_score":"4.8","cve":"CVE-2026-1430","title":"The WP Lightbox 2 WordPress plugin before 3.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks e","description":"The WP Lightbox 2 WordPress plugin before 3.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1430","vuln_type":"Cross-Site Scripting","published_date":"2026-03-26 07:16:19"},{"id":210,"plugin_slug":"before","plugin_name":"Before","affected_versions":"< 3.4.3","fixed_version":"","severity":"medium","cvss_score":"6.5","cve":"CVE-2025-15488","title":"The Responsive Plus  WordPress plugin before 3.4.3 is vulnerable to arbitrary shortcode execution due to the software allowing unauthenticated users to execute the update_responsive_woo_free_shipping_","description":"The Responsive Plus  WordPress plugin before 3.4.3 is vulnerable to arbitrary shortcode execution due to the software allowing unauthenticated users to execute the update_responsive_woo_free_shipping_left_shortcode AJAX action that does not properly validate the content_rech_data parameter before processing it as a shortcode.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-15488","vuln_type":"Other","published_date":"2026-03-26 07:16:19"},{"id":209,"plugin_slug":"before","plugin_name":"Before","affected_versions":"< 1.7.58","fixed_version":"","severity":"medium","cvss_score":"6.8","cve":"CVE-2025-15433","title":"The Shared Files  WordPress plugin before 1.7.58 allows users with a role as low as Contributor to download any file 
on the web server (such as wp-config.php) via a path traversal vector","description":"The Shared Files  WordPress plugin before 1.7.58 allows users with a role as low as Contributor to download any file on the web server (such as wp-config.php) via a path traversal vector","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-15433","vuln_type":"Path Traversal","published_date":"2026-03-26 07:16:19"},{"id":208,"plugin_slug":"elementor-website-builder","plugin_name":"Elementor Website Builder","affected_versions":"","fixed_version":"","severity":"medium","cvss_score":"4.3","cve":"CVE-2026-1206","title":"The Elementor Website Builder plugin for WordPress is vulnerable to Incorrect Authorization to Sensitive Information Exposure in all versions up to, and including, 3.35.7. This is due to a logic error","description":"The Elementor Website Builder plugin for WordPress is vulnerable to Incorrect Authorization to Sensitive Information Exposure in all versions up to, and including, 3.35.7. This is due to a logic error in the is_allowed_to_read_template() function permission check that treats non-published templates as readable without verifying edit capabilities. 
This makes it possible for authenticated attackers, with contributor-level access and above, to read private or draft Elementor template content via the 'template_id' supplied to the 'get_template_data' action of the 'elementor_ajax' endpoint.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1206","vuln_type":"Other","published_date":"2026-03-26 06:16:09"},{"id":207,"plugin_slug":"dsgvo-snippet-for-leaflet-map-and-its-extensions","plugin_name":"Dsgvo Snippet For Leaflet Map And Its Extensions","affected_versions":"","fixed_version":"","severity":"medium","cvss_score":"6.4","cve":"CVE-2026-4389","title":"The DSGVO snippet for Leaflet Map and its Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `leafext-cookie-time` and `leafext-delete-cookie` shortcodes in all versi","description":"The DSGVO snippet for Leaflet Map and its Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `leafext-cookie-time` and `leafext-delete-cookie` shortcodes in all versions up to, and including, 3.1. This is due to insufficient input sanitization and output escaping on user supplied attributes (`unset`, `before`, `after`). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4389","vuln_type":"Cross-Site Scripting","published_date":"2026-03-26 05:16:40"},{"id":206,"plugin_slug":"blog2social-social-media-auto-post-scheduler","plugin_name":"Blog2social Social Media Auto Post Scheduler","affected_versions":"","fixed_version":"","severity":"medium","cvss_score":"4.3","cve":"CVE-2026-4331","title":"The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized data loss in all versions up to, and including, 8.8.2. 
This is due to the resetSocialMetaTags() f","description":"The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized data loss in all versions up to, and including, 8.8.2. This is due to the resetSocialMetaTags() function only verifying that the user has the 'read' capability and a valid b2s_security_nonce, both of which are available to Subscriber-level users, as the plugin grants 'blog2social_access' capability to all roles upon activation, allowing them to access the plugin's admin pages where the nonce is output. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all _b2s_post_meta records from the wp_postmeta table, permanently removing all custom social media meta tags for every post on the site.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4331","vuln_type":"Other","published_date":"2026-03-26 05:16:40"},{"id":205,"plugin_slug":"blackhole-for-bad-bots","plugin_name":"Blackhole For Bad Bots","affected_versions":"75 - 83","fixed_version":"","severity":"high","cvss_score":"7.2","cve":"CVE-2026-4329","title":"The Blackhole for Bad Bots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent HTTP header in all versions up to and including 3.8. This is due to insufficient input s","description":"The Blackhole for Bad Bots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent HTTP header in all versions up to and including 3.8. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field() when capturing bot data (which strips HTML tags but does not escape HTML entities like double quotes), then stores the data via update_option(). When an administrator views the Bad Bots log page, the stored data is output directly into HTML input value attributes (lines 75-83) without esc_attr() and into HTML span content without esc_html(). 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the Blackhole Bad Bots admin page.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4329","vuln_type":"Cross-Site Scripting","published_date":"2026-03-26 05:16:40"},{"id":204,"plugin_slug":"formlift-for-infusionsoft-web-forms","plugin_name":"Formlift For Infusionsoft Web Forms","affected_versions":"","fixed_version":"","severity":"medium","cvss_score":"5.3","cve":"CVE-2026-4281","title":"The FormLift for Infusionsoft Web Forms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 7.5.21. This is due to missing capability checks on the connec","description":"The FormLift for Infusionsoft Web Forms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 7.5.21. This is due to missing capability checks on the connect() and listen_for_tokens() methods of the FormLift_Infusionsoft_Manager class, both of which are hooked to 'plugins_loaded' and execute on every page load. The connect() function generates an OAuth connection password and leaks it in the redirect Location header without verifying the requesting user is authenticated or authorized. The listen_for_tokens() function only validates the temporary password but performs no user authentication before calling update_option() to save attacker-controlled OAuth tokens and app domain. 
This makes it possible for unauthenticated attackers to hijack the site's Infusionsoft connection by first triggering the OAuth flow to obtain the temporary password, then using that password to set arbitrary OAuth tokens and app domain via update_option(), effectively redirecting the plugin's API communication to an attacker-controlled server.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4281","vuln_type":"Broken Access Control","published_date":"2026-03-26 05:16:40"},{"id":203,"plugin_slug":"simple-download-counter","plugin_name":"Simple Download Counter","affected_versions":"","fixed_version":"","severity":"medium","cvss_score":"6.4","cve":"CVE-2026-4278","title":"The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sdc_menu' shortcode in all versions up to, and including, 2.3. This is due to insufficient input ","description":"The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sdc_menu' shortcode in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes, specifically the 'text' and 'cat' attributes. The 'text' attribute is output directly into HTML content on line 159 without any escaping (e.g., esc_html()). The 'cat' attribute is used unescaped in HTML class attributes on lines 135 and 157 without esc_attr(). 
This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4278","vuln_type":"Cross-Site Scripting","published_date":"2026-03-26 05:16:39"},{"id":202,"plugin_slug":"amelia-booking","plugin_name":"Amelia Booking","affected_versions":"","fixed_version":"","severity":"high","cvss_score":"8.8","cve":"CVE-2026-2931","title":"The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. This is due to the plugin providing user-controlled access to object","description":"The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with customer-level permissions or above to change user passwords and potentially take over administrator accounts. The vulnerability is in the pro plugin, which has the same slug.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2931","vuln_type":"Remote Code Execution","published_date":"2026-03-26 05:16:39"},{"id":201,"plugin_slug":"shortpixel-image-optimizer","plugin_name":"Shortpixel Image Optimizer","affected_versions":"","fixed_version":"","severity":"medium","cvss_score":"5.4","cve":"CVE-2026-4335","title":"The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. This is due to insufficient ","description":"The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. 
This is due to insufficient output escaping in the getEditorPopup() function and its corresponding media-popup.php template. Specifically, the attachment's post_title is retrieved from the database via get_post() in AjaxController.php (line 435) and passed directly to the view template (line 449), where it is rendered into an HTML input element's value attribute without esc_attr() escaping (media-popup.php line 139). Since WordPress allows Authors to set arbitrary attachment titles (including double-quote characters) via the REST API, a malicious author can craft an attachment title that breaks out of the HTML attribute and injects arbitrary JavaScript event handlers. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute whenever a higher-privileged user (such as an administrator) opens the ShortPixel AI editor popup (Background Removal or Image Upscale) for the poisoned attachment.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4335","vuln_type":"Cross-Site Scripting","published_date":"2026-03-26 04:17:12"},{"id":200,"plugin_slug":"bwl-advanced-faq-manager-lite","plugin_name":"Bwl Advanced Faq Manager Lite","affected_versions":"","fixed_version":"","severity":"medium","cvss_score":"6.4","cve":"CVE-2026-4075","title":"The BWL Advanced FAQ Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'baf_sbox' shortcode in all versions up to and including 1.1.1. This is due to insufficient ","description":"The BWL Advanced FAQ Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'baf_sbox' shortcode in all versions up to and including 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'sbox_id', 'sbox_class', 'placeholder', 'highlight_color', 'highlight_bg', and 'cont_ext_class'. 
These attributes are directly interpolated into HTML element attributes without any esc_attr() escaping in the baf_sbox() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4075","vuln_type":"Cross-Site Scripting","published_date":"2026-03-26 04:17:12"},{"id":199,"plugin_slug":"frontend-admin-by-dynamiapps","plugin_name":"Frontend Admin By Dynamiapps","affected_versions":"","fixed_version":"","severity":"high","cvss_score":"7.2","cve":"CVE-2026-3328","title":"The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin_form posts in all versions up to, and including, 3.28.31.","description":"The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin_form posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's `maybe_unserialize()` function without class restrictions on user-controllable content stored in admin_form post content. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. 
The additional presence of a POP chain allows attackers to achieve remote code execution.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3328","vuln_type":"Remote Code Execution","published_date":"2026-03-26 04:17:11"},{"id":198,"plugin_slug":"floristpress-for-woo-customize-your-ecommerce-store-for-your-florist","plugin_name":"Floristpress For Woo Customize Your Ecommerce Store For Your Florist","affected_versions":"","fixed_version":"","severity":"medium","cvss_score":"6.1","cve":"CVE-2026-1986","title":"The FloristPress for Woo \u2013 Customize your eCommerce store for your Florist plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'noresults' parameter in all versions up to, a","description":"The FloristPress for Woo \u2013 Customize your eCommerce store for your Florist plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'noresults' parameter in all versions up to, and including, 7.8.2 due to insufficient input sanitization and output escaping on the user supplied 'noresults' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-1986","vuln_type":"Cross-Site Scripting","published_date":"2026-03-26 04:17:03"},{"id":197,"plugin_slug":"masteriyo-lms","plugin_name":"Masteriyo Lms","affected_versions":"","fixed_version":"","severity":"high","cvss_score":"8.8","cve":"CVE-2026-4484","title":"The Masteriyo LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.6. This is due to the plugin allowing a user to update the user role through the ","description":"The Masteriyo LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.6. 
This is due to the plugin allowing a user to update the user role through the 'InstructorsController::prepare_object_for_database' function. This makes it possible for authenticated attackers, with Student-level access and above, to elevate their privileges to that of an administrator.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4484","vuln_type":"Privilege Escalation","published_date":"2026-03-26 02:16:07"},{"id":196,"plugin_slug":"wp-job-portal","plugin_name":"Wp Job Portal","affected_versions":"","fixed_version":"","severity":"high","cvss_score":"8.8","cve":"CVE-2026-4758","title":"The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'WPJOBPORTALcustomfields::removeFileCustom' function in all versions up ","description":"The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'WPJOBPORTALcustomfields::removeFileCustom' function in all versions up to, and including, 2.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4758","vuln_type":"Remote Code Execution","published_date":"2026-03-26 00:16:41"},{"id":195,"plugin_slug":"through","plugin_name":"Through","affected_versions":"","fixed_version":"","severity":"medium","cvss_score":"5.3","cve":"CVE-2026-2343","title":"The PeproDev Ultimate Invoice WordPress plugin through 2.2.5 has a bulk download invoices action that generates ZIP archives containing exported invoice PDFs. The ZIP files are named predictably makin","description":"The PeproDev Ultimate Invoice WordPress plugin through 2.2.5 has a bulk download invoices action that generates ZIP archives containing exported invoice PDFs. 
The ZIP files are named predictably making it possible to brute force and retrieve PII.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2343","vuln_type":"Remote Code Execution","published_date":"2026-03-25 06:16:28"},{"id":194,"plugin_slug":"easy-image-gallery","plugin_name":"Easy Image Gallery","affected_versions":"","fixed_version":"","severity":"medium","cvss_score":"6.4","cve":"CVE-2026-4766","title":"The Easy Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gallery shortcode post meta field in all versions up to, and including, 1.5.3. This is due to insuffici","description":"The Easy Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gallery shortcode post meta field in all versions up to, and including, 1.5.3. This is due to insufficient input sanitization and output escaping on user-supplied gallery shortcode values. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4766","vuln_type":"Cross-Site Scripting","published_date":"2026-03-25 02:16:06"},{"id":193,"plugin_slug":"jetengine","plugin_name":"Jetengine","affected_versions":"","fixed_version":"","severity":"high","cvss_score":"7.5","cve":"CVE-2026-4662","title":"The JetEngine plugin for WordPress is vulnerable to SQL Injection via the `listing_load_more` AJAX action in all versions up to, and including, 3.8.6.1. This is due to the `filtered_query` parameter b","description":"The JetEngine plugin for WordPress is vulnerable to SQL Injection via the `listing_load_more` AJAX action in all versions up to, and including, 3.8.6.1. 
This is due to the `filtered_query` parameter being excluded from the HMAC signature validation (allowing attacker-controlled input to bypass security checks) combined with the `prepare_where_clause()` method in the SQL Query Builder not sanitizing the `compare` operator before concatenating it into SQL statements. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, provided the site has a JetEngine Listing Grid with Load More enabled that uses a SQL Query Builder query.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4662","vuln_type":"SQL Injection","published_date":"2026-03-24 05:16:25"},{"id":192,"plugin_slug":"wp-dsgvo-tools-gdpr","plugin_name":"Wp Dsgvo Tools Gdpr","affected_versions":"","fixed_version":"","severity":"critical","cvss_score":"9.1","cve":"CVE-2026-4283","title":"The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to the `super-unsubscribe` AJAX action accept","description":"The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to the `super-unsubscribe` AJAX action accepting a `process_now` parameter from unauthenticated users, which bypasses the intended email-confirmation flow and immediately triggers irreversible account anonymization. This makes it possible for unauthenticated attackers to permanently destroy any non-administrator user account (password randomized, username/email overwritten, roles stripped, comments anonymized, sensitive usermeta wiped) by submitting the victim's email address with `process_now=1`. 
The nonce required for the request is publicly available on any page containing the `[unsubscribe_form]` shortcode.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4283","vuln_type":"Other","published_date":"2026-03-24 05:16:24"},{"id":191,"plugin_slug":"product-filter-for-woocommerce-by-wbw","plugin_name":"Product Filter For Woocommerce By Wbw","affected_versions":"","fixed_version":"","severity":"medium","cvss_score":"6.5","cve":"CVE-2026-3138","title":"The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check in all versions up to, and including, 3.1.2. This is due to the","description":"The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check in all versions up to, and including, 3.1.2. This is due to the plugin's MVC framework dynamically registering unauthenticated AJAX handlers via `wp_ajax_nopriv_` hooks without verifying user capabilities, combined with the base controller's `__call()` magic method forwarding undefined method calls to the model layer, and the `havePermissions()` method defaulting to `true` when no permissions are explicitly defined. 
This makes it possible for unauthenticated attackers to truncate the plugin's `wp_wpf_filters` database table via a crafted AJAX request with `action=delete`, permanently destroying all filter configurations.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3138","vuln_type":"Remote Code Execution","published_date":"2026-03-24 05:16:23"},{"id":190,"plugin_slug":"learndash-lms","plugin_name":"Learndash Lms","affected_versions":"","fixed_version":"","severity":"medium","cvss_score":"6.5","cve":"CVE-2026-3079","title":"The LearnDash LMS plugin for WordPress is vulnerable to blind time-based SQL Injection via the 'filters[orderby_order]' parameter in the 'learndash_propanel_template' AJAX action in all versions up to","description":"The LearnDash LMS plugin for WordPress is vulnerable to blind time-based SQL Injection via the 'filters[orderby_order]' parameter in the 'learndash_propanel_template' AJAX action in all versions up to, and including, 5.0.3. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3079","vuln_type":"SQL Injection","published_date":"2026-03-24 02:16:05"},{"id":189,"plugin_slug":"unknown","plugin_name":"Unknown","affected_versions":"","fixed_version":"","severity":"medium","cvss_score":"4.3","cve":"CVE-2026-33290","title":"WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw in updateComment allows an authenticated low-privileged user (including a custom role with zero cap","description":"WPGraphQL provides a GraphQL API for WordPress sites. 
Prior to version 2.10.0, an authorization flaw in updateComment allows an authenticated low-privileged user (including a custom role with zero capabilities) to change moderation status of their own comment (for example to APPROVE) without the moderate_comments capability. This can bypass moderation workflows and let untrusted users self-approve content. Version 2.10.0 contains a patch.\n\n### Details\n\nIn WPGraphQL 2.9.1 (tested), authorization for updateComment is owner-based, not field-based:\n\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:92 allows moderators.\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:99:99 also allows the comment owner, even if they lack moderation capability.\n- plugins/wp-graphql/src/Data/CommentMutation.php:94:94 maps GraphQL input status directly to WordPress comment_approved.\n- plugins/wp-graphql/src/Mutation/CommentUpdate.php:120:120 persists that value via wp_update_comment.\n- plugins/wp-graphql/src/Type/Enum/CommentStatusEnum.php:22:22 exposes moderation states (APPROVE, HOLD, SPAM, TRASH).\n\nThis means a non-moderator owner can submit status during update and transition moderation state.\n\n### PoC\n\nTested in local wp-env (Docker) with WPGraphQL 2.9.1.\n\n1. Start environment:\n\n  npm install\n  npm run wp-env start\n\n2. Run this PoC:\n\n```\n  npm run wp-env run cli -- wp eval '\n  add_role(\"no_caps\",\"No Caps\",[]);\n  $user_id = username_exists(\"poc_nocaps\");\n  if ( ! 
$user_id ) {\n    $user_id = wp_create_user(\"poc_nocaps\",\"Passw0rd!\",\"poc_nocaps@example.com\");\n  }\n  $user = get_user_by(\"id\",$user_id);\n  $user->set_role(\"no_caps\");\n\n  $post_id = wp_insert_post([\n    \"post_title\" => \"PoC post\",\n    \"post_status\" => \"publish\",\n    \"post_type\" => \"post\",\n    \"comment_status\" => \"open\",\n  ]);\n\n  $comment_id = wp_insert_comment([\n    \"comment_post_ID\" => $post_id,\n    \"comment_content\" => \"pending comment\",\n    \"user_id\" => $user_id,\n    \"comment_author\" => $user->display_name,\n    \"comment_author_email\" => $user->user_email,\n    \"comment_approved\" => \"0\",\n  ]);\n\n  wp_set_current_user($user_id);\n\n  $result = graphql([\n    \"query\" => \"mutation U(\\$id:ID!){ updateComment(input:{id:\\$id,status:APPROVE}){ success comment{ databaseId status } } }\",\n    \"variables\" => [ \"id\" => (string)$comment_id ],\n  ]);\n\n  echo wp_json_encode([\n    \"role_caps\" => array_keys(array_filter((array)$user->allcaps)),\n    \"status\" => $result[\"data\"][\"updateComment\"][\"comment\"][\"status\"] ?? null,\n    \"db_comment_approved\" => get_comment($comment_id)->comment_approved ?? null,\n    \"comment_id\" => $comment_id\n  ]);\n  '\n```\n\n3. Observe result:\n\n- role_caps is empty (or no moderate_comments)\n- mutation returns status: APPROVE\n- DB value becomes comment_approved = 1\n\n### Impact\n\nThis is an authorization bypass / broken access control issue in comment moderation state transitions. Any deployment using WPGraphQL comment mutations where low-privileged users can make comments is impacted. 
Moderation policy can be bypassed by self-approving content.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33290","vuln_type":"Broken Access Control","published_date":"2026-03-24 01:17:01"},{"id":188,"plugin_slug":"user-registration-membership","plugin_name":"User Registration Membership","affected_versions":"5.0.1 - 5.1.4.","fixed_version":"","severity":"medium","cvss_score":"5.4","cve":"CVE-2026-4056","title":"The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Content Access Rules REST API endpoints in versions ","description":"The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Content Access Rules REST API endpoints in versions 5.0.1 through 5.1.4. This is due to the `check_permissions()` method only checking for `edit_posts` capability instead of an administrator-level capability. This makes it possible for authenticated attackers, with Contributor-level access and above, to list, create, modify, toggle, duplicate, and delete site-wide content restriction rules, potentially exposing restricted content or denying legitimate user access.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4056","vuln_type":"Other","published_date":"2026-03-24 00:16:31"},{"id":187,"plugin_slug":"contest-gallery","plugin_name":"Contest Gallery","affected_versions":"","fixed_version":"","severity":"high","cvss_score":"8.1","cve":"CVE-2026-4021","title":"The Contest Gallery plugin for WordPress is vulnerable to an authentication bypass leading to admin account takeover in all versions up to, and including, 28.1.5. This is due to the email confirmation","description":"The Contest Gallery plugin for WordPress is vulnerable to an authentication bypass leading to admin account takeover in all versions up to, and including, 28.1.5. 
This is due to the email confirmation handler in `users-registry-check-after-email-or-pin-confirmation.php` using the user's email string in a `WHERE ID = %s` clause instead of the numeric user ID, combined with an unauthenticated key-based login endpoint in `ajax-functions-frontend.php`. When the non-default `RegMailOptional=1` setting is enabled, an attacker can register with a crafted email starting with the target user ID (e.g., `1poc@example.test`), trigger the confirmation flow to overwrite the admin's `user_activation_key` via MySQL integer coercion, and then use the `post_cg1l_login_user_by_key` AJAX action to authenticate as the admin without any credentials. This makes it possible for unauthenticated attackers to take over any WordPress administrator account and gain full site control.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4021","vuln_type":"Authentication Bypass","published_date":"2026-03-24 00:16:31"},{"id":186,"plugin_slug":"woocommerce-custom-product-addons-pro","plugin_name":"Woocommerce Custom Product Addons Pro","affected_versions":"","fixed_version":"","severity":"critical","cvss_score":"9.8","cve":"CVE-2026-4001","title":"The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval() in the process_c","description":"The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval() in the process_custom_formula() function within includes/process/price.php. This is due to insufficient sanitization and validation of user-submitted field values before passing them to PHP's eval() function. The sanitize_values() method strips HTML tags but does not escape single quotes or prevent PHP code injection. 
This makes it possible for unauthenticated attackers to execute arbitrary code on the server by submitting a crafted value to a WCPA text field configured with custom pricing formula (pricingType: \"custom\" with {this.value}).","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4001","vuln_type":"Remote Code Execution","published_date":"2026-03-24 00:16:31"},{"id":185,"plugin_slug":"jupiter-x-core","plugin_name":"Jupiter X Core","affected_versions":"","fixed_version":"","severity":"high","cvss_score":"8.8","cve":"CVE-2026-3533","title":"The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authorization on import_popup_templates() function as well as insufficient file type validation in the uplo","description":"The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authorization on import_popup_templates() function as well as insufficient file type validation in the upload_files() function in all versions up to, and including, 4.14.1. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload files with dangerous types that can lead to Remote Code Execution on servers configured to handle .phar files as executable PHP (e.g., Apache+mod_php), or Stored Cross-Site Scripting via .svg, .dfxp, or .xhtml file uploads on any server configuration.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3533","vuln_type":"Cross-Site Scripting","published_date":"2026-03-24 00:16:30"},{"id":184,"plugin_slug":"wp-job-portal","plugin_name":"Wp Job Portal","affected_versions":"","fixed_version":"","severity":"high","cvss_score":"7.5","cve":"CVE-2026-4306","title":"The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the 'radius' parameter in all versions up to, and including, 2.4.8 due to insufficient escaping on the user supplied parameter","description":"The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the 'radius' parameter in all versions up to, and including, 2.4.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. 
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4306","vuln_type":"SQL Injection","published_date":"2026-03-23 23:17:13"},{"id":183,"plugin_slug":"smart-custom-fields","plugin_name":"Smart Custom Fields","affected_versions":"","fixed_version":"","severity":"medium","cvss_score":"4.3","cve":"CVE-2026-4066","title":"The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versions up to, and includi","description":"The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the relational_posts_search() function in all versions up to, and including, 5.0.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to read private and draft post content from other authors via the smart-cf-relational-posts-search AJAX action. 
The function queries posts with post_status=any and returns full WP_Post objects including post_content, but only checks the generic edit_posts capability instead of verifying whether the requesting user has permission to read each individual post.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4066","vuln_type":"Other","published_date":"2026-03-23 23:17:13"},{"id":182,"plugin_slug":"learnpress-wordpress-lms-plugin","plugin_name":"Learnpress Wordpress Lms Plugin","affected_versions":"","fixed_version":"","severity":"medium","cvss_score":"4.3","cve":"CVE-2026-3225","title":"The LearnPress \u2013 WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized deletion of quiz question answers due to a missing capability check in the delete_question_answer() function ","description":"The LearnPress \u2013 WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized deletion of quiz question answers due to a missing capability check in the delete_question_answer() function of the EditQuestionAjax class in all versions up to, and including, 4.3.2.8. The AbstractAjax::catch_lp_ajax() dispatcher verifies a wp_rest nonce but performs no current_user_can() check, and the QuestionAnswerModel::delete() method only validates minimum answer counts without checking user capabilities. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete answer options from any quiz question on the site.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-3225","vuln_type":"Other","published_date":"2026-03-23 23:17:13"},{"id":181,"plugin_slug":"quiz-and-survey-master-qsm","plugin_name":"Quiz And Survey Master Qsm","affected_versions":"","fixed_version":"","severity":"medium","cvss_score":"6.5","cve":"CVE-2026-2412","title":"The Quiz and Survey Master (QSM) plugin for WordPress is vulnerable to SQL Injection via the 'merged_question' parameter in all versions up to, and including, 10.3.5. This is due to insufficient sanit","description":"The Quiz and Survey Master (QSM) plugin for WordPress is vulnerable to SQL Injection via the 'merged_question' parameter in all versions up to, and including, 10.3.5. This is due to insufficient sanitization of user-supplied input before being used in a SQL query. The sanitize_text_field() function applied to the merged_question parameter does not prevent SQL metacharacters like ), OR, AND, and # from being included in the value, which is then directly concatenated into a SQL IN() clause without using $wpdb->prepare() or casting values to integers. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","source":"nvd","source_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-2412","vuln_type":"SQL Injection","published_date":"2026-03-23 23:17:11"}],"updated_at":"2026-04-22T12:13:04+00:00"}
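The feed above leaves `affected_versions` and `fixed_version` empty for almost every entry, and its `vuln_type` labels disagree with the descriptions in several places (a predictably named ZIP archive, an IDOR and a table truncation are all labelled "Remote Code Execution"), so the description text is the only field that can be trusted for triage. The Python below is an added example, not code from the feed's publisher or from any plugin: it recovers the affected range from the advisory phrasing, matches it against an installed-plugin inventory, and ranks findings by reachability (unauthenticated first) and CVSS. The four feed entries are copied from this page with their descriptions trimmed; the inventory, the regexes for the phrasing ("up to, and including, X", "versions A through B", "through X", "prior to X") and the function names are assumptions.

```python
"""Triage a WordPress plugin vulnerability feed against an installed-plugin inventory.

Added example, not the feed publisher's code. The affected range is recovered
from the description text because the feed's structured version fields are
mostly empty; the phrasing regexes are assumptions, not a published grammar.
"""
import json
import re
from typing import Optional

Range = tuple[Optional[str], str, bool]   # (low or None, high, high_inclusive)

# Constructed input: four entries copied from the page's feed, descriptions trimmed.
FEED_JSON = r'''{"ok": true, "threats": [
 {"id": 184, "plugin_slug": "wp-job-portal", "cve": "CVE-2026-4306", "cvss_score": "7.5",
  "vuln_type": "SQL Injection", "affected_versions": "",
  "description": "The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the 'radius' parameter in all versions up to, and including, 2.4.8 due to insufficient escaping on the user supplied parameter. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries."},
 {"id": 196, "plugin_slug": "wp-job-portal", "cve": "CVE-2026-4758", "cvss_score": "8.8",
  "vuln_type": "Remote Code Execution", "affected_versions": "",
  "description": "The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 2.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server."},
 {"id": 188, "plugin_slug": "user-registration-membership", "cve": "CVE-2026-4056", "cvss_score": "5.4",
  "vuln_type": "Other", "affected_versions": "5.0.1 - 5.1.4.",
  "description": "The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Content Access Rules REST API endpoints in versions 5.0.1 through 5.1.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to list, create, modify, toggle, duplicate, and delete site-wide content restriction rules."},
 {"id": 195, "plugin_slug": "through", "cve": "CVE-2026-2343", "cvss_score": "5.3",
  "vuln_type": "Remote Code Execution", "affected_versions": "",
  "description": "The PeproDev Ultimate Invoice WordPress plugin through 2.2.5 has a bulk download invoices action that generates ZIP archives containing exported invoice PDFs. The ZIP files are named predictably making it possible to brute force and retrieve PII."}
]}'''

# Constructed inventory: slug -> installed version, as `wp plugin list` would report it.
INSTALLED = {"wp-job-portal": "2.4.9", "user-registration-membership": "5.1.4"}

VERSION = r"(\d+(?:\.\d+)*)"
RANGE_RE = re.compile(r"versions?\s+" + VERSION + r"\s+(?:through|to)\s+" + VERSION, re.I)
CEILING_RE = re.compile(r"(up to,?\s+and\s+including,?|through|prior to(?:\s+version)?)\s+" + VERSION, re.I)
UNAUTH_RE = re.compile(r"\bunauthenticated attackers\b", re.I)
ROLE_RE = re.compile(r"with\s+([A-Za-z]+)-level access", re.I)


def load_feed() -> dict:
    return json.loads(FEED_JSON)


def parse_version(v: str) -> tuple[int, ...]:
    """'2.4.9' -> (2, 4, 9); tuple comparison gives dotted-version ordering."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def affected_range(description: str) -> Optional[Range]:
    """Recover the affected version range from advisory prose (assumed phrasing)."""
    m = RANGE_RE.search(description)
    if m:
        return (m.group(1), m.group(2), True)
    m = CEILING_RE.search(description)
    if not m:
        return None
    inclusive = not m.group(1).lower().startswith("prior")   # "prior to X" excludes X
    return (None, m.group(2), inclusive)


def version_in_range(installed: str, rng: Range) -> bool:
    low, high, inclusive = rng
    v = parse_version(installed)
    if low is not None and v < parse_version(low):
        return False
    return v <= parse_version(high) if inclusive else v < parse_version(high)


def required_access(description: str) -> str:
    """'unauthenticated', the lowest named WordPress role, or 'unknown'."""
    if UNAUTH_RE.search(description):
        return "unauthenticated"
    m = ROLE_RE.search(description)
    return m.group(1).lower() if m else "unknown"


def priority(cvss: float, access: str) -> str:
    """Reachability first, score second: unauthenticated plus high CVSS outranks everything."""
    if access == "unauthenticated" and cvss >= 7.0:
        return "P1"
    if access == "unauthenticated" or cvss >= 7.0:
        return "P2"
    return "P3"


def triage(feed: dict, installed: dict[str, str]) -> list[dict]:
    """Match feed entries to installed plugins and decide exposure per CVE."""
    out = []
    for t in feed["threats"]:
        slug = t["plugin_slug"]
        if slug not in installed:          # also drops the feed's mis-parsed slug "through"
            continue
        rng = affected_range(t["description"])
        if rng is None:
            status = "unknown-range"       # never silently treat an unparsed entry as safe
        else:
            status = "vulnerable" if version_in_range(installed[slug], rng) else "not-affected"
        access = required_access(t["description"])
        out.append({"cve": t["cve"], "slug": slug, "installed": installed[slug],
                    "affected": rng, "status": status, "access": access,
                    "priority": priority(float(t["cvss_score"]), access)})
    return sorted(out, key=lambda f: (f["status"] != "vulnerable", f["priority"]))


if __name__ == "__main__":
    for f in triage(load_feed(), INSTALLED):
        print(f"{f['priority']} {f['status']:<13} {f['cve']} {f['slug']} {f['installed']} "
              f"affected={f['affected']} access={f['access']}")
```

Two design points. An entry whose range cannot be parsed is reported as `unknown-range` rather than dropped, because a feed consumer that fails closed is the only kind worth automating. The `plugin_slug` field is itself untrustworthy in this feed (entry 195 carries the slug `through`, evidently scraped from "plugin through 2.2.5"), so a production version should fall back to matching on the plugin name in the description before concluding that nothing installed is affected.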
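The Contest Gallery entry (CVE-2026-4021) turns on a detail that is easy to misread: `$wpdb->prepare()` with `%s` quotes the e-mail string correctly, yet `WHERE ID = '1poc@example.test'` still hits user ID 1, because MySQL converts the string to a number from its leading numeric prefix when it compares an INT column against a string (a string with no numeric prefix becomes 0). The Python below is an added example, not the plugin's code; it models that documented comparison rule so the collision between a crafted registration address and a target user ID can be seen without a database, next to the lookup that does not collide. The user table, the attacker's row and the function names are constructed for the illustration.

```python
"""Model of the integer-coercion flaw described for CVE-2026-4021 (Contest Gallery).

Added example, not the plugin's code. Python stands in for MySQL: the rule
modelled is MySQL's implicit string-to-DOUBLE conversion in INT-vs-string
comparisons (leading numeric prefix, else 0). The wp_users slice, the
attacker's row and the function names are constructed.
"""
import re

# Constructed wp_users slice: (ID, user_email). Row 3 is the attacker's self-registered account.
USERS = [(1, "admin@example.test"), (2, "editor@example.test"), (3, "1poc@example.test")]

# Leading numeric prefix as MySQL parses it: optional sign, digits or decimal, optional exponent.
NUMERIC_PREFIX = re.compile(r"^\s*([+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?)")


def mysql_string_to_number(s: str) -> float:
    """Implicit string->DOUBLE conversion MySQL applies when comparing an INT column to a string."""
    m = NUMERIC_PREFIX.match(s)
    return float(m.group(1)) if m else 0.0


def ids_matched_by_string_where(value: str) -> list[int]:
    """Rows hit by the vulnerable `WHERE ID = %s` with the e-mail bound as a string.

    prepare() quotes the value correctly; the collision happens inside MySQL's comparison.
    """
    n = mysql_string_to_number(value)
    return [uid for uid, _ in USERS if float(uid) == n]


def ids_matched_by_email_where(email: str) -> list[int]:
    """Rows hit by `WHERE user_email = %s`: VARCHAR against string, exact match only.

    `WHERE ID = %d` with the raw e-mail is NOT a fix: PHP's intval('1poc@example.test') is 1,
    so the numeric ID must come from resolving the address to its own user row.
    """
    return [uid for uid, mail in USERS if mail == email]


def forged_email_for(target_id: int, domain: str = "example.test") -> str:
    """A syntactically valid registration address whose numeric prefix equals the target's ID."""
    return f"{target_id}poc@{domain}"


if __name__ == "__main__":
    attacker = forged_email_for(1)
    print("vulnerable WHERE ID = %s touches IDs:", ids_matched_by_string_where(attacker))
    print("fixed WHERE user_email = %s touches IDs:", ids_matched_by_email_where(attacker))
    print("exponent form '2e0x@example.test' coerces to", mysql_string_to_number("2e0x@example.test"))
```

Two practitioner notes. First, an address such as `2e0x@example.test` also collides (the prefix `2e0` parses as 2.0), so filtering addresses that merely start with a digit is not a complete defence; the defence is never comparing an e-mail against the ID column. Second, WordPress's `wpdb` strips the `STRICT_*` modes from `sql_mode` on connection, so the truncated-value condition MySQL raises for this comparison is a warning rather than an error, and server-side strictness does not block the overwrite.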