Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 14,712 | Critical 880 | High 2,932 | Medium 10,703

Showing 341-360 of 14712 records
Threat Entry Updated 2026-05-05

CVE-2026-6702 - Publish 2 Pingfm Plugin

The Publish 2 Ping.fm plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the '/wp-admin/options-general.php?page=admin.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Publish 2 Pingfm

CVE-2026-6702

MEDIUM CVSS 6.1 2026-05-05
Threat Entry Updated 2026-05-05

CVE-2026-6696 - Zingaya Click To Call Plugin

The Zingaya Click-to-Call plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email', 'first_name', 'last_name', and 'phone' parameters on the plugin's sign-up admin page in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Zingaya Click To Call

CVE-2026-6696

MEDIUM CVSS 6.1 2026-05-05
Threat Entry Updated 2026-05-05

CVE-2026-6701 - Addfreespace Plugin

The addfreespace plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Addfreespace

CVE-2026-6701

MEDIUM CVSS 4.3 2026-05-05
Threat Entry Updated 2026-05-05

CVE-2026-6700 - Dx Sources Plugin

The DX Sources plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the settings_page_build function. This makes it possible for unauthenticated attackers to modify the plugin's configuration options via a forged request granted they can trick a logged-in site administrator into performing an action such as clicking on a link.

PLUGIN Dx Sources

CVE-2026-6700

MEDIUM CVSS 4.3 2026-05-05
Threat Entry Updated 2026-05-05

CVE-2026-5100 - Another Wordpress Classifieds Plugin

The AWP Classifieds plugin for WordPress is vulnerable to SQL Injection via the 'regions' parameter array keys in versions up to, and including, 4.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Another Wordpress Classifieds

CVE-2026-5100

HIGH CVSS 7.5 2026-05-05
Threat Entry Updated 2026-05-05

CVE-2026-4409 - Subscribe To Comments Reloaded Plugin

The Subscribe To Comments Reloaded plugin for WordPress is vulnerable to unauthorized modification of data due to a leaked secret key and usage of a weak hash generation algorithm in all versions up to, and including, 240119. This makes it possible for unauthenticated attackers to extract the global key from any public post page, forge authorization keys, and manage comment subscription preferences for arbitrary users.

PLUGIN Subscribe To Comments Reloaded

CVE-2026-4409

MEDIUM CVSS 6.5 2026-05-05
Threat Entry Updated 2026-05-05

CVE-2026-4730 - Charts Ninja Graphs And Charts Plugin

The Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'chartid' shortcode attribute in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Charts Ninja Graphs And Charts

CVE-2026-4730

MEDIUM CVSS 6.4 2026-05-05
Threat Entry Updated 2026-05-05

CVE-2026-2868 - Gutenverse Ultimate WordPress FSE Blocks Addons & Ecosystem Plugin

The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'separatorIconSVG' parameter in versions up to, and including, 3.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem

CVE-2026-2868

MEDIUM CVSS 6.4 2026-05-05
Threat Entry Updated 2026-05-05

CVE-2026-5247 - Post Expirator Plugin

The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper' attribute of the [futureaction] shortcode in all versions up to, and including, 4.10.0. This is due to insufficient input sanitization on the wrapper attribute. The plugin uses esc_html() to escape the value, but esc_html() only encodes HTML entities and does not prevent attribute injection when the value is used as an HTML tag name in a sprintf() call. An attacker can inject event handler attributes via spaces in the wrapper value.…

PLUGIN Post Expirator

CVE-2026-5247

MEDIUM CVSS 5.5 2026-05-05
Threat Entry Updated 2026-05-05

CVE-2026-1921 - Loco Translate Plugin

The Loco Translate plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.8.2 via the `fsReference` AJAX route. This is due to the `findSourceFile()` method normalizing user-supplied `ref` paths containing `../` directory traversal sequences without validating that the resolved path remains within the intended bundle or content directory. This makes it possible for authenticated attackers, with Translator-level access and above (custom `loco_admin` capability required, granted to the `translator` role and administrators by default), to read arbitrary `.php`, `.js`, `.json`, and `.twig` files from the…

PLUGIN Loco Translate

CVE-2026-1921

MEDIUM CVSS 4.9 2026-05-05
Threat Entry Updated 2026-05-05

CVE-2026-5722 - Smart Wishlist For More Convert Plugin

The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.9.14. This is due to the guest waitlist verification flow not invalidating or regenerating verification tokens when the customer email address is changed. This makes it possible for unauthenticated attackers to authenticate as existing users, including administrators, by obtaining a valid guest verification token for an attacker-controlled email, changing the same guest customer email to the target account email through the public waitlist flow, and then using the original verification link.

PLUGIN Smart Wishlist For More Convert

CVE-2026-5722

CRITICAL CVSS 9.8 2026-05-05
Threat Entry Updated 2026-05-26

CVE-2026-25863 - Cf7 Conditional Fields Plugin

Conditional Fields for Contact Form 7 WordPress plugin through version 2.7.2 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hide_hidden_mail_fields_regex_callback() method reads an iteration count directly from user-supplied POST parameters without validation or upper bound enforcement. Unauthenticated attackers can supply an arbitrarily large integer value through the REST API endpoint to cause unbounded loop execution with multiple preg_replace() operations, exhausting server memory and crashing the PHP process.

PLUGIN Cf7 Conditional Fields

CVE-2026-25863

HIGH CVSS 8.7 2026-05-04
Threat Entry Updated 2026-05-26

CVE-2026-41471 - Easy Paypal Events Tickets Plugin

The Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress post IDs through the scan_qr.php endpoint to harvest the complete set of orders stored in the database without requiring authentication or prior knowledge of specific order identifiers.

PLUGIN Easy Paypal Events Tickets

CVE-2026-41471

HIGH CVSS 8.2 2026-05-04
Threat Entry Updated 2026-05-13

CVE-2026-32834 - Easy Paypal Events Tickets Plugin

Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. Attackers can access the vulnerable endpoint via the add_wpeevent_button_qr action to retrieve sensitive order details including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information for any order with a known or guessed post ID.

PLUGIN Easy Paypal Events Tickets

CVE-2026-32834

HIGH CVSS 8.7 2026-05-04
Threat Entry Updated 2026-05-04

CVE-2026-5335 - Magic Export & Import Plugin

The Magic Export & Import WordPress plugin before 1.2.0 stores exported CSV files at a publicly accessible location, making it possible for any visitors to leak sensitive user information.

PLUGIN Magic Export & Import

CVE-2026-5335

MEDIUM CVSS 5.3 2026-05-04
Threat Entry Updated 2026-05-04

CVE-2026-5337 - Frontend File Manager Plugin

During the analysis, it was identified that authenticated attackers with Subscriber-level access or higher are able to perform an Insecure Direct Object Reference (IDOR) attack. This vulnerability exists because the Frontend File Manager Plugin WordPress plugin through 23.6 does not properly validate user authorization for the requested uploaded file when processing download requests. By modifying the value of the 'file_id' parameter in the download endpoint (e.g., http://localhost/?do=wpfm_download&file_id=40&nm_file_nonce=a36fb893f1), an attacker can access files belonging to other users, including privileged users such as administrators. This allows unauthorized access/read to sensitive data stored…

PLUGIN Frontend File Manager

CVE-2026-5337

MEDIUM CVSS 6.5 2026-05-03
Threat Entry Updated 2026-05-05

CVE-2026-5063 - Ultimate Forms Plugin

The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via POST parameter key names in the submit_nex_form() function in versions up to, and including, 9.1.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ultimate Forms

CVE-2026-5063

HIGH CVSS 7.2 2026-05-03
Threat Entry Updated 2026-05-05

CVE-2026-2554 - WCFM Frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible Plugin

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfm_delete_wcfm_customer' due to missing validation on the 'customerid' user controlled key. This makes it possible for authenticated attackers, with Vendor-level access and above, to delete arbitrary users, including Administrators.

PLUGIN WCFM – Frontend Manager For Woocommerce Along With Bookings Subscription Listings Compatible

CVE-2026-2554

HIGH CVSS 8.1 2026-05-02
Threat Entry Updated 2026-05-05

CVE-2026-0703 - Thank You Page For Woocommerce Plugin

The NextMove Lite – Thank You Page for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xlwcty_current_date' shortcode in all versions up to, and including, 2.23.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Thank You Page For Woocommerce

CVE-2026-0703

MEDIUM CVSS 6.4 2026-05-02
Threat Entry Updated 2026-05-05

CVE-2026-3504 - Ai Powered Woocommerce Multivendor Marketplace Solution Plugin

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.1 via the '/dokan/v1/stores/{id}/reviews' REST API endpoint. This is due to the 'prepare_reviews_for_response' method including reviewer email addresses, usernames, and user IDs in the API response. This makes it possible for unauthenticated attackers to extract email addresses, usernames, and user IDs of all customers who left reviews on any vendor's store. The Pro version of the plugin must be installed and activated, with store reviews enabled,…

PLUGIN Ai Powered Woocommerce Multivendor Marketplace Solution

CVE-2026-3504

MEDIUM CVSS 5.3 2026-05-02