
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 101-120 of 3023 records
Threat Entry Updated 2026-03-05

CVE-2026-3459 - Drag And Drop Multiple File Upload Contact Form 7 Plugin

The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if the form includes a multiple file upload field with '*' as the accepted file type.

PLUGIN Drag And Drop Multiple File Upload Contact Form 7

CVE-2026-3459

HIGH CVSS 8.1 2026-03-05
Threat Entry Updated 2026-03-05

CVE-2026-1720 - Create Stunning Popups And Optins For Lead Generation Plugin

The WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the 'install_and_active_plugin' function in all versions up to, and including, 1.4.24. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins.

PLUGIN Create Stunning Popups And Optins For Lead Generation

CVE-2026-1720

HIGH CVSS 8.8 2026-03-05
Threat Entry Updated 2026-03-05

CVE-2026-1321 - Restrict Content Plugin

The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.20. This is due to the `rcp_setup_registration_init()` function accepting any membership level ID via the `rcp_level` POST parameter without validating that the level is active or that payment is required. Combined with the `add_user_role()` method which assigns the WordPress role configured on the membership level without status checks, this makes it possible for unauthenticated attackers to register with any membership level, including inactive levels that grant privileged WordPress roles…

PLUGIN Restrict Content

CVE-2026-1321

HIGH CVSS 8.1 2026-03-05
Threat Entry Updated 2026-03-09

CVE-2026-27342 - TopFit - Fitness and Gym WordPress Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes TopFit - Fitness and Gym WordPress Theme topfit allows PHP Local File Inclusion. This issue affects TopFit - Fitness and Gym WordPress Theme: from n/a through

THEME TopFit - Fitness and Gym WordPress Theme

CVE-2026-27342

HIGH CVSS 8.1 2026-03-05
Threat Entry Updated 2026-03-06

CVE-2026-27341 - TopScorer - Sports WordPress Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes TopScorer - Sports WordPress Theme topscorer allows PHP Local File Inclusion. This issue affects TopScorer - Sports WordPress Theme: from n/a through

THEME TopScorer - Sports WordPress Theme

CVE-2026-27341

HIGH CVSS 8.1 2026-03-05
Threat Entry Updated 2026-03-09

CVE-2026-27340 - Apollo | Night Club, DJ Event WordPress Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Apollo | Night Club, DJ Event WordPress Theme apollo allows PHP Local File Inclusion. This issue affects Apollo | Night Club, DJ Event WordPress Theme: from n/a through

THEME Apollo | Night Club, DJ Event WordPress Theme

CVE-2026-27340

HIGH CVSS 8.1 2026-03-05
Threat Entry Updated 2026-03-11

CVE-2026-27339 - Buzz Stone | Magazine & Viral Blog WordPress Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Buzz Stone | Magazine & Viral Blog WordPress Theme buzzstone allows PHP Local File Inclusion. This issue affects Buzz Stone | Magazine & Viral Blog WordPress Theme: from n/a through

THEME Buzz Stone | Magazine & Viral Blog WordPress Theme

CVE-2026-27339

HIGH CVSS 8.1 2026-03-05
Threat Entry Updated 2026-03-09

CVE-2026-27337 - Chronicle - Lifestyle Magazine & Blog WordPress Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Chronicle - Lifestyle Magazine & Blog WordPress Theme chronicle allows PHP Local File Inclusion. This issue affects Chronicle - Lifestyle Magazine & Blog WordPress Theme: from n/a through

THEME Chronicle - Lifestyle Magazine & Blog WordPress Theme

CVE-2026-27337

HIGH CVSS 8.1 2026-03-05
Threat Entry Updated 2026-03-09

CVE-2026-27336 - Consultor | Consulting, Accounting & Legal Counsel WordPress Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Consultor | Consulting, Accounting & Legal Counsel WordPress Theme consultor allows PHP Local File Inclusion. This issue affects Consultor | Consulting, Accounting & Legal Counsel WordPress Theme: from n/a through

THEME Consultor | Consulting, Accounting & Legal Counsel WordPress Theme

CVE-2026-27336

HIGH CVSS 8.1 2026-03-05
Threat Entry Updated 2026-03-09

CVE-2026-27326 - AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme window-ac-services allows PHP Local File Inclusion. This issue affects AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme: from n/a through

THEME AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme

CVE-2026-27326

HIGH CVSS 8.1 2026-03-05
Threat Entry Updated 2026-03-09

CVE-2026-27097 - CasaMia | Property Rental Real Estate WordPress Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes CasaMia | Property Rental Real Estate WordPress Theme casamia allows PHP Local File Inclusion. This issue affects CasaMia | Property Rental Real Estate WordPress Theme: from n/a through

THEME CasaMia | Property Rental Real Estate WordPress Theme

CVE-2026-27097

HIGH CVSS 8.1 2026-03-05
Threat Entry Updated 2026-03-05

CVE-2026-2365 - Fluent Forms Pro Add On Pack Plugin

The Fluent Forms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fluentform_step_form_save_data` AJAX action in all versions up to, and including, 6.1.17. This is due to the draft form submission endpoint being publicly accessible without authentication or nonce verification, combined with insufficient input sanitization and output escaping of form field data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views a partial form entry.

PLUGIN Fluent Forms Pro Add On Pack

CVE-2026-2365

HIGH CVSS 7.2 2026-03-05
Threat Entry Updated 2026-04-15

CVE-2026-2025 - Before 1 Plugin

The Mail Mint WordPress plugin before 1.19.5 does not perform an authorization check on one of its REST API endpoints, allowing unauthenticated users to call it and retrieve the email addresses of users on the blog.

PLUGIN Before 1

CVE-2026-2025

HIGH CVSS 7.5 2026-03-04
Threat Entry Updated 2026-03-04

CVE-2026-1945 - Wpbookit Plugin

The WPBookit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpb_user_name' and 'wpb_user_email' parameters in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wpbookit

CVE-2026-1945

HIGH CVSS 7.2 2026-03-04
Threat Entry Updated 2026-03-04

CVE-2026-1273 - Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX Plugin

The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.8 via the `/ultp/v3/starter_dummy_post/` and `/ultp/v3/starter_import_content/` REST API endpoints. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX

CVE-2026-1273

HIGH CVSS 7.2 2026-03-04
Threat Entry Updated 2026-03-03

CVE-2026-2568 - Formidable And Ninja Forms Plugin

The WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form submission data in all versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Formidable And Ninja Forms

CVE-2026-2568

HIGH CVSS 7.2 2026-03-03
Threat Entry Updated 2026-03-03

CVE-2026-2448 - Page Builder By Siteorigin Plugin

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.5 via the locate_template() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

PLUGIN Page Builder By Siteorigin

CVE-2026-2448

HIGH CVSS 8.8 2026-03-03
Threat Entry Updated 2026-03-03

CVE-2026-2269 - Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin

The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.0.0.3 via the download_url() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. Additionally, the plugin stores the contents of the remote files on the server, which can be leveraged to upload arbitrary files…

PLUGIN Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin

CVE-2026-2269

HIGH CVSS 7.2 2026-03-03
Threat Entry Updated 2026-03-03

CVE-2026-1566 - Calendar Booking Plugin For Appointments And Events

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 5.2.7. This is due to the plugin allowing users with the LatePoint Agent role to set the 'wordpress_user_id' field when creating new customers. This makes it possible for authenticated attackers, with Agent-level access and above, to gain elevated privileges by linking a customer to an arbitrary user ID, including that of an administrator, and then resetting the password.

PLUGIN Calendar Booking Plugin For Appointments And Events

CVE-2026-1566

HIGH CVSS 8.8 2026-03-03
Threat Entry Updated 2026-03-02

CVE-2026-3180 - Contest Gallery Plugin

The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to blind SQL Injection via the 'cgLostPasswordEmail' and 'cgl_mail' parameters in all versions up to, and including, 28.1.4 due to insufficient escaping of the user-supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The vulnerability's 'cgLostPasswordEmail' parameter was patched…

PLUGIN Contest Gallery

CVE-2026-3180

HIGH CVSS 7.5 2026-03-02