Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-05-12
CVE-2026-7562 - Wp Redirection Plugin
The WP-Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.3. This is due to the absence of a nonce field in the admin settings form and the lack of any nonce verification (via check_admin_referer() or wp_verify_nonce()) in the displayWPRedirectionManagementPage() function before processing POST requests that add, edit, or delete URL redirection rules. This makes it possible for unauthenticated attackers to trick a logged-in administrator into clicking a crafted link, causing the attacker to create, modify, or delete redirection records in the…
PLUGIN
Wp Redirection
CVE-2026-7562
Risk Score
Threat Entry
Updated 2026-05-12
CVE-2026-6913 - Shortcodely Plugin
The Shortcodely plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'widget_area' parameter in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Shortcodely
CVE-2026-6913
Risk Score
Threat Entry
Updated 2026-05-12
CVE-2026-6808 - Awesome Pricing Tables Lite By Optimalplugins
The Pricing Tables for WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.
PLUGIN
Awesome Pricing Tables Lite By Optimalplugins
CVE-2026-6808
Risk Score
Threat Entry
Updated 2026-05-12
CVE-2026-6708 - Hel Online Classroom Plugin
The HEL Online Classroom: AI-powered Online Classrooms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.3. This is due to a missing capability check on a REST API endpoint registered with a permission_callback of '__return_true', which bypasses all WordPress authentication and authorization checks. This makes it possible for unauthenticated attackers to delete any classroom record by supplying its ID in the request, resulting in permanent data loss.
PLUGIN
Hel Online Classroom
CVE-2026-6708
Risk Score
Threat Entry
Updated 2026-05-12
CVE-2026-7050 - Forms Rb Plugin
The Forms Rb plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to read form submission records, modify form configuration options, and delete records belonging to any form they do not own.
PLUGIN
Forms Rb
CVE-2026-7050
Risk Score
Threat Entry
Updated 2026-05-12
CVE-2026-6932 - Woo Commerce Min Weight Plugin
The Woo Commerce Minimum Weight plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 3.0.1. This is due to missing nonce verification on the settings update handler in edit-weight.php. This makes it possible for unauthenticated attackers to modify the minimum order weight setting by tricking a site administrator into clicking a link or visiting an attacker-controlled page containing a forged POST request.
PLUGIN
Woo Commerce Min Weight
CVE-2026-6932
Risk Score
Threat Entry
Updated 2026-05-12
CVE-2026-6710 - Skysa Text Ticker App Plugin
The Skysa Text Ticker App plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the SkysaApps_Admin_AppPage function. This makes it possible for unauthenticated attackers to trick a site administrator into making a forged request to modify the plugin's settings, including the scrolling message text and URL, via a forged cross-site request via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Skysa Text Ticker App
CVE-2026-6710
Risk Score
Threat Entry
Updated 2026-05-12
CVE-2026-6709 - Coinbase Commerce For Contact Form 7 Plugin
The Coinbase Commerce for Contact Form 7 plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.1.2. This is due to a missing capability check and missing nonce verification in the save_settings() function, which is registered on the admin_post_cccf7_save_settings hook. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the plugin's Coinbase Commerce API key option (cccf7_api_key) via a crafted POST request to /wp-admin/admin-post.
PLUGIN
Coinbase Commerce For Contact Form 7
CVE-2026-6709
Risk Score
Threat Entry
Updated 2026-05-12
CVE-2026-6256 - Source Shortcode Plugin
The Credits Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' attribute of the 'credits' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Source Shortcode
CVE-2026-6256
Risk Score
Threat Entry
Updated 2026-05-12
CVE-2026-6247 - Scratchblocks For Wp Plugin
The scratchblocks for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'element' attribute of the 'scratchblocks' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Scratchblocks For Wp
CVE-2026-6247
Risk Score
Threat Entry
Updated 2026-05-12
CVE-2026-6237 - Quick Table Plugin
The Quick Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' attribute of the 'qtbl' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Quick Table
CVE-2026-6237
Risk Score
Threat Entry
Updated 2026-05-12
CVE-2026-5715 - Voyage Plus Plugin
The Voyage Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' attribute of the 'post-content' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Voyage Plus
CVE-2026-5715
Risk Score
Threat Entry
Updated 2026-05-12
CVE-2026-6663 - Graphic Web Design Inc Plugin
The GWD Connect plugin for WordPress is vulnerable to missing authorization to limited code execution in all versions up to, and including, 2.9. This is due to the plugin's standalone agent endpoints (gwd-backup.php and gwd-logs.php) not verifying authentication when the API key has not been configured, which is the default state. This makes it possible for unauthenticated attackers - on unregistered installations only, in certain environments - to execute arbitrary code on the server via the update_agent action, which writes attacker-supplied PHP code to the agent file.
PLUGIN
Graphic Web Design Inc
CVE-2026-6663
Risk Score
Threat Entry
Updated 2026-05-12
CVE-2026-5028 - Eight Day Week Print Workflow Plugin
The Eight Day Week Print Workflow plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'title' parameter in the `pp-get-articles` AJAX action in all versions up to, and including, 1.2.6. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Eight Day Week Print Workflow
CVE-2026-5028
Risk Score
Threat Entry
Updated 2026-05-12
CVE-2026-5340 - Fancy Image Show Plugin
The Fancy Image Show plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `fancy-img-show` shortcode in all versions up to, and including, 9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Fancy Image Show
CVE-2026-5340
Risk Score
Threat Entry
Updated 2026-05-12
CVE-2026-4920 - Nextdate Plugin
The Next Date plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Nextdate
CVE-2026-4920
Risk Score
Threat Entry
Updated 2026-05-12
CVE-2026-4859 - Sp Blog Designer Plugin
The SP Blog Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'design' attribute of the `wpsbd_post_carousel` shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Sp Blog Designer
CVE-2026-4859
Risk Score
Threat Entry
Updated 2026-05-12
CVE-2026-5693 - Smart Appointment Booking Plugin
The Smart Appointment & Booking plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and a nonce validation logic flaw in the saab_cancel_booking() function in all versions up to, and including, 1.0.8. The nonce check uses && (AND) instead of || (OR), which means providing any value for the security parameter causes the entire check to be skipped. This makes it possible for unauthenticated attackers to cancel arbitrary bookings by supplying a predictable booking ID.
PLUGIN
Smart Appointment Booking
CVE-2026-5693
Risk Score
Threat Entry
Updated 2026-05-12
CVE-2026-4301 - Rate Star Review Plugin
The Rate Star Review Vote - AJAX Reviews, Votes, Star Ratings plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. The vwrsr_review() AJAX handler lacks both capability checks and nonce verification. The only access control is an is_user_logged_in() check. When the 'form' parameter is set to 'update', the function takes an arbitrary post ID from the user-supplied 'rating_id' GET parameter, sets it as the post ID in the update array, and passes it directly to wp_update_post(). This overwrites the target post's title, content,…
PLUGIN
Rate Star Review
CVE-2026-4301
Risk Score
Threat Entry
Updated 2026-05-12
CVE-2026-3604 - Wp Seo Structured Data Schema Plugin
The WP SEO Structured Data Schema plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `_kcseo_ative_tab` parameter in all versions up to, and including, 2.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Seo Structured Data Schema
CVE-2026-3604
Risk Score