
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Severity filter: Total 11,547 | Critical 0 | High 0 | Medium 11,547
Showing 261-280 of 11547 records
Threat Entry Updated 2026-05-12

CVE-2026-2300 - Bj Lazy Load Plugin

The BJ Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `filter_images()` function in all versions up to, and including, 1.0.9. This is due to the use of regex-based HTML processing (`preg_replace`) that does not properly handle HTML attribute boundaries when replacing `src` attributes, allowing crafted content inside a `class` attribute value to be promoted to real DOM attributes after processing. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user…

PLUGIN Bj Lazy Load | MEDIUM CVSS 6.4 | 2026-05-12
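The attribute-boundary problem this entry describes, as an added example that is not the plugin's code: a hypothetical regex rewrite that tokenises attributes on any quote character and re-emits them, beside a DOMDocument rewrite. The regex, the placeholder data URI and the sample markup are constructed for the demonstration; WordPress's own content filtering is not modelled.

```php
<?php
// Added example (not BJ Lazy Load's code): a regex-based src rewrite of the
// kind the advisory describes, beside a DOM-based rewrite. The regex and the
// placeholder are hypothetical stand-ins, not the plugin's own pattern.
const PLACEHOLDER = 'data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7';

// Vulnerable: tokenise name=value pairs with a regex that stops at ANY quote
// character, then re-serialise every pair as a double-quoted attribute.
function lazy_load_regex(string $html): string {
    return preg_replace_callback('/<img\b([^>]*)>/i', function (array $m): string {
        preg_match_all('/([a-zA-Z][\w-]*)=["\']([^"\']*)["\']/', $m[1], $pairs, PREG_SET_ORDER);
        $attrs = [];
        foreach ($pairs as $p) {
            $attrs[strtolower($p[1])] = $p[2];
        }
        if (!isset($attrs['src'])) {
            return $m[0];
        }
        $attrs['data-lazy-src'] = $attrs['src'];
        $attrs['src'] = PLACEHOLDER;
        $out = '<img';
        foreach ($attrs as $name => $value) {
            $out .= ' ' . $name . '="' . $value . '"';
        }
        return $out . '>';
    }, $html);
}

// Parse a fragment the way a browser would; used by the hardened rewrite and
// by the check at the bottom.
function load_fragment(string $html): DOMDocument {
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    return $doc;
}

// Hardened: let the HTML parser decide where each attribute begins and ends,
// mutate the attribute nodes, and let the serialiser quote them.
function lazy_load_dom(string $html): string {
    $doc = load_fragment($html);
    foreach ($doc->getElementsByTagName('img') as $img) {
        $src = $img->getAttribute('src');
        if ($src === '') {
            continue;
        }
        $img->setAttribute('data-lazy-src', $src);
        $img->setAttribute('src', PLACEHOLDER);
    }
    $out = '';
    foreach ($doc->getElementsByTagName('div')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Does any <img> in the fragment carry the attribute once a real parser reads it?
function img_has_attr(string $html, string $attr): bool {
    foreach (load_fragment($html)->getElementsByTagName('img') as $img) {
        if ($img->hasAttribute($attr)) {
            return true;
        }
    }
    return false;
}

// Constructed sample: to a browser this is ONE class attribute whose value is
//   x" onerror="alert(1)
// and the element carries no event handler.
$content = '<p><img class=\'x" onerror="alert(1)\' src="/wp-content/uploads/real.png" alt="demo"></p>';

$regex = lazy_load_regex($content);
$dom   = lazy_load_dom($content);
echo "regex: $regex\n";
echo "dom:   $dom\n";
echo 'regex output has a real onerror: ' . var_export(img_has_attr($regex, 'onerror'), true) . "\n";
echo 'dom output has a real onerror:   ' . var_export(img_has_attr($dom, 'onerror'), true) . "\n";
```

Run with `php`. The re-parse check at the end reports `onerror` as a real attribute only for the regex output; the DOM serialiser keeps the crafted text inside the class value, whichever quoting it chooses. When auditing a plugin, the practical check is to find every `preg_replace`/`preg_replace_callback` that runs over post content and ask whether the pattern's idea of an attribute matches the HTML parser's.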
Threat Entry Updated 2026-05-11

CVE-2026-8198 - Multisite Activity Log From Logtivity Plugin

The Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity plugin for WordPress is vulnerable to Authentication Bypass to Information Disclosure in versions up to, and including, 3.3.6. This is due to a logic flaw in the verifyAuthorization method where requests without an Authorization header skip Bearer token validation and fall through to an unconditional return true statement, bypassing all authentication checks. This makes it possible for unauthenticated attackers to access the /wp-json/logtivity/v1/options REST API endpoint and retrieve all plugin configuration options, including the logtivity_site_api_key which can be used…

PLUGIN Multisite Activity Log From Logtivity | MEDIUM CVSS 5.3 | 2026-05-09
Threat Entry Updated 2026-05-11

CVE-2026-7652 - Latepoint Plugin

The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0. This is due to the save_connected_wordpress_user() function propagating a LatePoint customer's email address to its linked WordPress user account via wp_update_user() without any ownership verification, combined with the guest booking flow's ability to overwrite an existing customer's email through phone-based merge without authentication. This makes it possible for unauthenticated attackers to overwrite the email address of a non-super-admin WordPress user account that…

PLUGIN Latepoint | MEDIUM CVSS 5.3 | 2026-05-09
Threat Entry Updated 2026-05-08

CVE-2026-7650 - Export Pdf Tool For Wordpress Plugin

The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the `e2pdf-download` shortcode in all versions up to, and including, 1.32.17. This is due to insufficient input sanitization and output escaping on the shortcode attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Export Pdf Tool For Wordpress | MEDIUM CVSS 6.4 | 2026-05-08
Threat Entry Updated 2026-05-08

CVE-2026-7475 - Sky Elementor Addons Plugin

The Sky Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `sky-custom-scripts` custom post type in all versions up to, and including, 3.3.2. This is due to the custom post type being registered with `capability_type => 'post'` and `show_in_rest => true`, combined with insufficient input sanitization on the `sky_script_content` meta field and lack of output escaping when rendering scripts on the frontend. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts via the REST API that execute on every…

PLUGIN Sky Elementor Addons | MEDIUM CVSS 6.4 | 2026-05-08
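The registration shape this entry describes beside a tightened one, as an added configuration example that is not Sky Addons' code and is meant to run inside WordPress. The post type and meta key names are taken from the entry; the capability names, the administrator-only grant and the hooks are assumptions.

```php
<?php
// Added example (not Sky Addons' code). Post type and meta key come from the
// advisory; capability names, the role grant and the hooks are assumptions.

// Weak: capability_type 'post' means anyone who can edit posts (Author and
// above) can create this type, including through the REST API, and the meta
// field is writable through the same channel.
function sky_scripts_register_weak(): void {
    register_post_type('sky-custom-scripts', [
        'public'          => false,
        'show_ui'         => true,
        'show_in_rest'    => true,
        'capability_type' => 'post',
        'supports'        => ['title', 'custom-fields'],
    ]);
    register_post_meta('sky-custom-scripts', 'sky_script_content', [
        'type'         => 'string',
        'single'       => true,
        'show_in_rest' => true,
    ]);
}

// Tightened: a dedicated capability type so 'post' capabilities no longer
// apply, and an auth_callback on the meta so REST and the meta API enforce
// the same rule. Script content is only safe from users WordPress already
// trusts with raw markup, i.e. holders of unfiltered_html.
function sky_scripts_register_hardened(): void {
    register_post_type('sky-custom-scripts', [
        'public'          => false,
        'show_ui'         => true,
        'show_in_rest'    => true,
        'capability_type' => ['sky_script', 'sky_scripts'],
        'map_meta_cap'    => true,
        'supports'        => ['title', 'custom-fields'],
    ]);
    register_post_meta('sky-custom-scripts', 'sky_script_content', [
        'type'          => 'string',
        'single'        => true,
        'show_in_rest'  => true,
        'auth_callback' => static fn() => current_user_can('unfiltered_html'),
    ]);
}

// Grant the generated primitive capabilities to administrators only
// (assumption: run once, e.g. on activation). get_role() is null if the
// role does not exist.
function sky_scripts_grant_admin_caps(): void {
    $role = get_role('administrator');
    if ($role === null) {
        return;
    }
    $caps = [
        'edit_sky_script', 'read_sky_script', 'delete_sky_script',
        'edit_sky_scripts', 'edit_others_sky_scripts', 'edit_private_sky_scripts',
        'edit_published_sky_scripts', 'publish_sky_scripts', 'read_private_sky_scripts',
        'delete_sky_scripts', 'delete_others_sky_scripts', 'delete_private_sky_scripts',
        'delete_published_sky_scripts',
    ];
    foreach ($caps as $cap) {
        $role->add_cap($cap);
    }
}

if (function_exists('add_action')) {
    add_action('init', 'sky_scripts_register_hardened');
}
```

Two things change. The post type no longer inherits `post` capabilities, so Author and Contributor roles cannot create it through the editor or the REST API, and the meta field's `auth_callback` applies the same rule to REST meta writes. Output escaping is deliberately not the fix here: content that is meant to execute as a script cannot be escaped on the way out, so the control is who may write it, which is why the gate is `unfiltered_html` (a capability that non-super-admins do not hold on multisite).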
Threat Entry Updated 2026-05-08

CVE-2026-5341 - Nmr Strava Activities Plugin

The NMR Strava activities plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `strava_nmr_connect` shortcode in all versions up to, and including, 1.0.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Nmr Strava Activities | MEDIUM CVSS 6.4 | 2026-05-08
Threat Entry Updated 2026-05-07

CVE-2026-27415 - BEAR Plugin

Cross-Site Request Forgery (CSRF) vulnerability in PluginUs.Net BEAR: an attacker can have a logged-in user's browser submit a request to the plugin that the user did not intend. This issue affects BEAR: from n/a through 1.1.5.

PLUGIN BEAR | MEDIUM CVSS 4.3 | 2026-05-07
Threat Entry Updated 2026-05-07

CVE-2026-27421 - Royal Elementor Addons Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WProyal Royal Elementor Addons allows Stored XSS. This issue affects Royal Elementor Addons: from n/a before 1.7.1053.

PLUGIN Royal Elementor Addons | MEDIUM CVSS 6.5 | 2026-05-07
Threat Entry Updated 2026-05-07

CVE-2026-27416 - PDF Poster Plugin

Missing Authorization vulnerability in bPlugins PDF Poster: a function is reachable without the capability check it requires, so a user with insufficient privileges can invoke it. This issue affects PDF Poster: from n/a through 2.4.1.

PLUGIN PDF Poster | MEDIUM CVSS 5.3 | 2026-05-07
Threat Entry Updated 2026-05-07

CVE-2026-27329 - YITH WooCommerce Wishlist Plugin

Authorization Bypass Through User-Controlled Key (IDOR) vulnerability in YITH WooCommerce Wishlist by YITH: a record is looked up by a client-supplied identifier without verifying that the requester is entitled to it. This issue affects YITH WooCommerce Wishlist: from n/a through 4.12.0.

PLUGIN YITH WooCommerce Wishlist | MEDIUM CVSS 5.3 | 2026-05-07
Threat Entry Updated 2026-05-07

CVE-2026-25468 - Happy Addons for Elementor Plugin

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs Happy Addons for Elementor: system information is returned to requesters who are not entitled to it. This issue affects Happy Addons for Elementor: from n/a through 3.20.8.

PLUGIN Happy Addons for Elementor | MEDIUM CVSS 5.3 | 2026-05-07
Threat Entry Updated 2026-05-07

CVE-2026-25436 - Royal Elementor Addons Plugin

Missing Authorization vulnerability in WProyal Royal Elementor Addons: a function is reachable without the capability check it requires, so a user with insufficient privileges can invoke it. This issue affects Royal Elementor Addons: from n/a before 1.7.1053.

PLUGIN Royal Elementor Addons | MEDIUM CVSS 5.3 | 2026-05-07
Threat Entry Updated 2026-05-07

CVE-2026-6214 - Forminator Forms Plugin

The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.53.0. This is due to the listen_for_saving_export_schedule() function in library/class-export.php failing to perform a capability check before saving the scheduled export configuration, unlike the parallel listen_for_csv_export() function which correctly verifies user permissions. This makes it possible for authenticated attackers with subscriber-level access to configure a scheduled export job that emails all form submissions to an attacker-controlled email address, resulting in sensitive data exfiltration.

PLUGIN Forminator Forms | MEDIUM CVSS 6.5 | 2026-05-07
Threat Entry Updated 2026-05-07

CVE-2026-4807 - Simply Schedule Appointments Plugin

The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.6.10.6. This is due to a flawed authorization logic in the nonce_permissions_check() method combined with the public exposure of a site-wide reusable nonce. The plugin exposes a public_nonce value through the /wp-json/ssa/v1/embed-inner endpoint, which is accessible to unauthenticated users. The appointment deletion endpoint at /wp-json/ssa/v1/appointments/{id}/delete and /wp-json/ssa/v1/appointments/bulk use a permission check that accepts requests containing both an X-WP-Nonce header (with any arbitrary value) and an X-PUBLIC-Nonce header (with the valid public nonce).…

PLUGIN Simply Schedule Appointments | MEDIUM CVSS 6.5 | 2026-05-07
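The two permission-callback shapes described in the Logtivity entry (CVE-2026-8198) and in this entry, as one added example that is neither plugin's code: each check is modelled as a pure function over the request headers so it runs without WordPress, beside a corrected version. Function names, the sample token and nonce values, and the use of hash_equals() are assumptions; nothing about either plugin's internals beyond what the entries state is reproduced.

```php
<?php
// Added example (not Logtivity's or Simply Schedule Appointments' code):
// permission checks that fail open, modelled as pure functions over headers.

// --- Pattern 1: Bearer check that is skipped when the header is absent ---
function verify_bearer_vulnerable(array $headers, string $expected): bool {
    if (isset($headers['Authorization'])) {
        if (!hash_equals('Bearer ' . $expected, $headers['Authorization'])) {
            return false;
        }
    }
    return true; // unconditional: a request with NO header lands here and is allowed
}

function verify_bearer_fixed(array $headers, string $expected): bool {
    if (!isset($headers['Authorization'])) {
        return false; // missing credentials are a denial, not a skipped check
    }
    return hash_equals('Bearer ' . $expected, $headers['Authorization']);
}

// --- Pattern 2: a public, reusable nonce accepted as proof of authorization ---
// The vulnerable shape only requires that both headers be present and that
// the public one match a site-wide value any visitor can fetch.
function nonce_permissions_vulnerable(array $headers, string $public_nonce): bool {
    return isset($headers['X-WP-Nonce'], $headers['X-PUBLIC-Nonce'])
        && hash_equals($public_nonce, $headers['X-PUBLIC-Nonce']);
}

// Fixed: a destructive route verifies the per-user nonce against the logged-in
// session AND checks a capability or ownership; the public nonce contributes
// nothing. $verify_user_nonce stands in for wp_verify_nonce() and $can_delete
// for a current_user_can()/ownership check.
function nonce_permissions_fixed(array $headers, callable $verify_user_nonce, callable $can_delete): bool {
    if (!isset($headers['X-WP-Nonce']) || !$verify_user_nonce($headers['X-WP-Nonce'])) {
        return false;
    }
    return $can_delete();
}

// Constructed requests.
$no_header     = [];
$bad_bearer    = ['Authorization' => 'Bearer wrong'];
$good_bearer   = ['Authorization' => 'Bearer s3cret'];
$anon_with_pub = ['X-WP-Nonce' => 'anything', 'X-PUBLIC-Nonce' => 'pub123'];

echo 'bearer vulnerable / no header : ' . var_export(verify_bearer_vulnerable($no_header, 's3cret'), true) . "\n";
echo 'bearer fixed      / no header : ' . var_export(verify_bearer_fixed($no_header, 's3cret'), true) . "\n";
echo 'bearer fixed      / bad token : ' . var_export(verify_bearer_fixed($bad_bearer, 's3cret'), true) . "\n";
echo 'bearer fixed      / good token: ' . var_export(verify_bearer_fixed($good_bearer, 's3cret'), true) . "\n";

$session_nonce_ok  = fn(string $n): bool => hash_equals('user-nonce-xyz', $n);
$is_owner_or_admin = fn(): bool => false; // anonymous visitor

echo 'nonce vulnerable / anon + public nonce: ' . var_export(nonce_permissions_vulnerable($anon_with_pub, 'pub123'), true) . "\n";
echo 'nonce fixed      / anon + public nonce: ' . var_export(nonce_permissions_fixed($anon_with_pub, $session_nonce_ok, $is_owner_or_admin), true) . "\n";
```

In a WordPress REST route the fixed functions belong in `permission_callback`; returning `false` (or a `WP_Error` carrying a 401/403 status) there is what stops the handler from running. The quick audit for the first pattern is to read every `permission_callback` for a code path that reaches `return true` without passing through a credential check; for the second, to ask what the token proves: a WordPress nonce ties a request to a user session and an action, and a site-wide value served to anonymous visitors proves nothing about the caller.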
Threat Entry Updated 2026-05-07

CVE-2026-6222 - Forminator Forms Plugin

The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.51.1. This is due to the `processRequest()` method in `Forminator_Admin_Module_Edit_Page` (admin/abstracts/class-admin-module-edit-page.php) dispatching sensitive module-management actions — including export, delete, clone, delete-entries, publish/draft, and bulk variants — after only a nonce check, without ever verifying that the current user holds the `manage_forminator_modules` capability. The nonce used (`forminator_form_request`) is unconditionally embedded in the global `forminatorData` JavaScript object and localized on every Forminator admin page, including Templates and Reports pages accessible to users who explicitly lack…

PLUGIN Forminator Forms | MEDIUM CVSS 5.3 | 2026-05-07
Threat Entry Updated 2026-05-06

CVE-2026-7457 - Latepoint Plugin

The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint — where raw POST parameters (first_name, last_name, phone, notes) bypass sanitization because OsCustomerModel does not override params_to_sanitize(), causing set_data() to store unsanitized values verbatim in the database — combined with insufficient output escaping in generate_preview(), which injects those stored values into notification template HTML via str_replace() without any esc_html() call before echoing the result. This makes it…

PLUGIN Latepoint | MEDIUM CVSS 6.4 | 2026-05-06
Threat Entry Updated 2026-05-06

CVE-2026-6672 - Slicewp Affiliates Plugin

The Affiliate Program Suite — SliceWP Affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.2.7. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the 'slicewp_affiliate_url' shortcode. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Slicewp Affiliates | MEDIUM CVSS 6.4 | 2026-05-06
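The output-escaping point shared by this entry and the E2Pdf (CVE-2026-7650), NMR Strava (CVE-2026-5341) and LatePoint customer-cabinet (CVE-2026-7457) entries, as one added example that is none of those plugins' code: a generic renderer that interpolates a shortcode attribute and a stored profile field into HTML, without and then with context-appropriate escaping. The attribute names, the template and the plain-PHP escaping helpers are stand-ins for WordPress's esc_attr(), esc_html() and esc_url(), chosen so the file runs without WordPress.

```php
<?php
// Added example (not E2Pdf's, NMR Strava's, LatePoint's or SliceWP's code).
// The helpers below are plain-PHP stand-ins for esc_attr()/esc_html()/esc_url().

function esc_attr_local(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
function esc_html_local(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
// Scheme allow-list plus attribute escaping, the two jobs esc_url() does
// (esc_url() also strips control characters; this stand-in does not).
function esc_url_local(string $url): string {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== '' && !in_array($scheme, ['http', 'https', 'mailto'], true)) {
        return '';
    }
    return esc_attr_local($url);
}

// Vulnerable: a shortcode attribute and a stored profile field are
// concatenated into markup verbatim.
function render_vulnerable(array $atts, array $profile): string {
    $id  = $atts['id'] ?? '';
    $url = $atts['url'] ?? '';
    return '<a class="download" data-id="' . $id . '" href="' . $url . '">Download</a>'
         . str_replace('{first_name}', $profile['first_name'] ?? '', '<p>Hello {first_name}</p>');
}

// Hardened: each sink gets the escaper for its context, and an identifier
// that must be numeric is cast rather than escaped.
function render_hardened(array $atts, array $profile): string {
    $id  = (int) ($atts['id'] ?? 0);
    $url = esc_url_local((string) ($atts['url'] ?? ''));
    $name = esc_html_local((string) ($profile['first_name'] ?? ''));
    return '<a class="download" data-id="' . $id . '" href="' . $url . '">Download</a>'
         . str_replace('{first_name}', $name, '<p>Hello {first_name}</p>');
}

// Constructed inputs: a Contributor-controlled shortcode attribute and a
// self-service profile field, each carrying a payload aimed at its sink.
$atts    = ['id' => '1" onmouseover="alert(1)', 'url' => 'javascript:alert(2)'];
$profile = ['first_name' => '<img src=x onerror=alert(3)>'];

echo render_vulnerable($atts, $profile), "\n";
echo render_hardened($atts, $profile), "\n";
```

Attribute values get esc_attr(), text nodes get esc_html(), href gets esc_url() (which also rejects the javascript: scheme), and a numeric id is cast. Sanitising on input (sanitize_text_field(), wp_kses_post()) is a second layer, not a substitute: the LatePoint entry is the case where a model skips input sanitisation and the template then trusts the stored value.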
Threat Entry Updated 2026-05-06

CVE-2026-6344 - Fluent Forms Plugin

The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path validation in the getAttachments() method of EmailNotificationActions, which resolves attacker-supplied file-upload URLs into filesystem paths without verifying that the resolved path stays inside the WordPress uploads directory: a strpos() prefix check on the raw URL can be bypassed with traversal sequences, wp_normalize_path() does not resolve ".\..\" segments, and file_exists() then resolves them at the kernel level. This makes it possible for authenticated attackers with administrator…

PLUGIN Fluent Forms | MEDIUM CVSS 4.9 | 2026-05-06
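The path-resolution flaw this entry describes beside a containment check, as an added example that is not Fluent Forms' code: a prefix check on the raw URL followed by normalisation that leaves `..` intact, versus realpath() on both the base directory and the candidate. The directory layout is created in the system temp directory for the run, the URL and function names are constructed, and normalize_path_local() reproduces only the part of wp_normalize_path() that matters here (backslashes to slashes, repeated slashes collapsed, no resolution of `..`).

```php
<?php
// Added example (not Fluent Forms' code). Layout, names and URL are constructed.

function normalize_path_local(string $path): string {
    $path = str_replace('\\', '/', $path);
    return preg_replace('#/+#', '/', $path);
}

// Vulnerable: checks the prefix of the raw URL, then trusts the remainder;
// file_exists() lets the kernel resolve the '..' segments.
function resolve_vulnerable(string $url, string $upload_url, string $upload_dir): ?string {
    if (strpos($url, $upload_url) !== 0) {
        return null;
    }
    $rel  = substr($url, strlen($upload_url));
    $path = normalize_path_local($upload_dir . '/' . $rel);
    return file_exists($path) ? $path : null;
}

// Hardened: canonicalise both sides and require the result to stay inside
// the uploads directory. realpath() is false for a path that does not exist.
function resolve_hardened(string $url, string $upload_url, string $upload_dir): ?string {
    if (strpos($url, $upload_url) !== 0) {
        return null;
    }
    $rel  = substr($url, strlen($upload_url));
    $base = realpath($upload_dir);
    $real = realpath($upload_dir . '/' . $rel);
    if ($base === false || $real === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return null;
    }
    return $real;
}

// Constructed layout under the system temp dir:
//   <root>/wp-config.php        (sensitive file outside uploads)
//   <root>/uploads/form/a.pdf   (legitimate attachment)
$root = sys_get_temp_dir() . '/ffdemo_' . bin2hex(random_bytes(4));
mkdir("$root/uploads/form", 0700, true);
file_put_contents("$root/wp-config.php", "define('DB_PASSWORD', 'demo-secret');");
file_put_contents("$root/uploads/form/a.pdf", '%PDF-1.4');

$upload_url = 'https://example.test/wp-content/uploads/';
$upload_dir = "$root/uploads";

$cases = [
    'legit'  => $upload_url . 'form/a.pdf',
    'attack' => $upload_url . 'form/.\..\..\wp-config.php', // passes the prefix check
];
foreach ($cases as $label => $url) {
    printf("%-6s vulnerable: %s\n", $label, resolve_vulnerable($url, $upload_url, $upload_dir) ?? 'denied');
    printf("%-6s hardened  : %s\n", $label, resolve_hardened($url, $upload_url, $upload_dir) ?? 'denied');
}

// Clean up the constructed layout.
unlink("$root/uploads/form/a.pdf");
unlink("$root/wp-config.php");
rmdir("$root/uploads/form");
rmdir("$root/uploads");
rmdir($root);
```

The trailing separator appended to the canonical base matters: without it a sibling directory such as `/srv/uploads-old/...` would pass a prefix test against `/srv/uploads`. Because realpath() returns false for a dangling reference, the hardened function also refuses non-existent targets instead of relying on a later file_exists().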
Threat Entry Updated 2026-05-06

CVE-2026-2306 - Ninja Tables Plugin

The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to unauthorized database table creation due to missing authorization checks on the `createFluentCartTable` function in all versions up to, and including, 5.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary Ninja Tables in the database which can lead to database pollution and resource exhaustion.

PLUGIN Ninja Tables | MEDIUM CVSS 4.3 | 2026-05-06
Threat Entry Updated 2026-05-06

CVE-2026-5753 - All In One Wp Migration Unlimited Extension Plugin

The All-in-One WP Migration Unlimited Extension plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.83. This is due to the 'Ai1wmve_Schedules_Controller::save' handler for 'admin_post_ai1wm_schedule_event_save' not verifying user capabilities before saving schedule data. This makes it possible for authenticated attackers, with subscriber-level access and above, to create scheduled export jobs and send backup notifications to attacker-controlled email addresses. Because such notifications include the random backup filename, full site backups can subsequently be downloaded from the target site, resulting in sensitive information exposure.

PLUGIN All In One Wp Migration Unlimited Extension | MEDIUM CVSS 6.5 | 2026-05-06
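The nonce-versus-capability distinction behind this entry and the Forminator (CVE-2026-6214, CVE-2026-6222) and Ninja Tables (CVE-2026-2306) entries, as one added example that is none of those plugins' code: an admin_post handler that saves a scheduled-export setting with only a nonce check, then with the capability check a privileged action needs. The action, option and capability names are assumptions; the stubs at the top exist only so the file runs outside WordPress, where the real functions are used instead.

```php
<?php
// Added example (not Forminator's, Ninja Tables' or All-in-One WP Migration's
// code). Action, option and capability names are assumptions.

if (!function_exists('wp_verify_nonce')) {
    // Stand-ins for a stand-alone run: a logged-in subscriber holding a valid
    // nonce. Inside WordPress these are never defined and the real ones apply.
    function wp_verify_nonce($nonce, $action = -1) { return $nonce === 'valid-nonce'; }
    function current_user_can($cap) { return in_array($cap, ['read'], true); }
    function update_option($name, $value) { $GLOBALS['demo_options'][$name] = $value; return true; }
    function sanitize_email($email) { return filter_var($email, FILTER_VALIDATE_EMAIL) ?: ''; }
    function wp_die($msg, $title = '', $args = []) { throw new RuntimeException((string) $msg); }
}

// Vulnerable: the nonce proves the request was built from a page this user
// could load, not that the user may change the export schedule.
function export_schedule_save_vulnerable(array $post): string {
    if (!wp_verify_nonce($post['_wpnonce'] ?? '', 'export_schedule_save')) {
        wp_die('Invalid nonce');
    }
    update_option('export_schedule', [
        'enabled' => true,
        'email'   => sanitize_email($post['email'] ?? ''),
    ]);
    return 'saved';
}

// Hardened: authorization first, then the CSRF token; both are required.
function export_schedule_save_hardened(array $post): string {
    if (!current_user_can('manage_options')) {
        wp_die('You are not allowed to change export schedules', '', ['response' => 403]);
    }
    if (!wp_verify_nonce($post['_wpnonce'] ?? '', 'export_schedule_save')) {
        wp_die('Invalid nonce', '', ['response' => 403]);
    }
    update_option('export_schedule', [
        'enabled' => true,
        'email'   => sanitize_email($post['email'] ?? ''),
    ]);
    return 'saved';
}

// Inside WordPress, wire the hardened handler to the admin_post hook.
if (function_exists('add_action')) {
    add_action('admin_post_export_schedule_save', static function (): void {
        export_schedule_save_hardened($_POST);
    });
}

// Constructed request from a subscriber who obtained a valid nonce from a
// page they were allowed to load.
$request = ['_wpnonce' => 'valid-nonce', 'email' => 'attacker@example.test'];

foreach (['vulnerable' => 'export_schedule_save_vulnerable',
          'hardened'   => 'export_schedule_save_hardened'] as $label => $fn) {
    try {
        printf("%-10s: %s\n", $label, $fn($request));
    } catch (RuntimeException $e) {
        printf("%-10s: rejected (%s)\n", $label, $e->getMessage());
    }
}
```

A nonce is a CSRF token: it proves the request came from a page the current user could load and, as the second Forminator entry notes, it may be handed to every user who reaches an admin page. Authorization is a separate question answered by `current_user_can()` (or an ownership check) before the action runs; the hardened handler asks it first and still verifies the nonce. The audit pattern is to list every `admin_post_*`, `wp_ajax_*` and REST handler and confirm each performs both checks.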