Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Filter: severity = Critical (1,046 records; High 0, Medium 0). Showing 61-80 of 1,046 records.
Threat Entry Updated 2026-04-24

CVE-2026-39619 - Busiprof Plugin

Cross-Site Request Forgery (CSRF) vulnerability in Busiprof (vendor priyanshumittal, slug busiprof) that lets an attacker upload a web shell to the web server by forging a request on behalf of an authenticated user. This issue affects Busiprof: from n/a through

PLUGIN Busiprof

CVE-2026-39619

CRITICAL CVSS 9.6 2026-04-08
Threat Entry Updated 2026-04-24

CVE-2026-39617 - Bluestreet Plugin

Cross-Site Request Forgery (CSRF) vulnerability in Bluestreet (vendor priyanshumittal, slug bluestreet). This issue affects Bluestreet: from n/a through

PLUGIN Bluestreet

CVE-2026-39617

CRITICAL CVSS 9.6 2026-04-08
Threat Entry Updated 2026-04-27

CVE-2026-3535 - DSGVO Google Web Fonts GDPR Plugin

The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the `DSGVOGWPdownloadGoogleFonts()` function in all versions up to, and including, 1.1. The function is exposed via a `wp_ajax_nopriv_` hook, requiring no authentication. It fetches a user-supplied URL as a CSS file, extracts URLs from its content, and downloads those files to a publicly accessible directory without validating the file type. This makes it possible for unauthenticated attackers to upload arbitrary files including PHP webshells, leading to remote code…

PLUGIN DSGVO Google Web Fonts GDPR

CVE-2026-3535

CRITICAL CVSS 9.8 2026-04-08
Threat Entry Updated 2026-04-27

CVE-2026-4003 - Users manager – PN Plugin (userspn)

The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspn_ajax_nopriv_server() function within the 'userspn_form_save' case. The conditional only blocks unauthenticated users when the user_id is empty, but when a non-empty user_id is supplied, execution bypasses this check entirely and proceeds to update arbitrary user meta via update_user_meta() without any authentication or authorization verification. Additionally, the nonce required for this AJAX endpoint ('userspn-nonce')…

PLUGIN Userspn

CVE-2026-4003

CRITICAL CVSS 9.8 2026-04-08
Threat Entry Updated 2026-04-27

CVE-2026-3296 - Everest Forms Plugin

The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms form field. The payload survives sanitize_text_field() sanitization (serialization control characters are not stripped) and is stored in the wp_evf_entrymeta database table.…
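The sanitization bypass described above, as an added Python example that is not Everest Forms code: a stand-in for sanitize_text_field() (an approximation, not WordPress's implementation) leaves a serialized-object payload intact, so the example adds a check that flags serialized PHP objects before a form value is stored. The sample submissions are constructed and store_entry_meta() is a hypothetical helper; the complementary server-side fix, calling unserialize() with allowed_classes => false, is only noted in a comment.

```python
# Added example (not Everest Forms code): why a sanitize_text_field()-style
# filter leaves a PHP serialized-object payload intact, and a check that
# flags such payloads before they are stored and later unserialize()'d.
import re


def sanitize_text_field_like(value: str) -> str:
    """Approximation (an assumption, not WordPress's code) of what
    sanitize_text_field() does: drop NUL, strip tags, drop control octets,
    collapse whitespace, trim, remove percent-encoded octets. None of the
    serialization syntax characters (: ; { } ") is touched."""
    value = value.replace("\x00", "")
    if "<" in value:
        value = re.sub(r"<[^>]*>", "", value)
    value = "".join(ch for ch in value if ch >= " ")
    value = re.sub(r"[\r\n\t ]+", " ", value).strip()
    while re.search(r"%[a-fA-F0-9]{2}", value):
        value = re.sub(r"%[a-fA-F0-9]{2}", "", value)
    return value


# A value unserialize() would accept starts with a type tag ...
SERIALIZED_PREFIX = re.compile(r"^(?:[aOCsidb]:|N;)")
# ... and carries an object if an O: or C: token with a class name and a
# member count appears anywhere, including nested inside an array (a:).
OBJECT_TOKEN = re.compile(r'(?<!\w)[OC]:\d+:"[^"]+":\d+:\{')


def is_php_object_payload(value: str) -> bool:
    """True when the submitted value is a serialized PHP structure that would
    instantiate a class on unserialize()."""
    return bool(SERIALIZED_PREFIX.match(value) and OBJECT_TOKEN.search(value))


def store_entry_meta(value: str) -> str:
    """Hypothetical gate for a form handler: sanitize as the plugin does, then
    refuse anything that still looks like an object payload. The read side
    should additionally call unserialize($v, ['allowed_classes' => false])."""
    clean = sanitize_text_field_like(value)
    if is_php_object_payload(clean):
        raise ValueError("serialized PHP object in form field rejected")
    return clean


# Constructed sample submissions.
BENIGN = "Jane Doe <jane@example.com>"
PAYLOAD = 'O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}'   # direct object
NESTED = 'a:1:{i:0;O:8:"stdClass":0:{}}'             # object nested in an array
PLAIN_ARRAY = 'a:1:{i:0;s:3:"foo";}'                 # serialized, but no object

if __name__ == "__main__":
    print("payload survives sanitization:", sanitize_text_field_like(PAYLOAD) == PAYLOAD)
    for sample in (BENIGN, PAYLOAD, NESTED, PLAIN_ARRAY):
        print(repr(sample), "->", is_php_object_payload(sample))
```

The prefix check matters: a stray `O:8:"…"` in the middle of ordinary text is not a deserialization risk, because unserialize() fails on it, whereas a well-formed array that merely contains an object is.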

PLUGIN Everest Forms

CVE-2026-3296

CRITICAL CVSS 9.8 2026-04-08
Threat Entry Updated 2026-04-27

CVE-2026-0740 - Ninja Forms File Uploads Plugin

The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. Note: The vulnerability was partially patched in version 3.3.25 and fully patched in version 3.3.27.
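Both upload flaws above, the DSGVO Google Web Fonts GDPR download of URLs found in remote CSS (CVE-2026-3535) and the Ninja Forms File Uploads handler (CVE-2026-0740), come down to missing file-type validation. The Python below is an added example, not code from either plugin: an extension allowlist backed by a magic-byte check, plus, for the CSS case, a host allowlist applied before anything is fetched. The allowed hosts, the extension tables, the sample CSS and the sample file headers are assumptions constructed for the example.

```python
# Added example (not code from DSGVO Google Web Fonts GDPR or Ninja Forms
# File Uploads): file-type validation for a file fetched from a URL found in
# remote CSS and for a file received as a form upload. Extension allowlist
# plus magic-byte check; the host allowlist below is an assumption.
import re
from urllib.parse import urlparse

# extension -> leading bytes the content must start with
FONT_MAGIC = {
    "woff": [b"wOFF"],
    "woff2": [b"wOF2"],
    "ttf": [b"\x00\x01\x00\x00", b"true"],
    "otf": [b"OTTO"],
}
UPLOAD_MAGIC = {
    **FONT_MAGIC,
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
}
# Hosts that may serve font files (assumed allowlist for Google Fonts).
ALLOWED_FONT_HOSTS = {"fonts.gstatic.com", "fonts.googleapis.com"}

CSS_URL_RE = re.compile(r"""url\(\s*['"]?([^'")]+)['"]?\s*\)""")


def extract_font_urls(css_text: str) -> list[str]:
    """Return only url() targets that are https, on an allowed host and carry
    a font extension. Anything else planted in attacker-supplied CSS
    (https://evil.example/shell.php, an x.php on an allowed host, plain http)
    is dropped before any download happens."""
    safe = []
    for raw in CSS_URL_RE.findall(css_text):
        url = raw.strip()
        parts = urlparse(url)
        if parts.scheme != "https" or parts.netloc.lower() not in ALLOWED_FONT_HOSTS:
            continue
        ext = parts.path.rsplit(".", 1)[-1].lower() if "." in parts.path else ""
        if ext in FONT_MAGIC:
            safe.append(url)
    return safe


def content_matches_extension(ext: str, head: bytes, table=UPLOAD_MAGIC) -> bool:
    """The claimed extension must be allowlisted and the first bytes must match it."""
    return ext in table and any(head.startswith(m) for m in table[ext])


def is_safe_upload(filename: str, head: bytes) -> bool:
    """Accept an upload only if it has exactly one allowlisted extension and
    its leading bytes agree with it. Rejects shell.php, shell.php.png
    (double extension) and PHP source renamed to .png."""
    name = re.split(r"[\\/]", filename)[-1].lower()   # drop any path component
    parts = name.split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    return content_matches_extension(parts[1], head)


def validate_fetched_font(url: str, head: bytes) -> bool:
    """Second check after download: the bytes must still be the font type the
    URL's extension claimed, otherwise the response is discarded."""
    ext = urlparse(url).path.rsplit(".", 1)[-1].lower()
    return content_matches_extension(ext, head, FONT_MAGIC)


# Constructed CSS as an attacker-controlled stylesheet might look.
SAMPLE_CSS = (
    "@font-face{src:url(https://fonts.gstatic.com/s/roboto.woff2) format('woff2');}"
    "@import url('https://evil.example/shell.php');"
    "x{background:url(https://fonts.gstatic.com/s/x.php)}"
    "y{src:url(http://fonts.gstatic.com/s/y.ttf)}"
)

if __name__ == "__main__":
    print(extract_font_urls(SAMPLE_CSS))
    print(is_safe_upload("logo.png", b"\x89PNG\r\n\x1a\n"), is_safe_upload("shell.php.png", b"\x89PNG\r\n\x1a\n"))
```

Whatever passes these checks should still be written under a server-generated name into a directory where the web server does not execute scripts; content checks reduce, but do not remove, the risk of a polyglot file.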

PLUGIN Ninja Forms File Uploads

CVE-2026-0740

CRITICAL CVSS 9.8 2026-04-07
Threat Entry Updated 2026-04-24

CVE-2026-3300 - Everest Forms Pro Plugin

The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. This is due to the Calculation Addon's process_filter() function concatenating user-submitted form field values into a PHP code string without proper escaping before passing it to eval(). The sanitize_text_field() function applied to input does not escape single quotes or other PHP code context characters. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code on the server by submitting a crafted…
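The eval() concatenation described above, modelled as an added Python example (not Everest Forms Pro code): unsafe_calc() builds source text from raw field values the way the advisory describes and eval()s it, so a value carrying a quote escapes the string literal and runs arbitrary code; safe_calc() shows the fix, which is to coerce submitted values to numbers and evaluate the admin's formula over a restricted AST so no user input ever becomes source text. The formula syntax, field names and INJECTED payload are constructed for the example.

```python
# Added example (not Everest Forms Pro code): the Calculation Addon bug
# modelled in Python. unsafe_calc() splices raw submitted values into source
# text and eval()s it, so a single quote in a value breaks out of the string
# literal; safe_calc() never builds code at all.
import ast
import operator
import re


def unsafe_calc(formula: str, fields: dict) -> float:
    """Vulnerable pattern: each {field} placeholder becomes float('<raw value>')
    by string concatenation and the result is eval()'d. Deliberately insecure."""
    src = formula
    for name, value in fields.items():
        src = src.replace("{" + name + "}", "float('" + str(value) + "')")
    return eval(src)  # attacker-controlled source text


# Only these operators may appear in an admin-authored formula.
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNOPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def safe_calc(formula: str, fields: dict) -> float:
    """Coerce every submitted value to a number first (a quote-bearing payload
    fails right here), then evaluate the formula by walking its AST and
    allowing only numeric literals, field names and + - * /. No source text
    is ever assembled from user input."""
    values = {name: float(v) for name, v in fields.items()}
    expr = re.sub(r"\{(\w+)\}", r"\1", formula)   # {qty} -> qty
    tree = ast.parse(expr, mode="eval")

    def ev(node):
        if isinstance(node, ast.Expression):
            return ev(node.body)
        if (isinstance(node, ast.Constant) and isinstance(node.value, (int, float))
                and not isinstance(node.value, bool)):
            return float(node.value)
        if isinstance(node, ast.Name):
            if node.id not in values:
                raise ValueError("unknown field: " + node.id)
            return values[node.id]
        if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
            return _BINOPS[type(node.op)](ev(node.left), ev(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNOPS:
            return _UNOPS[type(node.op)](ev(node.operand))
        raise ValueError("disallowed syntax: " + type(node).__name__)

    return ev(tree)


# Constructed breakout payload submitted in a field that should hold a number.
# In unsafe_calc it yields float('1') + len('injected') + float('1') * 2,
# i.e. an arbitrary function call (len) executes inside the formula.
INJECTED = "1') + len('injected') + float('1"

if __name__ == "__main__":
    print(unsafe_calc("{qty} * 2", {"qty": "21"}))
    print(unsafe_calc("{qty} * 2", {"qty": INJECTED}))   # len() ran
    print(safe_calc("{qty} * 2 + {fee}", {"qty": "21", "fee": "0.5"}))
```

The same separation applies in PHP: cast each field with floatval() and evaluate the formula with a small expression parser, rather than escaping quotes before eval(), since escaping is exactly what sanitize_text_field() was assumed to do and did not.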

PLUGIN Everest Forms

CVE-2026-3300

CRITICAL CVSS 9.8 2026-03-31
Threat Entry Updated 2026-04-24

CVE-2026-4257 - Contact Form By Supsystic Plugin

The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in all versions up to, and including, 1.7.36. This is due to the plugin rendering templates with Twig through the `Twig_Loader_String` loader without a sandbox, combined with the `cfsPreFill` prefill functionality that allows unauthenticated users to inject arbitrary Twig expressions into form field values via GET parameters. This makes it possible for unauthenticated attackers to execute arbitrary PHP functions and OS commands on the server by leveraging Twig's `registerUndefinedFilterCallback()` method to register…
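For the SSTI route above, an added Python example (not Contact Form by Supsystic code) that a responder could run over access logs: it parses combined-format lines, decodes each GET parameter, and flags values containing Twig delimiters or the registerUndefinedFilterCallback name, including double-percent-encoded forms. The log lines are constructed; the cfsPreFill parameter name is the one the advisory mentions, and the combined log format is an assumption.

```python
# Added example (not Contact Form by Supsystic code): find Twig template
# syntax arriving in GET parameters by scanning access-log lines. The log
# lines are constructed; the combined log format is an assumption.
import re
from urllib.parse import urlparse, parse_qsl, unquote

# Combined log format: ip ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Twig expression / statement delimiters, plus the method named in the advisory.
TWIG_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|registerUndefinedFilterCallback", re.S)


def find_ssti_attempts(log_lines):
    """Return (ip, timestamp, parameter, decoded value) for every query
    parameter whose value contains Twig syntax after one or two rounds of
    percent-decoding, so %257B%257B (double-encoded '{{') is caught too."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlparse(m["target"]).query
        # parse_qsl already decodes once; unquote() gives the second round.
        for key, value in parse_qsl(query, keep_blank_values=True):
            candidates = (value, unquote(value))
            if any(TWIG_RE.search(c) for c in candidates):
                hits.append((m["ip"], m["ts"], key, unquote(value)))
    return hits


# Constructed sample log: a normal prefill, the classic {{7*7}} probe, a
# double-encoded value naming the Twig method, and an unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/Mar/2026:10:01:02 +0000] "GET /contact/?cfsPreFill[name]=Alice HTTP/1.1" 200 5120',
    '203.0.113.7 - - [30/Mar/2026:10:01:09 +0000] "GET /contact/?cfsPreFill[name]=%7B%7B7*7%7D%7D HTTP/1.1" 200 5133',
    '203.0.113.7 - - [30/Mar/2026:10:01:15 +0000] "GET /contact/?cfsPreFill[email]=%257B%257B_self.env.registerUndefinedFilterCallback%257D%257D HTTP/1.1" 200 5201',
    '198.51.100.2 - - [30/Mar/2026:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, ts, key, value in find_ssti_attempts(SAMPLE_LOG):
        print(f"{ts} {ip} {key}={value!r}")
```

A 200 response on the probe line is not proof of exploitation; the next step is to confirm in the page body, or in the plugin's own records, whether the prefilled value was rendered as a template (for `{{7*7}}`, whether the form showed 49).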

PLUGIN Contact Form By Supsystic

CVE-2026-4257

CRITICAL CVSS 9.8 2026-03-30
Threat Entry Updated 2026-04-24

CVE-2026-4484 - Masteriyo LMS Plugin (learning-management-system)

The Masteriyo LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.6. This is due to the plugin allowing a user to update the user role through the 'InstructorsController::prepare_object_for_database' function. This makes it possible for authenticated attackers, with Student-level access and above, to elevate their privileges to that of an administrator.
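The two authorization faults above, the Users manager – PN conditional that only blocks anonymous callers when user_id is empty (CVE-2026-4003) and the Masteriyo LMS role update accepted from any Student (CVE-2026-4484), are modelled in the added Python below, which is not either plugin's code. vulnerable_save() reproduces the described logic; hardened_save() rejects anonymous callers first, binds the target user to the caller unless an edit-users capability is held, and strips role-type fields from the request. The User records, request dicts and PRIVILEGED_FIELDS set are constructed for the example.

```python
# Added example (not code from Users manager – PN or Masteriyo LMS): the two
# authorization mistakes on this page modelled in Python so they run
# stand-alone. User records and request dicts are constructed.
from dataclasses import dataclass


@dataclass
class User:
    id: int
    role: str
    logged_in: bool = True


ANON = User(id=0, role="", logged_in=False)
# Fields that must never be taken from a self-service form.
PRIVILEGED_FIELDS = {"role", "capabilities", "user_level"}


def vulnerable_save(current: User, post: dict, users: dict) -> str:
    """The check as the first advisory describes it: an anonymous caller is
    rejected only when user_id is empty, so supplying any user_id bypasses
    the gate and every posted key is written to that user, role included
    (which is also the second advisory's role-update problem)."""
    user_id = post.get("user_id", "")
    if not current.logged_in and user_id == "":
        return "denied"
    target = users[int(user_id)] if user_id else users[current.id]
    for key, value in post.items():
        if key != "user_id":
            setattr(target, key, value)      # arbitrary meta, incl. role
    return "saved"


def hardened_save(current: User, post: dict, users: dict, can_edit_users: bool = False) -> str:
    """Order matters: reject anonymous callers unconditionally, then bind the
    target to the caller unless they hold an edit-users capability, and drop
    privileged fields from the request for anyone who cannot promote users."""
    if not current.logged_in:
        return "denied"
    user_id = post.get("user_id", "")
    target_id = int(user_id) if user_id else current.id
    if target_id != current.id and not can_edit_users:
        return "denied"
    target = users[target_id]
    for key, value in post.items():
        if key == "user_id" or (key in PRIVILEGED_FIELDS and not can_edit_users):
            continue
        setattr(target, key, value)
    return "saved"


def fresh_users() -> dict:
    """Constructed user table: one administrator, one student."""
    return {1: User(1, "administrator"), 7: User(7, "student")}


if __name__ == "__main__":
    users = fresh_users()
    print(vulnerable_save(ANON, {"user_id": "7", "role": "administrator"}, users), users[7].role)
    users = fresh_users()
    print(hardened_save(ANON, {"user_id": "7", "role": "administrator"}, users), users[7].role)
    print(hardened_save(users[7], {"role": "administrator", "display_name": "S"}, users), users[7].role)
```

In the WordPress handler itself the same ordering maps to check_ajax_referer() for the nonce, is_user_logged_in() before any user_id is read, and current_user_can('edit_users') or current_user_can('promote_users') before a role may change.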

PLUGIN Learning Management System

CVE-2026-4484

CRITICAL CVSS 9.8 2026-03-26
Threat Entry Updated 2026-04-24

CVE-2026-32573 - Nelio AB Testing Plugin

Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio AB Testing (vendor Nelio Software, slug nelio-ab-testing) allows code injection. This issue affects Nelio AB Testing: from n/a through

PLUGIN Nelio AB Testing

CVE-2026-32573

CRITICAL CVSS 9.1 2026-03-25
Threat Entry Updated 2026-04-24

CVE-2026-32536 - Green Downloads Plugin

Unrestricted Upload of File with Dangerous Type vulnerability in Green Downloads (vendor halfdata, slug halfdata-paypal-green-downloads) allows an attacker to upload and use malicious files. This issue affects Green Downloads: from n/a through

PLUGIN Green Downloads

CVE-2026-32536

CRITICAL CVSS 9.9 2026-03-25
Threat Entry Updated 2026-04-24

CVE-2026-32539 - PublishPress Revisions Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PublishPress Revisions (vendor PublishPress, slug revisionary) allows blind SQL injection. This issue affects PublishPress Revisions: from n/a through

PLUGIN PublishPress Revisions

CVE-2026-32539

CRITICAL CVSS 9.3 2026-03-25
Threat Entry Updated 2026-04-24

CVE-2026-32525 - JetFormBuilder Plugin

Improper Control of Generation of Code ('Code Injection') vulnerability in JetFormBuilder (vendor jetmonsters, slug jetformbuilder) allows code injection. This issue affects JetFormBuilder: from n/a through

PLUGIN JetFormBuilder

CVE-2026-32525

CRITICAL CVSS 9.9 2026-03-25
Threat Entry Updated 2026-04-24

CVE-2026-32523 - WPJAM Basic Plugin

Unrestricted Upload of File with Dangerous Type vulnerability in WPJAM Basic (vendor denishua, slug wpjam-basic) allows an attacker to upload and use malicious files. This issue affects WPJAM Basic: from n/a through

PLUGIN WPJAM Basic

CVE-2026-32523

CRITICAL CVSS 9.9 2026-03-25
Threat Entry Updated 2026-04-24

CVE-2026-32524 - Photo Engine Plugin

Unrestricted Upload of File with Dangerous Type vulnerability in Photo Engine (vendor Jordy Meow, slug wplr-sync) allows an attacker to upload a web shell to the web server. This issue affects Photo Engine: from n/a through

PLUGIN Photo Engine

CVE-2026-32524

CRITICAL CVSS 9.1 2026-03-25
Threat Entry Updated 2026-04-24

CVE-2026-32520 - RewardsWP Plugin

Incorrect Privilege Assignment vulnerability in RewardsWP (vendor Andrew Munro / AffiliateWP, slug rewardswp) allows privilege escalation. This issue affects RewardsWP: from n/a through

PLUGIN RewardsWP

CVE-2026-32520

CRITICAL CVSS 9.8 2026-03-25
Threat Entry Updated 2026-04-24

CVE-2026-32519 - Bit SMTP Plugin

Incorrect Privilege Assignment vulnerability in Bit SMTP (vendor Bit Apps, slug bit-smtp) allows privilege escalation. This issue affects Bit SMTP: from n/a through

PLUGIN Bit SMTP

CVE-2026-32519

CRITICAL CVSS 9.0 2026-03-25
Threat Entry Updated 2026-04-24

CVE-2026-32512 - Pelicula Theme

Deserialization of Untrusted Data vulnerability in the Pelicula theme (vendor Edge-Themes, slug pelicula-video-production-and-movie-theme) allows PHP object injection. This issue affects Pelicula: from n/a through < 1.10.

THEME Pelicula

CVE-2026-32512

CRITICAL CVSS 9.8 2026-03-25
Threat Entry Updated 2026-04-24

CVE-2026-32502 - Borgholm Theme

Deserialization of Untrusted Data vulnerability in the Borgholm theme (vendor Select-Themes, slug borgholm-marketing-agency-theme) allows PHP object injection. This issue affects Borgholm: from n/a through < 1.6.

THEME Borgholm

CVE-2026-32502

CRITICAL CVSS 9.8 2026-03-25
Threat Entry Updated 2026-04-24

CVE-2026-32499 - ChatBot Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ChatBot (vendor QuantumCloud, slug chatbot) allows blind SQL injection. This issue affects ChatBot: from n/a through

PLUGIN ChatBot

CVE-2026-32499

CRITICAL CVSS 9.3 2026-03-25