Threat Entry Updated 2026-04-15

CVE-2026-0722 - Shield: Blocks Bots, Protects Users, and Prevents Security Breaches Plugin

The Shield Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 21.0.8. This is due to the plugin allowing nonce verification to be bypassed via user-supplied parameter in the 'isNonceVerifyRequired' function. This makes it possible for unauthenticated attackers to execute SQL injection attacks, extracting sensitive information from the database, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Shield: Blocks Bots, Protects Users, and Prevents Security Breaches

CVE-2026-0722

MEDIUM CVSS 6.5 2026-02-19

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2026-04-15

CVE-2026-0561 - Shield: Blocks Bots, Protects Users, and Prevents Security Breaches Plugin

The Shield Security plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'message' parameter in all versions up to, and including, 21.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Shield: Blocks Bots, Protects Users, and Prevents Security Breaches

CVE-2026-0561

MEDIUM CVSS 6.1 2026-02-19

Risk Score

Open Full Technical Breakdown