Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-03-30
CVE-2026-1032 - Conditional Menus Plugin
The Conditional Menus plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.6. This is due to missing nonce validation on the 'save_options' function. This makes it possible for unauthenticated attackers to modify conditional menu assignments via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Conditional Menus
CVE-2026-1032
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1890 - Before 3 Plugin
The LeadConnector WordPress plugin before 3.0.22 does not have authorization in a REST route, allowing unauthenticated users to call it and overwrite existing data
PLUGIN
Before 3
CVE-2026-1890
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1430 - Wp Lightbox 2 Plugin
The WP Lightbox 2 WordPress plugin before 3.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
PLUGIN
Wp Lightbox 2
CVE-2026-1430
Risk Score
Threat Entry
Updated 2026-03-30
CVE-2026-1206 - Elementor Website Builder Plugin
The Elementor Website Builder plugin for WordPress is vulnerable to Incorrect Authorization to Sensitive Information Exposure in all versions up to, and including, 3.35.7. This is due to a logic error in the is_allowed_to_read_template() function permission check that treats non-published templates as readable without verifying edit capabilities. This makes it possible for authenticated attackers, with contributor-level access and above, to read private or draft Elementor template content via the 'template_id' supplied to the 'get_template_data' action of the 'elementor_ajax' endpoint.
PLUGIN
Elementor Website Builder
CVE-2026-1206
Risk Score
Threat Entry
Updated 2026-03-30
CVE-2026-4329 - Blackhole Bad Bots Plugin
The Blackhole for Bad Bots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent HTTP header in all versions up to and including 3.8. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field() when capturing bot data (which strips HTML tags but does not escape HTML entities like double quotes), then stores the data via update_option(). When an administrator views the Bad Bots log page, the stored data is output directly into HTML input value attributes (lines 75-83) without esc_attr() and into…
PLUGIN
Blackhole Bad Bots
CVE-2026-4329
Risk Score
Threat Entry
Updated 2026-03-30
CVE-2026-4389 - Dsgvo Leaflet Map Plugin
The DSGVO snippet for Leaflet Map and its Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `leafext-cookie-time` and `leafext-delete-cookie` shortcodes in all versions up to, and including, 3.1. This is due to insufficient input sanitization and output escaping on user supplied attributes (`unset`, `before`, `after`). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Dsgvo Leaflet Map
CVE-2026-4389
Risk Score
Threat Entry
Updated 2026-03-30
CVE-2026-4281 - Formlift For Infusionsoft Web Forms Plugin
The FormLift for Infusionsoft Web Forms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 7.5.21. This is due to missing capability checks on the connect() and listen_for_tokens() methods of the FormLift_Infusionsoft_Manager class, both of which are hooked to 'plugins_loaded' and execute on every page load. The connect() function generates an OAuth connection password and leaks it in the redirect Location header without verifying the requesting user is authenticated or authorized. The listen_for_tokens() function only validates the temporary password but performs no user authentication…
PLUGIN
Formlift For Infusionsoft Web Forms
CVE-2026-4281
Risk Score
Threat Entry
Updated 2026-03-30
CVE-2026-4331 - Blog2Social: Social Media Auto Post & Scheduler Plugin
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized data loss in all versions up to, and including, 8.8.2. This is due to the resetSocialMetaTags() function only verifying that the user has the 'read' capability and a valid b2s_security_nonce, both of which are available to Subscriber-level users, as the plugin grants 'blog2social_access' capability to all roles upon activation, allowing them to access the plugin's admin pages where the nonce is output. This makes it possible for authenticated attackers, with Subscriber-level access and above, to…
PLUGIN
Blog2Social: Social Media Auto Post & Scheduler
CVE-2026-4331
Risk Score
Threat Entry
Updated 2026-03-30
CVE-2026-2931 - Amelia Booking Plugin
The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with customer-level permissions or above to change user passwords and potentially take over administrator accounts. The vulnerability is in the pro plugin, which has the same slug.
PLUGIN
Amelia Booking
CVE-2026-2931
Risk Score
Threat Entry
Updated 2026-03-30
CVE-2026-4278 - Simple Download Counter Plugin
The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sdc_menu' shortcode in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes, specifically the 'text' and 'cat' attributes. The 'text' attribute is output directly into HTML content on line 159 without any escaping (e.g., esc_html()). The 'cat' attribute is used unescaped in HTML class attributes on lines 135 and 157 without esc_attr(). This makes it possible for authenticated attackers, with Contributor-level access and…
PLUGIN
Simple Download Counter
CVE-2026-4278
Risk Score
Threat Entry
Updated 2026-03-30
CVE-2026-4075 - Bwl Advanced Faq Manager Lite Plugin
The BWL Advanced FAQ Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'baf_sbox' shortcode in all versions up to and including 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'sbox_id', 'sbox_class', 'placeholder', 'highlight_color', 'highlight_bg', and 'cont_ext_class'. These attributes are directly interpolated into HTML element attributes without any esc_attr() escaping in the baf_sbox() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever…
PLUGIN
Bwl Advanced Faq Manager Lite
CVE-2026-4075
Risk Score
Threat Entry
Updated 2026-03-30
CVE-2026-4335 - Shortpixel Image Optimiser Plugin
The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup() function and its corresponding media-popup.php template. Specifically, the attachment's post_title is retrieved from the database via get_post() in AjaxController.php (line 435) and passed directly to the view template (line 449), where it is rendered into an HTML input element's value attribute without esc_attr() escaping (media-popup.php line 139). Since WordPress allows Authors to set arbitrary attachment…
PLUGIN
Shortpixel Image Optimiser
CVE-2026-4335
Risk Score
Threat Entry
Updated 2026-03-30
CVE-2026-3328 - Acf Frontend Form Element Plugin
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin_form posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's `maybe_unserialize()` function without class restrictions on user-controllable content stored in admin_form post content. This makes it possible for authenticated attackers, with Editor-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to achieve remote code execution.
PLUGIN
Acf Frontend Form Element
CVE-2026-3328
Risk Score
Threat Entry
Updated 2026-03-30
CVE-2026-1986 - Bakkbone Florist Companion Plugin
The FloristPress for Woo – Customize your eCommerce store for your Florist plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'noresults' parameter in all versions up to, and including, 7.8.2 due to insufficient input sanitization and output escaping on the user supplied 'noresults' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Bakkbone Florist Companion
CVE-2026-1986
Risk Score
Threat Entry
Updated 2026-04-08
CVE-2026-4484 - Learning Management System Plugin
The Masteriyo LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.6. This is due to the plugin allowing a user to update the user role through the 'InstructorsController::prepare_object_for_database' function. This makes it possible for authenticated attackers, with Student-level access and above, to elevate their privileges to that of an administrator.
PLUGIN
Learning Management System
CVE-2026-4484
Risk Score
Threat Entry
Updated 2026-03-30
CVE-2026-4758 - Wp Job Portal Plugin
The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'WPJOBPORTALcustomfields::removeFileCustom' function in all versions up to, and including, 2.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
PLUGIN
Wp Job Portal
CVE-2026-4758
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2343 - Peprodev Ultimate Invoice Plugin
The PeproDev Ultimate Invoice WordPress plugin through 2.2.5 has a bulk download invoices action that generates ZIP archives containing exported invoice PDFs. The ZIP files are named predictably making it possible to brute force and retreive PII.
PLUGIN
Peprodev Ultimate Invoice
CVE-2026-2343
Risk Score
Threat Entry
Updated 2026-03-25
CVE-2026-4766 - Easy Image Gallery Plugin
The Easy Image Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Gallery shortcode post meta field in all versions up to, and including, 1.5.3. This is due to insufficient input sanitization and output escaping on user-supplied gallery shortcode values. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Easy Image Gallery
CVE-2026-4766
Risk Score
Threat Entry
Updated 2026-03-24
CVE-2026-4662 - Jet Engine Plugin
The JetEngine plugin for WordPress is vulnerable to SQL Injection via the `listing_load_more` AJAX action in all versions up to, and including, 3.8.6.1. This is due to the `filtered_query` parameter being excluded from the HMAC signature validation (allowing attacker-controlled input to bypass security checks) combined with the `prepare_where_clause()` method in the SQL Query Builder not sanitizing the `compare` operator before concatenating it into SQL statements. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from…
PLUGIN
Jet Engine
CVE-2026-4662
Risk Score
Threat Entry
Updated 2026-03-24
CVE-2026-4283 - Shapepress Dsgvo Plugin
The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to the `super-unsubscribe` AJAX action accepting a `process_now` parameter from unauthenticated users, which bypasses the intended email-confirmation flow and immediately triggers irreversible account anonymization. This makes it possible for unauthenticated attackers to permanently destroy any non-administrator user account (password randomized, username/email overwritten, roles stripped, comments anonymized, sensitive usermeta wiped) by submitting the victim's email address with `process_now=1`. The nonce required for the request is publicly…
PLUGIN
Shapepress Dsgvo
CVE-2026-4283
Risk Score