Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 11,547
Critical 0
High 0
Medium 11,547
Showing 321-340 of 11547 records
Threat Entry Updated 2026-05-05

CVE-2026-6378 - Maxi Blocks Plugin

The Maxi Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `/wp-json/maxi-blocks/v1.0/style-card` REST API endpoint in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping of the `sc_styles` parameter. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute on every page where the plugin's style card styles are loaded, including across the entire WordPress admin panel.

PLUGIN Maxi Blocks

CVE-2026-6378

MEDIUM CVSS 6.4 2026-05-02
Threat Entry Updated 2026-05-01

CVE-2026-3143 - Boldgrid Backup Plugin

The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_cli_cancel' function in all versions up to, and including, 1.17.1. This makes it possible for unauthenticated attackers to cancel a pending rollback, potentially preventing a WordPress installation from automatically reverting a failed update.

PLUGIN Boldgrid Backup

CVE-2026-3143

MEDIUM CVSS 5.3 2026-05-01
Threat Entry Updated 2026-05-01

CVE-2026-3140 - Ultimate Dashboard Plugin

The Ultimate Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.14. This is due to a flawed nonce validation conditional in the 'handle_module_actions' function. This makes it possible for unauthenticated attackers to toggle plugin modules on or off via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Ultimate Dashboard

CVE-2026-3140

MEDIUM CVSS 4.3 2026-05-01
Threat Entry Updated 2026-05-01

CVE-2026-6127 - Elementor Website Builder Plugin

The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _elementor_data meta field in versions up to, and including, 4.0.4. This is due to insufficient input sanitization when processing form-encoded REST API requests. The plugin registers the _elementor_data meta field with show_in_rest but omits a sanitize_callback, relying instead on a rest_pre_insert_post filter (sanitize_post_data function) that only sanitizes JSON-encoded request bodies. When a contributor sends a form-encoded PATCH request to the WordPress REST API, the json_decode() call on the raw body returns null, causing all sanitization…

PLUGIN Elementor Website Builder

CVE-2026-6127

MEDIUM CVSS 6.4 2026-05-01
Threat Entry Updated 2026-04-30

CVE-2026-6498 - Restaurant Reservations Plugin

The Five Star Restaurant Reservations plugin for WordPress is vulnerable to a payment bypass via PHP type juggling in versions up to, and including, 2.7.16. This is due to the valid_payment() function using a PHP loose comparison (==) between the attacker-controlled payment_id POST parameter and the booking's stripe_payment_intent_id property. When an unauthenticated attacker submits a request to the nopriv AJAX handler rtb_stripe_pmt_succeed before the Stripe payment intent has been created for a booking (i.e., before the JavaScript-triggered create_stripe_pmtIntnt() call has stored an intent ID in post meta), the stripe_payment_intent_id property…

PLUGIN Restaurant Reservations

CVE-2026-6498

MEDIUM CVSS 5.3 2026-04-30
Threat Entry Updated 2026-04-29

CVE-2026-42648 - Spectra Plugin

Missing Authorization vulnerability in Brainstorm Force Spectra ultimate-addons-for-gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spectra: from n/a through

PLUGIN Spectra

CVE-2026-42648

MEDIUM CVSS 4.3 2026-04-29
Threat Entry Updated 2026-04-29

CVE-2026-42643 - Image Widget Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in StellarWP Image Widget image-widget allows Stored XSS. This issue affects Image Widget: from n/a through

PLUGIN Image Widget

CVE-2026-42643

MEDIUM CVSS 5.9 2026-04-29
Threat Entry Updated 2026-04-29

CVE-2026-42641 - Share This Image Plugin

Server-Side Request Forgery (SSRF) vulnerability in ILLID Share This Image share-this-image allows Server Side Request Forgery. This issue affects Share This Image: from n/a through

PLUGIN Share This Image

CVE-2026-42641

MEDIUM CVSS 5.4 2026-04-29
Threat Entry Updated 2026-04-29

CVE-2026-42644 - BetterDocs Plugin

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPDeveloper BetterDocs betterdocs allows Retrieve Embedded Sensitive Data. This issue affects BetterDocs: from n/a through

PLUGIN BetterDocs

CVE-2026-42644

MEDIUM CVSS 5.3 2026-04-29
Threat Entry Updated 2026-04-29

CVE-2026-42642 - GiveWP Plugin

Missing Authorization vulnerability in StellarWP GiveWP give allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GiveWP: from n/a through

PLUGIN GiveWP

CVE-2026-42642

MEDIUM CVSS 5.3 2026-04-29
Threat Entry Updated 2026-04-29

CVE-2026-42645 - Barcode Scanner with Inventory & Order Manager Plugin

Cross-Site Request Forgery (CSRF) vulnerability in Dmitry V. (CEO of "UKR Solution") Barcode Scanner with Inventory & Order Manager barcode-scanner-lite-pos-to-manage-products-inventory-and-orders allows Cross Site Request Forgery. This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through

PLUGIN Barcode Scanner with Inventory & Order Manager

CVE-2026-42645

MEDIUM CVSS 4.3 2026-04-29
Threat Entry Updated 2026-04-29

CVE-2026-2902 - Wp Meteor Website Speed Optimization Addon Plugin

The WP Meteor Website Speed Optimization Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'frontend_rewrite' function's 'WPMETEOR[N]WPMETEOR' placeholder content in all versions up to, and including, 3.4.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wp Meteor Website Speed Optimization Addon

CVE-2026-2902

MEDIUM CVSS 6.1 2026-04-29
Threat Entry Updated 2026-04-29

CVE-2026-4019 - Ccpa Cookie Consent Plugin

The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to unauthorized data access in all versions up to, and including, 7.4.5. This is due to the REST API endpoint at /wp-json/complianz/v1/consent-area/{post_id}/{block_id} using __return_true as the permission_callback, allowing any unauthenticated user to access it. The cmplz_rest_consented_content() function retrieves a post by ID via get_post() and returns the consentedContent attribute of any complianz/consent-area block found in it, without checking if the post is published or if the user has permission to read it. This makes it possible for unauthenticated attackers…

PLUGIN Ccpa Cookie Consent

CVE-2026-4019

MEDIUM CVSS 5.3 2026-04-29
Threat Entry Updated 2026-04-29

CVE-2026-42412 - WP User Frontend Plugin

Missing Authorization vulnerability in weDevs WP User Frontend allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP User Frontend: from n/a through 4.3.1.

PLUGIN WP User Frontend

CVE-2026-42412

MEDIUM CVSS 6.5 2026-04-29
Threat Entry Updated 2026-04-28

CVE-2026-4805 - Woostify Plugin

The Woostify plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.0. This is due to insufficient input sanitization and output escaping in the bundled Lity.js lightbox library, where user-controlled input from the href attribute is concatenated directly into a jQuery HTML string without sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Woostify

CVE-2026-4805

MEDIUM CVSS 6.4 2026-04-28
Threat Entry Updated 2026-04-28

CVE-2026-4911 - Booking Package Plugin

The Booking Package plugin for WordPress is vulnerable to Price Manipulation in versions up to, and including, 1.7.06. This is due to the intentForStripe() function passing user-controlled $_POST['amount'] directly to the Stripe PaymentIntent API without validation, and the commitStripe() function ignoring the server-calculated amount when confirming the payment. While the server correctly calculates the booking cost via getAmount() based on services, guests, taxes, and coupons, this calculated amount is never validated against or used to update the PaymentIntent because the critical code in CreditCard.php that would include the calculated amount…

PLUGIN Booking Package

CVE-2026-4911

MEDIUM CVSS 5.3 2026-04-28
Threat Entry Updated 2026-04-28

CVE-2026-5306 - Log Email Plugin

The Check & Log Email WordPress plugin before 2.0.13 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks when the email encoder setting is enabled.

PLUGIN Log Email

CVE-2026-5306

MEDIUM CVSS 5.4 2026-04-28
Threat Entry Updated 2026-04-28

CVE-2026-6809 - Social Post Embed Plugin

The Social Post Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Threads embed handler in all versions up to, and including, 2.0.1. This is due to insufficient input sanitization and output escaping on the user-supplied URL. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Social Post Embed

CVE-2026-6809

MEDIUM CVSS 6.4 2026-04-28
Threat Entry Updated 2026-04-28

CVE-2026-6725 - Wpc Smart Messages Plugin

The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the `wpcsm_text_rotator` shortcode in all versions up to, and including, 4.2.8. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wpc Smart Messages

CVE-2026-6725

MEDIUM CVSS 6.4 2026-04-28
Threat Entry Updated 2026-04-28

CVE-2026-6551 - Timeline Blocks Plugin

The Timeline Blocks for Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'titleTag' attribute of the timeline-blocks/tb-timeline-blocks block in all versions up to, and including, 1.1.10 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Timeline Blocks

CVE-2026-6551

MEDIUM CVSS 6.4 2026-04-28