
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 14,712 · Critical: 880 · High: 2,932 · Medium: 10,703
Showing 421-440 of 14712 records
Threat Entry Updated 2026-04-24

CVE-2026-6393 - Betterdocs Plugin

The BetterDocs plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.3.11. This is due to a missing capability check in the generate_openai_content_callback() function, which relies solely on a nonce rather than verifying user permissions. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger OpenAI API calls using the site's configured API key with arbitrary user-controlled prompts, leading to unauthorized consumption of the site owner's paid AI API quota.

Plugin: Betterdocs · CVE-2026-6393 · MEDIUM, CVSS 4.3 · 2026-04-24
Threat Entry Updated 2026-04-24

CVE-2026-2028 - MaxiBlocks Builder | 17,000+ Design Assets, Patterns, Icons & Starter Sites Plugin

The MaxiBlocks Builder plugin for WordPress is vulnerable to arbitrary media file deletion due to insufficient file ownership validation on the 'maxi_remove_custom_image_size' AJAX action in all versions up to, and including, 2.1.8. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files in the wp-content/uploads directory, including files uploaded by other users and administrators.

Plugin: MaxiBlocks Builder | 17,000+ Design Assets, Patterns, Icons & Starter Sites · CVE-2026-2028 · MEDIUM, CVSS 5.3 · 2026-04-24
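As an added illustration of the ownership check the MaxiBlocks entry says is missing (this is not the plugin's code; the hook, parameter and function names are hypothetical), the handler below deletes a file only when the caller may delete that attachment under WordPress's own `delete_post` meta capability, the filename is one the attachment's metadata actually registers, and the resolved path stays inside the uploads directory:

```php
<?php
// Added illustration, not MaxiBlocks code. Hook, parameter and function names
// are hypothetical. Three checks, in order: request origin (nonce), object-level
// authorization (may THIS user delete THIS attachment), and path containment.

add_action( 'wp_ajax_example_remove_image_size', 'example_remove_image_size' );

function example_remove_image_size() {
    check_ajax_referer( 'example_remove_image_size', 'nonce' );

    $attachment_id = isset( $_POST['attachment_id'] ) ? absint( $_POST['attachment_id'] ) : 0;
    $file          = isset( $_POST['file'] ) ? sanitize_text_field( wp_unslash( $_POST['file'] ) ) : '';

    // delete_post is a meta capability: core maps it so an Author passes only for
    // attachments they own, while Editors and Administrators pass for anyone's.
    // A bare current_user_can( 'upload_files' ) would not give you that.
    if ( ! $attachment_id || ! current_user_can( 'delete_post', $attachment_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Accept only a filename that this attachment's metadata lists as a generated size,
    // so the caller cannot name an arbitrary file even within their own upload folder.
    $meta  = wp_get_attachment_metadata( $attachment_id );
    $sizes = isset( $meta['sizes'] ) ? wp_list_pluck( $meta['sizes'], 'file' ) : array();
    if ( empty( $meta['file'] ) || ! in_array( basename( $file ), $sizes, true ) ) {
        wp_send_json_error( 'unknown size', 400 );
    }

    // Belt and braces: resolve symlinks and ".." and require the result to sit under basedir.
    $upload_dir = wp_upload_dir();
    $base       = realpath( $upload_dir['basedir'] );
    $target     = realpath( trailingslashit( $upload_dir['basedir'] ) . dirname( $meta['file'] ) . '/' . basename( $file ) );
    if ( false === $base || false === $target || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'path outside uploads', 400 );
    }

    wp_delete_file( $target );
    wp_send_json_success( array( 'deleted' => basename( $target ) ) );
}
```

A quick pre-patch test for this class of bug: log in as an Author and send the delete request naming a size file that belongs to another user's attachment. A correct handler answers 403; the vulnerable one removes the file.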
Threat Entry Updated 2026-04-23

CVE-2026-5464 - ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)

The ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the 'onboarding_key' transient to any user with the 'exactmetrics_view_dashboard' capability. This key is the sole authorization gate for the '/wp-json/exactmetrics/v1/onboarding/connect-url' REST endpoint, which returns a one-time hash (OTH) token. This OTH token is then the only credential checked by the 'exactmetrics_connect_process' AJAX endpoint — which has no capability check, no nonce…

Plugin: ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) · CVE-2026-5464 · HIGH, CVSS 7.2 · 2026-04-23
Threat Entry Updated 2026-04-23

CVE-2026-4106 - Ht Mega Addons For Elementor Plugin

The HT Mega Addons for Elementor WordPress plugin before 3.0.7 contains an unauthenticated AJAX action returning some PII (such as full name, city, state and country) of customers who placed orders in the last 7 days.

Plugin: Ht Mega Addons For Elementor · CVE-2026-4106 · HIGH, CVSS 7.5 · 2026-04-23
Threat Entry Updated 2026-04-23

CVE-2026-4512 - Recaptcha By Webdesignby Plugin

The reCaptcha by WebDesignBy WordPress plugin before 2.0 does not sanitize or escape the Site Key setting before outputting it in a JavaScript string context via the grecaptcha_js() function. This allows administrators on multisite installations (who do not have the unfiltered_html capability) to inject arbitrary JavaScript that executes for all visitors to the WordPress login page.

Plugin: Recaptcha By Webdesignby · CVE-2026-4512 · LOW, CVSS 3.5 · 2026-04-23
Threat Entry Updated 2026-04-23

CVE-2026-3361 - Wp Store Locator Plugin

The WP Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpsl_address' post meta value in versions up to, and including, 2.2.261 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and opens an injected map marker info window.

Plugin: Wp Store Locator · CVE-2026-3361 · MEDIUM, CVSS 6.4 · 2026-04-23
Threat Entry Updated 2026-04-23

CVE-2026-3844 - Breeze Cache Plugin

The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability can only be exploited if "Host Files Locally - Gravatars" is enabled, which is disabled by default.

Plugin: Breeze Cache · CVE-2026-3844 · CRITICAL, CVSS 9.8 · 2026-04-23
Threat Entry Updated 2026-04-23

CVE-2026-2951 - Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor Plugin

The Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor · CVE-2026-2951 · MEDIUM, CVSS 5.4 · 2026-04-23
Threat Entry Updated 2026-04-23

CVE-2026-1923 - Social Rocket – Social Sharing Plugin

The Social Rocket – Social Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.3.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Social Rocket – Social Sharing Plugin · CVE-2026-1923 · MEDIUM, CVSS 6.4 · 2026-04-23
Threat Entry Updated 2026-04-22

CVE-2026-1930 - Emailchef Plugin

The Emailchef plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the page_options_ajax_disconnect() function in all versions up to, and including, 3.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's settings via the 'emailchef_disconnect' AJAX action.

Plugin: Emailchef · CVE-2026-1930 · MEDIUM, CVSS 4.3 · 2026-04-22
Threat Entry Updated 2026-04-22

CVE-2026-1913 - Gallagher Website Design Plugin

The Gallagher Website Design plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's login_link shortcode in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on the 'prefix' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Gallagher Website Design · CVE-2026-1913 · MEDIUM, CVSS 6.4 · 2026-04-22
Threat Entry Updated 2026-04-22

CVE-2026-1395 - Gutentools Plugin

The Gutentools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Slider block's block_id attribute in all versions up to, and including, 1.1.3. This is due to insufficient input sanitization and output escaping combined with a custom unescaping routine that reintroduces dangerous characters. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Gutentools · CVE-2026-1395 · MEDIUM, CVSS 6.4 · 2026-04-22
Threat Entry Updated 2026-04-22

CVE-2026-6235 - Sendmachine For Wordpress Plugin

The Sendmachine for WordPress plugin for WordPress is vulnerable to authorization bypass via the 'manage_admin_requests' function in all versions up to, and including, 1.0.20. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the plugin's SMTP configuration, which can be leveraged to intercept all outbound emails from the site (including password reset emails).

Plugin: Sendmachine For Wordpress · CVE-2026-6235 · CRITICAL, CVSS 9.8 · 2026-04-22
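The BetterDocs, Emailchef and Sendmachine entries above share one root cause: an AJAX callback that either checks nothing or checks only a nonce. A nonce defends against CSRF, not against an authenticated low-privilege user, who can read the nonce straight out of the admin page WordPress rendered for them. The following is an added example, not code from any of those plugins, with hypothetical hook, function and parameter names; it shows the nonce-only handler beside the corrected one:

```php
<?php
// Added illustration, not plugin code. Hook and function names are hypothetical.

// BEFORE: the nonce is verified, but every logged-in user reaches the paid action.
// A Subscriber can open wp-admin, view the page source and copy the nonce.
add_action( 'wp_ajax_example_generate_vuln', 'example_generate_vulnerable' );
function example_generate_vulnerable() {
    check_ajax_referer( 'example_generate', 'nonce' );      // CSRF protection only
    $prompt = sanitize_textarea_field( wp_unslash( $_POST['prompt'] ?? '' ) );
    wp_send_json_success( example_call_paid_api( $prompt ) );
}

// AFTER: nonce for CSRF, capability for authorization. Choose the narrowest
// capability that fits; manage_options confines this to administrators.
// Do not also register the callback on wp_ajax_nopriv_*: that hook serves
// logged-out visitors, which is one way a privileged action ends up reachable
// without any account at all.
add_action( 'wp_ajax_example_generate', 'example_generate_fixed' );
function example_generate_fixed() {
    check_ajax_referer( 'example_generate', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    $prompt = sanitize_textarea_field( wp_unslash( $_POST['prompt'] ?? '' ) );
    wp_send_json_success( example_call_paid_api( $prompt ) );
}

// Stand-in for the metered upstream call; the real HTTP request is not the point here.
function example_call_paid_api( $prompt ) {
    return array( 'prompt_length' => strlen( $prompt ) );
}
```

To audit a plugin for this pattern, list every `add_action( 'wp_ajax_…' )` and `add_action( 'wp_ajax_nopriv_…' )` registration and confirm that each callback calls `current_user_can()` (or a wrapper that does) before any write, any outbound request that costs money, or any change to mail or SMTP settings. A `check_ajax_referer()` or `wp_verify_nonce()` call on its own does not count.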
Threat Entry Updated 2026-04-22

CVE-2026-6246 - Simple Random Posts Shortcode Plugin

The Simple Random Posts Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'container_right_width' attribute of the 'simple_random_posts' shortcode in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Simple Random Posts Shortcode · CVE-2026-6246 · MEDIUM, CVSS 6.4 · 2026-04-22
Threat Entry Updated 2026-04-22

CVE-2026-6236 - Posts Map Plugin

The Posts map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' shortcode attribute in all versions up to, and including, 0.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Posts Map · CVE-2026-6236 · MEDIUM, CVSS 6.4 · 2026-04-22
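Two output contexts recur on this page: the reCaptcha by WebDesignBy entry prints a setting inside a JavaScript string, and the Gallagher Website Design, Simple Random Posts Shortcode and Posts Map entries echo shortcode attributes into HTML. The fix differs by context, and the added example below (not code from any of those plugins; option, shortcode and function names are hypothetical) shows both:

```php
<?php
// Added illustration, not code from any plugin on this page. Option, shortcode
// and function names are hypothetical.

// Context 1: a setting concatenated into an inline <script>. A value containing a
// single quote closes the JS string literal. esc_html()/esc_attr() are the wrong
// tool here: entities are not decoded inside <script>, so they corrupt the value
// instead of escaping it. wp_json_encode() emits a complete, quoted JS literal for
// any input and escapes "/" so a "</script>" inside the value cannot end the element.
function example_recaptcha_js_vulnerable() {
    $site_key = get_option( 'example_recaptcha_site_key', '' );
    return "<script>grecaptcha.render('rc', { sitekey: '" . $site_key . "' });</script>";
}

function example_recaptcha_js_fixed() {
    $site_key = get_option( 'example_recaptcha_site_key', '' );
    return '<script>grecaptcha.render("rc", { sitekey: ' . wp_json_encode( $site_key ) . ' });</script>';
}

// Sanitising on save is still worthwhile (a site key is printable ASCII), but it is
// not the control: sanitize_text_field() leaves a quote in place, so output encoding is.
register_setting( 'example_settings', 'example_recaptcha_site_key', array(
    'type'              => 'string',
    'sanitize_callback' => 'sanitize_text_field',
) );

// Context 2: a shortcode attribute echoed into an HTML attribute. A Contributor can
// put the shortcode in a draft; whoever previews or publishes it renders the payload.
// Coerce the type where the attribute has one (a width is a number) and escape for
// the attribute context on output. shortcode_atts() also discards attributes the
// shortcode does not declare, so unexpected names never reach the markup.
add_shortcode( 'example_random_posts', 'example_random_posts_shortcode' );
function example_random_posts_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'container_right_width' => '50', 'title' => '' ),
        $atts,
        'example_random_posts'
    );
    $width = absint( $atts['container_right_width'] );   // anything non-numeric becomes 0
    $title = sanitize_text_field( $atts['title'] );

    return '<div class="example-right" style="width:' . esc_attr( $width ) . '%">'
        . '<h3>' . esc_html( $title ) . '</h3>'
        . '</div>';
}
```

The rule of thumb: pick the escaper by where the bytes land (`esc_html()` in text, `esc_attr()` in an attribute, `esc_url()` in an href/src, `wp_json_encode()` in script), and do it at the point of output, because a value that was safe when saved may be rendered somewhere else later.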
Threat Entry Updated 2026-04-22

CVE-2026-6041 - Buzz Comments Plugin

The Buzz Comments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Custom Buzz Avatar' (buzz_comments_avatar_image) setting in all versions up to, and including, 0.9.4. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the plugin settings page.

Plugin: Buzz Comments · CVE-2026-6041 · MEDIUM, CVSS 4.4 · 2026-04-22
Threat Entry Updated 2026-04-22

CVE-2026-6396 - Fast & Fancy Filter – 3F Plugin

The Fast & Fancy Filter – 3F plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.2.2. This is due to missing nonce verification in the saveFields() function, which handles the fff_save_settins AJAX action. This makes it possible for unauthenticated attackers to modify plugin filter settings, update arbitrary options, or create new filter posts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Fast & Fancy Filter – 3F · CVE-2026-6396 · MEDIUM, CVSS 4.3 · 2026-04-22
Threat Entry Updated 2026-04-22

CVE-2026-6294 - Google Pagerank Display Plugin

The Google PageRank Display plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.4. This is due to missing nonce validation in the gpdisplay_option() function, which handles the plugin settings page. The settings form does not include a wp_nonce_field(), and the form handler does not call check_admin_referer() or wp_verify_nonce() before processing the POST request. This makes it possible for unauthenticated attackers to trick a logged-in administrator into submitting a crafted request that changes the plugin's settings (stored via update_option()), such as the display style…

Plugin: Google Pagerank Display · CVE-2026-6294 · MEDIUM, CVSS 4.3 · 2026-04-22
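Both CSRF entries above (Fast & Fancy Filter – 3F and Google PageRank Display) come down to a settings handler that never ties the POST to a form WordPress rendered for that administrator. As an added example (not code from either plugin; option, slug, nonce and function names are hypothetical), this is the minimal correct pattern for both a classic settings form and an AJAX save. The form emits a nonce field, the handler verifies it before `update_option()`, and the capability check stays because a nonce is not authorization:

```php
<?php
// Added illustration, not plugin code. Option, nonce and function names are hypothetical.

// Settings page: the form carries a nonce; the handler verifies it before writing.
function example_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }

    if ( isset( $_POST['example_submit'] ) ) {
        // Dies with "The link you followed has expired." when the nonce is absent,
        // stale, or was issued for a different user or action.
        check_admin_referer( 'example_save_settings', 'example_nonce' );
        $style = sanitize_key( wp_unslash( $_POST['display_style'] ?? 'text' ) );
        update_option( 'example_display_style', $style );
    }
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="text" name="display_style"
               value="<?php echo esc_attr( get_option( 'example_display_style', 'text' ) ); ?>">
        <?php submit_button( 'Save', 'primary', 'example_submit' ); ?>
    </form>
    <?php
}

// AJAX variant: hand the nonce to the script (wp_localize_script(), or wp_create_nonce()
// in a data attribute) and check it with check_ajax_referer(), which dies with "-1"
// and HTTP 403 on failure. Order matters: verify first, then authorize, then write.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_ajax' );
function example_save_settings_ajax() {
    check_ajax_referer( 'example_save_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $style = sanitize_key( wp_unslash( $_POST['display_style'] ?? 'text' ) );
    update_option( 'example_display_style', $style );
    wp_send_json_success( array( 'display_style' => $style ) );
}
```

The action string passed to `wp_nonce_field()` / `wp_create_nonce()` must be the same one given to `check_admin_referer()` / `check_ajax_referer()`; a mismatch fails closed, which is the right failure, but it is the most common reason a freshly added nonce "does not work."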
Threat Entry Updated 2026-04-22

CVE-2026-4280 - Breaking News Wp Plugin

The Breaking News WP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3. This is due to the brnwp_ajax_form AJAX endpoint lacking both authorization checks and CSRF verification, combined with insufficient path validation when the brnwp_theme option value is passed directly to an include() statement in the brnwp_show_breaking_news_wp() shortcode handler. While sanitize_text_field() is applied to user input, it does not strip directory traversal sequences (../). This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the brnwp_theme option…

Plugin: Breaking News Wp · CVE-2026-4280 · MEDIUM, CVSS 6.5 · 2026-04-22
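The Breaking News WP entry makes a point worth isolating: `sanitize_text_field()` is not a path validator. It strips tags, invalid UTF-8 and percent-encoded octets and collapses line breaks and extra whitespace, but `.`, `/` and `..` pass through untouched, so a value such as `../../wp-config` survives it unchanged. The added example below (not the plugin's code; option, hook, function and file names are hypothetical) keeps the stored option from ever reaching `include()` unvalidated by mapping it onto the closed set of theme files the plugin ships, and gates the write behind a nonce and a capability:

```php
<?php
// Added illustration, not Breaking News WP code. Option, hook, function and
// file names are hypothetical.

// The only theme files this plugin ships; anything else maps to 'default'.
function example_valid_theme( $name ) {
    $allowed = array( 'default', 'dark', 'ticker' );
    return in_array( $name, $allowed, true ) ? $name : 'default';
}

// UNSAFE: whatever was stored is spliced into a path and included.
// sanitize_text_field() on the way in does not help; "../" is left as is.
function example_render_vulnerable() {
    $theme = get_option( 'example_theme', 'default' );
    ob_start();
    include plugin_dir_path( __FILE__ ) . 'themes/' . $theme . '.php';
    return ob_get_clean();
}

// SAFE: the option selects from an allow-list; the path is built from the
// validated name, never from the raw stored value.
function example_render_fixed() {
    $theme = example_valid_theme( get_option( 'example_theme', 'default' ) );
    ob_start();
    include plugin_dir_path( __FILE__ ) . 'themes/' . $theme . '.php';
    return ob_get_clean();
}

// The write side: nonce (CSRF), capability (authorization), and the same
// allow-list so a bad value is never stored in the first place. sanitize_key()
// lowercases and strips everything but [a-z0-9_-], which alone removes "." and "/".
add_action( 'wp_ajax_example_save_theme', 'example_save_theme' );
function example_save_theme() {
    check_ajax_referer( 'example_save_theme', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $theme = example_valid_theme( sanitize_key( wp_unslash( $_POST['theme'] ?? '' ) ) );
    update_option( 'example_theme', $theme );
    wp_send_json_success( array( 'theme' => $theme ) );
}
```

Where the set of files is genuinely open-ended, the fallback is to `realpath()` the candidate and require the result to begin with `realpath( $themes_dir ) . DIRECTORY_SEPARATOR`; a traversal that resolves outside the directory then fails the prefix test, and a non-existent file fails because `realpath()` returns `false`.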
Threat Entry Updated 2026-04-22

CVE-2026-5820 - Zypento Blocks Plugin

The Zypento Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table of Contents block in all versions up to, and including, 1.0.6. This is due to the front-end TOC rendering script reading heading text via `innerText` and inserting it into the page using `innerHTML` without proper sanitization. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Zypento Blocks · CVE-2026-5820 · MEDIUM, CVSS 6.4 · 2026-04-22