
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 3,023 | Critical: 0 | High: 3,023 | Medium: 0
Showing 121-140 of 3,023 records
Threat Entry Updated 2026-03-02

CVE-2026-3132 - Master Addons Plugin

The Master Addons for Elementor Premium plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.3 via 'JLTMA_Widget_Admin::render_preview'. This is due to a missing capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute code on the server.

PLUGIN Master Addons

CVE-2026-3132

HIGH CVSS 8.8 2026-03-02
Threat Entry Updated 2026-03-05

CVE-2026-28562 - Wpforo Plugin

wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials from the WordPress database.

PLUGIN Wpforo

CVE-2026-28562

HIGH CVSS 8.8 2026-02-28
Threat Entry Updated 2026-03-04

CVE-2026-28557 - Wpforo Plugin

wpForo Forum 2.4.14 contains a missing capability check vulnerability that allows authenticated users to trigger bulk wpForo usergroup reassignment via the wpforo_synch_roles AJAX handler. Attackers access the usergroups admin page, accessible to any authenticated user, to obtain a nonce, then remap all wpForo usergroups to arbitrary WordPress roles.

PLUGIN Wpforo

CVE-2026-28557

HIGH CVSS 7.1 2026-02-28
Threat Entry Updated 2026-03-02

CVE-2025-13673 - Elearning And Online Course Solution Plugin

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: This vulnerability was partially mitigated in versions 3.9.4 and 3.9.6.

PLUGIN Elearning And Online Course Solution

CVE-2025-13673

HIGH CVSS 7.5 2026-02-28
Threat Entry Updated 2026-04-15

CVE-2026-2471 - Wp Mail Logging Plugin

The WP Mail Logging plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.15.0 via deserialization of untrusted input from the email log message field. This is due to the `BaseModel` class constructor calling `maybe_unserialize()` on all properties retrieved from the database without validation. This makes it possible for unauthenticated attackers to inject a PHP Object by submitting a double-serialized payload through any public-facing form that sends email (e.g., Contact Form 7). When the email is logged and subsequently viewed by an administrator,…

PLUGIN Wp Mail Logging

CVE-2026-2471

HIGH CVSS 7.5 2026-02-28
Threat Entry Updated 2026-03-02

CVE-2026-2751 - Centreon Web On Central Server Plugin

Blind SQL Injection via unsanitized array keys in Service Dependencies deletion. Vulnerability in Centreon Centreon Web on Central Server on Linux (Service Dependencies modules) allows Blind SQL Injection. This issue affects Centreon Web on Central Server before 25.10.8, 24.10.20, 24.04.24.

PLUGIN Centreon Web On Central Server

CVE-2026-2751

HIGH CVSS 8.3 2026-02-27
Threat Entry Updated 2026-03-02

CVE-2026-2252 - Xerox FreeFlow Core Plugin

An XML External Entity (XXE) vulnerability allows a malicious user to perform Server-Side Request Forgery (SSRF) via crafted XML input containing malicious external entity references. This issue affects Xerox FreeFlow Core versions up to and including 8.0.7. Please consider upgrading to FreeFlow Core version 8.1.0 via the software available at https://www.support.xerox.com/en-us/product/core/downloads

PLUGIN Xerox FreeFlow Core

CVE-2026-2252

HIGH CVSS 7.5 2026-02-27
Threat Entry Updated 2026-04-15

CVE-2026-2428 - Fluent Forms Pro Add On Pack Plugin

The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Instant Payment Notification) verification being disabled by default (`disable_ipn_verification` defaults to `'yes'` in `PayPalSettings.php`). This makes it possible for unauthenticated attackers to send forged PayPal IPN notifications to the publicly accessible IPN endpoint, marking unpaid form submissions as "paid" and triggering post-payment automation (emails, access grants, digital product delivery).

PLUGIN Fluent Forms Pro Add On Pack

CVE-2026-2428

HIGH CVSS 7.5 2026-02-27
Threat Entry Updated 2026-04-15

CVE-2026-1565 - User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration Plugin

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WPUF_Admin_Settings::check_filetype_and_ext' function and in the 'Admin_Tools::check_filetype_and_ext' function in all versions up to, and including, 4.2.8. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration

CVE-2026-1565

HIGH CVSS 8.8 2026-02-26
Threat Entry Updated 2026-02-27

CVE-2026-28136 - WP SMS Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VeronaLabs WP SMS wp-sms allows SQL Injection. This issue affects WP SMS: from n/a through

PLUGIN WP SMS

CVE-2026-28136

HIGH CVSS 7.6 2026-02-26
Threat Entry Updated 2026-02-27

CVE-2026-28138 - uListing Plugin

Deserialization of Untrusted Data vulnerability in Stylemix uListing ulisting allows Object Injection. This issue affects uListing: from n/a through

PLUGIN uListing

CVE-2026-28138

HIGH CVSS 7.2 2026-02-26
Threat Entry Updated 2026-04-15

CVE-2026-1311 - Worry Proof Backup Plugin

The Worry Proof Backup plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.2.4 via the backup upload functionality. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload a malicious ZIP archive with path traversal sequences to write arbitrary files anywhere on the server, including executable PHP files. This can lead to remote code execution.

PLUGIN Worry Proof Backup

CVE-2026-1311

HIGH CVSS 8.8 2026-02-26
Threat Entry Updated 2026-04-15

CVE-2026-1779 - User Registration Plugin

The User Registration & Membership plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.2. This is due to incorrect authentication in the 'register_member' function. This makes it possible for unauthenticated attackers to log in a newly registered user on the site who has the 'urm_user_just_created' user meta set.

PLUGIN User Registration

CVE-2026-1779

HIGH CVSS 8.1 2026-02-26
Threat Entry Updated 2026-04-15

CVE-2026-27938 - Wp Graphql Plugin

WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the `wp-graphql/wp-graphql` repository contains a GitHub Actions workflow (`release.yml`) vulnerable to OS command injection through direct use of `${{ github.event.pull_request.body }}` inside a `run:` shell block. When a pull request from `develop` to `master` is merged, the PR body is injected verbatim into a shell command, allowing arbitrary command execution on the Actions runner. Version 2.9.1 contains a fix for the vulnerability.

PLUGIN Wp Graphql

CVE-2026-27938

HIGH CVSS 7.7 2026-02-26
Threat Entry Updated 2026-04-15

CVE-2026-1557 - Wp Responsive Images Plugin

The WP Responsive Images plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0 via the 'src' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Wp Responsive Images

CVE-2026-1557

HIGH CVSS 7.5 2026-02-26
Threat Entry Updated 2026-04-15

CVE-2026-1929 - Advanced Woo Labels Plugin

The Advanced Woo Labels plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.37. This is due to the use of `call_user_func_array()` with user-controlled callback and parameters in the `get_select_option_values()` AJAX handler without an allowlist of permitted callbacks or a capability check. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP functions and operating system commands on the server via the 'callback' parameter.

PLUGIN Advanced Woo Labels

CVE-2026-1929

HIGH CVSS 8.8 2026-02-25
Threat Entry Updated 2026-04-15

CVE-2026-2416 - Geo Mashup Plugin

The Geo Mashup plugin for WordPress is vulnerable to SQL Injection via the 'sort' parameter in all versions up to, and including, 1.13.17. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Geo Mashup

CVE-2026-2416

HIGH CVSS 7.5 2026-02-25
Threat Entry Updated 2026-04-15

CVE-2026-1916 - Spreadsheet Integration Plugin

The WPGSI: Spreadsheet Integration plugin for WordPress is vulnerable to unauthorized modification and loss of data due to missing capability checks and an insecure authentication mechanism on the `wpgsi_callBackFuncAccept` and `wpgsi_callBackFuncUpdate` REST API functions in all versions up to, and including, 3.8.3. Both REST endpoints use `permission_callback => '__return_true'`, allowing unauthenticated access. The plugin's custom token-based validation relies on a Base64-encoded JSON object containing the user ID and email address, but is not cryptographically signed. This makes it possible for unauthenticated attackers to forge tokens using publicly enumerable information (admin…

PLUGIN Spreadsheet Integration

CVE-2026-1916

HIGH CVSS 7.5 2026-02-25
Threat Entry Updated 2026-02-24

CVE-2025-15386 - Before 2 Plugin

The Responsive Lightbox & Gallery WordPress plugin before 2.6.1 is vulnerable to an Unauthenticated Stored XSS attack due to flawed regex replacement rules that can be abused by posting a comment with a malicious link when the lightbox for comments is enabled and the comment is then approved.

PLUGIN Before 2

CVE-2025-15386

HIGH CVSS 8.8 2026-02-24
Threat Entry Updated 2026-02-23

CVE-2026-27072 - PixelYourSite – Your smart PIXEL (TAG) Manager Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PixelYourSite PixelYourSite – Your smart PIXEL (TAG) Manager pixelyoursite allows Stored XSS. This issue affects PixelYourSite – Your smart PIXEL (TAG) Manager: from n/a through

PLUGIN PixelYourSite – Your smart PIXEL (TAG) Manager

CVE-2026-27072

HIGH CVSS 7.1 2026-02-20