Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-04-15
CVE-2026-2419 - Wp Downloadmanager Plugin
The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'download_path' configuration parameter. This is due to insufficient validation of the download path setting, which allows directory traversal sequences to bypass the WP_CONTENT_DIR prefix check. This makes it possible for authenticated attackers, with Administrator-level access and above, to configure the plugin to list and access arbitrary files on the server by exploiting the file browser functionality.
PLUGIN
Wp Downloadmanager
CVE-2026-2419
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1655 - Eventprime Event Calendar Management Plugin
The EventPrime plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization checks in all versions up to, and including, 4.2.8.4. This is due to the save_frontend_event_submission function accepting a user-controlled event_id parameter and updating the corresponding event post without enforcing ownership or capability checks. This makes it possible for authenticated (Customer+) attackers to modify posts created by administrators by manipulating the event_id parameter granted they can obtain a valid nonce.
PLUGIN
Eventprime Event Calendar Management
CVE-2026-1655
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1831 - YayMail – WooCommerce Email Customizer Plugin
The YayMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized plugin installation and activation due to missing capability checks on the 'yaymail_install_yaysmtp' AJAX action and `/yaymail/v1/addons/activate` REST endpoint in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to install and activate the YaySMTP plugin.
PLUGIN
YayMail – WooCommerce Email Customizer
CVE-2026-1831
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1937 - Woocommerce Email Customizer Plugin
The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the `yaymail_import_state` AJAX action in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
PLUGIN
Woocommerce Email Customizer
CVE-2026-1937
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2296 - Woo Custom Product Addons Plugin
The Product Addons for Woocommerce – Product Options with Custom Fields plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 3.1.0. This is due to insufficient input validation of the 'operator' field in conditional logic rules within the evalConditions() function, which passes unsanitized user input directly to PHP's eval() function. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to inject and execute arbitrary PHP code on the server via the conditional logic 'operator' parameter when saving addon form field…
PLUGIN
Woo Custom Product Addons
CVE-2026-2296
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2019 - Cart All In One For Woocommerce Plugin
The Cart All In One For WooCommerce plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.1.21. This is due to insufficient input validation on the 'Assign page' field which is passed directly to the eval() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server.
PLUGIN
Cart All In One For Woocommerce
CVE-2026-2019
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2281 - Private Comment Plugin
The Private Comment plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Label text' setting in all versions up to, and including, 0.0.4. This is due to insufficient input sanitization and output escaping on the plugin's label text option. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Private Comment
CVE-2026-2281
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2633 - Kadence Blocks Plugin
The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.1. This is due to a missing capability check in the `process_image_data_ajax_callback()` function which handles the `kadence_import_process_image_data` AJAX action. The function's authorization check via `verify_ajax_call()` only validates `edit_posts` capability but fails to check for the `upload_files` capability. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary images from remote URLs to the WordPress Media Library, bypassing the standard WordPress capability restriction…
PLUGIN
Kadence Blocks
CVE-2026-2633
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1807 - Interactivecalculator For Wordpress Plugin
The InteractiveCalculator for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'interactivecalculator' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Interactivecalculator For Wordpress
CVE-2026-1807
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1666 - Download Manager Plugin
The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirect_to' parameter in all versions up to, and including, 3.3.46. This is due to insufficient input sanitization and output escaping on the 'redirect_to' GET parameter in the login form shortcode. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Download Manager
CVE-2026-1666
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1857 - Kadence Blocks Plugin
The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.6.1. This is due to insufficient validation of the `endpoint` parameter in the `get_items()` function of the GetResponse REST API handler. The endpoint's permission check only requires `edit_posts` capability (Contributor role) rather than `manage_options` (Administrator). This makes it possible for authenticated attackers, with Contributor-level access and above, to make server-side requests to arbitrary endpoints on the configured GetResponse API server, retrieving sensitive data such as contacts,…
PLUGIN
Kadence Blocks
CVE-2026-1857
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1640 - Task Management Plugin
The Taskbuilder – WordPress Project Management & Task Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.0.2. This is due to missing authorization checks on the project and task comment submission functions (AJAX actions: wppm_submit_proj_comment and wppm_submit_task_comment). This makes it possible for authenticated attackers, with subscriber-level access and above, to create comments on any project or task (including private projects they cannot view or are not assigned to), and inject arbitrary HTML and CSS via the insufficiently sanitized comment_body parameter.
PLUGIN
Task Management
CVE-2026-1640
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2023 - Wp Plugin Info Card
The WP Plugin Info Card plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0. This is due to missing nonce validation in the ajax_save_custom_plugin() function, which is disabled by prefixing the check with 'false &&'. This makes it possible for unauthenticated attackers to create or modify custom plugin entries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Wp Plugin Info Card
CVE-2026-2023
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1368 - Video Conferencing With Zoom Plugin
The Video Conferencing with Zoom WordPress plugin before 4.6.6 contains an AJAX handler that has its nonce verification commented out, allowing unauthenticated attackers to generate valid Zoom SDK signatures for any meeting ID and retrieve the site's Zoom SDK key.
PLUGIN
Video Conferencing With Zoom
CVE-2026-1368
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1639 - Task Management Plugin
The Taskbuilder – WordPress Project Management & Task Management plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order' and 'sort_by' parameters in all versions up to, and including, 5.0.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Task Management
CVE-2026-1639
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1304 - Restrict Content Plugin
The Membership Plugin – Restrict Content for WordPress is vulnerable to Stored Cross-Site Scripting via multiple invoice settings fields in all versions up to, and including, 3.2.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Restrict Content
CVE-2026-1304
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1906 - PDF Invoices & Packing Slips for WooCommerce Plugin
The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.0 via the `wpo_ips_edi_save_order_customer_peppol_identifiers` AJAX action due to missing capability checks and order ownership validation. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify Peppol/EDI endpoint identifiers (`peppol_endpoint_id`, `peppol_endpoint_eas`) for any customer by specifying an arbitrary `order_id` parameter on systems using Peppol invoicing. This can affect order routing on the Peppol network and may result in payment disruptions and data…
PLUGIN
PDF Invoices & Packing Slips for WooCommerce
CVE-2026-1906
Risk Score
Threat Entry
Updated 2026-02-18
CVE-2025-12122 - Easily Create Wordpress Popups Plugin
The Popup Box – Easily Create WordPress Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Easily Create Wordpress Popups
CVE-2025-12122
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1072 - Keybase.io Verification Plugin
The Keybase.io Verification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.5. This is due to missing nonce validation when updating plugin settings. This makes it possible for unauthenticated attackers to update the Keybase verification text via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Keybase.io Verification
CVE-2026-1072
Risk Score
Threat Entry
Updated 2026-02-18
CVE-2025-12356 - Tickera Event Ticketing System Plugin
The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_change_ticket_status' AJAX endpoint in all versions up to, and including, 3.5.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update post/event statuses.
PLUGIN
Tickera Event Ticketing System
CVE-2025-12356
Risk Score