
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 221-240 of 11547 records
Threat Entry Updated 2026-05-13

CVE-2026-3004 - Snow Monkey Blocks Plugin

The Snow Monkey Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data-slick' attribute in all versions up to, and including, 24.1.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Snow Monkey Blocks

CVE-2026-3004

MEDIUM CVSS 6.4 2026-05-13
Threat Entry Updated 2026-05-13

CVE-2026-6965 - Elearning And Online Course Solution Plugin

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by `can_user_manage()`, the plugin's sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated…

PLUGIN Elearning And Online Course Solution

CVE-2026-6965

MEDIUM CVSS 5.3 2026-05-13
Threat Entry Updated 2026-05-13

CVE-2026-7619 - Charitable Plugin

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 1.8.10.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with access to the donation management admin area (requiring the edit_others_donations capability) and above, to append additional SQL queries into already existing queries that can be used to extract…

PLUGIN Charitable

CVE-2026-7619

MEDIUM CVSS 6.5 2026-05-13
Threat Entry Updated 2026-05-13

CVE-2026-6962 - Cost Of Goods For Woocommerce Plugin

The Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'alg_wc_cog_product_cost' and 'alg_wc_cog_product_profit' shortcodes in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Cost Of Goods For Woocommerce

CVE-2026-6962

MEDIUM CVSS 6.4 2026-05-13
Threat Entry Updated 2026-05-13

CVE-2026-6828 - Conversational Form Builder Plugin

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'permission_message' parameter in all versions up to, and including, 6.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Conversational Form Builder

CVE-2026-6828

MEDIUM CVSS 6.4 2026-05-13
Threat Entry Updated 2026-05-13

CVE-2026-7051 - Blog2social Plugin

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 8.9.0. This is due to a missing ownership verification in the B2S_Post_Tools::deleteUserPublishPost() and B2S_Post_Tools::deleteUserSchedPost() functions: neither function includes a blog_user_id constraint in its database query, allowing authenticated attackers to soft-delete any user's B2S post records by supplying arbitrary sequential wp_b2s_posts.id values via the 'postId' parameter. This makes it possible for authenticated attackers to delete other users' published and scheduled social media post records, disrupting content publishing workflows.

PLUGIN Blog2social

CVE-2026-7051

MEDIUM CVSS 5.4 2026-05-13
Threat Entry Updated 2026-05-13

CVE-2026-25431 - Hustle Plugin

Missing Authorization vulnerability in WPMU DEV Hustle allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hustle: through 7.8.10.1.

PLUGIN Hustle

CVE-2026-25431

MEDIUM CVSS 5.3 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-45210 - Broadstreet Ads Plugin

Missing Authorization vulnerability in Broadstreet Broadstreet Ads broadstreet allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Broadstreet Ads: from n/a through

PLUGIN Broadstreet Ads

CVE-2026-45210

MEDIUM CVSS 5.4 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-45215 - WP EasyPay Plugin

Insertion of Sensitive Information Into Sent Data vulnerability in Saad Iqbal WP EasyPay wp-easy-pay allows Retrieve Embedded Sensitive Data. This issue affects WP EasyPay: from n/a through

PLUGIN WP EasyPay

CVE-2026-45215

MEDIUM CVSS 5.3 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-45212 - Asset CleanUp: Page Speed Booster Plugin

Missing Authorization vulnerability in Gabe Livan Asset CleanUp: Page Speed Booster wp-asset-clean-up allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Asset CleanUp: Page Speed Booster: from n/a through

PLUGIN Asset CleanUp: Page Speed Booster

CVE-2026-45212

MEDIUM CVSS 5.3 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-6813 - Continually Plugin

The Continually plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Continually

CVE-2026-6813

MEDIUM CVSS 4.4 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-6800 - Fastbots Ai Chatbots Plugin

The FastBots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Fastbots Ai Chatbots

CVE-2026-6800

MEDIUM CVSS 4.4 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-1934 - Motors Car Dealership Classified Listings Plugin

The Motors – Car Dealership & Classified Listings plugin for WordPress is vulnerable to Payment Bypass via insecure user meta update in all versions up to, and including, 1.4.103. This is due to the stm_save_user_extra_fields() function updating sensitive user meta fields from POST data without verifying that the current user should have permission to modify those fields. The function hooks into the 'personal_options_update' action and only checks current_user_can('edit_user', $user_id), which passes for any user editing their own profile. This makes it possible for authenticated attackers, with Subscriber-level access and above,…

PLUGIN Motors Car Dealership Classified Listings

CVE-2026-1934

MEDIUM CVSS 4.3 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-7661 - Bootstrap Shortcode Plugin

The Bootstrap Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `box` shortcode in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Bootstrap Shortcode

CVE-2026-7661

MEDIUM CVSS 6.4 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-7659 - Advanced Social Media Icons Plugin

The Advanced Social Media Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `social` shortcode in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Advanced Social Media Icons

CVE-2026-7659

MEDIUM CVSS 6.4 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-7561 - Tm Wordpress Redirection Plugin

The Tm – WordPress Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Tm Wordpress Redirection

CVE-2026-7561

MEDIUM CVSS 6.1 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-7464 - Wp Google Maps Integration Plugin

The WP Google Maps Integration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `page` parameter in all versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.

PLUGIN Wp Google Maps Integration

CVE-2026-7464

MEDIUM CVSS 6.1 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-7437 - Azonpost Plugin

The AzonPost plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `editpos_hidden` parameter in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.

PLUGIN Azonpost

CVE-2026-7437

MEDIUM CVSS 6.1 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-7626 - Slek Gateway For Woocommerce Plugin

The Slek Gateway for WooCommerce plugin for WordPress is vulnerable to Information Exposure in version 1.0. This is due to the wsb_handle_slek_payment_redirect() function placing the merchant's slek_key and slek_secret API credentials directly into a client-side HTML form, and additionally embedding the slek_secret as a plaintext GET parameter in the IPN callback URL. This makes it possible for unauthenticated attackers who can place an order on the affected store to extract the merchant's API credentials by viewing the HTML source or using browser DevTools on the WooCommerce order-pay page before the…

PLUGIN Slek Gateway For Woocommerce

CVE-2026-7626

MEDIUM CVSS 5.3 2026-05-12
Threat Entry Updated 2026-05-12

CVE-2026-7616 - Zawgyi Embed Plugin

The Zawgyi Embed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the zawgyi_adminpage function. This makes it possible for unauthenticated attackers to update the plugin's zawgyi_forceCSS setting by submitting a forged POST request to options-general.php?page=zawgyi_embed, granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Zawgyi Embed

CVE-2026-7616

MEDIUM CVSS 4.3 2026-05-12