Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3,625
Critical: 0
High: 3,625
Medium: 0
Showing 21-40 of 3625 records
Threat Entry Updated 2026-05-27

CVE-2026-42746 - Smart Online Order for Clover Plugin

Insertion of Sensitive Information Into Sent Data vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Retrieve Embedded Sensitive Data. This issue affects Smart Online Order for Clover: from n/a through

PLUGIN Smart Online Order for Clover

CVE-2026-42746

HIGH CVSS 7.3 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42754 - Favicon Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in phbernard Favicon favicon-by-realfavicongenerator allows Reflected XSS. This issue affects Favicon: from n/a through

PLUGIN Favicon

CVE-2026-42754

HIGH CVSS 7.1 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42749 - Disable Comments for Any Post Types (Remove comments) Plugin

Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeisle Disable Comments for Any Post Types (Remove comments) comments-plus allows Password Recovery Exploitation. This issue affects Disable Comments for Any Post Types (Remove comments): from n/a through

PLUGIN Disable Comments for Any Post Types (Remove comments)

CVE-2026-42749

HIGH CVSS 7.1 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42737 - VikBooking Hotel Booking Engine & PMS Plugin

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Path Traversal. This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through

PLUGIN VikBooking Hotel Booking Engine & PMS

CVE-2026-42737

HIGH CVSS 8.6 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42735 - KiviCare Plugin

Authentication Bypass Using an Alternate Path or Channel vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Password Recovery Exploitation. This issue affects KiviCare: from n/a through

PLUGIN KiviCare

CVE-2026-42735

HIGH CVSS 8.2 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42736 - BP Better Messages Plugin

Authorization Bypass Through User-Controlled Key vulnerability in wordplus BP Better Messages bp-better-messages allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BP Better Messages: from n/a through

PLUGIN BP Better Messages

CVE-2026-42736

HIGH CVSS 7.5 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42745 - Smart Online Order for Clover Plugin

Authentication Bypass Using an Alternate Path or Channel vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Authentication Bypass. This issue affects Smart Online Order for Clover: from n/a through

PLUGIN Smart Online Order for Clover

CVE-2026-42745

HIGH CVSS 7.3 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42739 - Advanced IP Blocker Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in IniLerm Advanced IP Blocker advanced-ip-blocker allows DOM-Based XSS. This issue affects Advanced IP Blocker: from n/a through

PLUGIN Advanced IP Blocker

CVE-2026-42739

HIGH CVSS 7.1 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42738 - Smart Online Order for Clover Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Stored XSS. This issue affects Smart Online Order for Clover: from n/a through

PLUGIN Smart Online Order for Clover

CVE-2026-42738

HIGH CVSS 7.1 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42730 - MasterStudy LMS Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows Blind SQL Injection. This issue affects MasterStudy LMS: from n/a through

PLUGIN MasterStudy LMS

CVE-2026-42730

HIGH CVSS 8.5 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42734 - Geo Mashup Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan Kuhn Geo Mashup geo-mashup allows Reflected XSS. This issue affects Geo Mashup: from n/a through

PLUGIN Geo Mashup

CVE-2026-42734

HIGH CVSS 7.1 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42733 - WPCS Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 WPCS currency-switcher allows DOM-Based XSS. This issue affects WPCS: from n/a through

PLUGIN WPCS

CVE-2026-42733

HIGH CVSS 7.1 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42729 - PropertyHive Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Property Hive PropertyHive propertyhive allows DOM-Based XSS. This issue affects PropertyHive: from n/a through

PLUGIN PropertyHive

CVE-2026-42729

HIGH CVSS 7.1 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42728 - Contact Form 7 Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Contact Form 7 ht-contactform allows Stored XSS. This issue affects HT Contact Form 7: from n/a through

PLUGIN Contact Form 7

CVE-2026-42728

HIGH CVSS 7.1 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-8832 - Insert Headers And Footers Plugin

The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5. This is due to the 'wpcode' custom post type being registered without a custom capability_type or capability restrictions in the wpcode_register_post_type() function, allowing WordPress core to fall back to standard post capabilities for all creation paths including XML-RPC. This makes it possible for authenticated attackers, with author-level access and above, to create and publish executable PHP snippet posts via…

PLUGIN Insert Headers And Footers

CVE-2026-8832

HIGH CVSS 8.8 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-8143 - Hbook Plugin

The HBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hb_country_iso', 'hb_usa_state_iso', and 'hb_canada_province_iso' parameters in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page (the HBook Customers admin page).

PLUGIN Hbook

CVE-2026-8143

HIGH CVSS 7.2 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-6169 - Affiliate Toolkit Starter Plugin

The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 3.8.5. This is due to the plugin using the BladeOne templating engine's runString() method which compiles user-supplied template content into PHP code and executes it via eval() without sanitization or sandboxing. This makes it possible for authenticated attackers, with Editor-level access and above, to execute arbitrary code on the server by injecting PHP into a plugin template.

PLUGIN Affiliate Toolkit Starter

CVE-2026-6169

HIGH CVSS 7.2 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-3375 - Litespeed Cache Plugin

The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the /wp-json/litespeed/v1/notify_ccss and /wp-json/litespeed/v1/notify_ucss REST API endpoints in all versions up to, and including, 7.7. These endpoints accept CSS content from QUIC.cloud callback notifications and store it to disk without sanitization. The stored content is later rendered inline on frontend page loads without output escaping. The access control protecting these endpoints is IP-based validation that can potentially be bypassed when the WordPress site is deployed behind a reverse proxy, load balancer, or CDN with certain configurations. This makes…

PLUGIN Litespeed Cache

CVE-2026-3375

HIGH CVSS 7.2 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-9200 - Query Shortcode Plugin

The Query Shortcode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.2.1 via the shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

PLUGIN Query Shortcode

CVE-2026-9200

HIGH CVSS 7.5 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-8994 - Near Login Plugin

The Login with NEAR plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.3.3. The `ajaxLoginWithNear()` function — registered as a `wp_ajax_nopriv` action and therefore reachable by unauthenticated users — accepts an attacker-supplied `account` POST parameter and issues a valid WordPress authentication cookie based solely on a substring check for `.near`, with no nonce verification, cryptographic signature validation, challenge-response exchange, or any proof that the requester controls the corresponding NEAR wallet. This makes it possible for unauthenticated attackers to log in as any existing…

PLUGIN Near Login

CVE-2026-8994

HIGH CVSS 8.1 2026-05-27