Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-06-06
CVE-2026-9851 - Booking Package Plugin
The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the package_app_action AJAX endpoint, where the handler only validates a nonce and the dispatcher invokes Schedule::updateUser() with the $administrator argument hard-coded to 1, bypassing the only owner-restriction check inside that function and allowing the target user to be determined solely by attacker-supplied input passed directly to wp_update_user(). This makes it possible for authenticated attackers, with Editor-level…
PLUGIN
Booking Package
CVE-2026-9851
Risk Score
Threat Entry
Updated 2026-06-06
CVE-2026-9829 - Mobile Friendly Image Gallery Plugin
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based SQL Injection via 'compact_album_order_by' Shortcode Parameter in all versions up to, and including, 1.8.41 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The malicious payload is stored via the 'shortcode_bwg' AJAX…
PLUGIN
Mobile Friendly Image Gallery
CVE-2026-9829
Risk Score
Threat Entry
Updated 2026-06-06
CVE-2026-9016 - Debug Log Manager Plugin
The Debug Log Manager – Conveniently Monitor and Inspect Errors plugin for WordPress is vulnerable to Improper Output Neutralization for Logs in all versions up to, and including, 2.5.0. This is due to the `log_js_errors()` AJAX handler being registered for unauthenticated users via `wp_ajax_nopriv_log_js_errors` and gated only by a nonce that is publicly disclosed in every front-end page's HTML through `wp_localize_script()` whenever JavaScript error logging is enabled, providing no real authorization barrier. This makes it possible for unauthenticated attackers to inject arbitrary forged entries into the site's WordPress debug log…
PLUGIN
Debug Log Manager
CVE-2026-9016
Risk Score
Threat Entry
Updated 2026-06-06
CVE-2026-8839 - Mappress Google Maps For Wordpress Plugin
The MapPress Maps for WordPress plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.96.6. This is due to missing ownership verification in the REST API routes registered via `Mappress_Api::rest_api_init()`, where the GET `/wp-json/mapp/v1/maps/{mapid}` endpoint uses `'permission_callback' => '__return_true'` and the write endpoints (POST update, DELETE, PATCH mutate, POST clone, POST empty_trash) only check the generic `edit_posts` capability without confirming that the requester owns the targeted map — a gap that is not compensated at the model layer, as `Mappress_Map::get()`, `save()`,…
PLUGIN
Mappress Google Maps For Wordpress
CVE-2026-8839
Risk Score
Threat Entry
Updated 2026-06-06
CVE-2026-9594 - Wp Google Map Plugin
The WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'location_messages' parameter in all versions up to, and including, 4.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the attacker to hold the custom wpgmp_manage_location capability, which is granted to administrators by default but can be assigned to lower-privileged…
PLUGIN
Wp Google Map
CVE-2026-9594
Risk Score
Threat Entry
Updated 2026-06-06
CVE-2026-8611 - Klamra Paycal For Aspaclaria Plugin
The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the 'invoice_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to download arbitrary customer invoices by enumerating sequential post IDs, exposing sensitive billing PII including full name, email address, phone number, order total, line items, and customer notes belonging to other customers.
PLUGIN
Klamra Paycal For Aspaclaria
CVE-2026-8611
Risk Score
Threat Entry
Updated 2026-06-06
CVE-2026-7624 - Squirrly Seo Plugin
The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 12.4.16. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to invoke privileged state-changing Squirrly cloud API operations, such as revoking the site's Google Search Console and Google Analytics integrations via `api/gsc/revoke` and `api/ga/revoke`, that are otherwise restricted to administrator-level users holding the `sq_manage_settings` capability.
PLUGIN
Squirrly Seo
CVE-2026-7624
Risk Score
Threat Entry
Updated 2026-06-06
CVE-2026-7796 - Embedpress Plugin
The EmbedPress – PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the block 'url' attribute in all versions up to, and including, 4.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page
PLUGIN
Embedpress
CVE-2026-7796
Risk Score
Threat Entry
Updated 2026-06-06
CVE-2026-9280 - Ad Inserter Plugin
The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL Parameters in iframe Mode in all versions up to, and including, 2.8.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Exploitation requires that iframe mode (AI_OPTION_IFRAME) is enabled on at least one ad block displayed on the…
PLUGIN
Ad Inserter
CVE-2026-9280
Risk Score
Threat Entry
Updated 2026-06-06
CVE-2026-8502 - Wordpress Lms Plugin For Create And Sell Online Courses
The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.6 via the 'return_type' parameter. This makes it possible for unauthenticated attackers to extract sensitive data including the plaintext post_password of password-protected courses and the full post_content, post_author, and post_name of unpublished draft, private, and pending courses via the unrestricted SELECT * fallback query. Exploitation requires supplying both c_status=all (to bypass the publish-only post_status WHERE clause) and return_type=json (to prevent the safe…
PLUGIN
Wordpress Lms Plugin For Create And Sell Online Courses
CVE-2026-8502
Risk Score
Threat Entry
Updated 2026-06-06
CVE-2026-9197 - Smart Slider 3 Plugin
The Smart Slider 3 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.5.1.36 via the replaceHTMLImage function. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Smart Slider 3
CVE-2026-9197
Risk Score
Threat Entry
Updated 2026-06-06
CVE-2026-8978 - Popup Builder For Wordpress Plugin
The OptinCraft – Drag & Drop Optins & Popup Builder for WordPress plugin for WordPress is vulnerable to generic SQL Injection via the 'order_by' parameter in all versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Popup Builder For Wordpress
CVE-2026-8978
Risk Score
Threat Entry
Updated 2026-06-06
CVE-2026-8991 - Drag And Drop Multiple File Upload Contact Form 7 Plugin
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'drag_n_drop_text' and 'drag_n_drop_browse_text' Settings in all versions up to, and including, 1.3.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Drag And Drop Multiple File Upload Contact Form 7
CVE-2026-8991
Risk Score
Threat Entry
Updated 2026-06-06
CVE-2026-7795 - Click To Chat For Whatsapp Plugin
The Click to Chat – WA Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [chat] shortcode 'num' parameter in all versions up to, and including, 4.38. This is due to insufficient escaping when embedding user-supplied shortcode attribute values inside JavaScript string literals that are then placed in HTML event-handler attributes. The CCW_Shortcode::shortcode() function applies esc_attr() to the 'num' parameter (line 157), which converts single quotes to the HTML entity '. This entity-encoded value is then interpolated directly into a JavaScript window.open() call string delimited by single…
PLUGIN
Click To Chat For Whatsapp
CVE-2026-7795
Risk Score
Threat Entry
Updated 2026-06-06
CVE-2026-7792 - Wpforms Lite Plugin
The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to and including 1.10.0.1. This is due to the PayPal Commerce webhook endpoint processing unauthenticated JSON webhook payloads without verifying that the request originated from PayPal using the required HMAC-SHA256 webhook signature, and only checking whether the supplied event_type is whitelisted before dispatching the attacker-controlled resource data to handlers that update payment records. This makes it possible for unauthenticated attackers…
PLUGIN
Wpforms Lite
CVE-2026-7792
Risk Score
Threat Entry
Updated 2026-06-06
CVE-2026-7665 - Essential Addons For Elementor Lite Plugin
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.6.4 via the ajax_load_more function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
PLUGIN
Essential Addons For Elementor Lite
CVE-2026-7665
Risk Score
Threat Entry
Updated 2026-06-06
CVE-2026-7566 - Learnpress Import Export Plugin
The LearnPress – Backup & Migration Tool plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.4 via deserialization of untrusted input . This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme…
PLUGIN
Learnpress Import Export
CVE-2026-7566
Risk Score
Threat Entry
Updated 2026-06-06
CVE-2026-7565 - Learnpress Import Export Plugin
The LearnPress – Backup & Migration Tool plugin for WordPress is vulnerable to Arbitrary File Read via Directory Traversal in all versions up to, and including, 4.1.4 via the 'import-user-file' parameter parameter. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Learnpress Import Export
CVE-2026-7565
Risk Score
Threat Entry
Updated 2026-06-06
CVE-2026-7537 - Mobile Dj Manager Plugin
The MDJM Event Management plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7.8.3 via the mdjm_send_comm_email function. This is due to no file type, extension, or MIME type validation being performed on uploaded files. This makes it possible for authenticated attackers, with administrator-level access and above, to upload files that may be executable, which makes remote code execution possible.
PLUGIN
Mobile Dj Manager
CVE-2026-7537
Risk Score
Threat Entry
Updated 2026-06-06
CVE-2026-2500 - Quick Playground Plugin
The Quick Playground plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.4. This is due to the `qckply_data()` function passing the user-supplied `filename` POST parameter directly to `file_get_contents()` without any validation, sanitization, or path restriction. This makes it possible for authenticated attackers, with Administrator-level access and above, to read arbitrary files on the server, such as `wp-config.php` or `/etc/passwd`, which can contain sensitive information. Note: This vulnerability is only exploitable when the site has been synced with WordPress Playground (the `is_qckply_clone` option is…
PLUGIN
Quick Playground
CVE-2026-2500
Risk Score