Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Record counts (current filter): Total 3,625 | Critical 0 | High 3,625 | Medium 0
Showing records 41-60 of 3,625
Threat Entry Updated 2026-05-27

CVE-2026-8787 - Admin Chat Box Plugin

The Firebase Support & Chat Management plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.1.1. This is due to the `firebase_auth()` function authenticating the request as the WordPress user whose email is supplied in the `user_email` POST parameter without verifying ownership of that email (no Firebase ID token signature/issuer/audience verification). This makes it possible for authenticated attackers, with Subscriber-level access and above, to log in as an arbitrary existing user — including an Administrator — by submitting that user's email address to the…

PLUGIN Admin Chat Box

CVE-2026-8787

HIGH CVSS 8.8 2026-05-27
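The root cause in the entry above is an identity-binding mistake: the handler accepts `user_email` as a statement of who the caller is, when the only trustworthy statement is the email claim inside a verified Firebase ID token. The following Python is an added example (not code from the plugin or from this database) contrasting the two flows. Real Firebase ID tokens are RS256 JWTs checked against Google's published keys; to run offline, an HMAC key stands in for that signature step, and the project id, signing key and WordPress user table are constructed for the example. The issuer and audience values (`https://securetoken.google.com/<project-id>` and the project id) are the ones Firebase ID tokens actually carry.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-ins so the example runs offline. A real verifier fetches
# Google's public keys and checks an RS256 signature; here an HMAC key plays
# that role. PROJECT_ID and WP_USERS are hypothetical.
PROJECT_ID = "example-project"
SIGNING_KEY = b"constructed-key-standing-in-for-google-rsa-verification"
WP_USERS = {  # email -> (WordPress user id, role)
    "admin@example.test": (1, "administrator"),
    "sub@example.test": (42, "subscriber"),
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Produce a compact JWS for the example; in production Firebase issues these."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def vulnerable_firebase_auth(post: dict):
    """The pattern the advisory describes: the request is authenticated as whichever
    WordPress user owns the email in the client-supplied user_email field."""
    return WP_USERS.get(post.get("user_email"))


def verify_id_token(token: str, now: Optional[float] = None) -> dict:
    """Check signature, issuer, audience, expiry and email_verified; raise ValueError otherwise.
    The algorithm is pinned in code: the token's own `alg` header is never consulted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != f"https://securetoken.google.com/{PROJECT_ID}":
        raise ValueError("wrong issuer")
    if claims.get("aud") != PROJECT_ID:
        raise ValueError("wrong audience")
    if float(claims.get("exp", 0)) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    if not claims.get("email_verified"):
        raise ValueError("email not verified by the identity provider")
    return claims


def fixed_firebase_auth(post: dict, now: Optional[float] = None):
    """Identity comes only from the verified token's email claim; user_email is ignored."""
    try:
        claims = verify_id_token(post.get("id_token", ""), now)
    except ValueError:
        return None
    return WP_USERS.get(claims.get("email"))


if __name__ == "__main__":
    print("vulnerable:", vulnerable_firebase_auth({"user_email": "admin@example.test"}))
    print("fixed, no token:", fixed_firebase_auth({"user_email": "admin@example.test"}))
```

The fixed flow still looks the WordPress user up by email, but the email now comes from a claim the server has bound to a signature, issuer and audience, so a Subscriber cannot name an Administrator's address and be logged in as them. Requiring `email_verified` closes the gap where an attacker registers an unverified Firebase account under someone else's email.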
Threat Entry Updated 2026-05-27

CVE-2026-6268 - EventPress Theme

The EventPress WordPress theme before 22.2 does not sanitize or escape the 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler before outputting it back in the response, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting attacks against logged-in users.

THEME EventPress

CVE-2026-6268

HIGH CVSS 7.1 2026-05-27
Threat Entry Updated 2026-05-26

CVE-2026-39661 - SW Core Plugin

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Magentech SW Core allows PHP Local File Inclusion. This issue affects SW Core: from n/a through 1.7.18.

PLUGIN SW Core

CVE-2026-39661

HIGH CVSS 7.5 2026-05-26
Threat Entry Updated 2026-05-26

CVE-2026-45216 - Smart Manager Plugin

Incorrect Privilege Assignment vulnerability in StoreApps Smart Manager allows Privilege Escalation. This issue affects Smart Manager: from n/a through 8.85.0.

PLUGIN Smart Manager

CVE-2026-45216

HIGH CVSS 8.8 2026-05-25
Threat Entry Updated 2026-05-26

CVE-2026-48837 - Unlimited Elements For Elementor Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Unlimited Elements For Elementor allows Blind SQL Injection. This issue affects Unlimited Elements For Elementor: from n/a through 2.0.8.

PLUGIN Unlimited Elements For Elementor

CVE-2026-48837

HIGH CVSS 8.5 2026-05-25
Threat Entry Updated 2026-05-26

CVE-2026-45438 - Smart Coupons for WooCommerce Plugin

Missing Authorization vulnerability in WebToffee Smart Coupons for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Smart Coupons for WooCommerce: from n/a before 2.3.0.

PLUGIN Smart Coupons for WooCommerce

CVE-2026-45438

HIGH CVSS 7.5 2026-05-25
Threat Entry Updated 2026-05-26

CVE-2026-45209 - MyCryptoCheckout Plugin

Missing Authorization vulnerability in edward_plainview MyCryptoCheckout allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MyCryptoCheckout: from n/a through 2.161.

PLUGIN MyCryptoCheckout

CVE-2026-45209

HIGH CVSS 7.5 2026-05-25
Threat Entry Updated 2026-05-26

CVE-2026-24937 - Broadcast Live Video Plugin

Improper Control of Generation of Code ('Code Injection') vulnerability in VideoWhisper.Com Broadcast Live Video allows Code Injection. This issue affects Broadcast Live Video: from n/a before 7.1.3.

PLUGIN Broadcast Live Video

CVE-2026-24937

HIGH CVSS 7.2 2026-05-25
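The cards above state affected versions in four different phrasings: "up to, and including, 3.1.1" (CVE-2026-8787), "before 22.2" (CVE-2026-6268), "from n/a through 1.7.18" (CVE-2026-39661) and "from n/a before 7.1.3" (CVE-2026-24937). The only thing that matters for triage is whether the named bound is itself affected. The following Python is an added example, not tooling from this database or any listed vendor: it parses those phrasings into an upper bound plus an inclusive flag and checks an inventory against them. The advisory sentences are quoted from the cards; the `installed` inventory is constructed.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Phrasings seen on this page, mapped to whether the named bound is itself
# affected. A version is captured only when it starts with a digit, so prose
# uses of "through" or "before" do not match. "from n/a" means the lower bound
# is unknown, which is treated here as "every earlier version".
_PATTERNS = [
    (re.compile(r"up to,? and including,? (\d[\d.]*)"), True),  # "up to, and including, 3.1.1"
    (re.compile(r"through (\d[\d.]*)"), True),                  # "from n/a through 1.7.18"
    (re.compile(r"before (\d[\d.]*)"), False),                  # "before 22.2", "from n/a before 7.1.3"
]


class AffectedRange(NamedTuple):
    upper: Tuple[int, ...]  # parsed bound, e.g. (3, 1, 1)
    inclusive: bool         # True: the bound itself is vulnerable


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.1.1' or '3.1.1.' (trailing sentence punctuation) -> (3, 1, 1)."""
    parts = [int(p) for p in text.strip().rstrip(".,;").split(".") if p.isdigit()]
    if not parts:
        raise ValueError(f"not a numeric version: {text!r}")
    return tuple(parts)


def parse_affected(sentence: str) -> Optional[AffectedRange]:
    """Extract the affected upper bound from an advisory sentence, or None if unrecognised."""
    for pattern, inclusive in _PATTERNS:
        m = pattern.search(sentence)
        if m:
            return AffectedRange(parse_version(m.group(1)), inclusive)
    return None


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    n = max(len(a), len(b))  # compare 3.1 and 3.1.1 as 3.1.0 vs 3.1.1
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def is_affected(installed: str, rng: AffectedRange) -> bool:
    """True if the installed version falls inside the advisory's affected range."""
    inst, upper = _pad(parse_version(installed), rng.upper)
    return inst <= upper if rng.inclusive else inst < upper


# (CVE id, component, affected-range sentence) copied from the cards on this page.
PAGE_ENTRIES: List[Tuple[str, str, str]] = [
    ("CVE-2026-8787", "Firebase Support & Chat Management",
     "vulnerable to privilege escalation in all versions up to, and including, 3.1.1."),
    ("CVE-2026-6268", "EventPress", "The EventPress WordPress theme before 22.2 does not sanitize"),
    ("CVE-2026-39661", "SW Core", "This issue affects SW Core: from n/a through 1.7.18."),
    ("CVE-2026-24937", "Broadcast Live Video",
     "This issue affects Broadcast Live Video: from n/a before 7.1.3."),
]


def triage(installed: Dict[str, str], entries=PAGE_ENTRIES) -> Dict[str, Optional[bool]]:
    """Per CVE: True/False when the component is installed and the range parsed, else None."""
    result: Dict[str, Optional[bool]] = {}
    for cve, component, sentence in entries:
        rng = parse_affected(sentence)
        version = installed.get(component)
        result[cve] = None if rng is None or version is None else is_affected(version, rng)
    return result


if __name__ == "__main__":
    # Constructed inventory, chosen to sit exactly on each boundary.
    inventory = {"Firebase Support & Chat Management": "3.1.1", "EventPress": "22.2",
                 "SW Core": "1.7.19", "Broadcast Live Video": "7.1.2"}
    for cve, verdict in triage(inventory).items():
        print(cve, verdict)
```

A `None` verdict is deliberately distinct from `False`: an unparsed sentence or an unknown component needs a human look, not a silent "not affected".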
Threat Entry Updated 2026-05-26

CVE-2026-39436 - CformsII Plugin

Cross-Site Request Forgery (CSRF) vulnerability in bgermann CformsII allows Cross Site Request Forgery. This issue affects CformsII: from n/a through 15.1.3.

PLUGIN CformsII

CVE-2026-39436

HIGH CVSS 7.1 2026-05-25
Threat Entry Updated 2026-05-26

CVE-2026-6898 - Wishlist Member Plugin

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember3_Hooks::generate_api_key' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the REST API Secret Key, which can be used to create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover.

PLUGIN Wishlist Member

CVE-2026-6898

HIGH CVSS 8.8 2026-05-23
Threat Entry Updated 2026-05-26

CVE-2026-6897 - Wishlist Member Plugin

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember\Features\Team_Accounts::save_settings' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin options, including the REST API Secret Key, which can be used to create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover.

PLUGIN Wishlist Member

CVE-2026-6897

HIGH CVSS 8.8 2026-05-23
Threat Entry Updated 2026-05-26

CVE-2026-6895 - Wishlist Member Plugin

The WishList Member plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Disclosure and Privilege Escalation in versions up to and including 3.30.1. This is due to the missing capability checks in the 'export_settings' function. This function returns the REST API Secret Key to the attacker in the AJAX JSON response. An attacker who obtains this key can authenticate to the WishList Member API, create a new membership level assigned the administrator WordPress role, and register an arbitrary administrator-level user account, resulting in complete site takeover.

PLUGIN Wishlist Member

CVE-2026-6895

HIGH CVSS 8.8 2026-05-23
Threat Entry Updated 2026-05-26

CVE-2026-6419 - Wishlist Member Plugin

The WishList Member plugin for WordPress is vulnerable to Privilege Escalation via Missing Authorization in versions up to and including 3.30.1. This is due to the missing capability and nonce check in the ajax_get_screen() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to supply an arbitrary admin screen identifier via the data[url] parameter, causing the plugin to load and execute the administrative API configuration template without authorization. The rendered HTML, which contains the plugin's plaintext REST API Secret Key, is returned directly to the attacker…

PLUGIN Wishlist Member

CVE-2026-6419

HIGH CVSS 8.8 2026-05-23
Threat Entry Updated 2026-05-26

CVE-2026-9284 - WooCommerce PayPal Payments Plugin

The WooCommerce PayPal Payments plugin for WordPress is vulnerable to unauthorized order manipulation and information disclosure due to missing authorization checks on the `ppc-create-order` and `ppc-get-order` WC-AJAX endpoints in all versions up to, and including, 4.0.1. The `ppc-create-order` endpoint accepts an arbitrary WooCommerce order ID in the `pay-now` context without validating order ownership, allowing attackers to create PayPal orders for any WC order and write PayPal metadata to it. The `ppc-get-order` endpoint returns full PayPal order details for any PayPal order ID without binding to the requester's session. This makes…

PLUGIN WooCommerce PayPal Payments

CVE-2026-9284

HIGH CVSS 8.2 2026-05-23
Threat Entry Updated 2026-05-22

CVE-2026-9011 - Ditty News Ticker Plugin

The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.65. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to retrieve the full item content of non-public Dittys — including drafts, pending, scheduled, and disabled entries — by enumerating integer post IDs against the ditty_init AJAX endpoint. Unlike the non-AJAX init() counterpart, init_ajax() does not verify that the requested…

PLUGIN Ditty News Ticker

CVE-2026-9011

HIGH CVSS 7.5 2026-05-22
Threat Entry Updated 2026-05-22

CVE-2026-8679 - AudioIgniter Music Player Plugin

The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint() function (hooked to template_redirect) accepting a user-controlled playlist ID via the audioigniter_playlist_id query var or the /audioigniter/playlist/{id}/ rewrite rule and returning playlist track data without performing any authentication, capability, or post_status check — only the post_type is validated. This makes it possible for unauthenticated attackers to view track metadata (titles, artists, audio URLs, buy links, download URLs, and cover images) of any playlist on the…

PLUGIN AudioIgniter Music Player

CVE-2026-8679

HIGH CVSS 7.5 2026-05-22
Threat Entry Updated 2026-05-22

CVE-2026-9018 - Easy Elements Plugin

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.5 via the `easyel_handle_register()` function. This is due to the `wp_ajax_nopriv_eel_register` AJAX handler iterating the attacker-controlled `custom_meta` POST array and writing every supplied key-value pair to the newly created user's meta via `update_user_meta()` without any key whitelist or blocklist, allowing the `wp_capabilities` user meta key to be overwritten after `wp_insert_user()` has already assigned a safe role. This makes it possible for unauthenticated attackers to register…

PLUGIN Easy Elements

CVE-2026-9018

HIGH CVSS 8.8 2026-05-22
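Several of the entries above name an endpoint that an unauthenticated attacker hits directly: the `eventpress_customizer_notify_dismiss_action` AJAX handler and its reflected `id` parameter (CVE-2026-6268), the `ppc-create-order` / `ppc-get-order` WC-AJAX endpoints (CVE-2026-9284), the `ditty_init` AJAX endpoint enumerated by integer post ID (CVE-2026-9011), the `/audioigniter/playlist/{id}/` rewrite rule (CVE-2026-8679) and the `wp_ajax_nopriv_eel_register` handler (CVE-2026-9018). The following Python is an added detection example, not from this database or any of the vendors: it runs over web-server access-log lines and flags reflected-XSS payloads in the EventPress `id` parameter and per-source bursts or ID enumeration against the other endpoints. The log lines are constructed. How each endpoint appears on the wire (an `action` query parameter on `admin-ajax.php`, a `wc-ajax` query parameter, the AudioIgniter path) is this example's assumption; POST bodies are not in access logs, so the `custom_meta` and order-ID fields the advisories mention cannot be inspected here.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Common/combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Endpoints named in the advisories. The wire shapes (admin-ajax `action` in the
# query string, WooCommerce `wc-ajax` parameter, the AudioIgniter rewrite) are
# this example's assumptions, not text from the advisories.
AJAX_ACTIONS = {
    "ditty_init": "CVE-2026-9011",
    "eel_register": "CVE-2026-9018",
    "eventpress_customizer_notify_dismiss_action": "CVE-2026-6268",
}
WC_AJAX = {"ppc-create-order": "CVE-2026-9284", "ppc-get-order": "CVE-2026-9284"}
PLAYLIST_RE = re.compile(r"^/audioigniter/playlist/(\d+)/?$")
XSS_HINT = re.compile(r"<|javascript:|on\w+\s*=", re.I)
THRESHOLD = 5  # requests (or distinct ids) from one source before we flag it


def classify(line):
    """Map one log line to (ip, cve, object_id, xss_payload) or None if uninteresting."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip = m["ip"]
    url = urlsplit(m["path"])
    qs = parse_qs(url.query)  # percent-decodes values for us
    pm = PLAYLIST_RE.match(url.path)
    if pm:
        return ip, "CVE-2026-8679", pm.group(1), False
    if url.path.endswith("/admin-ajax.php"):
        action = qs.get("action", [""])[0]
        if action in AJAX_ACTIONS:
            ident, xss = None, False
            if action == "eventpress_customizer_notify_dismiss_action":
                ident = qs.get("id", [None])[0]  # the parameter the handler reflects
                xss = bool(ident and XSS_HINT.search(ident))
            return ip, AJAX_ACTIONS[action], ident, xss
    endpoint = qs.get("wc-ajax", [""])[0]
    if endpoint in WC_AJAX:
        return ip, WC_AJAX[endpoint], None, False
    return None


def detect(lines, threshold=THRESHOLD):
    """Findings: reflected-XSS payloads, plus per-(source, CVE) enumeration or bursts."""
    findings, hits = [], defaultdict(list)
    for line in lines:
        c = classify(line)
        if c is None:
            continue
        ip, cve, ident, xss = c
        if xss:
            findings.append({"ip": ip, "cve": cve, "kind": "xss-payload", "id": ident})
        hits[(ip, cve)].append(ident)
    for (ip, cve), idents in hits.items():
        distinct = {i for i in idents if i is not None}
        if len(distinct) >= threshold:
            findings.append({"ip": ip, "cve": cve, "kind": "id-enumeration",
                             "distinct_ids": len(distinct)})
        elif len(idents) >= threshold:
            findings.append({"ip": ip, "cve": cve, "kind": "request-burst",
                             "requests": len(idents)})
    return findings


def sample_log():
    """Constructed log lines for the example (not captured traffic)."""
    ts = "27/May/2026:10:00:01 +0000"
    lines = [f'203.0.113.7 - - [{ts}] "GET /audioigniter/playlist/{i}/ HTTP/1.1" 200 512 "-" "curl/8.0"'
             for i in range(1, 7)]
    lines += [f'203.0.113.7 - - [{ts}] "GET /wp-admin/admin-ajax.php?action=ditty_init HTTP/1.1" '
              f'200 88 "-" "curl/8.0"'] * 5
    lines += [f'192.0.2.9 - - [{ts}] "POST /?wc-ajax=ppc-get-order HTTP/1.1" 200 910 "-" "Mozilla/5.0"'] * 2
    lines.append(f'198.51.100.3 - - [{ts}] "GET /wp-admin/admin-ajax.php?action='
                 f'eventpress_customizer_notify_dismiss_action&id=%3Cscript%3Ealert(1)%3C%2Fscript%3E '
                 f'HTTP/1.1" 200 60 "-" "Mozilla/5.0"')
    return lines


def run():
    return detect(sample_log())


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

On the constructed sample this yields three findings: the playlist enumeration from 203.0.113.7, a burst of `ditty_init` calls from the same source, and the XSS payload aimed at the EventPress handler. The two `ppc-get-order` calls stay below the threshold, which is the right default since legitimate checkouts hit that endpoint too; tune `THRESHOLD` per site rather than flagging every request.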
Threat Entry Updated 2026-05-22

CVE-2026-4834 - WP ERP Pro Plugin

The WP ERP Pro plugin for WordPress is vulnerable to SQL Injection via the 'search_key' parameter in all versions up to, and including, 1.5.1. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN WP ERP Pro

CVE-2026-4834

HIGH CVSS 7.5 2026-05-22
Threat Entry Updated 2026-05-20

CVE-2026-7613 - Cost of Goods by PixelYourSite Plugin

The Cost of Goods by PixelYourSite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csvdata[0][cost_of_goods_value]' parameter in versions up to, and including, 1.2.12 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Cost of Goods by PixelYourSite

CVE-2026-7613

HIGH CVSS 7.2 2026-05-20
Threat Entry Updated 2026-05-20

CVE-2026-42383 - YITH WooCommerce Product Add-Ons Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YITH YITH WooCommerce Product Add-Ons allows Blind SQL Injection. This issue affects YITH WooCommerce Product Add-Ons: from n/a through 4.29.0.

PLUGIN YITH WooCommerce Product Add-Ons

CVE-2026-42383

HIGH CVSS 7.6 2026-05-20