Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-02-04
CVE-2025-15285 - Lupsonline Link Netwerk Plugin
The SEO Flow by LupsOnline plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the checkBlogAuthentication() and checkCategoryAuthentication() functions in all versions up to, and including, 2.2.1. These authorization functions only implement basic API key authentication but fail to implement WordPress capability checks. This makes it possible for unauthenticated attackers to create, modify, and delete blog posts and categories.
PLUGIN
Lupsonline Link Netwerk
CVE-2025-15285
Risk Score
Threat Entry
Updated 2026-02-04
CVE-2025-15268 - Infility Global Plugin
The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action in all versions up to, and including, 2.14.46. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append - with certain server configurations - additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Infility Global
CVE-2025-15268
Risk Score
Threat Entry
Updated 2026-02-04
CVE-2025-15260 - Loyalty Points And Rewards For Woocommerce Plugin
The MyRewards – Loyalty Points and Rewards for WooCommerce plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 5.6.0. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'ajax' function. This makes it possible for authenticated attackers, with subscriber level access and above, to modify, add, or delete loyalty program earning rules, including manipulating point multipliers to arbitrary values.
PLUGIN
Loyalty Points And Rewards For Woocommerce
CVE-2025-15260
Risk Score
Threat Entry
Updated 2026-02-04
CVE-2025-14461 - Woo Xendit Virtual Accounts Plugin
The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint (`wc_xendit_callback`) that processes payment callbacks without any authentication or cryptographic verification that the requests originate from Xendit's payment gateway. This makes it possible for unauthenticated attackers to mark any WooCommerce order as paid by sending a crafted POST request to the callback URL with a JSON body containing an `external_id` matching the order ID pattern…
PLUGIN
Woo Xendit Virtual Accounts
CVE-2025-14461
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1756 - Wp Foft Loader Plugin
The WP FOFT Loader plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WP_FOFT_Loader_Mimes::file_and_ext' function in all versions up to, and including, 2.1.39. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Wp Foft Loader
CVE-2026-1756
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1755 - Menu Icons Plugin
The Menu Icons by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_wp_attachment_image_alt’ post meta in all versions up to, and including, 0.13.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Menu Icons
CVE-2026-1755
Risk Score
Threat Entry
Updated 2026-02-05
CVE-2026-25028 - Elementor Plugin
Missing Authorization vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ElementInvader Addons for Elementor: from n/a through
PLUGIN
Elementor
CVE-2026-25028
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-24998 - Hustle Plugin
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPMU DEV - Your All-in-One WordPress Platform Hustle wordpress-popup allows Retrieve Embedded Sensitive Data.This issue affects Hustle: from n/a through
PLUGIN
Hustle
CVE-2026-24998
Risk Score
Threat Entry
Updated 2026-02-03
CVE-2026-24992 - WooCommerce Plugin
Insertion of Sensitive Information Into Sent Data vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics allows Retrieve Embedded Sensitive Data.This issue affects Advanced WooCommerce Product Sales Reporting: from n/a through
PLUGIN
WooCommerce
CVE-2026-24992
Risk Score
Threat Entry
Updated 2026-02-03
CVE-2026-24958 - Elementor Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor jet-elements allows DOM-Based XSS.This issue affects JetElements For Elementor: from n/a through
PLUGIN
Elementor
CVE-2026-24958
Risk Score
Threat Entry
Updated 2026-02-03
CVE-2026-24945 - Contact Form 7 Plugin
Missing Authorization vulnerability in Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Addons for Contact Form 7: from n/a through
PLUGIN
Contact Form 7
CVE-2026-24945
Risk Score
Threat Entry
Updated 2026-02-03
CVE-2026-24947 - Elementor Plugin
Missing Authorization vulnerability in LA-Studio LA-Studio Element Kit for Elementor lastudio-element-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LA-Studio Element Kit for Elementor: from n/a through < 1.5.6.3.
PLUGIN
Elementor
CVE-2026-24947
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1730 - Os Datahub Maps Plugin
The OS DataHub Maps plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'OS_DataHub_Maps_Admin::add_file_and_ext' function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Os Datahub Maps
CVE-2026-1730
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1375 - Elearning And Online Course Solution Plugin
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests.
PLUGIN
Elearning And Online Course Solution
CVE-2026-1375
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1371 - Elearning And Online Course Solution Plugin
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the `ajax_coupon_details()` function, which only validates nonces but does not verify user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive coupon information including coupon codes, discount amounts, usage statistics, and course/bundle applications.
PLUGIN
Elearning And Online Course Solution
CVE-2026-1371
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1210 - Happy Addons For Elementor Plugin
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_elementor_data' meta field in all versions up to, and including, 3.20.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Happy Addons For Elementor
CVE-2026-1210
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1447 - Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more Plugin
The Mail Mint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19.2. This is due to missing nonce validation on the create_or_update_note function. This makes it possible for unauthenticated attackers to create or update contact notes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to missing sanitization and escaping this can lead to stored Cross-Site Scripting.
PLUGIN
Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more
CVE-2026-1447
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1065 - Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder Plugin
The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms.
PLUGIN
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
CVE-2026-1065
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-0617 - LatePoint – Calendar Booking Plugin for Appointments and Events
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer profile fields in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the customer's activity history.
PLUGIN
LatePoint – Calendar Booking Plugin for Appointments and Events
CVE-2026-0617
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1058 - Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder Plugin
The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses html_entity_decode() on user-supplied hidden field values without subsequent escaping before output, which converts HTML entity-encoded payloads back into executable JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin submissions view that will execute whenever an administrator accesses the submissions…
PLUGIN
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder
CVE-2026-1058
Risk Score