
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 3,625 (Critical 0, High 3,625, Medium 0)
Showing 161-180 of 3625 records
Threat Entry Updated 2026-04-22

CVE-2026-6518 - Cmp Coming Soon Maintenance Plugin

The CMP – Coming Soon & Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary file upload and remote code execution in all versions up to, and including, 4.1.16 via the `cmp_theme_update_install` AJAX action. This is due to the function only checking for the `publish_pages` capability (available to Editors and above) instead of `manage_options` (Administrators only), combined with a lack of proper validation on the user-supplied file URL and no verification of the downloaded file's content before extraction. This makes it possible for authenticated attackers, with Administrator-level access…

PLUGIN Cmp Coming Soon Maintenance

CVE-2026-6518

HIGH CVSS 8.8 2026-04-18
Threat Entry Updated 2026-04-22

CVE-2026-2262 - Easy Appointments Plugin

The Easy Appointments plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.12.21 via the `/wp-json/wp/v2/eablocks/ea_appointments/` REST API endpoint. This is due to the endpoint being registered with `'permission_callback' => '__return_true'`, which allows access without any authentication or authorization checks. This makes it possible for unauthenticated attackers to extract sensitive customer appointment data including full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information.

PLUGIN Easy Appointments

CVE-2026-2262

HIGH CVSS 7.5 2026-04-18
Threat Entry Updated 2026-05-27

CVE-2026-5718 - Drag And Drop Multiple File Upload Contact Form 7 Plugin

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.7. This is due to insufficient file type validation that occurs when custom blacklist types are configured, which replaces the default dangerous extension denylist instead of merging with it, and the wpcf7_antiscript_file_name() sanitization function being bypassed for filenames containing non-ASCII characters. This makes it possible for unauthenticated attackers to upload arbitrary files, such as PHP files, to the server, which can be leveraged to…

PLUGIN Drag And Drop Multiple File Upload Contact Form 7

CVE-2026-5718

HIGH CVSS 8.1 2026-04-17
Threat Entry Updated 2026-04-22

CVE-2026-5710 - Drag And Drop Multiple File Upload Contact Form 7 Plugin

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Path Traversal leading to Arbitrary File Read in versions up to and including 1.3.9.6. This is due to the plugin using client-supplied mfile[] POST values as the source of truth for email attachment selection without performing any server-side upload provenance check, path canonicalization, or directory containment boundary enforcement. In dnd_wpcf7_posted_data(), each user-submitted filename is directly appended to the plugin's upload URL without sanitization. In dnd_cf7_mail_components(), the URL is converted back to a filesystem…

PLUGIN Drag And Drop Multiple File Upload Contact Form 7

CVE-2026-5710

HIGH CVSS 7.5 2026-04-17
Threat Entry Updated 2026-04-22

CVE-2026-3464 - Customer Area Plugin

The WP Customer Area plugin for WordPress is vulnerable to arbitrary file read and deletion due to insufficient file path validation in the 'ajax_attach_file' function in all versions up to, and including, 8.3.4. This makes it possible for authenticated attackers with a role that an administrator grants access to (e.g., Subscriber) to read the contents of arbitrary files on the server, which can contain sensitive information, or delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as…

PLUGIN Customer Area

CVE-2026-3464

HIGH CVSS 8.8 2026-04-17
Threat Entry Updated 2026-04-22

CVE-2026-4659 - Unlimited Elements For Elementor Plugin

The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Arbitrary File Read via the Repeater JSON/CSV URL parameter in versions up to, and including, 2.0.6. This is due to insufficient path traversal sanitization in the URLtoRelative() and urlToPath() functions, combined with the ability to enable debug output in widget settings. The URLtoRelative() function only performs a simple string replacement to remove the site's base URL without sanitizing path traversal sequences (../), and the cleanPath() function only normalizes directory separators without removing traversal components. This allows an attacker to…

PLUGIN Unlimited Elements For Elementor

CVE-2026-4659

HIGH CVSS 7.5 2026-04-17
Threat Entry Updated 2026-04-22

CVE-2026-5231 - Wp Statistics Plugin

The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'utm_source' parameter in all versions up to, and including, 14.16.4. This is due to insufficient input sanitization and output escaping. The plugin's referral parser copies the raw utm_source value into the source_name field when a wildcard channel domain matches, and the chart renderer later inserts this value into legend markup via innerHTML without escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in admin pages that will execute whenever an administrator accesses…

PLUGIN Wp Statistics

CVE-2026-5231

HIGH CVSS 7.2 2026-04-17
Threat Entry Updated 2026-04-28

CVE-2026-40308 - For Managing Calendar Events Plugin

My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mc_ajax_mcjs_action AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parse_str() without validation, allowing injection of arbitrary parameters including a site value. On WordPress Multisite installations, this enables an unauthenticated attacker to call switch_to_blog() with an arbitrary site ID and extract calendar events from any sub-site on the network, including private or hidden events. On standard Single Site installations, switch_to_blog() does not exist, causing an uncaught PHP fatal error and crashing the worker…

PLUGIN For Managing Calendar Events

CVE-2026-40308

HIGH CVSS 8.8 2026-04-16
Threat Entry Updated 2026-04-22

CVE-2026-3489 - Business Directory And Classified Ad Listing Plugin

The DirectoryPress – Business Directory And Classified Ad Listing plugin for WordPress is vulnerable to SQL Injection via the 'packages' parameter in versions up to, and including, 3.6.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Business Directory And Classified Ad Listing

CVE-2026-3489

HIGH CVSS 7.5 2026-04-16
Threat Entry Updated 2026-04-22

CVE-2026-3876 - Prismatic Plugin

The Prismatic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'prismatic_encoded' pseudo-shortcode in all versions up to, and including, 3.7.3. This is due to insufficient input sanitization and output escaping on user-supplied attributes within the 'prismatic_decode' function. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page by submitting a comment containing a crafted 'prismatic_encoded' pseudo-shortcode.

PLUGIN Prismatic

CVE-2026-3876

HIGH CVSS 7.2 2026-04-16
Threat Entry Updated 2026-04-22

CVE-2026-1620 - Addons For Elementor Plugin

The Livemesh Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.0. This is due to insufficient sanitization of the template name parameter in the `lae_get_template_part()` function, which uses an inadequate `str_replace()` approach that can be bypassed using recursive directory traversal patterns. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the attacker to include and execute local files via the widget's template parameter granted they can…

PLUGIN Addons For Elementor

CVE-2026-1620

HIGH CVSS 8.8 2026-04-16
Threat Entry Updated 2026-04-22

CVE-2026-5050 - Woocommerce Lite Plugin

The Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 7.0.0 due to successful_request() handlers calculating a local signature but not validating Ds_Signature from the request before accepting payment status across the Redsys, Bizum, and Google Pay gateway flows. This makes it possible for unauthenticated attackers to forge payment callback data and mark pending orders as paid when they know a valid order key and order amount, potentially allowing checkout completion and product or service…

PLUGIN Woocommerce Lite

CVE-2026-5050

HIGH CVSS 7.5 2026-04-16
Threat Entry Updated 2026-04-22

CVE-2026-3614 - Acymailing Plugin

The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions from 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the `wp_ajax_acymailing_router` AJAX handler. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access admin-only controllers (including configuration management), enable the autologin feature, create a malicious newsletter subscriber with an injected `cms_id` pointing to any WordPress user, and then use the autologin URL to authenticate as that user, including administrators.

PLUGIN Acymailing

CVE-2026-3614

HIGH CVSS 8.8 2026-04-16
Threat Entry Updated 2026-04-22

CVE-2026-3599 - Riaxe Product Customizer Plugin

The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter keys within 'product_data' of the /wp-json/InkXEProductDesignerLite/add-item-to-cart REST API endpoint in all versions up to, and including, 2.1.2. This is due to insufficient escaping on the user-supplied parameter and insufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Riaxe Product Customizer

CVE-2026-3599

HIGH CVSS 7.5 2026-04-16
Threat Entry Updated 2026-04-22

CVE-2026-6372 - Accept Cryptocurrencies with Plisio Plugin

Missing Authorization vulnerability in Plisio Accept Cryptocurrencies with Plisio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accept Cryptocurrencies with Plisio: from n/a through 2.0.5.

PLUGIN Accept Cryptocurrencies with Plisio

CVE-2026-6372

HIGH CVSS 7.5 2026-04-15
Threat Entry Updated 2026-04-29

CVE-2026-40784 - FluentBoards Plugin

Authorization Bypass Through User-Controlled Key vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FluentBoards: from n/a through

PLUGIN FluentBoards

CVE-2026-40784

HIGH CVSS 8.1 2026-04-15
Threat Entry Updated 2026-04-22

CVE-2026-40744 - Beaver Builder Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Blind SQL Injection. This issue affects Beaver Builder: from n/a through

PLUGIN Beaver Builder

CVE-2026-40744

HIGH CVSS 8.5 2026-04-15
Threat Entry Updated 2026-04-29

CVE-2026-40764 - WPForms Plugin

Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Cross Site Request Forgery. This issue affects Contact Form by WPForms: from n/a through

PLUGIN WPForms

CVE-2026-40764

HIGH CVSS 8.1 2026-04-15
Threat Entry Updated 2026-04-22

CVE-2026-40745 - Elementor Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite allows Blind SQL Injection. This issue affects Element Pack Elementor Addons: from n/a through

PLUGIN Elementor

CVE-2026-40745

HIGH CVSS 7.6 2026-04-15
Threat Entry Updated 2026-04-22

CVE-2026-5617 - One Click Login As User Plugin

The Login as User plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the handle_return_to_admin() function trusting a client-controlled cookie (oclaup_original_admin) to determine which user to authenticate as, without any server-side verification that the cookie value was legitimately set during an admin-initiated user switch. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to administrator by setting the oclaup_original_admin cookie to an administrator's user ID and triggering the "Return to Admin" functionality.

PLUGIN One Click Login As User

CVE-2026-5617

HIGH CVSS 8.8 2026-04-15