
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 14,244 | Critical: 854 | High: 2,808 | Medium: 10,387

Showing 981-1000 of 14,244 records
CVE-2026-1391 - Vzaar Media Management Plugin (threat entry updated 2026-04-15)

The Vzaar Media Management plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on the $_SERVER['PHP_SELF'] variable. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: Vzaar Media Management | Severity: MEDIUM | CVSS 5.3 | 2026-01-28
CVE-2026-1399 - WP Google Ad Manager Plugin (threat entry updated 2026-04-15)

The WP Google Ad Manager Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Plugin: WP Google Ad Manager Plugin | Severity: MEDIUM | CVSS 4.4 | 2026-01-28
CVE-2026-1398 - Change Wp Url Plugin (threat entry updated 2026-04-15)

The Change WP URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'change-wp-url' page. This makes it possible for unauthenticated attackers to change the WP Login URL via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Change Wp Url | Severity: MEDIUM | CVSS 4.3 | 2026-01-28
CVE-2026-0844 - Simple User Registration Plugin (threat entry updated 2026-04-15)

The Simple User Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 6.7 due to insufficient restriction on the 'profile_save_field' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update.

Plugin: Simple User Registration | Severity: HIGH | CVSS 8.8 | 2026-01-28
CVE-2026-1280 - Frontend File Manager Plugin (threat entry updated 2026-04-15)

The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only.

Plugin: Frontend File Manager Plugin | Severity: HIGH | CVSS 7.5 | 2026-01-28
CVE-2026-1380 - Bitcoin Donate Button Plugin (threat entry updated 2026-04-15)

The Bitcoin Donate Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to modify the plugin's settings, including donation addresses and display configurations, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Bitcoin Donate Button | Severity: MEDIUM | CVSS 4.3 | 2026-01-28
CVE-2026-1377 - Imwptip Plugin (threat entry updated 2026-04-15)

The imwptip plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Imwptip | Severity: MEDIUM | CVSS 4.3 | 2026-01-28
CVE-2025-15511 - Rupantorpay Plugin (threat entry updated 2026-01-29)

The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to modify WooCommerce order statuses by sending crafted requests to the WooCommerce API endpoint.

Plugin: Rupantorpay | Severity: MEDIUM | CVSS 5.3 | 2026-01-28
CVE-2025-14616 - Recooty Plugin (threat entry updated 2026-01-29)

The Recooty – Job Widget (Old Dashboard) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recooty_save_maybe() function. This makes it possible for unauthenticated attackers to update the recooty_key option and inject malicious content into iframe src attributes via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Plugin: Recooty | Severity: MEDIUM | CVSS 4.3 | 2026-01-28
CVE-2025-14386 - Integrated Ai Optimization Plugin (threat entry updated 2026-01-29)

The Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the 'generate_sso_url' and 'validate_sso_token' functions in versions 2.4.4 to 2.5.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the 'nonce_token' authentication value to log in to the first Administrator's account.

Plugin: Integrated Ai Optimization | Severity: HIGH | CVSS 8.8 | 2026-01-28
CVE-2025-14283 - Blockart Blocks Plugin (threat entry updated 2026-01-29)

The BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the BlockArt Counter in all versions up to, and including, 2.2.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Blockart Blocks | Severity: MEDIUM | CVSS 6.4 | 2026-01-28
CVE-2025-14063 - Seo Links Interlinking Plugin (threat entry updated 2026-01-29)

The SEO Links Interlinking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'google_error' parameter in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Plugin: Seo Links Interlinking | Severity: MEDIUM | CVSS 6.1 | 2026-01-28
CVE-2026-1400 - AI Engine – The Chatbot and AI Framework for WordPress Plugin (threat entry updated 2026-04-15)

The AI Engine – The Chatbot and AI Framework for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the `rest_helpers_update_media_metadata` function in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The attacker can upload a benign image file, then use the `update_media_metadata` endpoint to rename it to a PHP file, creating an executable PHP…

Plugin: AI Engine – The Chatbot and AI Framework for WordPress | Severity: HIGH | CVSS 7.2 | 2026-01-28
CVE-2026-1381 - Order Minimum Amount For Woocommerce Plugin (threat entry updated 2026-04-15)

The Order Minimum/Maximum Amount Limits for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Plugin: Order Minimum Amount For Woocommerce | Severity: MEDIUM | CVSS 4.4 | 2026-01-28
CVE-2026-0702 - Shoppable Videos For Woocommerce Plugin (threat entry updated 2026-04-15)

The VidShop – Shoppable Videos for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the 'fields' parameter in all versions up to, and including, 1.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Shoppable Videos For Woocommerce | Severity: HIGH | CVSS 7.5 | 2026-01-28
CVE-2026-1053 - Add Search To Menu Plugin (threat entry updated 2026-04-15)

The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.5.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Plugin: Add Search To Menu | Severity: MEDIUM | CVSS 4.4 | 2026-01-28
CVE-2026-1389 - Document Embedder – Embed PDFs, Word, Excel, and Other Files Plugin (threat entry updated 2026-04-15)

The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the 'bplde_save_document_library', 'bplde_get_single', and 'bplde_delete_document_library' AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the 'id' parameter.

Plugin: Document Embedder – Embed PDFs, Word, Excel, and Other Files | Severity: MEDIUM | CVSS 5.3 | 2026-01-28
CVE-2026-1054 - Custom Registration Form Builder With Submission Manager Plugin (threat entry updated 2026-04-15)

The RegistrationMagic plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 6.0.7.4. This is due to missing nonce verification and capability checks on the rm_set_otp AJAX action handler. This makes it possible for unauthenticated attackers to modify arbitrary plugin settings, including reCAPTCHA keys, security settings, and frontend menu titles.

Plugin: Custom Registration Form Builder With Submission Manager | Severity: MEDIUM | CVSS 5.3 | 2026-01-28
CVE-2026-0832 - New User Approve Plugin (threat entry updated 2026-04-15)

The New User Approve plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to approve or deny user accounts, retrieve sensitive user information including emails and roles, and force logout of privileged users.

Plugin: New User Approve | Severity: HIGH | CVSS 7.3 | 2026-01-28
CVE-2026-1295 - Buy Now Plus Plugin (threat entry updated 2026-04-15)

The Buy Now Plus – Buy Now buttons for Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buynowplus' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on shortcode attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Buy Now Plus | Severity: MEDIUM | CVSS 6.4 | 2026-01-28