Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-03-23
CVE-2026-1390 - Redirect Countdown Plugin
The Redirect countdown plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the `countdown_settings_content()` function. This makes it possible for unauthenticated attackers to update the plugin settings including the countdown timeout, redirect URL, and custom text, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Redirect Countdown
CVE-2026-1390
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-1378 - Wp Posts Re Order Plugin
The WP Posts Re-order plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the `cpt_plugin_options()` function. This makes it possible for unauthenticated attackers to update the plugin settings including capability, autosort, and adminsort settings, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Wp Posts Re Order
CVE-2026-1378
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-1093 - Accordion Plugin For Gutenberg
The WPFAQBlock– FAQ & Accordion Plugin For Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' parameter of the 'wpfaqblock' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Accordion Plugin For Gutenberg
CVE-2026-1093
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-0609 - Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin
The Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image alt text in all versions up to, and including, 4.9.0 due to insufficient input sanitization and output escaping in the 'logo-slider' shortcode. This makes it possible for authenticated attackers, with author level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin
CVE-2026-0609
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-1247 - Survey Plugin
The Survey plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Survey
CVE-2026-1247
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-4302 - Next Gen Popup Maker Plugin
The WowOptin: Next-Gen Popup Maker plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.29. This is due to the plugin exposing a publicly accessible REST API endpoint (optn/v1/integration-action) with a permission_callback of __return_true that passes user-supplied URLs directly to wp_remote_get() and wp_remote_post() in the Webhook::add_subscriber() method without any URL validation or restriction. The plugin does not use wp_safe_remote_get/post which provide built-in SSRF protection. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application,…
PLUGIN
Next Gen Popup Maker
CVE-2026-4302
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-4083 - Scoreboard For Html5 Game Lite Plugin
The Scoreboard for HTML5 Games Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'scoreboard' shortcode in all versions up to, and including, 1.2. The shortcode function sfhg_shortcode() allows arbitrary HTML attributes to be added to the rendered element, with only a small blacklist of four attribute names (same_height_as, onload, onpageshow, onclick) being blocked. While the attribute names are passed through esc_html() and values through esc_attr(), this does not prevent injection of JavaScript event handler attributes like onfocus, onmouseover, onmouseenter, etc., because these attribute names and simple…
PLUGIN
Scoreboard For Html5 Game Lite
CVE-2026-4083
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3368 - Injection Guard Plugin
The Injection Guard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via malicious query parameter names in all versions up to and including 1.2.9. This is due to insufficient input sanitization in the sanitize_ig_data() function which only sanitizes array values but not array keys, combined with missing output escaping in the ig_settings.php template where stored parameter keys are echoed directly into HTML. When a request is made to the site, the plugin captures the query string via $_SERVER['QUERY_STRING'], applies esc_url_raw() (which preserves URL-encoded special characters like %22, %3E, %3C),…
PLUGIN
Injection Guard
CVE-2026-3368
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3516 - Contact List Plugin
The Contact List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_cl_map_iframe' parameter in all versions up to, and including, 3.0.18. This is due to insufficient input sanitization and output escaping when handling the Google Maps iframe custom field. The saveCustomFields() function in class-contact-list-custom-fields.php uses a regex to extract tags from user input but does not validate or sanitize the iframe's attributes, allowing event handlers like 'onload' to be included. The extracted iframe HTML is stored via update_post_meta() and later rendered on the front-end in class-cl-public-card.php without…
PLUGIN
Contact List
CVE-2026-3516
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3572 - Itracker360 Plugin
The iTracker360 plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in all versions up to and including 2.2.0. This is due to missing nonce verification on the settings form submission and insufficient input sanitization combined with missing output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
PLUGIN
Itracker360
CVE-2026-3572
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3567 - Computer Repair Shop Plugin
The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 4.1132. The plugin exposes two AJAX handlers that, when combined, allow any authenticated user to modify admin-level plugin settings. First, the wc_rb_get_fresh_nonce() function (registered via wp_ajax and wp_ajax_nopriv hooks) allows any user to generate a valid WordPress nonce for any arbitrary action name by simply providing the nonce_name parameter, with no capability checks. Second, the wc_rep_shop_settings_submission() function only verifies the nonce (wcrb_main_setting_nonce) but performs no current_user_can() capability…
PLUGIN
Computer Repair Shop
CVE-2026-3567
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3474 - EmailKit – Email Customizer for WooCommerce & WP Plugin
The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to arbitrary file read via path traversal in all versions up to, and including, 1.6.3. This is due to the action() function in the TemplateData class passing user-supplied input from the 'emailkit-editor-template' REST API parameter directly to file_get_contents() without any path validation, sanitization, or restriction to an allowed directory. This makes it possible for authenticated attackers, with Administrator-level access, to read arbitrary files on the server (such as /etc/passwd or wp-config.php) by supplying a traversal path.…
PLUGIN
EmailKit – Email Customizer for WooCommerce & WP
CVE-2026-3474
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3577 - Keep Backup Daily Plugin
The Keep Backup Daily plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the backup title alias (`val` parameter) in the `update_kbd_bkup_alias` AJAX action in all versions up to, and including, 2.1.2. This is due to insufficient input sanitization and output escaping. While `sanitize_text_field()` strips HTML tags on save, it does not encode double quotes. The backup titles are output in HTML attribute contexts without `esc_attr()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts via attribute injection that will execute…
PLUGIN
Keep Backup Daily
CVE-2026-3577
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3350 - Image Alt Text Manager – Bulk & Dynamic Alt Tags For image SEO Optimization + AI Plugin
The Image Alt Text Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.2. This is due to insufficient input sanitization and output escaping when dynamically generating image alt and title attributes using a DOM parser. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Image Alt Text Manager – Bulk & Dynamic Alt Tags For image SEO Optimization + AI
CVE-2026-3350
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3339 - Keep Backup Daily Plugin
The Keep Backup Daily plugin for WordPress is vulnerable to Limited Path Traversal in all versions up to, and including, 2.1.1 via the `kbd_open_upload_dir` AJAX action. This is due to insufficient validation of the `kbd_path` parameter, which is only sanitized with `sanitize_text_field()` - a function that does not strip path traversal sequences. This makes it possible for authenticated attackers, with Administrator-level access and above, to list the contents of arbitrary directories on the server outside of the intended uploads directory.
PLUGIN
Keep Backup Daily
CVE-2026-3339
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-2430 - Autoptimize Plugin
The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lazy-loading image processing in all versions up to, and including, 3.1.14. This is due to the use of an overly permissive regular expression in the `add_lazyload` function that replaces all occurrences of `\ssrc=` in image tags without limiting to the actual attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page by crafting an image tag where…
PLUGIN
Autoptimize
CVE-2026-2430
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-2352 - Autoptimize Plugin
The Autoptimize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ao_post_preload' meta value in all versions up to, and including, 3.1.14. This is due to insufficient input sanitization in the `ao_metabox_save()` function and missing output escaping when the value is rendered into a `` tag in `autoptimizeImages.php`. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, granted the "Image optimization" or "Lazy-load images" setting is enabled in…
PLUGIN
Autoptimize
CVE-2026-2352
Risk Score
Threat Entry
Updated 2026-03-23
CVE-2026-3584 - Kali Forms — Contact Form & Drag-and-Drop Builder Plugin
The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of 'call_user_func' on these placeholder values. This makes it possible for unauthenticated attackers to execute code on the server.
PLUGIN
Kali Forms — Contact Form & Drag-and-Drop Builder
CVE-2026-3584
Risk Score
Threat Entry
Updated 2026-03-20
CVE-2026-3550 - Ft Rockpress Plugin
The RockPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.17. This is due to missing capability checks on multiple AJAX actions (rockpress_import, rockpress_import_status, rockpress_last_import, rockpress_reset_import, and rockpress_check_services) combined with the plugin's nonce being exposed to all authenticated users via an unconditionally enqueued admin script. The plugin enqueues the 'rockpress-admin' script on all admin pages (including profile.php) without any page or capability restrictions, and the nonce for the 'rockpress-nonce' action is passed to this script via wp_localize_script. Since the AJAX handlers only verify…
PLUGIN
Ft Rockpress
CVE-2026-3550
Risk Score
Threat Entry
Updated 2026-03-20
CVE-2026-2421 - Ilghera Carta Docente For Woocommerce Plugin
The ilGhera Carta Docente for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.0 via the 'cert' parameter of the 'wccd-delete-certificate' AJAX action. This is due to insufficient file path validation before performing a file deletion. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, such as wp-config.php, which can make site takeover and remote code execution possible.
PLUGIN
Ilghera Carta Docente For Woocommerce
CVE-2026-2421
Risk Score