Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Database totals: 14,712 entries (Critical: 880; High: 2,932; Medium: 10,703).

Showing 141-160 of 14,712 records.
Threat Entry Updated 2026-05-22

CVE-2026-6960 - BookingPress Appointment Booking Pro Plugin

The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in all versions up to, and including, 5.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability can only be exploited if a signature custom field is added to the booking form.

Plugin: BookingPress Appointment Booking Pro | Severity: CRITICAL | CVSS 9.8 | 2026-05-21
Threat Entry Updated 2026-05-21

CVE-2026-4843 - Gsheet For Woo Importer Plugin

The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the process_ajax_restore_action() function in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's Google Sheets API token and configuration options.

Plugin: Gsheet For Woo Importer | Severity: MEDIUM | CVSS 4.3 | 2026-05-21
Threat Entry Updated 2026-05-21

CVE-2026-5118 - Divi Form Builder Plugin

The Divi Form Builder plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 5.1.2. This is due to the plugin accepting a user-controlled 'role' parameter from POST data during user registration without validating it against the form's configured default_user_role setting. This makes it possible for unauthenticated attackers to create administrator accounts by tampering with the role parameter during registration.

Plugin: Divi Form Builder | Severity: CRITICAL | CVSS 9.8 | 2026-05-21
Threat Entry Updated 2026-05-21

CVE-2026-6279 - Fusion Builder Plugin

The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the `wp_conditional_tags` case in `Fusion_Builder_Conditional_Render_Helper::get_value()` passing attacker-controlled values from a base64-decoded JSON blob directly to `call_user_func()` without any allowlist validation. This is exploitable by unauthenticated attackers through the `fusion_get_widget_markup` AJAX endpoint, which is registered for non-privileged (unauthenticated) users via `wp_ajax_nopriv_fusion_get_widget_markup`. The endpoint is protected only by a nonce (`fusion_load_nonce`), but this nonce is generated for user ID 0 and is deterministically…

Plugin: Fusion Builder | Severity: CRITICAL | CVSS 9.8 | 2026-05-21
Threat Entry Updated 2026-05-21

CVE-2026-1543 - Builder Plugin

The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user (typically an administrator) accesses a page displaying dynamic user data (such as via the Dynamic Data feature pulling user biographical information).

Plugin: Builder | Severity: MEDIUM | CVSS 6.4 | 2026-05-21
Threat Entry Updated 2026-05-21

CVE-2026-4811 - Wpb Floating Menu Or Categories Plugin

The WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Icon CSS Class' category field in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Wpb Floating Menu Or Categories | Severity: MEDIUM | CVSS 4.9 | 2026-05-21
Threat Entry Updated 2026-05-21

CVE-2026-1881 - Broadstreet Plugin

The Broadstreet plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.52.2 via the get_sponsored_meta AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disclose any private post metadata.

Plugin: Broadstreet | Severity: MEDIUM | CVSS 4.3 | 2026-05-21
Threat Entry Updated 2026-05-20

CVE-2026-7613 - Cost Of Goods By Pixelyoursite Plugin

The Cost of Goods by PixelYourSite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csvdata[0][cost_of_goods_value]' parameter in versions up to, and including, 1.2.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Plugin: Cost Of Goods By Pixelyoursite | Severity: HIGH | CVSS 7.2 | 2026-05-20
Threat Entry Updated 2026-05-20

CVE-2026-45443 - Elementor Plugin

Missing Authorization vulnerability in ADD-ONS.ORG PDF for Elementor Forms + Drag And Drop Template Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through 5.5.1.

Plugin: Elementor | Severity: MEDIUM | CVSS 5.0 | 2026-05-20
Threat Entry Updated 2026-05-20

CVE-2026-6728 - Slider Revolution Plugin

The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.0.9 via the 'get_stream_data()' function. This makes it possible for unauthenticated attackers to extract sensitive data including published password-protected post, page, and product content.

Plugin: Slider Revolution | Severity: MEDIUM | CVSS 5.3 | 2026-05-20
Threat Entry Updated 2026-05-20

CVE-2026-6405 - Anomaly Detection And Alerting Plugin

The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in versions up to and including 0.3.6. This is due to missing nonce verification on the settings page handler and insufficient output escaping in the admin_options.php template. The settings form includes no wp_nonce_field() and the handler performs no check_admin_referer() check, meaning any cross-origin POST can modify plugin settings. The API key field is sanitized only with sanitize_text_field(), which strips HTML tags but does not encode double-quote…

Plugin: Anomaly Detection And Alerting | Severity: MEDIUM | CVSS 4.3 | 2026-05-20
Threat Entry Updated 2026-05-20

CVE-2026-5200 - AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress

The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 10.8.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify privileged AcyMailing configuration, export subscriber secret keys, and chain these actions into administrator account takeover when a target administrator email address is known.

Plugin: AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress | Severity: HIGH | CVSS 8.8 | 2026-05-20
Threat Entry Updated 2026-05-20

CVE-2026-7385 - Decent Comments Plugin

The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses.

Plugin: Decent Comments | Severity: MEDIUM | CVSS 5.8 | 2026-05-20
Threat Entry Updated 2026-05-20

CVE-2026-6566 - Nextgen Gallery Plugin

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the permission callback for DELETE /imagely/v1/images/{id} only checks 'NextGEN Manage gallery' permissions and does not enforce gallery ownership or 'NextGEN Manage others gallery' permissions. This makes it possible for authenticated attackers, with Subscriber-level privileges and 'NextGEN Manage gallery' capability, to delete gallery images belonging to other users as well…

Plugin: Nextgen Gallery | Severity: MEDIUM | CVSS 4.3 | 2026-05-20
Threat Entry Updated 2026-05-20

CVE-2026-5776 - Email Encoder Plugin

The Email Encoder WordPress plugin before 2.4.7 does not escape email addresses retrieved via user input, allowing unauthenticated attackers to perform Stored XSS attacks.

Plugin: Email Encoder | Severity: MEDIUM | CVSS 6.1 | 2026-05-20
Threat Entry Updated 2026-05-20

CVE-2026-2955 - AI Chatbot & Workflow Automation by AIWU Plugin

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'X-Forwarded-For' header in versions up to, and including, 1.4.14 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: Practical exploitation is constrained due to a 20-character storage limit.

Plugin: AI Chatbot & Workflow Automation by AIWU | Severity: MEDIUM | CVSS 6.4 | 2026-05-20
Threat Entry Updated 2026-05-20

CVE-2026-7522 - Advanced Database Cleaner – Premium Plugin

The Advanced Database Cleaner – Premium plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.1.0 via the 'template' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

Plugin: Advanced Database Cleaner – Premium | Severity: HIGH | CVSS 8.8 | 2026-05-20
Threat Entry Updated 2026-05-20

CVE-2026-5075 - All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

The All in One SEO plugin for WordPress is vulnerable to Sensitive Information Exposure via 'internalOptions' localized script data in versions up to, and including, 4.9.7 due to sensitive internal option data being passed to wp_localize_script() in post editor contexts without effective masking for low-privilege users. This makes it possible for authenticated attackers, with contributor-level access and above, to view configured API/OAuth tokens and license-related values from page source.

Plugin: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic | Severity: MEDIUM | CVSS 4.3 | 2026-05-20
Threat Entry Updated 2026-05-20

CVE-2026-9010 - Boost Plugin

The Boost plugin for WordPress is vulnerable to time-based SQL Injection via the 'current_url' and 'user_name' parameters in versions up to, and including, 2.0.3 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL queries. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Plugin: Boost | Severity: HIGH | CVSS 7.5 | 2026-05-20
Threat Entry Updated 2026-05-20

CVE-2026-7637 - Boost Plugin

The Boost plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.0.3 via deserialization of untrusted input in the STYXKEY-BOOST_USER_LOCATION cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow…

Plugin: Boost | Severity: CRITICAL | CVSS 9.8 | 2026-05-20