
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 14,202 | Critical 852 | High 2,807 | Medium 10,348
Showing 541-560 of 14202 records
Threat Entry Updated 2026-04-15

CVE-2026-2471 - Wp Mail Logging Plugin

The WP Mail Logging plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.15.0 via deserialization of untrusted input from the email log message field. This is due to the `BaseModel` class constructor calling `maybe_unserialize()` on all properties retrieved from the database without validation. This makes it possible for unauthenticated attackers to inject a PHP Object by submitting a double-serialized payload through any public-facing form that sends email (e.g., Contact Form 7). When the email is logged and subsequently viewed by an administrator,…

Plugin: Wp Mail Logging | CVE-2026-2471 | HIGH, CVSS 7.5, 2026-02-28
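The entry above describes the general PHP object injection pattern: a model constructor that calls `maybe_unserialize()` on every column it reads back, including a free-text message that an anonymous visitor typed into a public form. The script below is an added example, not WP Mail Logging's code, and does not reproduce the double-serialization encoding the advisory mentions. It uses a simplified stand-in for WordPress core's `is_serialized()`/`maybe_unserialize()`, a hypothetical gadget class (`LogFlusher`) in place of whatever class a real site would offer, and a constructed database row; it shows the string becoming a live object whose destructor runs, then the two fixes: never unserialize free-text columns, and pass `['allowed_classes' => false]` where unserialization is genuinely needed.

```php
<?php
declare(strict_types=1);
// Added example (not WP Mail Logging's code): maybe_unserialize() over every
// column of a row lets a free-text column become an object.

// Simplified stand-in for WordPress core's is_serialized() (the real one in
// wp-includes/functions.php is stricter; this suffices for the demonstration).
function looks_serialized(string $data): bool
{
    return (bool) preg_match('/^(?:[aOsid]:|b:[01];|N;)/', trim($data));
}

// Vulnerable behaviour: anything that looks serialized is unserialized with
// class instantiation allowed, so a string can become a live object.
function maybe_unserialize_unsafe(string $data): mixed
{
    return looks_serialized($data) ? @unserialize($data) : $data;
}

// Hardened: no objects can be created; an O:... payload degrades to
// __PHP_Incomplete_Class, whose __wakeup/__destruct never run.
function maybe_unserialize_safe(string $data): mixed
{
    if (!looks_serialized($data)) {
        return $data;
    }
    $value = @unserialize($data, ['allowed_classes' => false]);
    return $value === false ? $data : $value;
}

// Hypothetical gadget standing in for a class from the site's code base whose
// destructor has a side effect (a real gadget would touch files or the DB).
final class LogFlusher
{
    public string $path = '';
    public function __destruct()
    {
        $GLOBALS['gadget_calls'][] = "flush {$this->path}";
    }
}

// Columns that legitimately hold serialized arrays; everything else is plain text.
const STRUCTURED_COLUMNS = ['attachments' => true];

function hydrate_row(array $row, bool $hardened): array
{
    $props = [];
    foreach ($row as $column => $value) {
        if (!$hardened) {
            $props[$column] = maybe_unserialize_unsafe($value);   // every column, as in the advisory
        } elseif (isset(STRUCTURED_COLUMNS[$column])) {
            $props[$column] = maybe_unserialize_safe($value);     // known structured column only
        } else {
            $props[$column] = $value;                             // free text stays text
        }
    }
    return $props;
}

$GLOBALS['gadget_calls'] = [];

// Constructed DB row: the message is exactly what an anonymous visitor typed into
// a public form. The string is serialize() output for a LogFlusher written out by
// hand, so no object exists before the row is loaded.
$row = [
    'id'          => '42',
    'subject'     => 'Contact form',
    'message'     => 'O:10:"LogFlusher":1:{s:4:"path";s:6:"/tmp/x";}',
    'attachments' => 'a:0:{}',
];

$entry = hydrate_row($row, false);
var_dump($entry['message'] instanceof LogFlusher);  // bool(true): object built from untrusted text
unset($entry);                                       // destructor runs as the object is released
print_r($GLOBALS['gadget_calls']);                   // [0] => flush /tmp/x

$entry = hydrate_row($row, true);
var_dump(is_string($entry['message']));              // bool(true): left as text
var_dump($entry['attachments']);                     // array(0) {}
```

Run with `php` 8 or later from the command line; the gadget here only records that it was called, but the point is that the destructor ran at all, on an object the attacker chose, before any administrator looked at the log.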
Threat Entry Updated 2026-04-15

CVE-2026-1542 - Super Stage Wp Plugin

The Super Stage WP WordPress plugin through 1.0.1 unserializes user input via REQUEST, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.

Plugin: Super Stage Wp | CVE-2026-1542 | MEDIUM, CVSS 6.5, 2026-02-28
Threat Entry Updated 2026-04-15

CVE-2026-27759 - Featured Image From Content Plugin

Featured Image from Content (featured-image-from-content) WordPress plugin versions prior to 1.7 contain an authenticated server-side request forgery vulnerability that allows Author-level users to fetch internal HTTP resources. Attackers can exploit insecure URL fetching and file write operations to retrieve sensitive internal data and store it in web-accessible upload directories.

Plugin: Featured Image From Content | CVE-2026-27759 | MEDIUM, CVSS 5.3, 2026-02-27
Threat Entry Updated 2026-03-02

CVE-2026-3327 - Commit Plugin

Authenticated Iframe Injection in Dato CMS Web Previews plugin. This vulnerability permits a malicious authenticated user to circumvent the restriction enforced on the configured frontend URL, enabling the loading of arbitrary external resources or origins. This issue affects Web Previews < v1.0.31.

Plugin: Commit | CVE-2026-3327 | MEDIUM, CVSS 4.8, 2026-02-27
Threat Entry Updated 2026-03-02

CVE-2026-2751 - Centreon Web On Central Server Plugin

Blind SQL Injection via unsanitized array keys in Service Dependencies deletion. A vulnerability in Centreon Web on Central Server on Linux (Service Dependencies module) allows Blind SQL Injection. This issue affects Centreon Web on Central Server before 25.10.8, 24.10.20 and 24.04.24 on their respective release branches.

Plugin: Centreon Web On Central Server | CVE-2026-2751 | HIGH, CVSS 8.3, 2026-02-27
Threat Entry Updated 2026-04-15

CVE-2026-2831 - Mailarchiver Plugin

The MailArchiver plugin for WordPress is vulnerable to SQL Injection via the 'logid' parameter in all versions up to, and including, 4.5.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Mailarchiver | CVE-2026-2831 | MEDIUM, CVSS 4.9, 2026-02-27
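The Centreon entry (unsanitized array keys) and the MailArchiver entry (an unprepared 'logid' parameter) are two routes by which an integer identifier reaches SQL as text. The script below is an added example written for this page, not code from either product. It uses PDO with an in-memory SQLite database (the `pdo_sqlite` extension is assumed), a constructed `records` table, and constructed request data; the array-key case matters because a form that posts `select[<id>]=1` typically validates the value and never looks at the key, which PHP keeps as an arbitrary string whenever it is not numeric.

```php
<?php
declare(strict_types=1);
// Added example (not Centreon's or MailArchiver's code): array keys and a scalar
// parameter reaching SQL unprepared, each beside a parameterised form.

function fresh_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
    $db->exec("INSERT INTO records VALUES (1,'svc-a','k1'), (2,'svc-b','k2'), (3,'svc-c','k3')");
    return $db;
}

function row_count(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM records')->fetchColumn();
}

// Vulnerable: the form posts select[<id>]=1; the value is checked, the key is
// pasted into the statement. A numeric key is an int, anything else stays a string.
function delete_selected_vulnerable(PDO $db, array $selected): string
{
    $ids = [];
    foreach ($selected as $id => $flag) {
        if ($flag === '1') {
            $ids[] = $id;
        }
    }
    $sql = 'DELETE FROM records WHERE id IN (' . implode(',', $ids) . ')';
    $db->exec($sql);
    return $sql;
}

// Hardened: every key must be a positive integer, and the values are bound.
function delete_selected_hardened(PDO $db, array $selected): string
{
    $ids = [];
    foreach ($selected as $id => $flag) {
        if ($flag !== '1') {
            continue;
        }
        $clean = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($clean === false) {
            throw new InvalidArgumentException("rejected id key: $id");
        }
        $ids[] = $clean;
    }
    if ($ids === []) {
        return '';
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM records WHERE id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->queryString;
}

// Vulnerable: a scalar request parameter interpolated into the query text.
function get_name_vulnerable(PDO $db, string $logid): array
{
    return $db->query("SELECT name FROM records WHERE id = $logid")->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: validate the type, then bind it as an integer.
function get_name_hardened(PDO $db, string $logid): array
{
    $id = filter_var($logid, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException("rejected logid: $logid");
    }
    $stmt = $db->prepare('SELECT name FROM records WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed requests: the payload rides in the checkbox *name* and in logid.
$posted = ['2) OR 1=1 --' => '1'];
$logid  = '1 UNION SELECT secret FROM records';

$db = fresh_db();
echo delete_selected_vulnerable($db, $posted), "\n";   // DELETE FROM records WHERE id IN (2) OR 1=1 --)
echo row_count($db), " rows left\n";                    // 0 rows left: every record deleted

$db = fresh_db();
print_r(get_name_vulnerable($db, $logid));              // svc-a plus k1, k2, k3: secrets leaked

try {
    delete_selected_hardened($db, $posted);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";                        // rejected id key: 2) OR 1=1 --
}
try {
    get_name_hardened($db, $logid);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";                        // rejected logid: 1 UNION SELECT secret FROM records
}
print_r(get_name_hardened($db, '1'));                   // svc-a only
```

In a WordPress plugin the hardened forms map onto `$wpdb->prepare()` with `%d` placeholders; the shape is the same: reject non-integers early and never let the identifier touch the query string.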
Threat Entry Updated 2026-02-27

CVE-2025-14142 - Electric Enquiries Plugin

The Electric Enquiries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button' parameter of the electric-enquiry shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Electric Enquiries | CVE-2025-14142 | MEDIUM, CVSS 6.4, 2026-02-27
Threat Entry Updated 2026-04-15

CVE-2026-1305 - Japanized For Woocommerce Plugin

The Japanized for WooCommerce plugin for WordPress is vulnerable to Improper Authentication in versions up to, and including, 2.8.4. This is due to a flawed permission check in the `paidy_webhook_permission_check` function that unconditionally returns `true` when the webhook signature header is omitted. This makes it possible for unauthenticated attackers to bypass payment verification and fraudulently mark orders as "Processing" or "Completed" without actual payment via a crafted POST request to the Paidy webhook endpoint.

Plugin: Japanized For Woocommerce | CVE-2026-1305 | MEDIUM, CVSS 5.3, 2026-02-27
Threat Entry Updated 2026-02-27

CVE-2024-10938 - Ovri Payment Plugin

The OVRI Payment plugin for WordPress contains malicious .htaccess files in version 1.7.0. The files contain directives to prevent the execution of certain scripts while allowing execution of known malicious PHP files. If moved outside of the plugin's directory, they may interfere with the proper function of a site.

Plugin: Ovri Payment | CVE-2024-10938 | MEDIUM, CVSS 6.5, 2026-02-27
Threat Entry Updated 2026-04-15

CVE-2026-2383 - Simple Download Monitor Plugin

The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Simple Download Monitor | CVE-2026-2383 | MEDIUM, CVSS 6.4, 2026-02-27
Threat Entry Updated 2026-04-15

CVE-2026-2362 - Wp Accessibility Plugin

The WP Accessibility plugin for WordPress is vulnerable to Stored DOM-Based Cross-Site Scripting via the 'alt' attribute of images processed by the "Long Description UI" feature in all versions up to, and including, 2.3.1. This is due to the plugin's JavaScript retrieving the alt attribute using getAttribute() and unsafely concatenating it into innerHTML and insertAdjacentHTML calls without proper sanitization or escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.…

Plugin: Wp Accessibility | CVE-2026-2362 | MEDIUM, CVSS 6.4, 2026-02-27
Threat Entry Updated 2026-02-27

CVE-2025-14149 - Widgets For Elementor Plugin

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Scroller widget box link attribute in all versions up to, and including, 1.4.24 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Widgets For Elementor | CVE-2025-14149 | MEDIUM, CVSS 6.4, 2026-02-27
Threat Entry Updated 2026-04-15

CVE-2026-1558 - Wp Recipe Maker Plugin

The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to, and including, 10.3.2. This is due to the /wp-json/wp-recipe-maker/v1/integrations/instacart REST API endpoint's permission_callback being set to __return_true and a lack of subsequent authorization or ownership checks on the user-supplied recipeId. This makes it possible for unauthenticated attackers to overwrite arbitrary post metadata (wprm_instacart_combinations) for any post ID on the site via the recipeId parameter.

Plugin: Wp Recipe Maker | CVE-2026-1558 | MEDIUM, CVSS 5.3, 2026-02-27
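The WP Recipe Maker entry combines two omissions that together make an IDOR: a REST route registered with `permission_callback => '__return_true'`, and a handler that uses the caller-supplied `recipeId` without checking that the caller may edit that post. The script below is an added example, not the plugin's code. It replaces WordPress with an in-memory post store, a tiny dispatcher and a stand-in for `current_user_can('edit_post', $id)`; the `recipeId` parameter and `wprm_instacart_combinations` meta key follow the advisory text, while the `combinations` parameter, the `_user` field and the post data are constructed.

```php
<?php
declare(strict_types=1);
// Added example (not WP Recipe Maker's code): an open permission callback plus a
// trusted caller-supplied post ID, beside a route that checks ownership.

// Constructed posts: post 10 belongs to user 1, post 11 to user 2.
$posts = [10 => ['author' => 1], 11 => ['author' => 2]];
$meta  = [];   // post_id => [meta_key => value]

// Stand-in for current_user_can('edit_post', $id). User 0 is an anonymous visitor.
function user_can_edit_post(int $user_id, int $post_id, array $posts): bool
{
    return $user_id !== 0
        && isset($posts[$post_id])
        && $posts[$post_id]['author'] === $user_id;
}

// Handler shared by both routes: stores the submitted combinations on the post.
$save_combinations = function (array $req) use (&$meta): array {
    $post_id = (int) $req['recipeId'];
    $meta[$post_id]['wprm_instacart_combinations'] = $req['combinations'];
    return ['saved_on' => $post_id];
};

// Vulnerable route: open to everyone, no ownership check on recipeId.
$vulnerable_route = [
    'permission_callback' => fn (array $req): bool => true,   // the '__return_true' pattern
    'callback'            => $save_combinations,
];

// Hardened route: the ID is validated and the caller must be allowed to edit that post.
$hardened_route = [
    'permission_callback' => function (array $req) use ($posts): bool {
        $post_id = filter_var($req['recipeId'] ?? null, FILTER_VALIDATE_INT);
        return $post_id !== false && user_can_edit_post($req['_user'], $post_id, $posts);
    },
    'callback'            => $save_combinations,
];

// Minimal dispatcher: permission first, then the handler.
function dispatch(array $route, array $req): array
{
    if (!$route['permission_callback']($req)) {
        return ['status' => 403];
    }
    return ['status' => 200] + $route['callback']($req);
}

// Anonymous caller targeting someone else's post; recipeId is entirely attacker-chosen.
$anonymous = ['_user' => 0, 'recipeId' => '11', 'combinations' => ['attacker' => 'payload']];

print_r(dispatch($vulnerable_route, $anonymous));                  // status 200, saved_on 11
print_r($meta[11]);                                                 // attacker data now on post 11
$meta = [];

print_r(dispatch($hardened_route, $anonymous));                    // status 403
print_r(dispatch($hardened_route, ['_user' => 2] + $anonymous));   // status 200: owner of post 11
print_r(dispatch($hardened_route, ['_user' => 1] + $anonymous));   // status 403: not the owner
```

The permission callback is the right place for the ownership check because WordPress evaluates it before the handler runs; a check inside the handler works too, but a route whose permission callback always returns true is exactly what a reviewer should flag whenever the handler writes anything.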
Threat Entry Updated 2026-04-15

CVE-2026-2428 - Fluent Forms Pro Add On Pack Plugin

The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Instant Payment Notification) verification being disabled by default (`disable_ipn_verification` defaults to `'yes'` in `PayPalSettings.php`). This makes it possible for unauthenticated attackers to send forged PayPal IPN notifications to the publicly accessible IPN endpoint, marking unpaid form submissions as "paid" and triggering post-payment automation (emails, access grants, digital product delivery).

Plugin: Fluent Forms Pro Add On Pack | CVE-2026-2428 | HIGH, CVSS 7.5, 2026-02-27
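The Japanized for WooCommerce entry (a permission check that returns `true` when the signature header is omitted) and the Fluent Forms Pro Add On Pack entry (IPN verification governed by a setting whose default disables it) are two shapes of the same fail-open mistake. The script below is an added example, not code from either plugin. The header name `x-webhook-signature`, the shared secret, the `disable_ipn_verification` default and the message bodies are constructed; the PayPal postback that a real IPN check performs is represented by an injected callable so the script runs offline.

```php
<?php
declare(strict_types=1);
// Added example (not the Japanized for WooCommerce or Fluent Forms code): two
// fail-open webhook checks, each beside a fail-closed form.

const WEBHOOK_SECRET = 'constructed-shared-secret';
const SIG_HEADER     = 'x-webhook-signature';   // hypothetical header name

// --- Pattern 1: "no header" treated as "nothing to check" ---------------------
function webhook_permission_vulnerable(array $headers, string $body): bool
{
    if (!isset($headers[SIG_HEADER])) {
        return true;                       // BUG: unsigned request is accepted
    }
    return hash_equals(hash_hmac('sha256', $body, WEBHOOK_SECRET), $headers[SIG_HEADER]);
}

function webhook_permission_hardened(array $headers, string $body): bool
{
    $sig = $headers[SIG_HEADER] ?? '';
    if (!preg_match('/^[0-9a-f]{64}$/', $sig)) {
        return false;                      // missing or malformed header: reject
    }
    return hash_equals(hash_hmac('sha256', $body, WEBHOOK_SECRET), $sig);
}

// --- Pattern 2: verification disabled by default ------------------------------
// $confirm is the out-of-band check (for PayPal IPN, posting the message back to
// PayPal for validation); injected as a callable so the script runs offline.
function ipn_accepted_vulnerable(array $settings, string $ipn, callable $confirm): bool
{
    if (($settings['disable_ipn_verification'] ?? 'yes') === 'yes') {
        return true;                       // BUG: the default setting skips verification
    }
    return $confirm($ipn);
}

function ipn_accepted_hardened(array $settings, string $ipn, callable $confirm): bool
{
    return $confirm($ipn);                 // no setting can turn verification off
}

// Constructed messages. The "processor" only confirms the one genuine transaction.
$forged  = 'payment_status=Completed&txn_id=FORGED-1&mc_gross=99.00';
$genuine = 'payment_status=Completed&txn_id=REAL-1&mc_gross=99.00';
$confirm = fn (string $ipn): bool => $ipn === $genuine;

var_dump(webhook_permission_vulnerable([], $forged));        // bool(true): forged, accepted
var_dump(webhook_permission_hardened([], $forged));          // bool(false)
$signed = [SIG_HEADER => hash_hmac('sha256', $genuine, WEBHOOK_SECRET)];
var_dump(webhook_permission_hardened($signed, $genuine));    // bool(true): properly signed
var_dump(webhook_permission_hardened($signed, $forged));     // bool(false): body does not match signature

var_dump(ipn_accepted_vulnerable([], $forged, $confirm));    // bool(true): default skips the check
var_dump(ipn_accepted_hardened([], $forged, $confirm));      // bool(false)
var_dump(ipn_accepted_hardened([], $genuine, $confirm));     // bool(true)
```

Two design points carry over to real code: an absent credential is an authentication failure, never a reason to skip the check, and a toggle that disables authenticity verification should not exist at all; if operators genuinely need to bypass it for testing, the bypass must default to off and be impossible to leave on in production silently.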
Threat Entry Updated 2026-04-15

CVE-2026-1565 - User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration Plugin

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WPUF_Admin_Settings::check_filetype_and_ext' function and in the 'Admin_Tools::check_filetype_and_ext' function in all versions up to, and including, 4.2.8. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Plugin: User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration | CVE-2026-1565 | HIGH, CVSS 8.8, 2026-02-26
Threat Entry Updated 2026-02-27

CVE-2026-28131 - Elementor Addon Elements Plugin

Insertion of Sensitive Information Into Sent Data vulnerability in WPVibes Elementor Addon Elements (addon-elements-for-elementor-page-builder) allows Retrieve Embedded Sensitive Data. This issue affects Elementor Addon Elements: from n/a through

Plugin: Elementor Addon Elements | CVE-2026-28131 | MEDIUM, CVSS 6.5, 2026-02-26
Threat Entry Updated 2026-02-27

CVE-2026-28132 - WooCommerce Photo Reviews Plugin

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in villatheme WooCommerce Photo Reviews (woocommerce-photo-reviews) allows Code Injection. This issue affects WooCommerce Photo Reviews: from n/a through

Plugin: WooCommerce Photo Reviews | CVE-2026-28132 | MEDIUM, CVSS 5.3, 2026-02-26
Threat Entry Updated 2026-04-15

CVE-2026-1311 - Worry Proof Backup Plugin

The Worry Proof Backup plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.2.4 via the backup upload functionality. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload a malicious ZIP archive with path traversal sequences to write arbitrary files anywhere on the server, including executable PHP files. This can lead to remote code execution.

Plugin: Worry Proof Backup | CVE-2026-1311 | HIGH, CVSS 8.8, 2026-02-26
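The Worry Proof Backup entry is the classic archive path traversal: an uploaded ZIP whose entry names contain `../` is written relative to the extraction directory, so a name like `../x.php` lands outside it. The script below is an added example, not the plugin's code. It needs the `zip` extension, builds a constructed malicious archive under a fresh temporary directory, extracts it with a hand-rolled loop that trusts entry names, and then with a version that validates every name before writing anything and re-checks the resolved parent directory on each write.

```php
<?php
declare(strict_types=1);
// Added example (not Worry Proof Backup's code): an extractor that trusts
// archive entry names, beside one that keeps every write inside the destination.

function build_upload(string $zipPath): void
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        throw new RuntimeException("cannot create $zipPath");
    }
    $zip->addFromString('backup.sql', '-- constructed, harmless');
    $zip->addFromString('../dropped.php', '<?php /* constructed marker file */');
    $zip->close();
}

// Vulnerable: each entry name is joined onto the destination as-is.
function extract_vulnerable(string $zipPath, string $dest): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    $written = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $target = $dest . '/' . $zip->getNameIndex($i);
        @mkdir(dirname($target), 0700, true);
        file_put_contents($target, $zip->getFromIndex($i));
        $written[] = $target;
    }
    $zip->close();
    return $written;
}

// Reject absolute paths, drive prefixes and any ".." segment (either separator).
function safe_entry_name(string $name): bool
{
    return $name !== ''
        && $name[0] !== '/'
        && !preg_match('#^[A-Za-z]:#', $name)
        && !preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $name);
}

function extract_hardened(string $zipPath, string $dest): array
{
    $root = realpath($dest);
    if ($root === false) {
        throw new RuntimeException('destination must exist');
    }
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    $names = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $names[] = $zip->getNameIndex($i);
    }
    foreach ($names as $name) {          // validate everything before writing anything
        if (!safe_entry_name($name)) {
            $zip->close();
            throw new RuntimeException("rejected entry: $name");
        }
    }
    $written = [];
    foreach ($names as $i => $name) {
        if (str_ends_with($name, '/')) {
            continue;                    // directory entry; directories are created on demand
        }
        $target = $root . '/' . $name;
        @mkdir(dirname($target), 0700, true);
        $parent = realpath(dirname($target));
        if ($parent === false || !str_starts_with($parent . '/', $root . '/')) {
            $zip->close();
            throw new RuntimeException("escaped destination: $name");
        }
        file_put_contents($target, $zip->getFromIndex($i));
        $written[] = $target;
    }
    $zip->close();
    return $written;
}

$base = sys_get_temp_dir() . '/zipdemo-' . bin2hex(random_bytes(4));
mkdir("$base/extract", 0700, true);
build_upload("$base/upload.zip");

print_r(extract_vulnerable("$base/upload.zip", "$base/extract"));
var_dump(file_exists("$base/dropped.php"));   // bool(true): written one level above the extraction dir

try {
    extract_hardened("$base/upload.zip", "$base/extract");
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";                // rejected entry: ../dropped.php
}
```

Note that PHP's own `ZipArchive::extractTo()` normalises entry paths relative to the destination, so the traversal shown here is typical of code that walks the entries itself and calls `file_put_contents()`; the name check alone is not enough in the presence of symlinks already inside the destination, which is why the hardened version also resolves the parent directory before each write. For a backup upload directory, refusing executable extensions such as `.php` outright is a sensible additional layer.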
Threat Entry Updated 2026-04-15

CVE-2026-2356 - User Registration Plugin

The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2 via the 'register_member' function, due to missing validation on the user-controlled 'member_id' key. This makes it possible for unauthenticated attackers to delete the account of any newly registered user on the site that still has the 'urm_user_just_created' user meta set.

Plugin: User Registration | CVE-2026-2356 | MEDIUM, CVSS 5.3, 2026-02-26
Threat Entry Updated 2026-04-15

CVE-2026-1779 - User Registration Plugin

The User Registration & Membership plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.2. This is due to incorrect authentication in the 'register_member' function. This makes it possible for unauthenticated attackers to log in as any newly registered user on the site that still has the 'urm_user_just_created' user meta set.

Plugin: User Registration | CVE-2026-1779 | HIGH, CVSS 8.1, 2026-02-26