Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 61-80 of 3625 records
Threat Entry Updated 2026-05-20

CVE-2026-5200 - An Ultimate Newsletter Plugin And Marketing Automation Solution For Wordpress

The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 10.8.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify privileged AcyMailing configuration, export subscriber secret keys, and chain these actions into administrator account takeover when a target administrator email address is known.

PLUGIN An Ultimate Newsletter Plugin And Marketing Automation Solution For Wordpress

CVE-2026-5200

HIGH CVSS 8.8 2026-05-20
Threat Entry Updated 2026-05-20

CVE-2026-7522 - Advanced Database Cleaner – Premium Plugin

The Advanced Database Cleaner – Premium plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.1.0 via the 'template' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

PLUGIN Advanced Database Cleaner – Premium

CVE-2026-7522

HIGH CVSS 8.8 2026-05-20
Threat Entry Updated 2026-05-20

CVE-2026-9010 - Boost Plugin

The Boost plugin for WordPress is vulnerable to time-based SQL Injection via the 'current_url' and 'user_name' parameters in versions up to, and including, 2.0.3 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL queries. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Boost

CVE-2026-9010

HIGH CVSS 7.5 2026-05-20
Threat Entry Updated 2026-05-20

CVE-2026-7467 - Expand Maker Plugin

The Read More & Accordion plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.7. This is due to the 'RadMoreAjax::importData' function not restricting which database tables can be written to during import and not properly validating the imported data. This makes it possible for authenticated attackers, with permission granted by the site owner through the plugin's role settings, to insert arbitrary rows into the 'wp_users' and 'wp_usermeta' tables, including the 'wp_capabilities' field, allowing them to create a new administrator account and gain administrator…

PLUGIN Expand Maker

CVE-2026-7467

HIGH CVSS 8.8 2026-05-20
Threat Entry Updated 2026-05-20

CVE-2026-6456 - Account Switcher Plugin

The Account Switcher plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.2. This is due to the `rememberLogin` REST API endpoint using a loose comparison (`!=` instead of `!==`) for secret validation at `app/RestAPI.php:111`, combined with no validation that the secret is non-empty. When a target user has never used the "Remember me" feature, their `asSecret` user meta does not exist, causing `get_user_meta()` to return an empty string. An attacker can send an empty `secret` parameter, which passes the comparison (`'' != ''`…

PLUGIN Account Switcher

CVE-2026-6456

HIGH CVSS 8.8 2026-05-20
Threat Entry Updated 2026-05-20

CVE-2026-3985 - Creative Mail By Constant Contact Plugin

The Creative Mail – Easier WordPress & WooCommerce Email Marketing plugin for WordPress is vulnerable to SQL Injection via the 'checkout_uuid' parameter in all versions up to, and including, 1.6.9. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the `has_checkout_consent()` method. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Creative Mail By Constant Contact

CVE-2026-3985

HIGH CVSS 7.5 2026-05-20
Threat Entry Updated 2026-05-19

CVE-2026-8073 - Kirki – Freeform Page Builder, Website Builder & Customizer Theme

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and a missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for unauthenticated attackers to read and delete arbitrary files within the WordPress uploads base directory.

THEME Kirki – Freeform Page Builder, Website Builder & Customizer

CVE-2026-8073

HIGH CVSS 7.5 2026-05-19
Threat Entry Updated 2026-05-19

CVE-2026-47100 - Changeset Plugin

Funnel Builder for WooCommerce Checkout prior to 3.15.0.3 contains a missing authorization vulnerability in the public checkout endpoint that allows unauthenticated attackers to invoke internal methods and write arbitrary data to the plugin's External Scripts global setting. Attackers can inject malicious JavaScript through the External Scripts setting that executes in the browsers of all checkout page visitors.

PLUGIN Changeset

CVE-2026-47100

HIGH CVSS 8.7 2026-05-19
Threat Entry Updated 2026-05-19

CVE-2026-8912 - Contest Gallery Plugin

The Contest Gallery plugin for WordPress is vulnerable to SQL Injection via the 'form_input' parameter in versions up to, and including, 28.1.6. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query inside the unauthenticated 'post_cg_gallery_form_upload' AJAX action (specifically the 'cb' branch of the included users-upload-check.php, where $f_input_id is concatenated unquoted into 'SELECT Field_Content FROM ... WHERE id = $f_input_id'). The endpoint is gated only by a public frontend nonce ('cg1l_action' / 'cg_nonce') that is exposed in the page…

PLUGIN Contest Gallery

CVE-2026-8912

HIGH CVSS 7.5 2026-05-19
Threat Entry Updated 2026-05-18

CVE-2026-3220 - Clearfy Cache Plugin

The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulnerable to unauthenticated Stored Cross-Site Scripting (XSS) due to a predictable replacement hash used during the HTML minification process and abusing a regular expression. This allows an attacker to inject arbitrary HTML attributes in the final HTML output by anticipating the placeholder format.

PLUGIN Clearfy Cache

CVE-2026-3220

HIGH CVSS 8.8 2026-05-18
Threat Entry Updated 2026-05-18

CVE-2026-6379 - Wp Photo Album Plus Plugin

The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing unauthenticated users to perform SQL injection attacks.

PLUGIN Wp Photo Album Plus

CVE-2026-6379

HIGH CVSS 8.6 2026-05-18
Threat Entry Updated 2026-05-18

CVE-2026-6381 - Wp Maps Plugin

The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion attacks.

PLUGIN Wp Maps

CVE-2026-6381

HIGH CVSS 7.5 2026-05-18
Threat Entry Updated 2026-05-18

CVE-2026-6495 - Ajax Load More Plugin

The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high-privilege users such as admins.

PLUGIN Ajax Load More

CVE-2026-6495

HIGH CVSS 7.1 2026-05-18
Threat Entry Updated 2026-05-18

CVE-2026-8719 - For Wordpress Is Vulnerable To Privilege Escalation In Version 3 Plugin

The AI Engine – The Chatbot, AI Framework & MCP for WordPress plugin for WordPress is vulnerable to Privilege Escalation in version 3.4.9. This is due to missing WordPress capability enforcement in the MCP OAuth bearer-token authorization path, where any valid OAuth token causes MCP access to be granted without verifying administrator privileges. This makes it possible for authenticated (Subscriber+) attackers to invoke admin-level MCP tools and escalate privileges to Administrator.

PLUGIN For Wordpress Is Vulnerable To Privilege Escalation In Version 3

CVE-2026-8719

HIGH CVSS 8.8 2026-05-17
Threat Entry Updated 2026-05-15

CVE-2026-6228 - Acf Frontend Form Element Plugin

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 3.28.36. This is due to insufficient authorization checks in the role field update mechanism combined with overly permissive capabilities for the admin_form post type. The admin_form custom post type uses 'capability_type' => 'page', which grants editors the ability to create and edit forms. When an editor creates an edit_user form, they can manipulate the form configuration to include 'administrator' in the role_options array by directly submitting POST data to wp-admin/post.php, bypassing…

PLUGIN Acf Frontend Form Element

CVE-2026-6228

HIGH CVSS 8.8 2026-05-15
Threat Entry Updated 2026-05-15

CVE-2026-6403 - Quick Playground Plugin

The Quick Playground plugin for WordPress is vulnerable to Path Traversal in versions up to and including 1.3.3. This is due to insufficient path validation in the qckply_zip_theme() function, which appends a user-controlled 'stylesheet' parameter directly to the theme root directory path without sanitizing directory traversal sequences. This makes it possible for unauthenticated attackers to trigger the creation of a ZIP archive containing arbitrary files from the server's filesystem — including wp-config.

PLUGIN Quick Playground

CVE-2026-6403

HIGH CVSS 7.5 2026-05-15
Threat Entry Updated 2026-05-15

CVE-2026-4094 - Currency Switcher Professional For Woocommerce Plugin

The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'admin_head' function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete the entire multi-currency configuration by visiting any wp-admin page with the `woocs_reset` parameter appended. Additionally, because no nonce is verified, this is also exploitable via Cross-Site Request Forgery against any administrator. The vulnerability may also be exploited by Subscriber-level users if…

PLUGIN Currency Switcher Professional For Woocommerce

CVE-2026-4094

HIGH CVSS 8.1 2026-05-15
Threat Entry Updated 2026-05-14

CVE-2026-4030 - Database Backup For Wordpress Plugin

The Database Backup for WordPress plugin for WordPress is vulnerable to unauthorized arbitrary file read and deletion in all versions up to, and including, 2.5.2. This is due to the plugin not properly enforcing the return value of its authorization check combined with a user-controlled backup directory parameter. This makes it possible for unauthenticated attackers to read and delete arbitrary files on the server, leading to Sensitive Information Exposure and potential site takeover. Note: This vulnerability is only exploitable in WordPress Multisite environments where the deprecated is_site_admin() function exists.

PLUGIN Database Backup For Wordpress

CVE-2026-4030

HIGH CVSS 8.1 2026-05-14
Threat Entry Updated 2026-05-14

CVE-2026-4031 - Database Backup For Wordpress Plugin

The Database Backup for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.5.2. This is due to the plugin not restricting access to the wp_db_temp_dir parameter, which controls where database backups are written. This makes it possible for unauthenticated attackers to send a request to wp-cron.php with a poisoned wp_db_temp_dir value pointing to a publicly accessible directory (e.g., wp-content/uploads/), and if a scheduled backup is due, intercept the backup file before it is cleaned up. The backup file has a predictable name…

PLUGIN Database Backup For Wordpress

CVE-2026-4031

HIGH CVSS 7.5 2026-05-14
Threat Entry Updated 2026-05-14

CVE-2026-4029 - Database Backup For Wordpress Plugin

The Database Backup for WordPress plugin for WordPress is vulnerable to unauthorized database export in all versions up to, and including, 2.5.2. This is due to the plugin not properly enforcing the return value of its authorization check. This makes it possible for unauthenticated attackers to export database tables, leading to Sensitive Information Exposure. Note: This vulnerability is only exploitable in WordPress Multisite environments where the deprecated is_site_admin() function exists.

PLUGIN Database Backup For Wordpress

CVE-2026-4029

HIGH CVSS 7.5 2026-05-14