Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-03-23
CVE-2026-3506 - Wp Chatbot For Messenger Plugin
The WP-Chatbot for Messenger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the site's MobileMonkey API token and company ID options, which can be used to hijack chatbot configuration and redirect visitor conversations to an attacker-controlled MobileMonkey account.
PLUGIN
Wp Chatbot For Messenger
CVE-2026-3506
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3478 - Content Syndication Toolkit Plugin
The Content Syndication Toolkit plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3 via the redux_p AJAX action in the bundled ReduxFramework library. The plugin registers a proxy endpoint (wp_ajax_nopriv_redux_p) that is accessible to unauthenticated users. The proxy() method in the Redux_P class takes a URL directly from $_GET['url'] without any validation (the regex is set to /.*/ which matches all URLs) and passes it to wp_remote_request(), which does not have built-in SSRF protection like wp_safe_remote_request(). There is no authentication check, no…
PLUGIN
Content Syndication Toolkit
CVE-2026-3478
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3460 - Rest Api To Miniprogram Plugin
The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback (update_user_wechatshop_info_permissions_check) only validating that the supplied 'openid' parameter corresponds to an existing WordPress user, while the callback function (update_user_wechatshop_info) uses a separate, attacker-controlled 'userid' parameter to determine which user's metadata gets modified, with no verification that the 'openid' and 'userid' belong to the same user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary…
PLUGIN
Rest Api To Miniprogram
CVE-2026-3460
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3354 - Wikilookup Plugin
The Wikilookup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Popup Width' setting in all versions up to, and including, 1.1.5. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Wikilookup
CVE-2026-3354
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3347 - Multi Functional Flexi Lightbox Plugin
The Multi Functional Flexi Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `arv_lb[message]` parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This is due to the `arv_lb_options_val()` sanitize callback returning user input without any sanitization, and the stored `message` value being output in the `genLB()` function without escaping. This makes it possible for authenticated attackers, with Administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page or post with…
PLUGIN
Multi Functional Flexi Lightbox
CVE-2026-3347
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3353 - Comment Spam Wiper Plugin
The Comment SPAM Wiper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' setting in all versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Comment Spam Wiper
CVE-2026-3353
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3334 - Cms Commander Client Plugin
The CMS Commander plugin for WordPress is vulnerable to SQL Injection via the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in all versions up to, and including, 2.288. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL queries in the restore workflow. This makes it possible for authenticated attackers, with CMS Commander API key access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Cms Commander Client
CVE-2026-3334
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3333 - Minhnhut Link Gateway Plugin
The MinhNhut Link Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'linkgate' shortcode in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Minhnhut Link Gateway
CVE-2026-3333
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3335 - Canto Plugin
The Canto plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1 via the `/wp-content/plugins/canto/includes/lib/copy-media.php` file. This is due to the file being directly accessible without any authentication, authorization, or nonce checks, and the `fbc_flight_domain` and `fbc_app_api` URL components being accepted as user-supplied POST parameters rather than read from admin-configured options. Since the attacker controls both the destination server and the `fbc_app_token` value, the entire fetch-and-upload chain is attacker-controlled — the server never contacts Canto's legitimate API, and the uploaded file originates entirely from…
PLUGIN
Canto
CVE-2026-3335
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3332 - Xhanch – My Advanced Settings Plugin
The Xhanch - My Advanced Settings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation in the `xms_setting()` function on the settings update handler. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Settings that can be modified include favicon URL, Google Analytics account ID, and various WordPress behavior toggles. The `favicon_url`…
PLUGIN
Xhanch – My Advanced Settings
CVE-2026-3332
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3331 - Lobot Slider Administrator Plugin
The Lobot Slider Administrator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.6.0. This is due to missing or incorrect nonce validation on the fourty_slider_options_page function. This makes it possible for unauthenticated attackers to modify plugin slider-page configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Lobot Slider Administrator
CVE-2026-3331
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3003 - Vagaro Booking Widget Plugin
The Vagaro Booking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘vagaro_code’ parameter in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Vagaro Booking Widget
CVE-2026-3003
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-2941 - Linksy Search And Replace Plugin
The Linksy Search and Replace plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'linksy_search_and_replace_item_details' function in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to update any database table, any value, including the wp_capabilities database field, which allows attackers to change their own role to administrator, which leads to privilege escalation.
PLUGIN
Linksy Search And Replace
CVE-2026-2941
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-2723 - Post Snippits Plugin
The Post Snippits plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page handlers for saving, adding, and deleting snippets. This makes it possible for unauthenticated attackers to modify plugin settings and inject malicious scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Post Snippits
CVE-2026-2723
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-2837 - Ricerca – advanced search Plugin
The Ricerca – advanced search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's settings in all versions up to, and including, 1.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Ricerca – advanced search
CVE-2026-2837
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-2720 - Hr Press Lite Plugin
The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of sensitive employee data due to a missing capability check on the `hrp-fetch-employees` AJAX action in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive employee information including names, email addresses, phone numbers, salary/pay rates, employment dates, and employment status.
PLUGIN
Hr Press Lite
CVE-2026-2720
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-2503 - Element Camp Plugin
The ElementCamp plugin for WordPress is vulnerable to time-based SQL Injection via the 'meta_query[compare]' parameter in the 'tcg_select2_search_post' AJAX action in all versions up to, and including, 2.3.6. This is due to the user-supplied compare value being placed as an SQL operator in the query without validation against an allowlist of comparison operators. The value is passed through esc_sql(), but since the payload operates as an operator (not inside quotes), esc_sql() has no effect on payloads that don't contain quote characters. This makes it possible for authenticated attackers, with Author-level…
PLUGIN
Element Camp
CVE-2026-2503
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-2501 - Ed's Social Share Plugin
The Ed's Social Share plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `social_share` shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ed's Social Share
CVE-2026-2501
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-2496 - Ed's Font Awesome Plugin
The Ed's Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `eds_font_awesome` shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ed's Font Awesome
CVE-2026-2496
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-2468 - Quentn Wp Plugin
The Quentn WP plugin for WordPress is vulnerable to SQL Injection via the 'qntn_wp_access' cookie in all versions up to, and including, 1.2.12. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the `get_user_access()` method. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Quentn Wp
CVE-2026-2468
Risk Score