Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 271 | Critical: 26 | High: 82 | Medium: 161

Showing 1-20 of 271 records
Threat Entry Updated 2026-04-13

CVE-2026-3358 - WordPress Core

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized private course enrollment in all versions up to, and including, 3.9.7. This is due to missing post_status validation in the `enroll_now()` and `course_enrollment()` functions. Both enrollment endpoints verify the nonce, user authentication, and whether the course is purchasable, but fail to check if the course has a `private` post_status. This makes it possible for authenticated attackers with Subscriber-level access or above to enroll in private courses by sending a crafted POST request with the…

CORE WordPress Core

CVE-2026-3358

MEDIUM CVSS 5.4 2026-04-11
Threat Entry Updated 2026-04-15

CVE-2026-34424 - WordPress Core

Smart Slider 3 Pro version 3.5.1.35 for WordPress and Joomla contains a multi-stage remote access toolkit injected through a compromised update system that allows unauthenticated attackers to execute arbitrary code and commands. Attackers can trigger pre-authentication remote shell execution via HTTP headers, establish authenticated backdoors accepting arbitrary PHP code or OS commands, create hidden administrator accounts, exfiltrate credentials and access keys, and maintain persistence through multiple injection points including must-use plugins and core file modifications.

CORE WordPress Core

CVE-2026-34424

CRITICAL CVSS 9.3 2026-04-09
Threat Entry Updated 2026-04-13

CVE-2026-39614 - WordPress Core

Missing Authorization vulnerability in ilGhera JW Player for WordPress jw-player-7-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JW Player for WordPress: from n/a through

CORE WordPress Core

CVE-2026-39614

MEDIUM CVSS 5.4 2026-04-08
Threat Entry Updated 2026-04-13

CVE-2026-39466 - WordPress Core

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPMU DEV - Your All-in-One WordPress Platform Broken Link Checker broken-link-checker allows Blind SQL Injection. This issue affects Broken Link Checker: from n/a through

CORE WordPress Core

CVE-2026-39466

HIGH CVSS 7.6 2026-04-08
Threat Entry Updated 2026-03-30

CVE-2026-23806 - WordPress Core

Missing Authorization vulnerability in BlueGlass Interactive AG Jobs for WordPress job-postings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Jobs for WordPress: from n/a through

CORE WordPress Core

CVE-2026-23806

HIGH CVSS 7.5 2026-03-25
Threat Entry Updated 2026-03-30

CVE-2026-22523 - WordPress Core

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themepassion Ultra WordPress Admin ultra-admin allows Reflected XSS. This issue affects Ultra WordPress Admin: from n/a through

CORE WordPress Core

CVE-2026-22523

HIGH CVSS 7.1 2026-03-25
Threat Entry Updated 2026-03-24

CVE-2026-33290 - WordPress Core

WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw in updateComment allows an authenticated low-privileged user (including a custom role with zero capabilities) to change moderation status of their own comment (for example to APPROVE) without the moderate_comments capability. This can bypass moderation workflows and let untrusted users self-approve content. Version 2.10.0 contains a patch.

Details: In WPGraphQL 2.9.1 (tested), authorization for updateComment is owner-based, not field-based:
- plugins/wp-graphql/src/Mutation/CommentUpdate.php:92 allows moderators.
- plugins/wp-graphql/src/Mutation/CommentUpdate.php:99:99 also allows the comment owner, even if they lack moderation…

CORE WordPress Core

CVE-2026-33290

MEDIUM CVSS 4.3 2026-03-24
Threat Entry Updated 2026-03-16

CVE-2026-32412 - WordPress Core

Server-Side Request Forgery (SSRF) vulnerability in Gift Up! Gift Up Gift Cards for WordPress and WooCommerce gift-up allows Server Side Request Forgery. This issue affects Gift Up Gift Cards for WordPress and WooCommerce: from n/a through

CORE WordPress Core

CVE-2026-32412

MEDIUM CVSS 5.4 2026-03-13
Threat Entry Updated 2026-03-16

CVE-2026-32409 - WordPress Core

Missing Authorization vulnerability in WPMU DEV - Your All-in-One WordPress Platform Forminator forminator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Forminator: from n/a through

CORE WordPress Core

CVE-2026-32409

MEDIUM CVSS 5.3 2026-03-13
Threat Entry Updated 2026-03-11

CVE-2026-3906 - WordPress Core

WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the authenticated user has `edit_post` permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any…

CORE WordPress Core

CVE-2026-3906

MEDIUM CVSS 4.3 2026-03-11
Threat Entry Updated 2026-04-01

CVE-2026-22459 - WordPress Core

Missing Authorization vulnerability in Blend Media WordPress CTA easy-sticky-sidebar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress CTA: from n/a through

CORE WordPress Core

CVE-2026-22459

MEDIUM CVSS 6.5 2026-03-05
Threat Entry Updated 2026-03-10

CVE-2026-22390 - WordPress Core

Improper Control of Generation of Code ('Code Injection') vulnerability in Builderall Builderall Builder for WordPress builderall-cheetah-for-wp allows Code Injection. This issue affects Builderall Builder for WordPress: from n/a through

CORE WordPress Core

CVE-2026-22390

CRITICAL CVSS 9.9 2026-03-05
Threat Entry Updated 2026-04-15

CVE-2026-27938 - WordPress Core

WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable to OS command injection through direct use of `${{ github.event.pull_request.body }}` inside a `run:` shell block. When a pull request from `develop` to `master` is merged, the PR body is injected verbatim into a shell command, allowing arbitrary command execution on the Actions runner. Version 2.9.1 contains a fix for the vulnerability.

CORE WordPress Core

CVE-2026-27938

HIGH CVSS 7.7 2026-02-26
Threat Entry Updated 2026-04-15

CVE-2026-22383 - WordPress Core

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PawFriends - Pet Shop and Veterinary WordPress Theme: from n/a through

CORE WordPress Core

CVE-2026-22383

MEDIUM CVSS 5.4 2026-02-20
Threat Entry Updated 2026-02-25

CVE-2025-68837 - WordPress Core

Missing Authorization vulnerability in ELEXtensions ELEX WordPress HelpDesk & Customer Ticketing System elex-helpdesk-customer-support-ticket-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ELEX WordPress HelpDesk & Customer Ticketing System: from n/a through

CORE WordPress Core

CVE-2025-68837

MEDIUM CVSS 6.5 2026-02-20
Threat Entry Updated 2026-02-25

CVE-2025-68028 - WordPress Core

Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress ga-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GA4WP: Google Analytics for WordPress: from n/a through

CORE WordPress Core

CVE-2025-68028

MEDIUM CVSS 6.5 2026-02-20
Threat Entry Updated 2026-04-15

CVE-2026-27052 - WordPress Core

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in villatheme Sales Countdown Timer for WooCommerce and WordPress sctv-sales-countdown-timer allows PHP Local File Inclusion. This issue affects Sales Countdown Timer for WooCommerce and WordPress: from n/a through < 1.1.9.

CORE WordPress Core

CVE-2026-27052

HIGH CVSS 7.5 2026-02-19
Threat Entry Updated 2026-04-15

CVE-2026-25392 - WordPress Core

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in KaizenCoders Update URLs – Quick and Easy way to search old links and replace them with new links in WordPress update-urls allows Phishing. This issue affects Update URLs – Quick and Easy way to search old links and replace them with new links in WordPress: from n/a through

CORE WordPress Core

CVE-2026-25392

MEDIUM CVSS 4.7 2026-02-19
Threat Entry Updated 2026-04-15

CVE-2026-25325 - WordPress Core

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in rtCamp rtMedia for WordPress, BuddyPress and bbPress buddypress-media allows Retrieve Embedded Sensitive Data. This issue affects rtMedia for WordPress, BuddyPress and bbPress: from n/a through

CORE WordPress Core

CVE-2026-25325

MEDIUM CVSS 5.3 2026-02-19
Threat Entry Updated 2026-03-30

CVE-2026-25315 - WordPress Core

Improperly implemented security check vulnerability in KAGG hCaptcha for WP allows CAPTCHA Functionality Bypass. This issue affects hCaptcha for WP: from n/a through 4.21.1. The vulnerability is limited to the CAPTCHA mechanism intended to protect a publicly accessible form from automated abuse. It does not impact WordPress-level authentication or authorization controls.

CORE WordPress Core

CVE-2026-25315

MEDIUM CVSS 5.3 2026-02-19