
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3,023
Critical: 0
High: 3,023
Medium: 0
Showing 221-240 of 3023 records
Threat Entry Updated 2026-04-15

CVE-2026-1844 - PixelYourSite Pro – Your smart PIXEL (TAG) Manager Plugin

The PixelYourSite PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pysTrafficSource' parameter and the 'pys_landing_page' parameter in all versions up to, and including, 12.4.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN PixelYourSite Pro – Your smart PIXEL (TAG) Manager

CVE-2026-1844

HIGH CVSS 7.2 2026-02-13
Threat Entry Updated 2026-04-15

CVE-2026-1841 - PixelYourSite – Your smart PIXEL (TAG) & API Manager Plugin

The PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pysTrafficSource' parameter and the 'pys_landing_page' parameter in all versions up to, and including, 11.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. CVE-2026-27072 is likely a duplicate of this issue.

PLUGIN PixelYourSite – Your smart PIXEL (TAG) & API Manager

CVE-2026-1841

HIGH CVSS 7.2 2026-02-13
Threat Entry Updated 2026-02-18

CVE-2025-15157 - Starfish Reviews Plugin

The Starfish Review Generation & Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'srm_restore_options_defaults' function in all versions up to, and including, 3.1.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

PLUGIN Starfish Reviews

CVE-2025-15157

HIGH CVSS 8.8 2026-02-13
Threat Entry Updated 2026-04-15

CVE-2026-1104 - FastDup – Fastest WordPress Migration & Duplicator Plugin

The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to unauthorized backup creation and download due to a missing capability check on REST API endpoints in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to create and download full-site backup archives containing the entire WordPress installation, including database exports and configuration files.

PLUGIN FastDup – Fastest WordPress Migration & Duplicator

CVE-2026-1104

HIGH CVSS 8.8 2026-02-12
Threat Entry Updated 2026-04-15

CVE-2026-1320 - Secure Copy Content Protection And Content Locking Plugin

The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'X-Forwarded-For' HTTP header in all versions up to, and including, 4.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Secure Copy Content Protection And Content Locking

CVE-2026-1320

HIGH CVSS 7.2 2026-02-12
Threat Entry Updated 2026-04-15

CVE-2026-1316 - Customer Reviews For Woocommerce Plugin

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'media[].href' parameter in all versions up to, and including, 5.97.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers (if 'Enable for Guests' is enabled) to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Customer Reviews For Woocommerce

CVE-2026-1316

HIGH CVSS 7.2 2026-02-12
Threat Entry Updated 2026-04-15

CVE-2026-0910 - Wpforo Forum Plugin

The wpForo Forum plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.4.13 via deserialization of untrusted input in the 'wpforo_display_array_data' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed…

PLUGIN Wpforo Forum

CVE-2026-0910

HIGH CVSS 8.8 2026-02-11
Threat Entry Updated 2026-02-11

CVE-2025-15096 - WordPress Core

The 'Videospirecore Theme Plugin' plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.6. This is due to the plugin not properly validating a user's identity prior to updating their details like email. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.

CORE WordPress Core

CVE-2025-15096

HIGH CVSS 8.8 2026-02-11
Threat Entry Updated 2026-04-15

CVE-2026-1560 - Custom Block Builder – Lazy Blocks Plugin

The Custom Block Builder – Lazy Blocks plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.0 via multiple functions in the 'LazyBlocks_Blocks' class. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

PLUGIN Custom Block Builder – Lazy Blocks

CVE-2026-1560

HIGH CVSS 8.8 2026-02-11
Threat Entry Updated 2026-02-11

CVE-2025-15440 - Ione360 Configurator Plugin

The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Ione360 Configurator

CVE-2025-15440

HIGH CVSS 7.2 2026-02-11
Threat Entry Updated 2026-02-11

CVE-2025-14541 - Lucky Wheel Giveaway Plugin

The Lucky Wheel Giveaway plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.22 via the conditional_tags parameter. This is due to the plugin using PHP's eval() function on user-controlled input without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server.

PLUGIN Lucky Wheel Giveaway

CVE-2025-14541

HIGH CVSS 7.2 2026-02-11
Threat Entry Updated 2026-04-15

CVE-2026-2268 - Ninja Forms – The Contact Form Builder That Grows With You Plugin

The Ninja Forms plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.0. This is due to the unsafe application of the `ninja_forms_merge_tags` filter to user-supplied input within repeater fields, which allows the resolution of `{post_meta:KEY}` merge tags without authorization checks. This makes it possible for unauthenticated attackers to extract arbitrary post metadata from any post on the site, including sensitive data such as WooCommerce billing emails, API keys, private tokens, and customer personal information via the `nf_ajax_submit` AJAX action.

PLUGIN Ninja Forms – The Contact Form Builder That Grows With You

CVE-2026-2268

HIGH CVSS 7.5 2026-02-10
Threat Entry Updated 2026-04-15

CVE-2026-1866 - Name Directory Plugin

The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via double HTML-entity encoding in all versions up to, and including, 1.32.0. This is due to the plugin's sanitization function calling `html_entity_decode()` before `wp_kses()`, and then calling `html_entity_decode()` again on output. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via the 'name_directory_name' and 'name_directory_description' parameters in the public submission form, provided they can trick the site administrator into approving their submission or…

PLUGIN Name Directory

CVE-2026-1866

HIGH CVSS 7.2 2026-02-10
Threat Entry Updated 2026-04-15

CVE-2026-0845 - Tend Manager For Woocommerce Along With Bookings Subscription Listings Compatible Plugin

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'WCFM_Settings_Controller::processing' function in all versions up to, and including, 6.7.24. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative…

PLUGIN Tend Manager For Woocommerce Along With Bookings Subscription Listings Compatible

CVE-2026-0845

HIGH CVSS 7.2 2026-02-10
Threat Entry Updated 2026-02-09

CVE-2025-15100 - Jay Login Register Plugin

The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user meta through the 'jay_panel_ajax_update_profile' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.

PLUGIN Jay Login Register

CVE-2025-15100

HIGH CVSS 8.8 2026-02-08
Threat Entry Updated 2026-04-15

CVE-2026-1294 - Image Viewer Plugin

The All In One Image Viewer Block plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.2 due to missing authorization and URL validation on the image-proxy REST API endpoint. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Image Viewer

CVE-2026-1294

HIGH CVSS 7.2 2026-02-05
Threat Entry Updated 2026-02-05

CVE-2025-13192 - Popup Builder Block Plugin

The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to generic SQL Injection via multiple REST API endpoints in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Vulnerability was patched in version 2.2.1 for unauthenticated users,…

PLUGIN Popup Builder Block

CVE-2025-13192

HIGH CVSS 8.2 2026-02-05
Threat Entry Updated 2026-02-04

CVE-2025-15368 - Sportspress Plugin

The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.7.26 via the shortcode's 'template_name' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.

PLUGIN Sportspress

CVE-2025-15368

HIGH CVSS 8.8 2026-02-04
Threat Entry Updated 2026-02-04

CVE-2025-15285 - Lupsonline Link Netwerk Plugin

The SEO Flow by LupsOnline plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the checkBlogAuthentication() and checkCategoryAuthentication() functions in all versions up to, and including, 2.2.1. These authorization functions only implement basic API key authentication but fail to implement WordPress capability checks. This makes it possible for unauthenticated attackers to create, modify, and delete blog posts and categories.

PLUGIN Lupsonline Link Netwerk

CVE-2025-15285

HIGH CVSS 7.5 2026-02-04
Threat Entry Updated 2026-02-04

CVE-2025-15268 - Infility Global Plugin

The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action in all versions up to, and including, 2.14.46. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries (with certain server configurations) into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Infility Global

CVE-2025-15268

HIGH CVSS 7.5 2026-02-04