Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-03-23
CVE-2026-3641 - Appmax Plugin
The Appmax plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 1.0.3. This is due to the plugin registering a public REST API webhook endpoint at /webhook-system without implementing webhook signature validation, secret verification, or any mechanism to authenticate that incoming webhook requests genuinely originate from the legitimate Appmax payment service. The plugin directly processes untrusted attacker-controlled input from the 'event' and 'data' parameters without verifying the webhook's authenticity. This makes it possible for unauthenticated attackers to craft malicious webhook payloads that can…
PLUGIN
Appmax
CVE-2026-3641
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3619 - Sheets2table Plugin
The Sheets2Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'titles' shortcode attribute in the [sheets2table-render-table] shortcode in all versions up to and including 0.4.1. This is due to insufficient input sanitization and output escaping. Specifically, the 'titles' attribute value from the shortcode is passed through S2T_Functions::trim_array_values() (which only trims whitespace) and then echoed directly into HTML via `echo $header` inside a tag in the display_table_header() function without any escaping such as esc_html(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject…
PLUGIN
Sheets2table
CVE-2026-3619
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3617 - Paypal Shortcodes Plugin
The Paypal Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'amount' and 'name' shortcode attributes in all versions up to, and including, 0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The swer_paypal_shortcode() function extracts shortcode attributes using extract() and shortcode_atts() at line 89, then directly concatenates the $name and $amount values into HTML input element value attributes at lines 105-106 without applying esc_attr() or any other escaping function. This makes it possible for authenticated attackers, with Contributor-level access and…
PLUGIN
Paypal Shortcodes
CVE-2026-3617
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3570 - Smarter Analytics Plugin
The Smarter Analytics plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.0. This is due to missing authentication and capability checks on the configuration reset functionality in the global scope of smarter-analytics.php. This makes it possible for unauthenticated attackers to reset all plugin configuration and delete all per-page/per-post analytics settings via the 'reset' parameter.
PLUGIN
Smarter Analytics
CVE-2026-3570
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3554 - Sherk Custom Post Type Displays Plugin
The Sherk Custom Post Type Displays plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in all versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping on the 'title' attribute of the 'sherkcptdisplays' shortcode. Specifically, in the sherkcptdisplays_func() function in includes/SherkCPTDisplaysShortcode.php, the 'title' attribute value is extracted from shortcode_atts() on line 19 and directly concatenated into an HTML tag on line 31 without any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to…
PLUGIN
Sherk Custom Post Type Displays
CVE-2026-3554
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3546 - E Shot Form Builder Plugin
The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.2. The eshot_form_builder_get_account_data() function is registered as a wp_ajax_ AJAX handler accessible to all authenticated users. The function lacks any capability check (e.g., current_user_can('manage_options')) and does not verify a nonce. It directly queries the database for the e-shot API token stored in the eshotformbuilder_control table and returns it along with all subaccount data as a JSON response. This makes it possible for authenticated attackers, with Subscriber-level access and above, to…
PLUGIN
E Shot Form Builder
CVE-2026-3546
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3506 - Wp Chatbot For Messenger Plugin
The WP-Chatbot for Messenger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the site's MobileMonkey API token and company ID options, which can be used to hijack chatbot configuration and redirect visitor conversations to an attacker-controlled MobileMonkey account.
PLUGIN
Wp Chatbot For Messenger
CVE-2026-3506
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3478 - Content Syndication Toolkit Plugin
The Content Syndication Toolkit plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3 via the redux_p AJAX action in the bundled ReduxFramework library. The plugin registers a proxy endpoint (wp_ajax_nopriv_redux_p) that is accessible to unauthenticated users. The proxy() method in the Redux_P class takes a URL directly from $_GET['url'] without any validation (the regex is set to /.*/ which matches all URLs) and passes it to wp_remote_request(), which does not have built-in SSRF protection like wp_safe_remote_request(). There is no authentication check, no…
PLUGIN
Content Syndication Toolkit
CVE-2026-3478
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3460 - Rest Api To Miniprogram Plugin
The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback (update_user_wechatshop_info_permissions_check) only validating that the supplied 'openid' parameter corresponds to an existing WordPress user, while the callback function (update_user_wechatshop_info) uses a separate, attacker-controlled 'userid' parameter to determine which user's metadata gets modified, with no verification that the 'openid' and 'userid' belong to the same user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary…
PLUGIN
Rest Api To Miniprogram
CVE-2026-3460
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3354 - Wikilookup Plugin
The Wikilookup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Popup Width' setting in all versions up to, and including, 1.1.5. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Wikilookup
CVE-2026-3354
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3347 - Multi Functional Flexi Lightbox Plugin
The Multi Functional Flexi Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `arv_lb[message]` parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This is due to the `arv_lb_options_val()` sanitize callback returning user input without any sanitization, and the stored `message` value being output in the `genLB()` function without escaping. This makes it possible for authenticated attackers, with Administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page or post with…
PLUGIN
Multi Functional Flexi Lightbox
CVE-2026-3347
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3353 - Comment Spam Wiper Plugin
The Comment SPAM Wiper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' setting in all versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Comment Spam Wiper
CVE-2026-3353
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3334 - Cms Commander Client Plugin
The CMS Commander plugin for WordPress is vulnerable to SQL Injection via the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in all versions up to, and including, 2.288. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL queries in the restore workflow. This makes it possible for authenticated attackers, with CMS Commander API key access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Cms Commander Client
CVE-2026-3334
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3333 - Minhnhut Link Gateway Plugin
The MinhNhut Link Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'linkgate' shortcode in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Minhnhut Link Gateway
CVE-2026-3333
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3335 - Canto Plugin
The Canto plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1 via the `/wp-content/plugins/canto/includes/lib/copy-media.php` file. This is due to the file being directly accessible without any authentication, authorization, or nonce checks, and the `fbc_flight_domain` and `fbc_app_api` URL components being accepted as user-supplied POST parameters rather than read from admin-configured options. Since the attacker controls both the destination server and the `fbc_app_token` value, the entire fetch-and-upload chain is attacker-controlled — the server never contacts Canto's legitimate API, and the uploaded file originates entirely from…
PLUGIN
Canto
CVE-2026-3335
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3332 - Xhanch – My Advanced Settings Plugin
The Xhanch - My Advanced Settings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation in the `xms_setting()` function on the settings update handler. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Settings that can be modified include favicon URL, Google Analytics account ID, and various WordPress behavior toggles. The `favicon_url`…
PLUGIN
Xhanch – My Advanced Settings
CVE-2026-3332
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3331 - Lobot Slider Administrator Plugin
The Lobot Slider Administrator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.6.0. This is due to missing or incorrect nonce validation on the fourty_slider_options_page function. This makes it possible for unauthenticated attackers to modify plugin slider-page configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Lobot Slider Administrator
CVE-2026-3331
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3003 - Vagaro Booking Widget Plugin
The Vagaro Booking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘vagaro_code’ parameter in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Vagaro Booking Widget
CVE-2026-3003
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-2941 - Linksy Search And Replace Plugin
The Linksy Search and Replace plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'linksy_search_and_replace_item_details' function in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to update any database table, any value, including the wp_capabilities database field, which allows attackers to change their own role to administrator, which leads to privilege escalation.
PLUGIN
Linksy Search And Replace
CVE-2026-2941
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-2723 - Post Snippits Plugin
The Post Snippits plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page handlers for saving, adding, and deleting snippets. This makes it possible for unauthenticated attackers to modify plugin settings and inject malicious scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Post Snippits
CVE-2026-2723
Risk Score