Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-03-18
CVE-2026-4268 - Wp Google Maps Plugin
The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpgmza_custom_js’ parameter in all versions up to, and including, 10.0.05 due to insufficient input sanitization and output escaping and missing capability check in the 'admin_post_wpgmza_save_settings' hook anonymous function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Google Maps
CVE-2026-4268
Risk Score
Threat Entry
Updated 2026-03-17
CVE-2026-2373 - Addons And Templates Kit For Elementor Plugin
The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.1049 via the get_main_query_args() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract contents of non-public custom post types, such as Contact Form 7 submissions or WooCommerce coupons.
PLUGIN
Addons And Templates Kit For Elementor
CVE-2026-2373
Risk Score
Threat Entry
Updated 2026-03-17
CVE-2026-2579 - Product Blocks Plugin
The WowStore – Store Builder & Product Blocks for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the ‘search’ parameter in all versions up to, and including, 4.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Product Blocks
CVE-2026-2579
Risk Score
Threat Entry
Updated 2026-03-16
CVE-2026-2233 - User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration Plugin
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the draft_post() function in all versions up to, and including, 4.2.8. This makes it possible for unauthenticated attackers to modify arbitrary posts (e.g. unpublish published posts and overwrite the contents) via the 'post_id' parameter.
PLUGIN
User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration
CVE-2026-2233
Risk Score
Threat Entry
Updated 2026-03-16
CVE-2026-1947 - NEX-Forms – Ultimate Forms Plugin for WordPress
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 9.1.9 via the submit_nex_form() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to to overwrite arbitrary form entries via the 'nf_set_entry_update_id' parameter.
PLUGIN
NEX-Forms – Ultimate Forms Plugin for WordPress
CVE-2026-1947
Risk Score
Threat Entry
Updated 2026-03-16
CVE-2026-1948 - NEX-Forms – Ultimate Forms Plugin for WordPress
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_license() function in all versions up to, and including, 9.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to to deactivate the plugin license.
PLUGIN
NEX-Forms – Ultimate Forms Plugin for WordPress
CVE-2026-1948
Risk Score
Threat Entry
Updated 2026-03-16
CVE-2026-1883 - And Custom Post Types Plugin
The Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.1.0 via the delete_folders() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders created by other users.
PLUGIN
And Custom Post Types
CVE-2026-1883
Risk Score
Threat Entry
Updated 2026-03-16
CVE-2026-1870 - Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor Plugin
The Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor plugin for WordPress is vulnerable to unauthorized access of data due to a missing validation checks on the 'thim-ekit/archive-course/get-courses' REST endpoint callback function in all versions up to, and including, 1.3.7. This makes it possible for unauthenticated attackers to disclose private or draft LearnPress course content by supplying post_status in the params_url payload.
PLUGIN
Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor
CVE-2026-1870
Risk Score
Threat Entry
Updated 2026-03-16
CVE-2026-4063 - Social Icons Widget & Block – Social Media Icons & Share Buttons Plugin
The Social Icons Widget & Block by WPZOOM plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in the add_menu_item() method hooked to admin_menu in all versions up to, and including, 4.5.8. This is due to the method performing wp_insert_post() and update_post_meta() calls to create a sharing configuration without verifying the current user has administrator-level capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the creation of a published wpzoom-sharing configuration post with default sharing button settings, which…
PLUGIN
Social Icons Widget & Block – Social Media Icons & Share Buttons
CVE-2026-4063
Risk Score
Threat Entry
Updated 2026-03-16
CVE-2026-3986 - Calculated Fields Form Plugin
The Calculated Fields Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form settings in all versions up to, and including, 5.4.5.0. This is due to insufficient capability checks on the form settings save handler and insufficient input sanitization of the `fcontent` field in `fhtml` field types. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Calculated Fields Form
CVE-2026-3986
Risk Score
Threat Entry
Updated 2026-03-16
CVE-2026-3891 - Pix For Woocommerce Plugin
The Pix for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing capability check and missing file type validation in the 'lkn_pix_for_woocommerce_c6_save_settings' function in all versions up to, and including, 1.5.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Pix For Woocommerce
CVE-2026-3891
Risk Score
Threat Entry
Updated 2026-03-16
CVE-2026-3045 - Simply Schedule Appointments Plugin
The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to and including 1.6.9.29. This is due to two compounding weaknesses: (1) a non-user-bound `public_nonce` is exposed to unauthenticated users through the public `/wp-json/ssa/v1/embed-inner` REST endpoint, and (2) the `get_item()` method in `SSA_Settings_Api` relies on `nonce_permissions_check()` for authorization (which accepts the public nonce) but does not call `remove_unauthorized_settings_for_current_user()` to filter restricted fields. This makes it possible for unauthenticated attackers to access admin-only plugin settings including the administrator…
PLUGIN
Simply Schedule Appointments
CVE-2026-3045
Risk Score
Threat Entry
Updated 2026-03-16
CVE-2026-32412 - Gift Up Gift Cards for WordPress and WooCommerce Plugin
Server-Side Request Forgery (SSRF) vulnerability in Gift Up! Gift Up Gift Cards for WordPress and WooCommerce gift-up allows Server Side Request Forgery.This issue affects Gift Up Gift Cards for WordPress and WooCommerce: from n/a through
PLUGIN
Gift Up Gift Cards for WordPress and WooCommerce
CVE-2026-32412
Risk Score
Threat Entry
Updated 2026-03-16
CVE-2026-32409 - Forminator Plugin
Missing Authorization vulnerability in WPMU DEV - Your All-in-One WordPress Platform Forminator forminator allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Forminator: from n/a through
PLUGIN
Forminator
CVE-2026-32409
Risk Score
Threat Entry
Updated 2026-03-16
CVE-2026-2890 - Formidable Forms Plugin
The Formidable Forms plugin for WordPress is vulnerable to a payment integrity bypass in all versions up to, and including, 6.28. This is due to the Stripe Link return handler (`handle_one_time_stripe_link_return_url`) marking payment records as complete based solely on the Stripe PaymentIntent status without comparing the intent's charged amount against the expected payment amount, and the `verify_intent()` function validating only client secret ownership without binding intents to specific forms or actions. This makes it possible for unauthenticated attackers to reuse a PaymentIntent from a completed low-value payment to mark a…
PLUGIN
Formidable Forms
CVE-2026-2890
Risk Score
Threat Entry
Updated 2026-03-16
CVE-2026-2879 - GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools Plugin
The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2. This is due to missing validation on the `id` parameter in the `create()` method of the `GetGenieChat` REST API endpoint. The method accepts a user-controlled post ID and, when a post with that ID exists, calls `wp_update_post()` without verifying that the current user owns the post or that the post is of the expected `getgenie_chat` type. This makes it possible for authenticated attackers, with Author-level access and above, to overwrite…
PLUGIN
GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools
CVE-2026-2879
Risk Score
Threat Entry
Updated 2026-03-16
CVE-2026-2888 - Formidable Forms Plugin
The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass through user-controlled key in all versions up to, and including, 6.28. This is due to the `frm_strp_amount` AJAX handler (`update_intent_ajax`) overwriting the global `$_POST` data with attacker-controlled JSON input and then using those values to recalculate payment amounts via field shortcode resolution in `generate_false_entry()`. The handler relies on a nonce that is publicly exposed in the page's JavaScript (`frm_stripe_vars.nonce`), which provides CSRF protection but not authorization. This makes it possible for unauthenticated attackers to manipulate PaymentIntent amounts before…
PLUGIN
Formidable Forms
CVE-2026-2888
Risk Score
Threat Entry
Updated 2026-03-16
CVE-2026-2257 - GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools Plugin
The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2 due to missing validation on a user controlled key in the `action` function. This makes it possible for authenticated attackers, with Author-level access and above, to update post metadata for arbitrary posts. Combined with a lack of input sanitization, this leads to Stored Cross-Site Scripting when a higher-privileged user (such as an Administrator) views the affected post's "Competitor" tab in the GetGenie sidebar.
PLUGIN
GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools
CVE-2026-2257
Risk Score
Threat Entry
Updated 2026-03-17
CVE-2026-22210 - Wpdiscuz Plugin
wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through unescaped attachment URLs in HTML output by exploiting the WpdiscuzHelperUpload class. Attackers can craft malicious attachment records or filter hooks to inject arbitrary JavaScript into img and anchor tag attributes, executing code in the context of WordPress users viewing comments.
PLUGIN
Wpdiscuz
CVE-2026-22210
Risk Score
Threat Entry
Updated 2026-03-16
CVE-2026-1704 - Simply Schedule Appointments Plugin
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.9.29. This is due to the `get_item_permissions_check` method granting access to users with the `ssa_manage_appointments` capability without validating staff ownership of the requested appointment. This makes it possible for authenticated attackers, with custom-level access and above (users granted the ssa_manage_appointments capability, such as Team Members), to view appointment records belonging to other staff members and access sensitive customer personally identifiable information via the…
PLUGIN
Simply Schedule Appointments
CVE-2026-1704
Risk Score