Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2026-04-15

CVE-2026-1280 - Frontend File Manager Plugin

The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only.

PLUGIN Frontend File Manager Plugin

CVE-2026-1280

HIGH CVSS 7.5 2026-01-28
Threat Entry Updated 2026-01-29

CVE-2025-14386 - Integrated Ai Optimization Plugin

The Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the 'generate_sso_url' and 'validate_sso_token' functions in versions 2.4.4 to 2.5.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the 'nonce_token' authentication value to log in to the first Administrator's account.

PLUGIN Integrated Ai Optimization

CVE-2025-14386

HIGH CVSS 8.8 2026-01-28
Threat Entry Updated 2026-04-15

CVE-2026-1400 - AI Engine – The Chatbot and AI Framework for WordPress Plugin

The AI Engine – The Chatbot and AI Framework for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the `rest_helpers_update_media_metadata` function in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The attacker can upload a benign image file, then use the `update_media_metadata` endpoint to rename it to a PHP file, creating an executable PHP…

PLUGIN AI Engine – The Chatbot and AI Framework for WordPress

CVE-2026-1400

HIGH CVSS 7.2 2026-01-28
Threat Entry Updated 2026-04-15

CVE-2026-0702 - Shoppable Videos For Woocommerce Plugin

The VidShop – Shoppable Videos for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the 'fields' parameter in all versions up to, and including, 1.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Shoppable Videos For Woocommerce

CVE-2026-0702

HIGH CVSS 7.5 2026-01-28
Threat Entry Updated 2026-04-15

CVE-2026-0832 - New User Approve Plugin

The New User Approve plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to approve or deny user accounts, retrieve sensitive user information including emails and roles, and force logout of privileged users.

PLUGIN New User Approve

CVE-2026-0832

HIGH CVSS 7.3 2026-01-28
Threat Entry Updated 2026-01-29

CVE-2025-14610 - Tablemaster For Elementor Plugin

The TableMaster for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.6. This is due to the plugin not restricting which URLs can be fetched when importing CSV data from a URL in the Data Table widget. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations, including localhost and internal network services, and read sensitive files such as wp-config.php via the 'csv_url' parameter.

PLUGIN Tablemaster For Elementor

CVE-2025-14610

HIGH CVSS 7.2 2026-01-28
Threat Entry Updated 2026-01-26

CVE-2025-14316 - Ahachat Messenger Marketing Plugin

The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

PLUGIN Ahachat Messenger Marketing

CVE-2025-14316

HIGH CVSS 7.1 2026-01-26
Threat Entry Updated 2026-04-15

CVE-2026-0911 - Hustle – Email Marketing, Lead Generation, Optins, Popups Plugin

The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the action_import_module() function in all versions up to, and including, 7.8.9.2. This makes it possible for authenticated attackers, with a lower-privileged role (e.g., Subscriber-level access and above), to upload arbitrary files on the affected site's server which may make remote code execution possible. Successful exploitation requires an admin to grant Hustle module permissions (or module edit access) to the low-privileged user so they can access…

PLUGIN Hustle – Email Marketing, Lead Generation, Optins, Popups

CVE-2026-0911

HIGH CVSS 7.5 2026-01-24
Threat Entry Updated 2026-04-15

CVE-2026-0800 - Enable Users To Submit Posts From The Front End Plugin

The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom fields in all versions up to, and including, 20251210 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Enable Users To Submit Posts From The Front End

CVE-2026-0800

HIGH CVSS 7.2 2026-01-24
Threat Entry Updated 2026-04-15

CVE-2026-1257 - Administrative Shortcodes Plugin

The Administrative Shortcodes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.3.4 via the 'slug' attribute of the 'get_template' shortcode. This is due to insufficient path validation on user-supplied input passed to the get_template_part() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in…

PLUGIN Administrative Shortcodes

CVE-2026-1257

HIGH CVSS 7.5 2026-01-24
Threat Entry Updated 2026-04-15

CVE-2026-0807 - Frontis Blocks Plugin

The Frontis Blocks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.1.6. This is due to insufficient restriction on the 'url' parameter in the 'template_proxy' function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application via the '/template-proxy/' and '/proxy-image/' endpoint.

PLUGIN Frontis Blocks

CVE-2026-0807

HIGH CVSS 7.2 2026-01-24
Threat Entry Updated 2026-01-26

CVE-2026-24635 - EduBlink Core Plugin

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in DevsBlink EduBlink Core edublink-core allows PHP Local File Inclusion. This issue affects EduBlink Core: from n/a through

PLUGIN EduBlink Core

CVE-2026-24635

HIGH CVSS 7.5 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2026-24624 - Neoforum Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in saeros1984 Neoforum neoforum allows Blind SQL Injection. This issue affects Neoforum: from n/a through

PLUGIN Neoforum

CVE-2026-24624

HIGH CVSS 7.2 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2026-24609 - Laurent Plugin

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent laurent allows PHP Local File Inclusion. This issue affects Laurent: from n/a through

PLUGIN Laurent

CVE-2026-24609

HIGH CVSS 7.5 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2026-24608 - Laurent Core Plugin

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Laurent Core laurent-core allows PHP Local File Inclusion. This issue affects Laurent Core: from n/a through

PLUGIN Laurent Core

CVE-2026-24608

HIGH CVSS 7.5 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2026-24572 - Nelio Content Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nelio Software Nelio Content nelio-content allows Blind SQL Injection. This issue affects Nelio Content: from n/a through

PLUGIN Nelio Content

CVE-2026-24572

HIGH CVSS 8.8 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2026-24534 - Booter Plugin

Missing Authorization vulnerability in uPress Booter booter-bots-crawlers-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booter: from n/a through

PLUGIN Booter

CVE-2026-24534

HIGH CVSS 8.8 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2026-24538 - Omnipress Plugin

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in omnipressteam Omnipress omnipress allows PHP Local File Inclusion. This issue affects Omnipress: from n/a through

PLUGIN Omnipress

CVE-2026-24538

HIGH CVSS 7.6 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2026-24536 - Webpushr Plugin

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in webpushr Webpushr webpushr-web-push-notifications allows Retrieve Embedded Sensitive Data. This issue affects Webpushr: from n/a through

PLUGIN Webpushr

CVE-2026-24536

HIGH CVSS 7.5 2026-01-23
Threat Entry Updated 2026-01-26

CVE-2026-24524 - Tablesome Plugin

Missing Authorization vulnerability in Essekia Tablesome tablesome allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tablesome: from n/a through

PLUGIN Tablesome

CVE-2026-24524

HIGH CVSS 8.1 2026-01-23