"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 14,712
Critical: 880
High: 2,932
Medium: 10,703
Showing 261-280 of 14712 records
Threat Entry Updated 2026-05-13

CVE-2026-5371 - Google Analytics For Wordpress Plugin

The MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the get_ads_access_token() and reset_experience() functions in all versions up to, and including, 10.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve live Google OAuth access tokens and reset the plugin's Google Ads integration.

PLUGIN Google Analytics For Wordpress

CVE-2026-5371

HIGH CVSS 7.1 2026-05-12
Threat Entry Updated 2026-05-13

CVE-2026-1250 - Court Reservation Plugin

The Court Reservation – Manage Your Court Bookings Online plugin for WordPress is vulnerable to generic SQL Injection via the ‘id’ parameter in all versions up to, and including, 1.10.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Court Reservation

CVE-2026-1250

HIGH CVSS 7.5 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-45214 - Elementor Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Blind SQL Injection. This issue affects Xpro Elementor Addons: from n/a through

PLUGIN Elementor

CVE-2026-45214

HIGH CVSS 8.5 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-42742 - WPForms Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aman Views for WPForms views-for-wpforms-lite allows Blind SQL Injection. This issue affects Views for WPForms: from n/a through

PLUGIN WPForms

CVE-2026-42742

HIGH CVSS 8.5 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-6813 - Continually Plugin

The Continually plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Continually

CVE-2026-6813

MEDIUM CVSS 4.4 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-6800 - Fastbots Ai Chatbots Plugin

The FastBots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Fastbots Ai Chatbots

CVE-2026-6800

MEDIUM CVSS 4.4 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-1934 - Classified Listings Plugin

The Motors – Car Dealership & Classified Listings plugin for WordPress is vulnerable to Payment Bypass via insecure user meta update in all versions up to, and including, 1.4.103. This is due to the stm_save_user_extra_fields() function updating sensitive user meta fields from POST data without verifying that the current user should have permission to modify those fields. The function hooks into the 'personal_options_update' action and only checks current_user_can('edit_user', $user_id), which passes for any user editing their own profile. This makes it possible for authenticated attackers, with Subscriber-level access and above,…

PLUGIN Classified Listings

CVE-2026-1934

MEDIUM CVSS 4.3 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-7661 - Bootstrap Shortcode Plugin

The Bootstrap Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `box` shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Bootstrap Shortcode

CVE-2026-7661

MEDIUM CVSS 6.4 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-7659 - Advanced Social Media Icons Plugin

The Advanced Social Media Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `social` shortcode in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Advanced Social Media Icons

CVE-2026-7659

MEDIUM CVSS 6.4 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-7561 - Tm Wordpress Redirection Plugin

The Tm – WordPress Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Tm Wordpress Redirection

CVE-2026-7561

MEDIUM CVSS 6.1 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-7464 - Wp Google Maps Integration Plugin

The WP Google Maps Integration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `page` parameter in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.

PLUGIN Wp Google Maps Integration

CVE-2026-7464

MEDIUM CVSS 6.1 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-7437 - Azonpost Plugin

The AzonPost plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `editpos_hidden` parameter in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.

PLUGIN Azonpost

CVE-2026-7437

MEDIUM CVSS 6.1 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-7626 - Slek Gateway For Woocommerce Plugin

The Slek Gateway for WooCommerce plugin for WordPress is vulnerable to Information Exposure in version 1.0. This is due to the wsb_handle_slek_payment_redirect() function placing the merchant's slek_key and slek_secret API credentials directly into a client-side HTML form, and additionally embedding the slek_secret as a plaintext GET parameter in the IPN callback URL. This makes it possible for unauthenticated attackers who can place an order on the affected store to extract the merchant's API credentials by viewing the HTML source or using browser DevTools on the WooCommerce order-pay page before the…

PLUGIN Slek Gateway For Woocommerce

CVE-2026-7626

MEDIUM CVSS 5.3 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-7616 - Zawgyi Embed Plugin

The Zawgyi Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the zawgyi_adminpage function. This makes it possible for unauthenticated attackers to update the plugin's zawgyi_forceCSS setting by submitting a forged POST request to options-general.php?page=zawgyi_embed, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Zawgyi Embed

CVE-2026-7616

MEDIUM CVSS 4.3 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-7562 - Wp Redirection Plugin

The WP-Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.3. This is due to the absence of a nonce field in the admin settings form and the lack of any nonce verification (via check_admin_referer() or wp_verify_nonce()) in the displayWPRedirectionManagementPage() function before processing POST requests that add, edit, or delete URL redirection rules. This makes it possible for unauthenticated attackers to trick a logged-in administrator into clicking a crafted link, causing the attacker to create, modify, or delete redirection records in the…

PLUGIN Wp Redirection

CVE-2026-7562

MEDIUM CVSS 4.3 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-6913 - Shortcodely Plugin

The Shortcodely plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'widget_area' parameter in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Shortcodely

CVE-2026-6913

MEDIUM CVSS 6.4 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-6808 - Awesome Pricing Tables Lite By Optimalplugins

The Pricing Tables for WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.

PLUGIN Awesome Pricing Tables Lite By Optimalplugins

CVE-2026-6808

MEDIUM CVSS 6.1 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-6708 - Hel Online Classroom Plugin

The HEL Online Classroom: AI-powered Online Classrooms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.3. This is due to a missing capability check on a REST API endpoint registered with a permission_callback of '__return_true', which bypasses all WordPress authentication and authorization checks. This makes it possible for unauthenticated attackers to delete any classroom record by supplying its ID in the request, resulting in permanent data loss.

PLUGIN Hel Online Classroom

CVE-2026-6708

MEDIUM CVSS 5.3 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-7050 - Forms Rb Plugin

The Forms Rb plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to read form submission records, modify form configuration options, and delete records belonging to any form they do not own.

PLUGIN Forms Rb

CVE-2026-7050

MEDIUM CVSS 4.3 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-6932 - Woo Commerce Min Weight Plugin

The Woo Commerce Minimum Weight plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.0.1. This is due to missing nonce verification on the settings update handler in edit-weight.php. This makes it possible for unauthenticated attackers to modify the minimum order weight setting by tricking a site administrator into clicking a link or visiting an attacker-controlled page containing a forged POST request.

PLUGIN Woo Commerce Min Weight

CVE-2026-6932

MEDIUM CVSS 4.3 2026-05-12