Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-04-15
CVE-2026-1128 - Wp Ecommerce Plugin
The WP eCommerce WordPress plugin through 3.15.1 does not have CSRF check in place when deleting coupons, which could allow attackers to make a logged in admin remove them via a CSRF attack
PLUGIN
Wp Ecommerce
CVE-2026-1128
Risk Score
Threat Entry
Updated 2026-03-09
CVE-2026-2589 - Animation And Page Builder Blocks Plugin
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 12.8.3 via the automated Settings Backup stored in a publicly accessible file. This makes it possible for unauthenticated attackers to extract sensitive data including the configured OpenAI, Claude, Google Maps, Gemini, DeepSeek, and Cloudflare Turnstile API keys.
PLUGIN
Animation And Page Builder Blocks
CVE-2026-2589
Risk Score
Threat Entry
Updated 2026-03-09
CVE-2026-2593 - Greenshift – animation and page builder blocks Plugin
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `_gspb_post_css` post meta value and the `dynamicAttributes` block attribute in all versions up to, and including, 12.8.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Greenshift – animation and page builder blocks
CVE-2026-2593
Risk Score
Threat Entry
Updated 2026-03-05
CVE-2026-3459 - Drag And Drop Multiple File Upload Contact Form 7 Plugin
The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if the form includes a multiple file upload field with ‘*’ as the accepted file type.
PLUGIN
Drag And Drop Multiple File Upload Contact Form 7
CVE-2026-3459
Risk Score
Threat Entry
Updated 2026-03-05
CVE-2026-1720 - Create Stunning Popups And Optins For Lead Generation Plugin
The WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the 'install_and_active_plugin' function in all versions up to, and including, 1.4.24. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins.
PLUGIN
Create Stunning Popups And Optins For Lead Generation
CVE-2026-1720
Risk Score
Threat Entry
Updated 2026-03-05
CVE-2026-2599 - Contact Form Entries Plugin
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.7 via deserialization of untrusted input in the 'download_csv' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme…
PLUGIN
Contact Form Entries
CVE-2026-2599
Risk Score
Threat Entry
Updated 2026-03-05
CVE-2026-2893 - Page And Post Clone Plugin
The Page and Post Clone plugin for WordPress is vulnerable to SQL Injection via the 'meta_key' parameter in the content_clone() function in all versions up to, and including, 6.3. This is due to insufficient escaping on the user-supplied meta_key value and insufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The injection is second-order: the malicious payload is stored as…
PLUGIN
Page And Post Clone
CVE-2026-2893
Risk Score
Threat Entry
Updated 2026-03-05
CVE-2026-1321 - Restrict Content Plugin
The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.20. This is due to the `rcp_setup_registration_init()` function accepting any membership level ID via the `rcp_level` POST parameter without validating that the level is active or that payment is required. Combined with the `add_user_role()` method which assigns the WordPress role configured on the membership level without status checks, this makes it possible for unauthenticated attackers to register with any membership level, including inactive levels that grant privileged WordPress roles…
PLUGIN
Restrict Content
CVE-2026-1321
Risk Score
Threat Entry
Updated 2026-03-05
CVE-2026-3072 - Media Library Assistant Plugin
The Media Library Assistant plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the mla_update_compat_fields_action() function in all versions up to, and including, 3.33. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify taxonomy terms on arbitrary attachments.
PLUGIN
Media Library Assistant
CVE-2026-3072
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2418 - Login With Salesforce Plugin
The Login with Salesforce WordPress plugin through 1.0.2 does not validate that users are allowed to login through Salesforce, allowing unauthenticated users to be authenticated as any user (such as admin) by simply knowing the email
PLUGIN
Login With Salesforce
CVE-2026-2418
Risk Score
Threat Entry
Updated 2026-04-01
CVE-2026-22459 - WordPress CTA Plugin
Missing Authorization vulnerability in Blend Media WordPress CTA easy-sticky-sidebar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress CTA: from n/a through
PLUGIN
WordPress CTA
CVE-2026-22459
Risk Score
Threat Entry
Updated 2026-03-10
CVE-2026-22390 - Builderall Builder for WordPress Plugin
Improper Control of Generation of Code ('Code Injection') vulnerability in Builderall Builderall Builder for WordPress builderall-cheetah-for-wp allows Code Injection.This issue affects Builderall Builder for WordPress: from n/a through
PLUGIN
Builderall Builder for WordPress
CVE-2026-22390
Risk Score
Threat Entry
Updated 2026-03-05
CVE-2026-3523 - Apocalypse Meow Plugin
The Apocalypse Meow plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 22.1.0. This is due to a flawed logical operator in the type validation check on line 261 of ajax.php — the condition uses `&&` (AND) instead of `||` (OR), causing the `in_array()` validation to be short-circuited and never evaluated for any non-empty type value. Combined with `stripslashes_deep()` being called on line 101 which removes `wp_magic_quotes()` protection, attacker-controlled single quotes pass through unescaped into the SQL query on line…
PLUGIN
Apocalypse Meow
CVE-2026-3523
Risk Score
Threat Entry
Updated 2026-03-05
CVE-2026-2899 - Fluent Forms Pro Add On Pack Plugin
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.17. This is due to the `deleteFile()` method in the `Uploader` class lacking nonce verification and capability checks. The AJAX action is registered via `addPublicAjaxAction()` which creates both `wp_ajax_` and `wp_ajax_nopriv_` hooks. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments via the `attachment_id` parameter. Note: The researcher described file deletion via the `path` parameter using `sanitize_file_name()`, but the actual code uses `Protector::decrypt()` for…
PLUGIN
Fluent Forms Pro Add On Pack
CVE-2026-2899
Risk Score
Threat Entry
Updated 2026-03-05
CVE-2026-3034 - Ooohboi Steroids For Elementor Plugin
The OoohBoi Steroids for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _ob_spacerat_link, _ob_bbad_link, and _ob_teleporter_link URL parameters in all versions up to, and including, 2.1.24. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks on the injected element.
PLUGIN
Ooohboi Steroids For Elementor
CVE-2026-3034
Risk Score
Threat Entry
Updated 2026-03-05
CVE-2026-2365 - Fluent Forms Pro Add On Pack Plugin
The Fluent Forms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fluentform_step_form_save_data` AJAX action in all versions up to, and including, 6.1.17. This is due to the draft form submission endpoint being publicly accessible without authentication or nonce verification, combined with insufficient input sanitization and output escaping of form field data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views a partial form entry.
PLUGIN
Fluent Forms Pro Add On Pack
CVE-2026-2365
Risk Score
Threat Entry
Updated 2026-03-04
CVE-2026-2355 - My Calendar – Accessible Event Manager Plugin
The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `template` attribute of the `[my_calendar_upcoming]` shortcode in all versions up to, and including, 3.7.3. This is due to the use of `stripcslashes()` on user-supplied shortcode attribute values in the `mc_draw_template()` function, which decodes C-style hex escape sequences (e.g., `\x3c` to `
PLUGIN
My Calendar – Accessible Event Manager
CVE-2026-2355
Risk Score
Threat Entry
Updated 2026-03-31
CVE-2026-3058 - Seraphinite Accelerator Plugin
The Seraphinite Accelerator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.28.14 via the `seraph_accel_api` AJAX action with `fn=GetData`. This is due to the `OnAdminApi_GetData()` function not performing any capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive operational data including cache status, scheduled task information, and external database state.
PLUGIN
Seraphinite Accelerator
CVE-2026-3058
Risk Score
Threat Entry
Updated 2026-03-04
CVE-2026-3056 - Seraphinite Accelerator Plugin
The Seraphinite Accelerator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `seraph_accel_api` AJAX action with `fn=LogClear` in all versions up to, and including, 2.28.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the plugin's debug/operational logs.
PLUGIN
Seraphinite Accelerator
CVE-2026-3056
Risk Score
Threat Entry
Updated 2026-03-04
CVE-2026-1674 - And Custom Form Builder Plugin
The Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization within the save_gutena_forms_schema() function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to update option values to a structured array value on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or…
PLUGIN
And Custom Form Builder
CVE-2026-1674
Risk Score