Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 1-20 of 1,046 records (severity filter: Critical 1,046; High 0; Medium 0)
Threat Entry Updated 2026-05-29

CVE-2026-4290 - WP Travel Pro Plugin

The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in all versions up to, and including, 10.6.0. This is due to the check_permission() callback unconditionally returning true and the Database::delete() method passing the user ID directly to wp_delete_user() without any role validation. This makes it possible for unauthenticated attackers to delete arbitrary user accounts, including those of administrators.
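The defect is the `permission_callback` itself: WordPress runs the route handler for any caller the callback admits, so a callback that returns `true` makes the endpoint public. The following is an added example, not WP Travel Pro's code; the namespace `example-travel/v1`, the route and every `example_*` function name are hypothetical. It shows the vulnerable shape next to a callback that authorizes the caller, binds the check to the specific target user, and validates the route parameter before the delete handler runs:

```php
<?php
// Added example (not WP Travel Pro's code). Route, namespace and function names are assumptions.

// Vulnerable shape from the advisory: every request is authorized, including anonymous ones.
function example_travel_guide_permission_vulnerable( WP_REST_Request $request ) {
    return true;
}

// Hardened shape: authenticate, then authorize against the concrete target user.
function example_travel_guide_permission_hardened( WP_REST_Request $request ) {
    $target_id = (int) $request['user_id'];

    if ( ! is_user_logged_in() ) {
        // rest_authorization_required_code() is 401 for anonymous callers, 403 otherwise.
        return new WP_Error( 'rest_forbidden', 'Authentication required.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    // 'delete_user' is a meta capability: map_meta_cap() resolves it to delete_users,
    // and to do_not_allow on multisite unless the caller is a super admin.
    if ( ! current_user_can( 'delete_user', $target_id ) ) {
        return new WP_Error( 'rest_forbidden', 'You are not allowed to delete this user.',
            array( 'status' => 403 ) );
    }
    // Explicit role guard: only an administrator may remove another administrator.
    if ( user_can( $target_id, 'manage_options' ) && ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient role to delete an administrator.',
            array( 'status' => 403 ) );
    }
    if ( get_current_user_id() === $target_id ) {
        return new WP_Error( 'rest_forbidden', 'Refusing to delete the requesting account.',
            array( 'status' => 403 ) );
    }
    return true;
}

function example_travel_guide_delete( WP_REST_Request $request ) {
    require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() is defined here
    $target_id = (int) $request['user_id'];
    if ( ! get_userdata( $target_id ) ) {
        return new WP_Error( 'rest_not_found', 'No such user.', array( 'status' => 404 ) );
    }
    $deleted = wp_delete_user( $target_id ); // second argument (reassign content) left null
    return rest_ensure_response( array( 'deleted' => (bool) $deleted, 'user_id' => $target_id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-travel/v1', '/travel-guide/(?P<user_id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_travel_guide_delete',
        // Swap in example_travel_guide_permission_vulnerable to reproduce the bug class.
        'permission_callback' => 'example_travel_guide_permission_hardened',
        'args'                => array(
            'user_id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) { return is_numeric( $value ) && (int) $value > 0; },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );
```

With cookie authentication the REST API only populates the current user when a valid `X-WP-Nonce` header accompanies the request; without it `is_user_logged_in()` is false and the hardened callback answers 401, which is the behaviour an unauthenticated `curl -X DELETE` against the route should produce. Auditing a plugin for this class is mostly grepping `register_rest_route` calls for `'permission_callback' => '__return_true'` or closures that return `true` and asking whether the handler does anything privileged.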

PLUGIN WP Travel Pro

CVE-2026-4290

CRITICAL CVSS 9.1 2026-05-29
Threat Entry Updated 2026-05-29

CVE-2026-3655 - Login With Phone Number Plugin

The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the `lwp_ajax_register` AJAX handler not binding the Firebase session to the phone number supplied in the request. The `idehweb_lwp_activate_through_firebase()` function validates that a Firebase OTP session is legitimate, but the `phoneNumber` returned by Firebase is never compared against the victim's stored phone number. This makes it possible for unauthenticated attackers to authenticate as any user who has a phone number…
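The missing step is a binding check: a Firebase phone session proves that *some* phone number completed OTP verification, and the login code has to confirm that it is the phone number of the account being signed in. The block below is an added example and not the plugin's code; it verifies the client's Firebase ID token server-side through the public Identity Toolkit `accounts:lookup` endpoint (the plugin's own verification path is not shown here), and it assumes the Web API key is stored in the option `example_firebase_api_key` and that each user's number is stored, already normalized, in the user meta key `phone_number`:

```php
<?php
// Added example, not the plugin's own code. Option name, meta key and function names are assumptions.

// Normalize to digits with a leading '+' so "+1 (555) 010-1234" and "+15550101234" compare equal.
function example_normalize_phone( $raw ) {
    $digits = preg_replace( '/[^0-9]/', '', (string) $raw );
    return $digits === '' ? '' : '+' . $digits;
}

// Server-side verification of a Firebase ID token. Returns the phone number Firebase itself
// attests for this token (the "phoneNumber" field of accounts:lookup), or a WP_Error.
function example_firebase_phone_for_token( $id_token ) {
    $api_key  = get_option( 'example_firebase_api_key' );
    $response = wp_remote_post(
        'https://identitytoolkit.googleapis.com/v1/accounts:lookup?key=' . rawurlencode( $api_key ),
        array(
            'headers' => array( 'Content-Type' => 'application/json' ),
            'body'    => wp_json_encode( array( 'idToken' => $id_token ) ),
            'timeout' => 10,
        )
    );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'firebase_lookup_failed', 'Could not verify the Firebase session.' );
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( empty( $data['users'][0]['phoneNumber'] ) ) {
        return new WP_Error( 'firebase_no_phone', 'Firebase session carries no verified phone number.' );
    }
    return $data['users'][0]['phoneNumber'];
}

// Login step. The advisory's bug: a valid Firebase session for any phone number was accepted
// for the user selected by the client-supplied phone number. The hash_equals() below is the
// binding that was missing.
function example_login_with_firebase( $id_token, $requested_phone ) {
    $attested_phone = example_firebase_phone_for_token( $id_token );
    if ( is_wp_error( $attested_phone ) ) {
        return $attested_phone;
    }

    $users = get_users( array(
        'meta_key'   => 'phone_number',
        'meta_value' => example_normalize_phone( $requested_phone ),
        'number'     => 1,
    ) );
    if ( empty( $users ) ) {
        return new WP_Error( 'no_user', 'Unknown account.' );
    }
    $user   = $users[0];
    $stored = example_normalize_phone( get_user_meta( $user->ID, 'phone_number', true ) );

    // Bind the Firebase-verified number to this account's number.
    if ( '' === $stored || ! hash_equals( $stored, example_normalize_phone( $attested_phone ) ) ) {
        return new WP_Error( 'phone_mismatch', 'Firebase session does not belong to this account.' );
    }

    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false, is_ssl() );
    return $user->ID;
}
```

A stricter variant drops `$requested_phone` entirely and looks the account up by the attested number; that removes the client-controlled selector from the flow. Either way the account chosen and the phone Firebase verified must agree before `wp_set_auth_cookie()` runs.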

PLUGIN Login With Phone Number

CVE-2026-3655

CRITICAL CVSS 9.8 2026-05-29
Threat Entry Updated 2026-05-29

CVE-2026-8732 - WP Maps Pro Plugin

The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmp_temp_access_ajax AJAX action being registered with wp_ajax_nopriv_ and protected only by a nonce check using the fc-call-nonce nonce, which is publicly embedded into every frontend page via wp_localize_script as the nonce field of the wpgmp_local JavaScript object, rendering the check ineffective as an access control mechanism. This makes it possible for unauthenticated attackers to invoke the wpgmp_temp_access_support handler with check_temp=false, which…
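A WordPress nonce is a CSRF token, not an authorization decision: `wp_create_nonce()` for a logged-out visitor is minted for user ID 0, so every visitor to a page that localizes it holds a valid one, and `check_ajax_referer()` verifies exactly that. The following added example (not WP Maps Pro's code; the action names, nonce action and script handle are hypothetical) puts the vulnerable registration beside a hardened one that keeps the nonce for CSRF, drops the `wp_ajax_nopriv_` hook, and decides authorization with capabilities:

```php
<?php
// Added example, not WP Maps Pro's code. Action, nonce and handle names are assumptions.

// The privileged operation the advisory describes: create an administrator account.
function example_create_support_admin() {
    return wp_insert_user( array(
        'user_login' => 'support_' . wp_generate_password( 8, false, false ),
        'user_pass'  => wp_generate_password( 32, true, true ),
        'role'       => 'administrator',
    ) );
}

// Vulnerable shape: the nonce is handed to every visitor and the handler is reachable logged out.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'example-maps', plugins_url( 'example-maps.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-maps', 'example_local', array(
        'ajaxurl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example-call-nonce' ), // for a visitor, tied to user ID 0
    ) );
} );

function example_temp_access_vulnerable() {
    check_ajax_referer( 'example-call-nonce', 'nonce' ); // proves the caller saw a page, nothing more
    $user_id = example_create_support_admin();
    wp_send_json( is_wp_error( $user_id )
        ? array( 'error' => $user_id->get_error_message() )
        : array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_example_temp_access', 'example_temp_access_vulnerable' );
add_action( 'wp_ajax_nopriv_example_temp_access', 'example_temp_access_vulnerable' ); // the bug

// Hardened shape: nonce for CSRF, capabilities for authorization, no nopriv registration.
function example_temp_access_hardened() {
    check_ajax_referer( 'example-call-nonce', 'nonce' );
    if ( ! current_user_can( 'create_users' ) || ! current_user_can( 'promote_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $user_id = example_create_support_admin();
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_example_temp_access_hardened', 'example_temp_access_hardened' );
// No wp_ajax_nopriv_ hook: admin-ajax.php answers anonymous calls with "0" and HTTP 400.
```

When reviewing a plugin, every `wp_ajax_nopriv_` registration deserves the question "what would happen if anyone on the internet called this", and any handler whose only guard is `check_ajax_referer()` or `wp_verify_nonce()` answers it badly if the nonce is emitted to logged-out visitors.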

PLUGIN WP Maps Pro

CVE-2026-8732

CRITICAL CVSS 9.8 2026-05-29
Threat Entry Updated 2026-05-29

CVE-2026-8809 - ACF Extended Plugin

The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the after_validate_save_post() function unconditionally trusting the attacker-controlled _acf_post_id POST parameter — with no authentication or integrity verification — to select a cleanup branch that silently discards all validation errors not prefixed with acfe:. This makes it possible for unauthenticated attackers to suppress both the role allow-list validation error added by acfe_field_user_roles::validate_front_value() and the administrator-role capability guard error added by acfe_module_form_action_user::validate_action(), causing…

PLUGIN ACF Extended (Advanced Custom Fields: Extended)

CVE-2026-8809

CRITICAL CVSS 9.8 2026-05-28
Threat Entry Updated 2026-05-29

CVE-2026-38707 - InHand Networks IR302/IR305/IR315/IR615 firmware (IPSec VPN)

A command injection vulnerability exists in the IPSec VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.

UNKNOWN InHand Networks router firmware (not a WordPress component)

CVE-2026-38707

CRITICAL CVSS 9.8 2026-05-28
Threat Entry Updated 2026-05-29

CVE-2026-38704 - InHand Networks IR302/IR305/IR315/IR615 firmware (WireGuard VPN)

A command injection vulnerability exists in the WireGuard VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.

UNKNOWN InHand Networks router firmware (not a WordPress component)

CVE-2026-38704

CRITICAL CVSS 9.8 2026-05-28
Threat Entry Updated 2026-05-29

CVE-2026-38703 - InHand Networks IR302/IR305/IR315/IR615 firmware (ZeroTier VPN)

A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.

UNKNOWN InHand Networks router firmware (not a WordPress component)

CVE-2026-38703

CRITICAL CVSS 9.8 2026-05-28
Threat Entry Updated 2026-05-29

CVE-2026-38702 - InHand Networks IR302/IR305/IR315/IR615 firmware (Admin Access)

A command injection vulnerability exists in the Admin Access feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.

UNKNOWN InHand Networks router firmware (not a WordPress component)

CVE-2026-38702

CRITICAL CVSS 9.8 2026-05-28
Threat Entry Updated 2026-05-27

CVE-2026-42757 - WebinarIgnition Plugin

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Saleswonder Team: Tobias WebinarIgnition webinar-ignition allows Path Traversal. This issue affects WebinarIgnition: from n/a through < 4.08.253.

PLUGIN WebinarIgnition

CVE-2026-42757

CRITICAL CVSS 9.9 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42756 - QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly Plugin

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Ludwig You QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly quickwebp allows Path Traversal. This issue affects QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly: from n/a through

PLUGIN QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly

CVE-2026-42756

CRITICAL CVSS 9.9 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42758 - WebinarIgnition Plugin

Incorrect Privilege Assignment vulnerability in Saleswonder Team: Tobias WebinarIgnition webinar-ignition allows Privilege Escalation. This issue affects WebinarIgnition: from n/a through < 4.08.253.

PLUGIN WebinarIgnition

CVE-2026-42758

CRITICAL CVSS 9.8 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42761 - Active Products Tables for WooCommerce Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 Active Products Tables for WooCommerce profit-products-tables-for-woocommerce allows Blind SQL Injection. This issue affects Active Products Tables for WooCommerce: from n/a through

PLUGIN Active Products Tables for WooCommerce

CVE-2026-42761

CRITICAL CVSS 9.3 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42748 - WPify Woo Czech Plugin

Unrestricted Upload of File with Dangerous Type vulnerability in WPify WPify Woo Czech wpify-woo allows Upload a Web Shell to a Web Server. This issue affects WPify Woo Czech: from n/a through

PLUGIN WPify Woo Czech

CVE-2026-42748

CRITICAL CVSS 9.9 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42755 - TableOn Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 TableOn posts-table-filterable allows Blind SQL Injection. This issue affects TableOn: from n/a through

PLUGIN TableOn

CVE-2026-42755

CRITICAL CVSS 9.3 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42747 - Easy Form Builder Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Blind SQL Injection. This issue affects Easy Form Builder: from n/a through

PLUGIN Easy Form Builder

CVE-2026-42747

CRITICAL CVSS 9.3 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42740 - Tainacan Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in tainacan Tainacan tainacan allows Blind SQL Injection. This issue affects Tainacan: from n/a through

PLUGIN Tainacan

CVE-2026-42740

CRITICAL CVSS 9.3 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42731 - miniorange otp verification Plugin

Incorrect Privilege Assignment vulnerability in miniOrange miniorange otp verification miniorange-otp-verification allows Privilege Escalation. This issue affects miniorange otp verification: from n/a through

PLUGIN miniorange otp verification

CVE-2026-42731

CRITICAL CVSS 9.8 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42727 - Active Products Tables for WooCommerce Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 Active Products Tables for WooCommerce profit-products-tables-for-woocommerce allows Blind SQL Injection. This issue affects Active Products Tables for WooCommerce: from n/a through

PLUGIN Active Products Tables for WooCommerce

CVE-2026-42727

CRITICAL CVSS 9.3 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-8760 - Login with OTP Plugin

The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout check added to `otpl_login_action()` was placed only inside the OTP-generation branch and is never evaluated on the OTP-validation branch, and the generated 6-digit OTP additionally has no expiration. This makes it possible for unauthenticated attackers to brute-force the 900,000-value OTP space for any user account (including administrators) and obtain a valid `wp_set_auth_cookie()` session, leading to full site compromise.
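The two defects compound: a lockout that only runs when a code is generated does nothing against a client that requests one code and then guesses, and a code that never expires gives that client unlimited time. The block below is an added example, not the plugin's code; the transient keys, limits and TTLs are assumptions. It keeps a per-user attempt counter and a fixed expiry inside the stored OTP state and evaluates the lockout on both branches, which is where the advisory says the plugin's check was missing:

```php
<?php
// Added example, not the Login with OTP plugin's code. Keys, limits and TTLs are assumptions.
define( 'EXAMPLE_OTP_TTL', 5 * MINUTE_IN_SECONDS );      // a code dies after this even if unused
define( 'EXAMPLE_OTP_MAX_ATTEMPTS', 5 );                 // wrong guesses before lockout
define( 'EXAMPLE_OTP_LOCKOUT', 15 * MINUTE_IN_SECONDS );

function example_otp_is_locked( $user_id ) {
    return false !== get_transient( 'example_otp_lock_' . $user_id );
}

// Store only a keyed hash: a read of the options table must not yield a usable code.
function example_otp_hash( $otp ) {
    return hash_hmac( 'sha256', $otp, wp_salt( 'auth' ) );
}

// Generation branch. In the advisory's plugin this was the only place the lockout ran.
function example_otp_generate( $user_id ) {
    if ( example_otp_is_locked( $user_id ) ) {
        return new WP_Error( 'otp_locked', 'Too many failed attempts; try again later.' );
    }
    $otp   = str_pad( (string) random_int( 0, 999999 ), 6, '0', STR_PAD_LEFT );
    $state = array(
        'hash'     => example_otp_hash( $otp ),
        'attempts' => 0,
        'expires'  => time() + EXAMPLE_OTP_TTL,
    );
    set_transient( 'example_otp_' . $user_id, $state, EXAMPLE_OTP_TTL );
    return $otp; // handed to the SMS gateway by the caller, never echoed to the browser
}

// Validation branch. This is where a brute force actually lands, so the lockout, the attempt
// counter and the expiry all have to be enforced here as well.
function example_otp_validate( $user_id, $submitted ) {
    if ( example_otp_is_locked( $user_id ) ) {
        return new WP_Error( 'otp_locked', 'Too many failed attempts; try again later.' );
    }
    $key   = 'example_otp_' . $user_id;
    $state = get_transient( $key );
    if ( false === $state || time() > $state['expires'] ) {
        delete_transient( $key );
        return new WP_Error( 'otp_expired', 'No valid code; request a new one.' );
    }

    $state['attempts']++;
    $guess = preg_replace( '/\D/', '', (string) $submitted );
    if ( ! hash_equals( $state['hash'], example_otp_hash( $guess ) ) ) {
        if ( $state['attempts'] >= EXAMPLE_OTP_MAX_ATTEMPTS ) {
            delete_transient( $key );                                      // burn the code
            set_transient( 'example_otp_lock_' . $user_id, 1, EXAMPLE_OTP_LOCKOUT );
            return new WP_Error( 'otp_locked', 'Too many failed attempts; try again later.' );
        }
        // Persist the counter without extending the original expiry.
        set_transient( $key, $state, max( 1, $state['expires'] - time() ) );
        return new WP_Error( 'otp_invalid', 'Incorrect code.' );
    }

    delete_transient( $key ); // single use: a correct code cannot be replayed
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id, false, is_ssl() );
    return true;
}
```

Five attempts per code against a six-digit space leaves a guessing client a success probability on the order of one in two hundred thousand per issued code; pairing the per-user counter with a per-IP limit on code requests keeps an attacker from simply asking for fresh codes to reset the count. A code path that sets `wp_set_auth_cookie()` without a bounded, expiring comparison somewhere before it is the shape to look for when auditing any OTP login plugin.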

PLUGIN Login with OTP

CVE-2026-8760

CRITICAL CVSS 9.8 2026-05-27
Threat Entry Updated 2026-05-26

CVE-2026-42774 - JetEngine Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Crocoblock JetEngine allows SQL Injection. This issue affects JetEngine: from n/a through 3.8.8.1.

PLUGIN JetEngine

CVE-2026-42774

CRITICAL CVSS 9.3 2026-05-25
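Six of the entries above (CVE-2026-42761, CVE-2026-42755, CVE-2026-42747, CVE-2026-42740, CVE-2026-42727 and CVE-2026-42774) are SQL injections in table, filter and form plugins, a class that almost always comes from a request parameter spliced into a `$wpdb` query string. The block below is an added example and not code from any of those plugins; the table join, meta key and parameter names are hypothetical. It shows the vulnerable shape beside the prepared-statement form, including the part `$wpdb->prepare()` cannot do for you, which is the sort column and direction:

```php
<?php
// Added example, not code from any plugin listed on this page. Column, meta key and parameter
// names are assumptions.

// Vulnerable shape: a filter value and a sort column interpolated straight into the SQL.
// A value such as  x' AND SLEEP(5)-- -  for $category turns this into a time-based blind probe.
function example_products_vulnerable( $category, $orderby, $order ) {
    global $wpdb;
    $sql = "SELECT p.ID, p.post_title FROM {$wpdb->posts} p
            JOIN {$wpdb->postmeta} m ON m.post_id = p.ID
            WHERE p.post_type = 'product' AND m.meta_key = '_category' AND m.meta_value = '$category'
            ORDER BY $orderby $order LIMIT 20";
    return $wpdb->get_results( $sql );
}

// Hardened shape: values go through prepare(); identifiers cannot, so they are mapped
// through an allow-list and never copied from the request.
function example_products_hardened( $category, $orderby, $order ) {
    global $wpdb;
    $columns = array(
        'title' => 'p.post_title',
        'date'  => 'p.post_date',
        'id'    => 'p.ID',
    );
    $column    = isset( $columns[ $orderby ] ) ? $columns[ $orderby ] : 'p.post_date';
    $direction = ( 'ASC' === strtoupper( (string) $order ) ) ? 'ASC' : 'DESC';

    $sql = $wpdb->prepare(
        "SELECT p.ID, p.post_title FROM {$wpdb->posts} p
         JOIN {$wpdb->postmeta} m ON m.post_id = p.ID
         WHERE p.post_type = 'product' AND m.meta_key = '_category' AND m.meta_value = %s
         ORDER BY {$column} {$direction} LIMIT %d",
        $category,
        20
    );
    return $wpdb->get_results( $sql );
}
```

`%s` and `%d` cover values; for a `LIKE` pattern the value also needs `$wpdb->esc_like()` before it is passed in, and on WordPress 6.2 and later the `%i` placeholder can quote an identifier, though an allow-list remains the clearer control because it also rejects columns the feature was never meant to sort on. When triaging a "blind SQL injection" advisory for one of these plugins, the first thing to locate is every `$wpdb->get_results`, `get_var`, `get_row` or `query` call whose argument is built with string interpolation rather than `prepare()`.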