Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3,625
Critical: 0
High: 3,625
Medium: 0
Showing 201-220 of 3625 records

Threat Entry Updated 2026-04-24

CVE-2026-39679 - Freeio Plugin

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Freeio freeio allows PHP Local File Inclusion. This issue affects Freeio: from n/a through

PLUGIN Freeio

CVE-2026-39679

HIGH CVSS 7.5 2026-04-08

Threat Entry Updated 2026-04-24

CVE-2026-39677 - Emphires Plugin

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Creatives_Planet Emphires emphires allows PHP Local File Inclusion. This issue affects Emphires: from n/a through

PLUGIN Emphires

CVE-2026-39677

HIGH CVSS 7.5 2026-04-08

Threat Entry Updated 2026-04-29

CVE-2026-39671 - Extra Fees Plugin for WooCommerce

Cross-Site Request Forgery (CSRF) vulnerability in Dotstore Extra Fees Plugin for WooCommerce woo-conditional-product-fees-for-checkout allows Cross Site Request Forgery. This issue affects Extra Fees Plugin for WooCommerce: from n/a through

PLUGIN Extra Fees Plugin for WooCommerce

CVE-2026-39671

HIGH CVSS 7.1 2026-04-08

Threat Entry Updated 2026-04-24

CVE-2026-39621 - SpicePress Plugin

Cross-Site Request Forgery (CSRF) vulnerability in spicethemes SpicePress spicepress allows Upload a Web Shell to a Web Server. This issue affects SpicePress: from n/a through

PLUGIN SpicePress

CVE-2026-39621

HIGH CVSS 8.8 2026-04-08

Threat Entry Updated 2026-04-24

CVE-2026-39623 - Biolife Plugin

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes Biolife biolife allows PHP Local File Inclusion. This issue affects Biolife: from n/a through

PLUGIN Biolife

CVE-2026-39623

HIGH CVSS 7.5 2026-04-08

Threat Entry Updated 2026-04-24

CVE-2026-39613 - Boutique Plugin

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes Boutique kute-boutique allows PHP Local File Inclusion. This issue affects Boutique: from n/a through

PLUGIN Boutique

CVE-2026-39613

HIGH CVSS 7.5 2026-04-08

Threat Entry Updated 2026-04-24

CVE-2026-39611 - KuteShop Plugin

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes KuteShop kuteshop allows PHP Local File Inclusion. This issue affects KuteShop: from n/a through

PLUGIN KuteShop

CVE-2026-39611

HIGH CVSS 7.5 2026-04-08

Threat Entry Updated 2026-04-24

CVE-2026-39544 - LabtechCO Plugin

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themeStek LabtechCO labtechco allows PHP Local File Inclusion. This issue affects LabtechCO: from n/a through

PLUGIN LabtechCO

CVE-2026-39544

HIGH CVSS 7.5 2026-04-08

Threat Entry Updated 2026-04-24

CVE-2026-39538 - Mikado Core Plugin

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Mikado Core mikado-core allows PHP Local File Inclusion. This issue affects Mikado Core: from n/a through

PLUGIN Mikado Core

CVE-2026-39538

HIGH CVSS 7.5 2026-04-08

Threat Entry Updated 2026-04-24

CVE-2026-39497 - FOX Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 FOX woocommerce-currency-switcher allows Blind SQL Injection. This issue affects FOX: from n/a through

PLUGIN FOX

CVE-2026-39497

HIGH CVSS 7.6 2026-04-08

Threat Entry Updated 2026-04-24

CVE-2026-39495 - Simply Schedule Appointments Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Blind SQL Injection. This issue affects Simply Schedule Appointments: from n/a through

PLUGIN Simply Schedule Appointments

CVE-2026-39495

HIGH CVSS 8.5 2026-04-08

Threat Entry Updated 2026-04-29

CVE-2026-39486 - Download Monitor Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Chill Download Monitor download-monitor allows Blind SQL Injection. This issue affects Download Monitor: from n/a through

PLUGIN Download Monitor

CVE-2026-39486

HIGH CVSS 8.5 2026-04-08

Threat Entry Updated 2026-04-24

CVE-2026-39496 - YayMail Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YayMail yaymail allows Blind SQL Injection. This issue affects YayMail: from n/a through

PLUGIN YayMail

CVE-2026-39496

HIGH CVSS 7.6 2026-04-08

Threat Entry Updated 2026-04-24

CVE-2026-39487 - Amelia Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ameliabooking Amelia ameliabooking allows Blind SQL Injection. This issue affects Amelia: from n/a through

PLUGIN Amelia

CVE-2026-39487

HIGH CVSS 7.6 2026-04-08

Threat Entry Updated 2026-04-24

CVE-2026-39479 - OttoKit Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Brainstorm Force OttoKit suretriggers allows Blind SQL Injection. This issue affects OttoKit: from n/a through

PLUGIN OttoKit

CVE-2026-39479

HIGH CVSS 7.6 2026-04-08

Threat Entry Updated 2026-04-29

CVE-2026-39475 - User Feedback Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection. This issue affects User Feedback: from n/a through

PLUGIN User Feedback

CVE-2026-39475

HIGH CVSS 7.6 2026-04-08

Threat Entry Updated 2026-04-24

CVE-2026-39466 - WordPress Core

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPMU DEV - Your All-in-One WordPress Platform Broken Link Checker broken-link-checker allows Blind SQL Injection. This issue affects Broken Link Checker: from n/a through

CORE WordPress Core

CVE-2026-39466

HIGH CVSS 7.6 2026-04-08

Threat Entry Updated 2026-04-14

CVE-2026-4338 - Before 8 Plugin

The ActivityPub WordPress plugin before 8.0.2 does not properly filter posts to be displayed, allowing unauthenticated users to access drafts/scheduled/pending posts.

PLUGIN Before 8

CVE-2026-4338

HIGH CVSS 7.5 2026-04-08

Threat Entry Updated 2026-04-27

CVE-2026-4808 - Gerador De Certificados Devapps Plugin

The Gerador de Certificados – DevApps plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the moveUploadedFile() function in all versions up to, and including, 1.3.6. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Gerador De Certificados Devapps

CVE-2026-4808

HIGH CVSS 7.2 2026-04-08

Threat Entry Updated 2026-04-27

CVE-2026-3499 - Product Feeds For Woocommerce Plugin

The Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 13.4.6 through 13.5.2.1. This is due to missing or incorrect nonce validation on the ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules, and ajax_fix_duplicate_feed functions. This makes it possible for unauthenticated attackers to trigger feed migration, clear custom-attribute transient caches, rewrite feed file URLs to lowercase, toggle legacy filter and rule settings, and delete duplicated feed posts via a forged request granted they can trick a site administrator into performing…

PLUGIN Product Feeds For Woocommerce

CVE-2026-3499

HIGH CVSS 8.8 2026-04-08