
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 14,261 entries: 855 critical, 2,811 high, 10,399 medium. Showing records 1161-1180 of 14,261.
CVE-2026-1105 - EasyCMS (threat entry updated 2026-02-06)

A vulnerability was identified in EasyCMS up to 1.6. It affects unknown code in the file /UserAction.class.php. Manipulation of the _order argument leads to SQL injection. The attack can be executed remotely. A public exploit is available and may be used. The vendor was contacted early about this disclosure but did not respond.

Product: EasyCMS | CVE-2026-1105 | Medium, CVSS 6.9 | 2026-01-18
CVE-2026-1066 - kalcaddle kodbox (threat entry updated 2026-02-27)

A vulnerability was detected in kalcaddle kodbox up to 1.61.10. It affects unknown processing behind the /?explorer/index/zip endpoint of the Compression Handler component. Manipulation results in command injection. The attack may be launched remotely. A public exploit is available and may be used. The vendor was contacted early about this disclosure but did not respond.

Product: kodbox | CVE-2026-1066 | Medium, CVSS 5.3 | 2026-01-17
CVE-2026-1064 - bastillion-io Bastillion (threat entry updated 2026-01-26)

A vulnerability was found in bastillion-io Bastillion up to 4.0.1. It affects unknown processing in the file src/main/java/io/bastillion/manage/control/SystemKtrl.java of the System Management Module component. Manipulation results in command injection. The attack can be initiated remotely. A public exploit is available and may be used. The vendor was contacted early about this disclosure but did not respond.

Product: Bastillion | CVE-2026-1064 | Medium, CVSS 5.1 | 2026-01-17
CVE-2026-1062 - xiweicheng TMS (threat entry updated 2026-01-26)

A flaw was found in xiweicheng TMS up to 2.28.0. It affects the function Summary in the file src/main/java/com/lhjz/portal/util/HtmlUtil.java. Manipulation of the url argument causes server-side request forgery. The attack can be initiated remotely. A public exploit is available and may be used.

Product: TMS | CVE-2026-1062 | Medium, CVSS 5.3 | 2026-01-17
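The SSRF entry above describes a URL argument that the server fetches. The following is an added example, not TMS code, of the check a fetcher should run on such a URL before connecting: scheme allowlist, then every address the host maps to must be public, including the IP-literal spellings a naive string match misses. The name table `FAKE_DNS` and the resolver injection are assumptions so the example runs offline; a real caller passes `resolve_with_dns`.

```python
"""Added example (not TMS code): validate a user-supplied URL before a
server-side fetch. Resolver is injectable so the example runs offline."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed name table standing in for DNS in this example.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "rebind.attacker.test": ["93.184.216.34", "127.0.0.1"],
}


def resolve_with_dns(host: str) -> list:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def resolve_fake(host: str) -> list:
    return FAKE_DNS.get(host, [])


def host_addresses(host: str, resolver) -> list:
    # 1. Plain literal ("127.0.0.1", "::1", "::ffff:127.0.0.1").
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        pass
    # 2. Legacy IPv4 spellings inet_aton accepts but ip_address() rejects:
    #    decimal ("2130706433"), octal ("0177.0.0.1"), shortened ("127.1").
    try:
        return [ipaddress.IPv4Address(socket.inet_aton(host))]
    except OSError:
        pass
    # 3. A real name: every address it resolves to counts.
    return [ipaddress.ip_address(a) for a in resolver(host)]


def is_public(addr) -> bool:
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_fetch_url(url: str, resolver=resolve_with_dns) -> bool:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    addrs = host_addresses(parts.hostname, resolver)
    # Every address must be public: a name resolving to one public and one
    # internal address is a rebinding setup, not a safe target.
    return bool(addrs) and all(is_public(a) for a in addrs)
```

This check is only as good as its timing: the fetch must connect to the address that was validated (pin it, or re-validate inside the HTTP client) and must re-run the check on every redirect, otherwise a public host that 302s to 169.254.169.254 walks straight past it.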
CVE-2026-1063 - bastillion-io Bastillion (threat entry updated 2026-01-26)

A vulnerability was found in bastillion-io Bastillion up to 4.0.1. It affects unknown code in the file src/main/java/io/bastillion/manage/control/AuthKeysKtrl.java of the Public Key Management System component. Manipulation leads to command injection. The attack can be launched remotely. A public exploit is available and may be used. The vendor was contacted early about this disclosure but did not respond.

Product: Bastillion | CVE-2026-1063 | Medium, CVSS 5.1 | 2026-01-17
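Three entries on this page (kodbox CVE-2026-1066 and the two Bastillion entries, CVE-2026-1064 and CVE-2026-1063) are command injections. The following added example, which is not code from either project, shows the mechanism in its smallest form: the same attacker-controlled string handed to a shell command line versus passed as one argv element, plus the allowlist to apply before either. The tainted value and the identifier pattern are constructed for the example.

```python
"""Added example (not kodbox or Bastillion code): shell interpolation
versus argv, and the allowlist to run before either."""
import re
import subprocess

# Constructed attacker input containing a shell command separator.
TAINTED = "safe; echo INJECTED"


def run_vulnerable(name: str) -> str:
    # The value is spliced into a string that /bin/sh parses, so ';' ends
    # the intended command and starts the attacker's.
    out = subprocess.run(f"echo {name}", shell=True, capture_output=True, text=True)
    return out.stdout


def run_hardened(name: str) -> str:
    # No shell: the value is a single argv element and reaches the program
    # as data, separator characters included.
    out = subprocess.run(["echo", name], capture_output=True, text=True)
    return out.stdout


# Strict allowlist: letters, digits, dot, underscore, dash; no leading dash,
# so the value cannot be parsed as an option by the target program either.
IDENT_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def validated(name: str) -> str:
    if not IDENT_RE.fullmatch(name):
        raise ValueError("invalid identifier")
    return name
```

Argv separation removes the shell from the picture but not the target program's own option parsing: a value beginning with `-` can still be read as a flag, which is why the allowlist forbids a leading dash (or, where the tool supports it, pass `--` before user data).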
CVE-2026-1061 - xiweicheng TMS (threat entry updated 2026-01-26)

A vulnerability was detected in xiweicheng TMS up to 2.28.0. It affects the function Upload in the file src/main/java/com/lhjz/portal/controller/FileController.java. Manipulation of the filename argument results in unrestricted upload. The attack may be performed remotely. A public exploit is available and may be used.

Product: TMS | CVE-2026-1061 | Medium, CVSS 5.3 | 2026-01-17
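The entry above is an upload whose on-disk name is taken from a client-supplied filename. As an added example that is not TMS code, the function below derives a safe target path from such a name: it drops directory components, rejects names without an allowlisted extension, neutralises double extensions, prefixes a random token so the client never chooses the final name, and confirms the result is still under the upload root. The upload root and extension allowlist are assumptions for the example.

```python
"""Added example (not TMS code): a safe on-disk path from an untrusted
upload filename."""
import os
import re
import secrets
import unicodedata

ALLOWED_EXT = {"pdf", "png", "jpg", "jpeg", "txt"}   # assumed policy
SAFE_CHARS = re.compile(r"[^A-Za-z0-9_-]")            # note: '.' is excluded


def safe_upload_path(upload_root: str, user_filename: str) -> str:
    # Drop any directory component, whichever separator the client used.
    base = user_filename.replace("\\", "/").rsplit("/", 1)[-1]
    base = unicodedata.normalize("NFKC", base).strip().strip(".")
    if not base:
        raise ValueError("empty filename")
    stem, dot, ext = base.rpartition(".")
    if not dot or ext.lower() not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    # Dots in the stem become '_' so "shell.php.txt" cannot be served as PHP
    # by a server that honours multiple extensions.
    stem = SAFE_CHARS.sub("_", stem)[:64] or "file"
    name = f"{secrets.token_hex(8)}_{stem}.{ext.lower()}"
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, name))
    # Belt and braces: the final path must still be inside the upload root.
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes upload root")
    return target


def is_acceptable(upload_root: str, user_filename: str) -> bool:
    try:
        safe_upload_path(upload_root, user_filename)
        return True
    except ValueError:
        return False
```

The extension check is a filename policy, not a content check; pair it with content sniffing of the first bytes and store uploads outside the web root (or on a host that serves them with `Content-Disposition: attachment` and no script execution).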
CVE-2026-1059 - FeMiner wms (threat entry updated 2026-02-06)

A security vulnerability was detected in FeMiner wms up to commit 9cad1f1b179a98b9547fd003c23b07c7594775fa. It affects unknown functionality in the file /src/chkuser.php. Manipulation of the Username argument leads to SQL injection. The attack can be carried out remotely. A public exploit is available and may be used. This product uses a rolling release strategy, so version numbers for affected or fixed releases cannot be given. The vendor was contacted early about this disclosure but did not respond.

Product: FeMiner wms | CVE-2026-1059 | Medium, CVSS 6.9 | 2026-01-17
CVE-2026-1050 - risesoft-y9 Digital-Infrastructure (threat entry updated 2026-02-23)

A flaw was found in risesoft-y9 Digital-Infrastructure up to 9.6.7. It affects an unknown function in the file source-code/src/main/java/net/risesoft/util/Y9PlatformUtil.java of the REST Authenticate Endpoint component. Manipulation can lead to SQL injection. The attack can be launched remotely. A public exploit is available and may be used. The project was informed of the problem early through an issue report but has not responded.

Product: Digital-Infrastructure | CVE-2026-1050 | Medium, CVSS 6.9 | 2026-01-17
CVE-2026-1049 - LigeroSmart (threat entry updated 2026-02-27)

A security vulnerability was detected in LigeroSmart up to 6.1.26. It affects an unknown function in the file /otrs/index.pl. Manipulation of the TicketID argument leads to cross-site scripting. The attack can be launched remotely. A public exploit is available and may be used. The project was informed of the problem early through an issue report but has not responded.

Product: LigeroSmart | CVE-2026-1049 | Medium, CVSS 5.1 | 2026-01-17
CVE-2026-1048 - LigeroSmart (threat entry updated 2026-02-27)

A weakness was identified in LigeroSmart up to 6.1.26. It affects an unknown function behind /otrs/index.pl?Action=AgentTicketZoom. Manipulation of the TicketID argument causes cross-site scripting. The attack can be initiated remotely. A public exploit is available and may be used. The project was informed of the problem early through an issue report but has not responded.

Product: LigeroSmart | CVE-2026-1048 | Medium, CVSS 5.1 | 2026-01-17
CVE-2026-0725 - Integrate Dynamics 365 CRM plugin for WordPress (threat entry updated 2026-04-15)

The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to stored cross-site scripting via its admin settings in all versions up to, and including, 1.1.1, due to insufficient input sanitization and output escaping of user-supplied attributes. This makes it possible for authenticated attackers with Administrator-level access and above to inject arbitrary web scripts into pages that execute whenever a user accesses an injected page.

Product: Integrate Dynamics 365 CRM | CVE-2026-0725 | Medium, CVSS 4.4 | 2026-01-17
CVE-2025-8615 - CubeWP Framework plugin for WordPress (threat entry updated 2026-01-26)

The CubeWP plugin for WordPress is vulnerable to stored cross-site scripting via its cubewp_shortcode_taxonomy shortcode in all versions up to, and including, 1.1.26, due to insufficient input sanitization and output escaping of user-supplied attributes. This makes it possible for authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages that execute whenever a user accesses an injected page.

Product: CubeWP Framework | CVE-2025-8615 | Medium, CVSS 6.4 | 2026-01-17
CVE-2025-14078 - PAYGENT for WooCommerce plugin for WordPress (threat entry updated 2026-01-26)

The PAYGENT for WooCommerce plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 2.4.6. This is due to missing authorization checks on the paygent_check_webhook function combined with the paygent_permission_callback function unconditionally returning true on line 199. This makes it possible for unauthenticated attackers to manipulate payment callbacks and modify order statuses by sending forged payment notifications to the `/wp-json/paygent/v1/check/` endpoint.

Product: WooCommerce for Paygent Payment Main | CVE-2025-14078 | Medium, CVSS 5.3 | 2026-01-17
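A permission callback that returns true makes the webhook route public. As an added example, not code from the PAYGENT plugin or any payment provider, the callback below shows what such a check has to establish before an order is touched: a MAC over the exact body bytes and a timestamp, compared in constant time, with stale timestamps rejected so a captured callback cannot be replayed. The shared secret, header names and notification format are assumptions; a real integration uses whatever signing scheme the provider documents.

```python
"""Added example (not PAYGENT code): a webhook permission check that
authenticates the caller instead of returning true."""
import hashlib
import hmac
import json
import time

WEBHOOK_SECRET = b"constructed-shared-secret"   # assumed; provisioned out of band
MAX_SKEW = 300                                   # seconds of clock drift tolerated

# Constructed sample notification body.
SAMPLE_BODY = b'{"order_id": "1001", "status": "paid"}'


def sign(body: bytes, ts: int, secret: bytes = WEBHOOK_SECRET) -> str:
    # Sender side: MAC over timestamp and body so neither can change alone.
    return hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()


def sample_headers(body: bytes, ts: int) -> dict:
    # What a legitimate sender would attach (header names assumed).
    return {"X-Paygent-Timestamp": str(ts), "X-Paygent-Signature": sign(body, ts)}


def permission_callback_vulnerable(headers: dict, body: bytes) -> bool:
    return True   # the pattern on this page: every caller is "authorized"


def permission_callback(headers: dict, body: bytes, now=None) -> bool:
    now = int(time.time()) if now is None else now
    try:
        ts = int(headers["X-Paygent-Timestamp"])
        sig = headers["X-Paygent-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW:
        return False                      # stale: replay of a captured callback
    expected = sign(body, ts)
    return hmac.compare_digest(expected, sig)   # constant-time comparison


def handle_check(headers: dict, body: bytes, orders: dict, now=None) -> str:
    # Order state changes only after the callback is authenticated.
    if not permission_callback(headers, body, now):
        return "rejected"
    event = json.loads(body)
    orders[event["order_id"]] = event["status"]
    return "ok"
```

Where a provider offers no signature, the fallback is to treat the callback as a hint only and confirm the payment state by calling the provider's API from the server before changing the order.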
CVE-2025-10484 - Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress (threat entry updated 2026-01-26)

The Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.3.1. This is due to the plugin not properly verifying a user's identity before authenticating them via the fma_lwp_set_session_php_fun() function. This makes it possible for unauthenticated attackers to authenticate as any user on the site, including administrators, without a valid password.

Product: Login With Mobile Phone Number For WooCommerce | CVE-2025-10484 | Critical, CVSS 9.8 | 2026-01-17
CVE-2025-14478 - Demo Importer Plus plugin for WordPress (threat entry updated 2026-01-26)

The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity injection (XXE) in all versions up to, and including, 2.0.9, via the SVG file upload functionality. This makes it possible for authenticated attackers with Author-level access and above to achieve code execution in vulnerable configurations. This only affects sites running PHP older than 8.0, where libxml still loads external entities by default.

Product: Demo Importer Plus | CVE-2025-14478 | High, CVSS 7.5 | 2026-01-17
CVE-2025-12129 - CubeWP – All-in-One Dynamic Content Framework plugin for WordPress (threat entry updated 2026-01-26)

The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 1.1.27, via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints, due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password-protected, private, or draft posts that they should not have access to.

Product: All In One Dynamic Content Framework | CVE-2025-12129 | Medium, CVSS 5.3 | 2026-01-17
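The exposure above is a query endpoint that returns whatever post ids the client names. The following added example, which is not CubeWP code, applies the visibility rules on the server side: published posts are readable by anyone, private posts need a capability, drafts are visible to their author or an editor, and password-protected content is withheld until the post has been unlocked. The posts, roles and capability names are constructed stand-ins for the WordPress ones.

```python
"""Added example (not CubeWP code): per-post visibility checks applied to
a REST query endpoint instead of returning every requested id."""
from dataclasses import dataclass, field


@dataclass
class Post:
    id: int
    title: str
    status: str            # "publish", "private" or "draft"
    author: str
    password: str = ""     # non-empty means password-protected
    body: str = ""


# Constructed sample posts.
POSTS = [
    Post(1, "Public post", "publish", "alice", body="hello world"),
    Post(2, "Members only", "publish", "alice", password="s3cret", body="secret body"),
    Post(3, "Board minutes", "private", "bob", body="private body"),
    Post(4, "Unfinished", "draft", "carol", body="draft body"),
]


@dataclass
class Viewer:
    user: str = ""                                # "" means unauthenticated
    caps: set = field(default_factory=set)        # e.g. {"read_private_posts"}
    unlocked: set = field(default_factory=set)    # post ids unlocked by password


def can_view(post: Post, viewer: Viewer) -> bool:
    if post.status == "publish":
        return True
    if post.status == "private":
        return "read_private_posts" in viewer.caps
    if post.status == "draft":
        return viewer.user == post.author or "edit_others_posts" in viewer.caps
    return False


def query_vulnerable(post_ids, viewer=None) -> list:
    # The pattern on this page: every id the client asks for comes back.
    return [{"id": p.id, "body": p.body} for p in POSTS if p.id in post_ids]


def query_hardened(post_ids, viewer: Viewer) -> list:
    out = []
    for p in POSTS:
        if p.id not in post_ids or not can_view(p, viewer):
            continue   # unreadable posts are silently omitted, so ids cannot be enumerated
        # Protected content stays out of the response until the password is supplied.
        body = p.body if (not p.password or p.id in viewer.unlocked) else ""
        out.append({"id": p.id, "body": body, "protected": bool(p.password)})
    return out
```

The same rules must cover every field the endpoint emits (excerpt, meta, custom fields), not only the body; a filter that strips `post_content` but returns `post_excerpt` of a draft still leaks.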
CVE-2026-0833 - Team Section Block plugin for WordPress (threat entry updated 2026-04-15)

The Team Section Block plugin for WordPress is vulnerable to stored cross-site scripting via its block in all versions up to, and including, 2.0.0, due to insufficient input sanitization and output escaping of user-supplied social network link URLs. This makes it possible for authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages that execute whenever a user accesses an injected page.

Product: Team Section | CVE-2026-0833 | Medium, CVSS 6.4 | 2026-01-17
CVE-2026-0808 - Spin Wheel plugin for WordPress (threat entry updated 2026-04-15)

The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated attackers to choose which prize they win by modifying the 'prize_index' parameter sent to the server, so they can always select the most valuable prizes.

Product: Spin Wheel | CVE-2026-0808 | Medium, CVSS 5.3 | 2026-01-17
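The prize entry above is a business-logic flaw rather than an injection: the outcome of the draw comes from the client. The added example below, not Spin Wheel code, shows the server-side shape: a weighted draw from a CSPRNG with weights the server controls, a result recorded under an unguessable spin id, and a redeem step that consults only that record. The prize table and weights are constructed; the `rng` parameter exists so the draw can be tested deterministically.

```python
"""Added example (not Spin Wheel code): server-side weighted prize draw
that ignores anything the client says about the outcome."""
import secrets

# Constructed prize table: (label, weight). Weights need not sum to 100.
PRIZES = [("10% off", 60), ("free shipping", 30), ("$50 gift card", 9), ("laptop", 1)]


def spin_vulnerable(request: dict) -> str:
    # The pattern on this page: the client reports which prize it "landed on".
    return PRIZES[int(request["prize_index"])][0]


def draw_index(prizes=PRIZES, rng=secrets.randbelow) -> int:
    # Weighted draw from a cryptographically secure integer source.
    total = sum(w for _, w in prizes)
    point = rng(total)
    for i, (_, w) in enumerate(prizes):
        if point < w:
            return i
        point -= w
    raise AssertionError("unreachable: point is always below total")


def spin_hardened(request: dict, store: dict, prizes=PRIZES, rng=secrets.randbelow) -> dict:
    # Anything the client sent about the prize is ignored. The outcome is
    # stored under a random spin id that the redeem step checks.
    idx = draw_index(prizes, rng)
    spin_id = secrets.token_urlsafe(16)
    store[spin_id] = prizes[idx][0]
    return {"spin_id": spin_id, "prize": prizes[idx][0]}


def redeem(spin_id: str, claimed_prize: str, store: dict) -> bool:
    # Only the server-side record decides what was won.
    return store.get(spin_id) == claimed_prize
```

Rate-limit spins per user or session as well; a fair draw is still abusable if an unauthenticated client can spin a thousand times to reach the 1% prize.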
CVE-2026-0691 - CM E-Mail Blacklist – Simple email filtering for safer registration plugin for WordPress (threat entry updated 2026-04-15)

The CM E-Mail Blacklist – Simple email filtering for safer registration plugin for WordPress is vulnerable to stored cross-site scripting via the 'black_email' parameter in all versions up to, and including, 1.6.2, due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Administrator-level access and above to inject arbitrary web scripts into pages that execute whenever a user accesses an injected page. This only affects multisite installations and installations where unfiltered_html has been disabled.

Product: CM E-Mail Blacklist – Simple email filtering for safer registration | CVE-2026-0691 | Medium, CVSS 4.4 | 2026-01-17
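Several entries on this page are cross-site scripting through a stored attribute or URL (Team Section's social link URLs, the CubeWP shortcode attributes, the Dynamics 365 and CM E-Mail Blacklist settings) or a reflected parameter (LigeroSmart's TicketID). The added example below, which is not code from any of those projects, shows the two checks such a value needs before it is written into HTML and why escaping alone is not enough for a URL attribute: `javascript:alert(1)` contains no character that escaping would touch. Inputs and the scheme allowlist are constructed.

```python
"""Added example (not code from any plugin on this page): scheme allowlist
plus context-appropriate escaping for a link rendered from stored input."""
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "mailto"}   # assumed policy


def render_link_vulnerable(url: str, label: str) -> str:
    # Raw concatenation: the attribute and the text are both injection points.
    return f'<a href="{url}">{label}</a>'


def safe_link_url(url: str) -> str:
    # urlsplit lowercases the scheme, so JaVaScRiPt: is caught too; a value
    # with no parseable scheme (including "//evil.test") falls back to "#".
    scheme = urlsplit(url.strip()).scheme
    if scheme not in ALLOWED_SCHEMES:
        return "#"
    return url.strip()


def render_link_hardened(url: str, label: str) -> str:
    # quote=True escapes " and ' as well as <, > and &, which is what an
    # attribute context needs; the text node gets the same escaper.
    href = html.escape(safe_link_url(url), quote=True)
    return f'<a href="{href}">{html.escape(label)}</a>'
```

Escaping is per context: the same value landing in a JavaScript string, a CSS property or a URL query needs that context's encoder, not HTML entities; WordPress ships `esc_attr`, `esc_url` and `esc_js` for exactly this split.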
CVE-2025-12984 - Advanced Ads – Ad Manager & AdSense plugin for WordPress (threat entry updated 2026-01-26)

The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to SQL injection via the 'order' parameter in all versions up to, and including, 2.0.15, due to insufficient escaping of the user-supplied parameter and lack of sufficient preparation of the existing SQL query. This makes it possible for authenticated attackers with Administrator-level access and above to append additional SQL queries to existing ones and extract sensitive information from the database.

Product: Advanced Ads | CVE-2025-12984 | Medium, CVSS 4.9 | 2026-01-17
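Two SQL injection shapes recur on this page: a sort parameter spliced into ORDER BY (EasyCMS `_order`, Advanced Ads `order`) and a value concatenated into WHERE (FeMiner wms `Username`, the risesoft authenticate endpoint). The added example below, which is not code from any of those projects, runs both against an in-memory SQLite database with constructed rows. ORDER BY is the interesting one because a placeholder cannot carry a column name, so developers interpolate, and the fix is an allowlist rather than a prepared statement; the payload shows how the row order alone leaks a character of a stored credential. Table, rows and column names are constructed.

```python
"""Added example (not EasyCMS, FeMiner wms, risesoft or Advanced Ads
code): ORDER BY and WHERE injection beside their hardened forms."""
import sqlite3

# Constructed sample rows: (id, name, stored credential).
SAMPLE_ROWS = [(1, "alice", "hash-a"), (2, "admin", "secret-hash"), (3, "bob", "hash-b")]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


# --- Shape 1: sort column interpolated into ORDER BY.

def list_users_vulnerable(conn, order: str) -> list:
    # ORDER BY cannot take a bound placeholder for the column, so the request
    # value is interpolated; any expression the database accepts runs here.
    rows = conn.execute(f"SELECT id, name FROM users ORDER BY {order}").fetchall()
    return [r[1] for r in rows]


ALLOWED_SORT = {"id": "id", "name": "name"}   # request value -> real column


def list_users_hardened(conn, order: str, direction: str = "asc") -> list:
    # Map through an allowlist; the request string itself never reaches SQL.
    column = ALLOWED_SORT.get(order)
    if column is None or direction not in ("asc", "desc"):
        raise ValueError("invalid sort parameter")
    rows = conn.execute(f"SELECT id, name FROM users ORDER BY {column} {direction}").fetchall()
    return [r[1] for r in rows]


def oracle_payload(guess: str) -> str:
    # Boolean-based ORDER BY injection: the sort key depends on a condition,
    # so the order of the returned rows reveals whether the guess is right.
    return ("(CASE WHEN (SELECT substr(pw,1,1) FROM users WHERE name='admin')"
            f"='{guess}' THEN id ELSE name END)")


# --- Shape 2: a login check with the username concatenated into WHERE.

def check_user_vulnerable(conn, username: str, pw: str) -> bool:
    sql = f"SELECT 1 FROM users WHERE name='{username}' AND pw='{pw}'"
    return conn.execute(sql).fetchone() is not None


def check_user_hardened(conn, username: str, pw: str) -> bool:
    # Bound parameters: the driver sends values separately from the query text.
    sql = "SELECT 1 FROM users WHERE name=? AND pw=?"
    return conn.execute(sql, (username, pw)).fetchone() is not None
```

Note that escaping (the fix the Advanced Ads entry says was insufficient) would not help the ORDER BY case at all: the payload above contains no quote that needs escaping until the guessed character, and a numeric payload such as `1, (CASE ...)` contains none.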