
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 14,712 | Critical: 880 | High: 2,932 | Medium: 10,703
Showing 281-300 of 14712 records
Threat Entry Updated 2026-05-12

CVE-2026-6710 - Skysa Text Ticker App Plugin

The Skysa Text Ticker App plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the SkysaApps_Admin_AppPage function. This makes it possible for unauthenticated attackers to modify the plugin's settings, including the scrolling message text and URL, via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Skysa Text Ticker App

CVE-2026-6710

MEDIUM CVSS 4.3 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-6709 - Coinbase Commerce For Contact Form 7 Plugin

The Coinbase Commerce for Contact Form 7 plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.1.2. This is due to a missing capability check and missing nonce verification in the save_settings() function, which is registered on the admin_post_cccf7_save_settings hook. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the plugin's Coinbase Commerce API key option (cccf7_api_key) via a crafted POST request to /wp-admin/admin-post.

PLUGIN Coinbase Commerce For Contact Form 7

CVE-2026-6709

MEDIUM CVSS 4.3 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-6690 - Lifepress Plugin

The LifePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'n' parameter of the lp_update_mds AJAX action in all versions up to, and including, 2.2.2. This is due to the `wp_ajax_nopriv_lp_update_mds` action being registered without nonce verification or capability checks, combined with insufficient input sanitization and output escaping when the series name is rendered in the admin settings page. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Lifepress

CVE-2026-6690

HIGH CVSS 7.2 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-6256 - Source Shortcode Plugin

The Credits Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' attribute of the 'credits' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Source Shortcode

CVE-2026-6256

MEDIUM CVSS 6.4 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-6247 - Scratchblocks For Wp Plugin

The scratchblocks for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'element' attribute of the 'scratchblocks' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Scratchblocks For Wp

CVE-2026-6247

MEDIUM CVSS 6.4 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-6237 - Quick Table Plugin

The Quick Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' attribute of the 'qtbl' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Quick Table

CVE-2026-6237

MEDIUM CVSS 6.4 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-5715 - Voyage Plus Plugin

The Voyage Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' attribute of the 'post-content' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Voyage Plus

CVE-2026-5715

MEDIUM CVSS 6.4 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-6663 - Graphic Web Design Inc Plugin

The GWD Connect plugin for WordPress is vulnerable to missing authorization to limited code execution in all versions up to, and including, 2.9. This is due to the plugin's standalone agent endpoints (gwd-backup.php and gwd-logs.php) not verifying authentication when the API key has not been configured, which is the default state. This makes it possible for unauthenticated attackers - on unregistered installations only, in certain environments - to execute arbitrary code on the server via the update_agent action, which writes attacker-supplied PHP code to the agent file.

PLUGIN Graphic Web Design Inc

CVE-2026-6663

MEDIUM CVSS 4.8 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-5028 - Eight Day Week Print Workflow Plugin

The Eight Day Week Print Workflow plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'title' parameter in the `pp-get-articles` AJAX action in all versions up to, and including, 1.2.6. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Eight Day Week Print Workflow

CVE-2026-5028

MEDIUM CVSS 6.5 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-5340 - Fancy Image Show Plugin

The Fancy Image Show plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `fancy-img-show` shortcode in all versions up to, and including, 9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Fancy Image Show

CVE-2026-5340

MEDIUM CVSS 6.4 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-4920 - Next Date Plugin

The Next Date plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Next Date

CVE-2026-4920

MEDIUM CVSS 6.4 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-4859 - Sp Blog Designer Plugin

The SP Blog Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'design' attribute of the `wpsbd_post_carousel` shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Sp Blog Designer

CVE-2026-4859

MEDIUM CVSS 6.4 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-5693 - Smart Appointment Booking Plugin

The Smart Appointment & Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and a nonce validation logic flaw in the saab_cancel_booking() function in all versions up to, and including, 1.0.8. The nonce check uses && (AND) instead of || (OR), which means providing any value for the security parameter causes the entire check to be skipped. This makes it possible for unauthenticated attackers to cancel arbitrary bookings by supplying a predictable booking ID.

PLUGIN Smart Appointment Booking

CVE-2026-5693

MEDIUM CVSS 5.3 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-4301 - Rate Star Review Plugin

The Rate Star Review Vote - AJAX Reviews, Votes, Star Ratings plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. The vwrsr_review() AJAX handler lacks both capability checks and nonce verification. The only access control is an is_user_logged_in() check. When the 'form' parameter is set to 'update', the function takes an arbitrary post ID from the user-supplied 'rating_id' GET parameter, sets it as the post ID in the update array, and passes it directly to wp_update_post(). This overwrites the target post's title, content,…

PLUGIN Rate Star Review

CVE-2026-4301

MEDIUM CVSS 4.3 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-2993 - Ai Copilot Content Generator Plugin

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.4.17 due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the existing SQL query in the getListForTbl() function. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: This issue is partially mitigated by a patch in version 1.4.11 that adds a nonce check for…

PLUGIN Ai Copilot Content Generator

CVE-2026-2993

HIGH CVSS 7.5 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-3604 - Wp Seo Structured Data Schema Plugin

The WP SEO Structured Data Schema plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `_kcseo_ative_tab` parameter in all versions up to, and including, 2.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Seo Structured Data Schema

CVE-2026-3604

MEDIUM CVSS 4.9 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-2300 - Bj Lazy Load Plugin

The BJ Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `filter_images()` function in all versions up to, and including, 1.0.9. This is due to the use of regex-based HTML processing (`preg_replace`) that does not properly handle HTML attribute boundaries when replacing `src` attributes, allowing crafted content inside a `class` attribute value to be promoted to real DOM attributes after processing. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user…

PLUGIN Bj Lazy Load

CVE-2026-2300

MEDIUM CVSS 6.4 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-6433 - Custom Css Js Php Plugin

The Custom css-js-php WordPress plugin through 2.0.7 does not properly sanitize user input before using it in a SQL query, and the result is passed to eval(), allowing unauthenticated users to execute arbitrary PHP code on the server.

PLUGIN Custom Css Js Php

CVE-2026-6433

HIGH CVSS 7.3 2026-05-11
Threat Entry Updated 2026-05-11

CVE-2026-8198 - Multisite Activity Log From Logtivity Plugin

The Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity plugin for WordPress is vulnerable to Authentication Bypass to Information Disclosure in versions up to, and including, 3.3.6. This is due to a logic flaw in the verifyAuthorization method where requests without an Authorization header skip Bearer token validation and fall through to an unconditional return true statement, bypassing all authentication checks. This makes it possible for unauthenticated attackers to access the /wp-json/logtivity/v1/options REST API endpoint and retrieve all plugin configuration options, including the logtivity_site_api_key which can be used…

PLUGIN Multisite Activity Log From Logtivity

CVE-2026-8198

MEDIUM CVSS 5.3 2026-05-09
Threat Entry Updated 2026-05-11

CVE-2026-7652 - Latepoint Plugin

The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0. This is due to the save_connected_wordpress_user() function propagating a LatePoint customer's email address to its linked WordPress user account via wp_update_user() without any ownership verification, combined with the guest booking flow's ability to overwrite an existing customer's email through phone-based merge without authentication. This makes it possible for unauthenticated attackers to overwrite the email address of a non-super-admin WordPress user account that…

PLUGIN Latepoint

CVE-2026-7652

MEDIUM CVSS 5.3 2026-05-09