Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3,023 | Critical: 0 | High: 3,023 | Medium: 0
Showing 61-80 of 3023 records
Threat Entry Updated 2026-03-23

CVE-2026-3003 - Vagaro Booking Widget Plugin

The Vagaro Booking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘vagaro_code’ parameter in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Vagaro Booking Widget

CVE-2026-3003

HIGH CVSS 7.2 2026-03-21
Threat Entry Updated 2026-03-23

CVE-2026-2941 - Linksy Search And Replace Plugin

The Linksy Search and Replace plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'linksy_search_and_replace_item_details' function in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to update any database table, any value, including the wp_capabilities database field, which allows attackers to change their own role to administrator, which leads to privilege escalation.

PLUGIN Linksy Search And Replace

CVE-2026-2941

HIGH CVSS 8.8 2026-03-21
Threat Entry Updated 2026-03-23

CVE-2026-2468 - Quentn Wp Plugin

The Quentn WP plugin for WordPress is vulnerable to SQL Injection via the 'qntn_wp_access' cookie in all versions up to, and including, 1.2.12. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the `get_user_access()` method. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Quentn Wp

CVE-2026-2468

HIGH CVSS 7.5 2026-03-21
Threat Entry Updated 2026-03-23

CVE-2026-2440 - SurveyJS: Drag & Drop Form Builder Plugin

The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.5.3 via survey result submissions. This is due to insufficient input sanitization and output escaping. The public survey page exposes the nonce required for submission, allowing unauthenticated attackers to submit HTML-encoded payloads that are decoded and rendered as executable HTML when an administrator views survey results, leading to stored XSS in the admin context.

PLUGIN SurveyJS: Drag & Drop Form Builder

CVE-2026-2440

HIGH CVSS 7.2 2026-03-21
Threat Entry Updated 2026-03-23

CVE-2026-2279 - Mylinksdump Plugin

The myLinksDump plugin for WordPress is vulnerable to SQL Injection via the 'sort_by' and 'sort_order' parameters in all versions up to, and including, 1.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Mylinksdump

CVE-2026-2279

HIGH CVSS 7.2 2026-03-21
Threat Entry Updated 2026-03-23

CVE-2026-1800 - Fonts Manager | Custom Fonts Plugin

The Fonts Manager | Custom Fonts plugin for WordPress is vulnerable to time-based SQL Injection via the ‘fmcfIdSelectedFnt’ parameter in all versions up to, and including, 1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Fonts Manager | Custom Fonts

CVE-2026-1800

HIGH CVSS 7.5 2026-03-21
Threat Entry Updated 2026-03-23

CVE-2026-1648 - Performance Monitor Plugin

The Performance Monitor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.6. This is due to insufficient validation of the 'url' parameter in the '/wp-json/performance-monitor/v1/curl_data' REST API endpoint. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations, including internal services, via the Gopher protocol and other dangerous protocols. This can be exploited to achieve Remote Code Execution by chaining with services like Redis.

PLUGIN Performance Monitor

CVE-2026-1648

HIGH CVSS 7.2 2026-03-21
Threat Entry Updated 2026-03-23

CVE-2026-1313 - Mimetypes Link Icons Plugin

The MimeTypes Link Icons plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.2.20. This is due to the plugin making outbound HTTP requests to user-controlled URLs without proper validation when the "Show file size" option is enabled. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services via crafted links in post content.

PLUGIN Mimetypes Link Icons

CVE-2026-1313

HIGH CVSS 8.3 2026-03-21
Threat Entry Updated 2026-03-23

CVE-2026-4302 - Next Gen Popup Maker Plugin

The WowOptin: Next-Gen Popup Maker plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.29. This is due to the plugin exposing a publicly accessible REST API endpoint (optn/v1/integration-action) with a permission_callback of __return_true that passes user-supplied URLs directly to wp_remote_get() and wp_remote_post() in the Webhook::add_subscriber() method without any URL validation or restriction. The plugin does not use wp_safe_remote_get/post which provide built-in SSRF protection. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application,…

PLUGIN Next Gen Popup Maker

CVE-2026-4302

HIGH CVSS 7.2 2026-03-21
Threat Entry Updated 2026-03-23

CVE-2026-3368 - Injection Guard Plugin

The Injection Guard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via malicious query parameter names in all versions up to and including 1.2.9. This is due to insufficient input sanitization in the sanitize_ig_data() function which only sanitizes array values but not array keys, combined with missing output escaping in the ig_settings.php template where stored parameter keys are echoed directly into HTML. When a request is made to the site, the plugin captures the query string via $_SERVER['QUERY_STRING'], applies esc_url_raw() (which preserves URL-encoded special characters like %22, %3E, %3C),…

PLUGIN Injection Guard

CVE-2026-3368

HIGH CVSS 7.2 2026-03-21
Threat Entry Updated 2026-03-19

CVE-2026-3658 - Simply Schedule Appointments Plugin

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the 'fields' parameter in all versions up to, and including, 1.6.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, including usernames, email addresses, and password hashes.

PLUGIN Simply Schedule Appointments

CVE-2026-3658

HIGH CVSS 7.5 2026-03-19
Threat Entry Updated 2026-03-19

CVE-2026-27096 - Allows Object Injection Theme

Deserialization of Untrusted Data vulnerability in BuddhaThemes ColorFolio - Freelance Designer WordPress Theme allows Object Injection. This issue affects ColorFolio - Freelance Designer WordPress Theme: from n/a through 1.3.

THEME Allows Object Injection

CVE-2026-27096

HIGH CVSS 8.1 2026-03-19
Threat Entry Updated 2026-03-19

CVE-2026-1238 - Slimstat Analytics Plugin

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fh' (fingerprint) parameter in all versions up to, and including, 5.3.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Slimstat Analytics

CVE-2026-1238

HIGH CVSS 7.2 2026-03-19
Threat Entry Updated 2026-03-19

CVE-2026-1463 - Nextgen Gallery Plugin

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.3 via the 'template' parameter in gallery shortcodes. This makes it possible for authenticated attackers, with Author-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded…

PLUGIN Nextgen Gallery

CVE-2026-1463

HIGH CVSS 8.8 2026-03-18
Threat Entry Updated 2026-03-19

CVE-2026-3090 - Mobile App Plugin

The Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘event_type’ parameter in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability is only exploitable when the Post SMTP Pro plugin is also installed and its Reporting and…

PLUGIN Mobile App

CVE-2026-3090

HIGH CVSS 7.2 2026-03-18
Threat Entry Updated 2026-03-19

CVE-2026-2992 - Kivicare Clinic Management System Plugin

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization on the `/wp-json/kivicare/v1/setup-wizard/clinic` REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to create a new clinic and a WordPress user with clinic admin privileges.

PLUGIN Kivicare Clinic Management System

CVE-2026-2992

HIGH CVSS 8.2 2026-03-18
Threat Entry Updated 2026-03-17

CVE-2026-2579 - Product Blocks Plugin

The WowStore – Store Builder & Product Blocks for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the ‘search’ parameter in all versions up to, and including, 4.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Product Blocks

CVE-2026-2579

HIGH CVSS 7.5 2026-03-17
Threat Entry Updated 2026-03-16

CVE-2026-1947 - NEX-Forms – Ultimate Forms Plugin for WordPress

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 9.1.9 via the submit_nex_form() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to overwrite arbitrary form entries via the 'nf_set_entry_update_id' parameter.

PLUGIN NEX-Forms – Ultimate Forms Plugin for WordPress

CVE-2026-1947

HIGH CVSS 7.5 2026-03-16
Threat Entry Updated 2026-03-16

CVE-2026-3045 - Simply Schedule Appointments Plugin

The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to and including 1.6.9.29. This is due to two compounding weaknesses: (1) a non-user-bound `public_nonce` is exposed to unauthenticated users through the public `/wp-json/ssa/v1/embed-inner` REST endpoint, and (2) the `get_item()` method in `SSA_Settings_Api` relies on `nonce_permissions_check()` for authorization (which accepts the public nonce) but does not call `remove_unauthorized_settings_for_current_user()` to filter restricted fields. This makes it possible for unauthenticated attackers to access admin-only plugin settings including the administrator…

PLUGIN Simply Schedule Appointments

CVE-2026-3045

HIGH CVSS 7.5 2026-03-13
Threat Entry Updated 2026-03-16

CVE-2026-2890 - Formidable Forms Plugin

The Formidable Forms plugin for WordPress is vulnerable to a payment integrity bypass in all versions up to, and including, 6.28. This is due to the Stripe Link return handler (`handle_one_time_stripe_link_return_url`) marking payment records as complete based solely on the Stripe PaymentIntent status without comparing the intent's charged amount against the expected payment amount, and the `verify_intent()` function validating only client secret ownership without binding intents to specific forms or actions. This makes it possible for unauthenticated attackers to reuse a PaymentIntent from a completed low-value payment to mark a…

PLUGIN Formidable Forms

CVE-2026-2890

HIGH CVSS 7.5 2026-03-13