Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3,625 | Critical: 0 | High: 3,625 | Medium: 0
Showing 1-20 of 3625 records
Threat Entry Updated 2026-05-30

CVE-2026-7465 - Ultimate Addons For Gutenberg Plugin

The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.19.25. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. Exploitation requires a two-block payload embedded in post content: the first block registers a fake uagb/-prefixed block type with an attacker-specified render_callback, and the second block of the same fake type triggers invocation of that callback via call_user_func() during sequential block rendering in the…

PLUGIN Ultimate Addons For Gutenberg

CVE-2026-7465

HIGH CVSS 8.8 2026-05-30
Threat Entry Updated 2026-05-30

CVE-2026-9757 - Geo My Wp Plugin

The GEO my WP plugin for WordPress is vulnerable to SQL Injection via the 'swlatlng' and 'nelatlng' parameters in all versions up to, and including, 4.5.5. The parameters are read from $_SERVER['QUERY_STRING'] via parse_str() (bypassing WordPress's wp_magic_quotes protection, which only covers $_POST/$_GET/$_COOKIE/$_REQUEST), then each is split on ',' via explode() and the resulting fragments are interpolated directly into a SQL BETWEEN clause in gmw_get_locations_within_boundaries_sql() without is_numeric() validation, (float) casting, esc_sql(), or $wpdb->prepare(). This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can…

PLUGIN Geo My Wp

CVE-2026-9757

HIGH CVSS 7.5 2026-05-30
Threat Entry Updated 2026-05-30

CVE-2026-7459 - Simple History Plugin

The Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to authenticated (Subscriber+) account takeover in all versions up to, and including, 5.26.0 via the event reaction endpoints (react_to_event() / unreact_to_event()). The endpoints register get_items_permissions_check() as their permission_callback, which only verifies the requester is logged in and does not enforce the per-logger capability checks normally applied by Log_Query. As a result, a Subscriber-level user can POST to /wp-json/simple-history/v1/events//react with the _fields=context query parameter and read the full context of any Simple History event — including…

PLUGIN Simple History

CVE-2026-7459

HIGH CVSS 7.5 2026-05-30
Threat Entry Updated 2026-05-29

CVE-2026-6075 - Media Library Assistant Plugin

The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.35. This is due to missing nonce verification on the bulk action handlers in the settings tab handlers. This makes it possible for unauthenticated attackers to trick an administrator into performing bulk delete, edit, or purge operations on plugin settings and attachment metadata via a forged request.

PLUGIN Media Library Assistant

CVE-2026-6075

HIGH CVSS 8.1 2026-05-29
Threat Entry Updated 2026-05-28

CVE-2026-6226 - Acf Frontend Form Element Plugin

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to and including 3.29.2. This is due to insecure form submission handling that accepts arbitrary form definitions from user input instead of securely loading them from the backend. When $_POST['_acf_form'] is an array (rather than a form ID), the validate_form() function bypasses database lookup and directly processes the attacker-controlled structure. The create_record() function preserves attacker-supplied record data if present, and the user action's run() function falls back to attacker-controlled field definitions from $form['fields']…

PLUGIN Acf Frontend Form Element

CVE-2026-6226

HIGH CVSS 8.8 2026-05-28
Threat Entry Updated 2026-05-28

CVE-2026-9227 - Gutenberg Blocks Plugin

The GutenBee – Gutenberg Blocks plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.20.1 via the gutenbee_file_and_ext_json function. This is due to a flawed strpos() substring check that only verifies whether the filename contains the string '.json' rather than confirming the filename ends with a .json extension, allowing double-extension filenames like shell.json.php to bypass validation. This makes it possible for authenticated attackers, with author-level access and above, to upload files that may be executable, which makes remote code execution possible.

PLUGIN Gutenberg Blocks

CVE-2026-9227

HIGH CVSS 8.8 2026-05-28
Threat Entry Updated 2026-05-28

CVE-2026-7862 - Eupago Gateway For Woocommerce Plugin

The Eupago Gateway For Woocommerce WordPress plugin before 4.7.2 does not properly restrict access to its refund request handler, allowing unauthenticated attackers to initiate refunds against any WooCommerce order using the merchant's payment gateway credentials, and for applicable payment methods, to redirect refunded funds to an attacker-controlled bank account.

PLUGIN Eupago Gateway For Woocommerce

CVE-2026-7862

HIGH CVSS 8.6 2026-05-28
Threat Entry Updated 2026-05-28

CVE-2026-7797 - Simply Schedule Appointments Plugin

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'append_where_sql' parameter in all versions up to, and including, 1.6.11.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The /appointments/bulk REST endpoint is reachable by unauthenticated attackers because its permission…

PLUGIN Simply Schedule Appointments

CVE-2026-7797

HIGH CVSS 7.5 2026-05-28
Threat Entry Updated 2026-05-28

CVE-2026-6455 - Wp Contact Form 7 Db Handler Plugin

The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Deletion via SQL Injection and PHP Object Injection in versions up to and including 3.0. This is due to missing nonce verification in the process_bulk_action() function: the nonce check is only executed when _wpnonce is present in the POST body, so it can be trivially bypassed by omitting the field, combined with the use of an unsanitized, unparameterized user-supplied value in a numeric SQL context (WHERE ID = $ID)…

PLUGIN Wp Contact Form 7 Db Handler

CVE-2026-6455

HIGH CVSS 8.1 2026-05-28
Threat Entry Updated 2026-05-28

CVE-2026-7634 - Wp Slimstat Plugin

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'User-Agent' header in all versions up to, and including, 5.4.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The show_complete_user_agent_tooltip setting must be explicitly enabled by an administrator (disabled by default) for the stored payload to be rendered and executed.

PLUGIN Wp Slimstat

CVE-2026-7634

HIGH CVSS 7.2 2026-05-28
Threat Entry Updated 2026-05-28

CVE-2026-7052 - Ht Contactform Plugin

The HT Contact Form – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'file_upload' parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the 'Store Submissions' setting to be enabled, as this controls whether unsanitized field values are persisted to the database and subsequently rendered via…

PLUGIN Ht Contactform

CVE-2026-7052

HIGH CVSS 7.2 2026-05-28
Threat Entry Updated 2026-05-28

CVE-2026-9009 - Crawlomatic Multipage Scraper Post Generator Plugin

The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.7.2 via the filter_content function. This is due to passing the attacker-supplied 'callback_raw' shortcode attribute directly into call_user_func() with no sanitization or allowlist validation, relying solely on an is_callable() check that permits dangerous PHP built-ins such as system, shell_exec, exec, passthru, and assert. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. An identical sink exists for the 'callback'…

PLUGIN Crawlomatic Multipage Scraper Post Generator

CVE-2026-9009

HIGH CVSS 8.8 2026-05-28
Threat Entry Updated 2026-05-28

CVE-2026-7802 - Acf Frontend Form Element Plugin

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.29.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite an administrator's user_pass, user_email, first_name, last_name, and other profile fields by supplying an arbitrary ?user_id= value, enabling full administrator account takeover via direct password replacement or email-redirect password reset. Exploitation requires the targeted Edit-User form to have…

PLUGIN Acf Frontend Form Element

CVE-2026-7802

HIGH CVSS 8.8 2026-05-28
Threat Entry Updated 2026-05-28

CVE-2026-2374 - Login Recaptcha Plugin

The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `$_SERVER['PHP_SELF']` superglobal in all versions up to, and including, 1.8.0. This is due to the `authenticate()` function storing the unsanitized output of `basename($_SERVER['PHP_SELF'])` in the `login_nocaptcha_error` WordPress option when a login attempt is made from a non-standard login page (e.g., xmlrpc.php). The `admin_notices()` function then echoes this stored value directly into the admin dashboard HTML without escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator…

PLUGIN Login Recaptcha

CVE-2026-2374

HIGH CVSS 7.2 2026-05-28
Threat Entry Updated 2026-05-27

CVE-2026-49046 - Duplicate Page and Post Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Arjun Thakur Duplicate Page and Post allows Blind SQL Injection. This issue affects Duplicate Page and Post: from n/a through 2.9.5.

PLUGIN Duplicate Page and Post

CVE-2026-49046

HIGH CVSS 8.5 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-48972 - SeedProd Pro Plugin

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SeedProd LLC SeedProd Pro allows PHP Local File Inclusion. This issue affects SeedProd Pro: from n/a before 6.19.5.

PLUGIN SeedProd Pro

CVE-2026-48972

HIGH CVSS 7.5 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42760 - Backup and Staging by WP Time Capsule Plugin

Authentication Bypass Using an Alternate Path or Channel vulnerability in revmakx Backup and Staging by WP Time Capsule wp-time-capsule allows Password Recovery Exploitation. This issue affects Backup and Staging by WP Time Capsule: from n/a through

PLUGIN Backup and Staging by WP Time Capsule

CVE-2026-42760

HIGH CVSS 7.5 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42762 - VikBooking Hotel Booking Engine & PMS Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows DOM-Based XSS. This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through

PLUGIN VikBooking Hotel Booking Engine & PMS

CVE-2026-42762

HIGH CVSS 7.1 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42759 - Affiliate Super Assistent Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Timo Affiliate Super Assistent amazonsimpleadmin allows Stored XSS. This issue affects Affiliate Super Assistent: from n/a through

PLUGIN Affiliate Super Assistent

CVE-2026-42759

HIGH CVSS 7.1 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42753 - WCFM Membership Plugin

Missing Authorization vulnerability in WC Lovers WCFM Membership wc-multivendor-membership allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WCFM Membership: from n/a through

PLUGIN WCFM Membership

CVE-2026-42753

HIGH CVSS 7.3 2026-05-27