Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-04-15
CVE-2026-1097 - Assign Multiple Writers To Posts Plugin
The ThemeRuby Multi Authors – Assign Multiple Writers to Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' shortcode attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Assign Multiple Writers To Posts
CVE-2026-1097
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1103 - Aiktp Plugin
The AIKTP plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the /aiktp/getToken REST API endpoint in all versions up to, and including, 5.0.04. The endpoint uses the 'verify_user_logged_in' as a permission callback, which only checks if a user is logged in, but fails to verify if the user has administrative capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to retrieve the administrator's 'aiktpz_token' access token, which can then be used to create posts, upload media library files,…
PLUGIN
Aiktp
CVE-2026-1103
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1095 - Canto Testimonials Plugin
The Canto Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fx' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Canto Testimonials
CVE-2026-1095
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1084 - Cookie Consent For Developers Plugin
The Cookie consent for developers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple settings fields in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Cookie Consent For Developers
CVE-2026-1084
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1088 - Login Page Editor Plugin
The Login Page Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the devotion_loginform_process() AJAX action. This makes it possible for unauthenticated attackers to update the plugin's login page settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Login Page Editor
CVE-2026-1088
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1081 - Set Bulk Post Categories Plugin
The Set Bulk Post Categories plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the bulk category update functionality. This makes it possible for unauthenticated attackers to modify post categories in bulk via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Set Bulk Post Categories
CVE-2026-1081
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1076 - Star Review Manager Plugin
The Star Review Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin's CSS settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Star Review Manager
CVE-2026-1076
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-0807 - Frontis Blocks Plugin
The Frontis Blocks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.1.6. This is due to insufficient restriction on the 'url' parameter in the 'template_proxy' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application via the '/template-proxy/' and '/proxy-image/' endpoint.
PLUGIN
Frontis Blocks
CVE-2026-0807
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-0806 - Wp Clanwars Plugin
The WP-ClanWars plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Wp Clanwars
CVE-2026-0806
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1075 - Zt Captcha Plugin
The ZT Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to improper nonce validation on the save_ztcpt_captcha_settings action where the nonce check can be bypassed by sending an empty token value. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Zt Captcha
CVE-2026-1075
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1070 - User Counter Plugin
The Alex User Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0. This is due to missing nonce validation on the alex_user_counter_function() function. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
User Counter
CVE-2026-1070
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-14985 - Alpha Blocks Plugin
The Alpha Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘alpha_block_css’ parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Alpha Blocks
CVE-2025-14985
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-14941 - Gzseo Plugin
The GZSEO plugin for WordPress is vulnerable to authorization bypass leading to Stored Cross-Site Scripting in all versions up to, and including, 2.0.11. This is due to missing capability checks on multiple AJAX handlers combined with insufficient input sanitization and output escaping on the embed_code parameter. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary content into any post on the site that will execute whenever a user accesses an injected page.
PLUGIN
Gzseo
CVE-2025-14941
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-14843 - Wizit Gateway For Woocommerce Plugin
The Wizit Gateway for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Order Cancellation in all versions up to, and including, 1.2.9. This is due to a lack of authentication and authorization checks in the 'handle_checkout_redirecturl_response' function. This makes it possible for unauthenticated attackers to cancel arbitrary WooCommerce orders by sending a crafted request with a valid order ID.
PLUGIN
Wizit Gateway For Woocommerce
CVE-2025-14843
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-14906 - Wp Youtube Video Gallery Plugin
The WP Youtube Video Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce verification on the wpYTVideoGallerySettingSave() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Wp Youtube Video Gallery
CVE-2025-14906
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-14903 - Simple Crypto Shortcodes Plugin
The Simple Crypto Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2. This is due to missing nonce validation on the scs_backend function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Simple Crypto Shortcodes
CVE-2025-14903
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-13374 - Kalrav Ai Agent Plugin
The Kalrav AI Agent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the kalrav_upload_file AJAX action in all versions up to, and including, 2.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Kalrav Ai Agent
CVE-2025-13374
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-13676 - Justclick Subscriber Plugin
The JustClick registration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on the `PHP_SELF` server variable. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Justclick Subscriber
CVE-2025-13676
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-14797 - Same Category Posts Plugin
The Same Category Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget title placeholder functionality in all versions up to, and including, 1.1.19. This is due to the use of `htmlspecialchars_decode()` on taxonomy term names before output, which decodes HTML entities that WordPress intentionally encodes for safety. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Same Category Posts
CVE-2025-14797
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-14629 - Alchemist Ajax Upload Plugin
The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments.
PLUGIN
Alchemist Ajax Upload
CVE-2025-14629
Risk Score