CVE-2025-15565 - The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing

CVE-2026-4109 - The Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) plugin for WordPres

CVE-2026-2582 - The The Germanized for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode executi

CVE-2026-3017 - The Smart Post Show – Post Grid, Post Carousel & Slider, and List Category Posts plugin for WordPres

CVE-2026-4479 - The WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress is vulnerable to

CVE-2026-4059 - The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the woolentor_q

CVE-2026-1607 - The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting

CVE-2026-6227 - The BackWPup plugin for WordPress is vulnerable to Local File Inclusion via the `block_name` paramet

CVE-2026-4388 - The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Ma

CVE-2026-4365 - The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing cap

CVE-2026-4352 - The JetEngine plugin for WordPress is vulnerable to SQL Injection via the Custom Content Type (CCT)

CVE-2026-6203 - The User Registration & Membership plugin for WordPress is vulnerable to Open Redirect in versions u

CVE-2026-3830 - The Product Filter for WooCommerce by WBW WordPress plugin before 3.1.3 does not sanitize and escape

CVE-2025-15441 - The Form Maker by 10Web WordPress plugin before 1.15.38 does not properly prepare SQL queries when

CVE-2026-5809 - The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and

CVE-2026-5226 - The Optimole – Optimize Images in Real Time plugin for WordPress is vulnerable to Reflected Cross-Si

CVE-2026-5217 - The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin f

CVE-2026-5207 - The LifterLMS plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all v

CVE-2026-5144 - The BuddyPress Groupblog plugin for WordPress is vulnerable to Privilege Escalation in all versions

CVE-2026-4979 - The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for W

CVE-2026-4895 - The GreenShift - Animation and Page Builder Blocks plugin for WordPress is vulnerable to Stored Cros

CVE-2026-3498 - The BlockArt Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'clien

CVE-2026-3371 - The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure

CVE-2026-3358 - The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthori

CVE-2026-4162 - The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization in versions up to, and

CVE-2026-4432 - The YITH WooCommerce Wishlist WordPress plugin before 4.13.0 does not properly validate wishlist own

CVE-2025-14545 - The YML for Yandex Market WordPress plugin before 5.0.26 is vulnerable to Remote Code Execution via

CVE-2026-2305 - The AddFunc Head & Footer Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via

CVE-2026-4977 - The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for W

CVE-2026-4664 - The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to authentication bypass in

CVE-2026-4351 - The Perfmatters plugin for WordPress is vulnerable to arbitrary file overwrite via path traversal in

CVE-2026-4305 - The Royal WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to Reflected Cross-Si

CVE-2026-4057 - The Download Manager plugin for WordPress is vulnerable to unauthorized modification of data due to

CVE-2026-3360 - The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to an Insecu

CVE-2026-2712 - The WP-Optimize plugin for WordPress is vulnerable to unauthorized access of functionality due to mi

CVE-2026-1263 - The Webling plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to,

CVE-2026-34424 - Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access to

CVE-2023-54359 - WordPress adivaha Travel Plugin 2.3 contains a time-based blind SQL injection vulnerability that all

CVE-2023-54358 - WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that all

CVE-2026-3005 - The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the pl

CVE-2026-2519 - The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to

CVE-2026-5742 - The UsersWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and

CVE-2026-4336 - The Ultimate FAQ Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via FAQ

CVE-2026-1830 - The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up

CVE-2026-5357 - The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sid'

CVE-2026-4429 - The OSM – OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'm

CVE-2026-4124 - The Ziggeo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and in

CVE-2026-3574 - The Experto Dashboard for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Script

CVE-2026-3568 - The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versio

CVE-2026-4326 - The Vertex Addons for Elementor plugin for WordPress is vulnerable to Missing Authorization in all v

CVE-2026-5711 - The Post Blocks & Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 's

CVE-2026-5451 - The Extensions for Leaflet Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via

CVE-2026-5436 - The MW WP Form plugin for WordPress is vulnerable to Arbitrary File Move/Read in all versions up to

CVE-2026-2942 - The ProSolution WP Client plugin for WordPress is vulnerable to arbitrary file uploads due to missin

CVE-2026-0814 - The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due

CVE-2026-0811 - The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Cross-Site Request Forgery in a

CVE-2026-2509 - The Page Builder: Pagelayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via th

CVE-2026-3243 - The Advanced Members for ACF plugin for WordPress is vulnerable to arbitrary file deletion due to in

CVE-2026-2481 - The Beaver Builder Page Builder – Drag and Drop Website Builder plugin for WordPress is vulnerable t

CVE-2026-1865 - The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, Us

CVE-2026-1673 - The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for

CVE-2026-1672 - The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for

CVE-2026-4303 - The WP Visitor Statistics (Real Time Traffic) plugin for WordPress is vulnerable to Stored Cross-Sit

CVE-2026-4300 - The Robo Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Loading

CVE-2026-4073 - The pdfl.io plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pdflio' short

CVE-2026-4025 - The PrivateContent Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'a

CVE-2026-39614 - Missing Authorization vulnerability in ilGhera JW Player for WordPress jw-player-7-for-wp allows Exp

CVE-2026-39466 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability i

CVE-2026-1396 - The Magic Conversation For Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scr

CVE-2026-4655 - The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Script

CVE-2026-4654 - The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to Inse

CVE-2026-4330 - The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to authorizat

CVE-2026-5508 - The WowPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wow

CVE-2026-5506 - The Wavr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wave` s

CVE-2026-5169 - The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting

CVE-2026-5167 - The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is vul

CVE-2026-4871 - The Sports Club Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the

CVE-2026-4808 - The Gerador de Certificados – DevApps plugin for WordPress is vulnerable to arbitrary file uploads d

CVE-2026-4338 - The ActivityPub WordPress plugin before 8.0.2 does not properly filter posts to be displayed, allowe

CVE-2026-4141 - The Quran Translations plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versi

CVE-2026-3781 - The Attendance Manager plugin for WordPress is vulnerable to SQL Injection via the 'attmgr_off' para

CVE-2026-3618 - The Columns by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the

CVE-2026-3594 - The Riaxe Product Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in

CVE-2026-3480 - The WP Blockade plugin for WordPress is vulnerable to Missing Authorization in all versions up to an

CVE-2026-3477 - The PZ Frontend Manager plugin for WordPress is vulnerable to Missing Authorization in all versions

CVE-2026-3142 - The Pinterest Site Verification plugin using Meta Tag plugin for WordPress is vulnerable to Stored C

CVE-2026-2838 - The Whole Enquiry Cart for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scrip

CVE-2025-1794 - The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded S

CVE-2026-3311 - The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCom

CVE-2026-4785 - The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerab

CVE-2026-4341 - The Prime Slider – Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scri

CVE-2026-4333 - The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Script

CVE-2026-4299 - The MainWP Child Reports plugin for WordPress is vulnerable to Missing Authorization in all versions

CVE-2026-4003 - The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User

CVE-2026-3646 - The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress is vulnerable to Missing Authoriz

CVE-2026-3600 - The Investi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'investi-annou

CVE-2026-3513 - The TableOn – WordPress Posts Table Filterable plugin for WordPress is vulnerable to Stored Cross-Si

CVE-2026-3239 - The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the pl

CVE-2026-4379 - The LightPress Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `g

CVE-2026-2988 - The Blubrry PowerPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'po

CVE-2026-3499 - The Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin for WordPres

CVE-2026-3296 - The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to,

CVE-2025-14732 - The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to

CVE-2026-4406 - The Gravity Forms plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `form

CVE-2026-4401 - The Download Monitor plugin for WordPress is vulnerable to Cross-Site Request Forgery in the `action

CVE-2026-4394 - The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Credit C

CVE-2026-2263 - The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to

CVE-2026-4065 - The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized access and modification of dat

CVE-2025-14944 - The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up

CVE-2026-3177 - The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin

CVE-2026-5465 - The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Inse

CVE-2026-4079 - The SQL Chart Builder WordPress plugin before 2.3.8 does not properly escape user input as it is con

CVE-2026-1900 - The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that all

CVE-2025-15611 - The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the add_or_edit_po

CVE-2026-0740 - The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to m

CVE-2026-3666 - The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to

CVE-2026-3309 - The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict C

CVE-2026-2936 - The Visitor Traffic Real Time Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scr

CVE-2026-1233 - The Text to Speech for WP (AI Voices by Mementor) plugin for WordPress is vulnerable to sensitive in

CVE-2026-0626 - The WPFunnels – Easy Funnel Builder To Optimize Buyer Journeys And Get More Leads & Sales plugin for

CVE-2025-14938 - The Listeo Core plugin for WordPress is vulnerable to unauthenticated arbitrary media upload in all

CVE-2026-5425 - The Widgets for Social Photo Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting

CVE-2026-3445 - The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict C

CVE-2026-2826 - The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to

CVE-2026-2437 - The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerab

CVE-2026-4896 - The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plu

CVE-2026-2600 - The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Si

CVE-2026-0738 - The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Si

CVE-2026-0737 - The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Si

CVE-2026-0664 - The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via

CVE-2026-0552 - The Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the p

CVE-2025-15064 - The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Mem

CVE-2025-13368 - The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site

CVE-2026-2949 - The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site

CVE-2026-2924 - The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable

CVE-2026-3571 - The Pie Register – User Registration, Profiles & Content Restriction plugin for WordPress is vulnera

CVE-2026-4350 - The Perfmatters plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in

CVE-2026-5032 - The W3 Total Cache plugin for WordPress is vulnerable to information exposure in all versions up to,

CVE-2026-0688 - The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up

CVE-2026-0686 - The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up

CVE-2026-4347 - The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file

CVE-2026-1540 - The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows logging to a PHP file, whi

CVE-2025-13535 - The King Addons for Elementor plugin for WordPress is vulnerable to multiple Contributor+ DOM-Based

CVE-2026-2696 - The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing posts URLS (inclu

CVE-2025-15484 - The Order Notification for WooCommerce WordPress plugin before 3.6.3 overrides WooCommerce's permis

CVE-2026-3831 - The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to unau

CVE-2026-4668 - The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to SQL

CVE-2026-2480 - The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Si

CVE-2026-4267 - The Query Monitor – The developer tools panel for WordPress plugin for WordPress is vulnerable to Re

CVE-2026-3191 - The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up

CVE-2026-3139 - The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugi

CVE-2026-3881 - The Performance Monitor WordPress plugin through 1.0.6 does not validate a parameter before making a

CVE-2026-1877 - The Auto Post Scheduler plugin for WordPress is vulnerable to Cross-Site Request Forgery in all vers

CVE-2026-1834 - The Ibtana – WordPress Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scrip

CVE-2026-4146 - The Loco Translate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘upd

CVE-2026-1797 - The Appointment Booking and Scheduler Plugin – Truebooker plugin for WordPress is vulnerable to Sens

CVE-2026-1710 - The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnerable to unauthorized

CVE-2026-4020 - The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all version

CVE-2026-3300 - The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injec

CVE-2026-5130 - The Debugger & Troubleshooter plugin for WordPress was vulnerable to Unauthenticated Privilege Escal

CVE-2026-4257 - The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side Template Injection (

CVE-2026-3124 - The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all v

CVE-2026-2602 - The Twentig plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'featuredImage

CVE-2026-2442 - The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Im

CVE-2026-1307 - The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to

CVE-2025-15445 - The Restaurant Cafeteria WordPress theme through 0.4.6 exposes insecure admin-ajax actions without n

CVE-2025-12886 - The Oxygen Theme theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up

CVE-2026-4987 - The SureForms – Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress is vulne

CVE-2026-4248 - The Ultimate Member plugin for WordPress is vulnerable to Sensitive Information Exposure in all vers

CVE-2026-33559 - WordPress Plugin "OpenStreetMap" provided by MiKa contains a cross-site scripting vulnerability. On

CVE-2026-3098 - The Smart Slider 3 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to,

CVE-2026-2511 - The JS Help Desk – AI-Powered Support & Ticketing System plugin for WordPress is vulnerable to SQL I

CVE-2026-2389 - The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scr

CVE-2026-2231 - The Fluent Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple pa

CVE-2026-1032 - The Conditional Menus plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versio

CVE-2026-1890 - The LeadConnector WordPress plugin before 3.0.22 does not have authorization in a REST route, allowi

CVE-2026-1430 - The WP Lightbox 2 WordPress plugin before 3.0.7 does not sanitise and escape some of its settings, w

CVE-2025-15488 - The Responsive Plus WordPress plugin before 3.4.3 is vulnerable to arbitrary shortcode execution du

CVE-2025-15433 - The Shared Files WordPress plugin before 1.7.58 allows users with a role as low as Contributor to d

CVE-2026-1206 - The Elementor Website Builder plugin for WordPress is vulnerable to Incorrect Authorization to Sensi

CVE-2026-4389 - The DSGVO snippet for Leaflet Map and its Extensions plugin for WordPress is vulnerable to Stored Cr

CVE-2026-4331 - The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthoriz

CVE-2026-4329 - The Blackhole for Bad Bots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the

CVE-2026-4281 - The FormLift for Infusionsoft Web Forms plugin for WordPress is vulnerable to Missing Authorization

CVE-2026-4278 - The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via th

CVE-2026-2931 - The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versio

CVE-2026-4335 - The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via

CVE-2026-4075 - The BWL Advanced FAQ Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting

CVE-2026-3328 - The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via dese

CVE-2026-1986 - The FloristPress for Woo – Customize your eCommerce store for your Florist plugin for WordPress is v

CVE-2026-4484 - The Masteriyo LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to,

CVE-2026-4758 - The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient

CVE-2026-25334 - Incorrect Privilege Assignment vulnerability in wordpresschef Salon Booking System Pro salon-booking

CVE-2026-23806 - Missing Authorization vulnerability in BlueGlass Interactive AG Jobs for WordPress job-postings allo

CVE-2026-22523 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability i

CVE-2026-2343 - The PeproDev Ultimate Invoice WordPress plugin through 2.2.5 has a bulk download invoices action tha

CVE-2026-4766 - The Easy Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gal

CVE-2026-4662 - The JetEngine plugin for WordPress is vulnerable to SQL Injection via the `listing_load_more` AJAX a

CVE-2026-4283 - The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized account destruction in

CVE-2026-3138 - The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to unauthorized data lo

CVE-2026-3079 - The LearnDash LMS plugin for WordPress is vulnerable to blind time-based SQL Injection via the 'filt

CVE-2026-33290 - WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw

CVE-2026-4056 - The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification o

CVE-2026-4021 - The Contest Gallery plugin for WordPress is vulnerable to an authentication bypass leading to admin

CVE-2026-4001 - The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Executio

CVE-2026-4306 - The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the 'radius' parameter in

CVE-2026-4066 - The Smart Custom Fields plugin for WordPress is vulnerable to unauthorized access of data due to a m

CVE-2026-3225 - The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized deletion of

CVE-2026-2412 - The Quiz and Survey Master (QSM) plugin for WordPress is vulnerable to SQL Injection via the 'merged

CVE-2025-6229 - The Sina Extension for Elementor (Header Builder, Footer Builter, Theme Builder, Slider, Gallery, Fo

CVE-2026-1969 - The trx_addons WordPress plugin before 2.38.5 does not correctly validate file types in one of its A

CVE-2026-4314 - The 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress is vulnerable to Privilege E

CVE-2026-3427 - The Yoast SEO – Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnera

CVE-2026-3629 - The Import and export users and customers plugin for WordPress is vulnerable to privilege escalation

CVE-2026-4373 - The JetFormBuilder plugin for WordPress is vulnerable to arbitrary file read via path traversal in a

CVE-2026-4261 - The Expire Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, a

CVE-2026-4161 - The Review Map by RevuKangaroo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via

CVE-2026-4143 - The Neos Connector for Fakturama plugin for WordPress is vulnerable to Cross-Site Request Forgery in

CVE-2026-4127 - The Speedup Optimization plugin for WordPress is vulnerable to Missing Authorization in all versions

CVE-2026-4087 - The Pre* Party Resource Hints plugin for WordPress is vulnerable to SQL Injection via the 'hint_ids'

CVE-2026-4086 - The WP Random Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cat'

CVE-2026-4084 - The fyyd podcast shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via th

CVE-2026-4077 - The Ecover Builder For Dummies plugin for WordPress is vulnerable to Stored Cross-Site Scripting via

CVE-2026-4072 - The WordPress PayPal Donation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via

CVE-2026-4069 - The Alfie – Feed Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'n

CVE-2026-4067 - The Ad Short plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ad' shortcod

CVE-2026-4022 - The Show Posts list – Easy designs, filters and more plugin for WordPress is vulnerable to Stored Cr

CVE-2026-4004 - The Task Manager plugin for WordPress is vulnerable to arbitrary shortcode execution via the 'search

CVE-2026-3997 - The Text Toggle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' sh

CVE-2026-3996 - The WP Games Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [game]

CVE-2026-3651 - The Build App Online plugin for WordPress is vulnerable to unauthorized access in all versions up to

CVE-2026-3645 - The Punnel – Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all

CVE-2026-3641 - The Appmax plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, an

CVE-2026-3619 - The Sheets2Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'titles'

CVE-2026-3617 - The Paypal Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'amou

CVE-2026-3570 - The Smarter Analytics plugin for WordPress is vulnerable to unauthorized access in all versions up t

CVE-2026-3554 - The Sherk Custom Post Type Displays plugin for WordPress is vulnerable to Stored Cross-Site Scriptin

CVE-2026-3546 - The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all

CVE-2026-3506 - The WP-Chatbot for Messenger plugin for WordPress is vulnerable to authorization bypass in all versi

CVE-2026-3478 - The Content Syndication Toolkit plugin for WordPress is vulnerable to Server-Side Request Forgery in

CVE-2026-3460 - The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference i

CVE-2026-3354 - The Wikilookup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Popup Widt

CVE-2026-3353 - The Comment SPAM Wiper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'AP

CVE-2026-3347 - The Multi Functional Flexi Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scriptin

CVE-2026-3335 - The Canto plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and inc

CVE-2026-3334 - The CMS Commander plugin for WordPress is vulnerable to SQL Injection via the 'or_blogname', 'or_blo

CVE-2026-3333 - The MinhNhut Link Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the

CVE-2026-3331 - The Lobot Slider Administrator plugin for WordPress is vulnerable to Cross-Site Request Forgery in v

CVE-2026-3003 - The Vagaro Booking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the

CVE-2026-2941 - The Linksy Search and Replace plugin for WordPress is vulnerable to unauthorized modification of dat