Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-04-15
CVE-2026-27052 - WooCommerce Plugin
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in villatheme Sales Countdown Timer for WooCommerce and WordPress sctv-sales-countdown-timer allows PHP Local File Inclusion.This issue affects Sales Countdown Timer for WooCommerce and WordPress: from n/a through < 1.1.9.
PLUGIN
WooCommerce
CVE-2026-27052
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2026-25416 - Elementor Plugin
Missing Authorization vulnerability in blazethemes News Kit Elementor Addons news-kit-elementor-addons allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects News Kit Elementor Addons: from n/a through
PLUGIN
Elementor
CVE-2026-25416
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-25392 - Update URLs – Quick and Easy way to search old links and replace them with new links in WordPress Plugin
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in KaizenCoders Update URLs – Quick and Easy way to search old links and replace them with new links in WordPress update-urls allows Phishing.This issue affects Update URLs – Quick and Easy way to search old links and replace them with new links in WordPress: from n/a through
PLUGIN
Update URLs – Quick and Easy way to search old links and replace them with new links in WordPress
CVE-2026-25392
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2026-25386 - Ally Plugin
Missing Authorization vulnerability in Elementor Ally pojo-accessibility allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ally: from n/a through
PLUGIN
Ally
CVE-2026-25386
Risk Score
Threat Entry
Updated 2026-02-26
CVE-2026-25387 - Image Optimizer by Elementor Plugin
Missing Authorization vulnerability in Elementor Image Optimizer by Elementor image-optimization allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Optimizer by Elementor: from n/a through
PLUGIN
Image Optimizer by Elementor
CVE-2026-25387
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-25325 - rtMedia for WordPress, BuddyPress and bbPress Plugin
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in rtCamp rtMedia for WordPress, BuddyPress and bbPress buddypress-media allows Retrieve Embedded Sensitive Data.This issue affects rtMedia for WordPress, BuddyPress and bbPress: from n/a through
PLUGIN
rtMedia for WordPress, BuddyPress and bbPress
CVE-2026-25325
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2026-25320 - Elementor Contact Form DB Plugin
Missing Authorization vulnerability in Cool Plugins Elementor Contact Form DB sb-elementor-contact-form-db allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Elementor Contact Form DB: from n/a through
PLUGIN
Elementor Contact Form DB
CVE-2026-25320
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2026-25319 - Zita Elementor Site Library Plugin
Cross-Site Request Forgery (CSRF) vulnerability in wpzita Zita Elementor Site Library zita-site-library allows Cross Site Request Forgery.This issue affects Zita Elementor Site Library: from n/a through
PLUGIN
Zita Elementor Site Library
CVE-2026-25319
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2026-25318 - WiserReview Product Reviews for WooCommerce Plugin
Missing Authorization vulnerability in Wisernotify team WiserReview Product Reviews for WooCommerce wiser-review allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WiserReview Product Reviews for WooCommerce: from n/a through
PLUGIN
WiserReview Product Reviews for WooCommerce
CVE-2026-25318
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2026-24999 - Alma Plugin
Missing Authorization vulnerability in Alma Alma alma-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Alma: from n/a through
PLUGIN
Alma
CVE-2026-24999
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2026-24375 - Ultimate Gift Cards For WooCommerce Plugin
Missing Authorization vulnerability in WP Swings Ultimate Gift Cards For WooCommerce woo-gift-cards-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Gift Cards For WooCommerce: from n/a through
PLUGIN
Ultimate Gift Cards For WooCommerce
CVE-2026-24375
Risk Score
Threat Entry
Updated 2026-02-26
CVE-2026-23543 - Essential Addons for Elementor Plugin
Missing Authorization vulnerability in WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Addons for Elementor: from n/a through
PLUGIN
Essential Addons for Elementor
CVE-2026-23543
Risk Score
Threat Entry
Updated 2026-02-24
CVE-2026-22333 - WooCommerce Plugin
Deserialization of Untrusted Data vulnerability in YITHEMES YITH WooCommerce Compare yith-woocommerce-compare allows Object Injection.This issue affects YITH WooCommerce Compare: from n/a through
PLUGIN
WooCommerce
CVE-2026-22333
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2502 - Xmlrpc Attacks Blocker Plugin
The xmlrpc attacks blocker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0, via the 'X-Forwarded-For' HTTP header. This is due to the plugin trusting and logging attacker-controlled IP header data and rendering debug log entries without output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the debug log page.
PLUGIN
Xmlrpc Attacks Blocker
CVE-2026-2502
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2284 - News Element Plugin
The News Element Elementor Blog Magazine plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.8. This is due to a missing capability check and nonce verification on the 'ne_clean_data' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to truncate 8 core WordPress database tables (posts, comments, terms, term_relationships, term_taxonomy, postmeta, commentmeta, termmeta) and delete the entire WordPress uploads directory, resulting in complete data loss.
PLUGIN
News Element
CVE-2026-2284
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2282 - Slidorion Plugin
The Slidorion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Slidorion
CVE-2026-2282
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2504 - Dealia – Request a quote Plugin
The Dealia – Request a quote plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple AJAX handlers in all versions up to, and including, 1.0.7. The admin nonce (DEALIA_ADMIN_NONCE) is exposed to all users with edit_posts capability (Contributor+) via wp_localize_script() in PostsController.php, while the AJAX handlers in AdminSettingsController.php only verify the nonce without checking current_user_can('manage_options'). This makes it possible for authenticated attackers, with Contributor-level access and above, to reset the plugin configuration.
PLUGIN
Dealia – Request a quote
CVE-2026-2504
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1994 - s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions Plugin
The s2Member plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 260127. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
PLUGIN
s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions
CVE-2026-1994
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1646 - Advance Block Extend Plugin
The Advance Block Extend plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the TitleColor block attribute in the Latest Posts Gutenberg block in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Advance Block Extend
CVE-2026-1646
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1455 - Whatsiplus Scheduled Notification For Woocommerce Plugin
The Whatsiplus Scheduled Notification for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'wsnfw_save_users_settings' AJAX action. This makes it possible for unauthenticated attackers to modify plugin configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Whatsiplus Scheduled Notification For Woocommerce
CVE-2026-1455
Risk Score