Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-03-09
CVE-2026-1650 - Mdjm Event Management Plugin
The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'custom_fields_controller' function in all versions up to, and including, 1.7.8.1. This makes it possible for unauthenticated attackers to delete arbitrary custom event fields via the 'delete_custom_field' and 'id' parameters.
PLUGIN
Mdjm Event Management
CVE-2026-1650
Risk Score
Threat Entry
Updated 2026-03-09
CVE-2026-2371 - Animation And Page Builder Blocks Plugin
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 12.8.3. This is due to missing authorization and post status validation in the `gspb_el_reusable_load()` AJAX handler. The handler accepts an arbitrary `post_id` parameter and renders the content of any `wp_block` post without checking `current_user_can('read_post', $post_id)` or verifying the post status. Combined with the nonce being exposed to unauthenticated users on any public page using the `[wp_reusable_render]` shortcode with `ajax="1"`, this makes it possible for unauthenticated…
PLUGIN
Animation And Page Builder Blocks
CVE-2026-2371
Risk Score
Threat Entry
Updated 2026-03-09
CVE-2026-1981 - HUMN-1 AI Website Scanner & Human Certification by Winston AI Plugin
The HUMN-1 AI Website Scanner & Human Certification by Winston AI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the winston_disconnect() function in all versions up to, and including, 0.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's API connection settings via the 'winston_disconnect' AJAX action.
PLUGIN
HUMN-1 AI Website Scanner & Human Certification by Winston AI
CVE-2026-1981
Risk Score
Threat Entry
Updated 2026-03-09
CVE-2026-1644 - Wp Front End Profile Plugin
The WP Frontend Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing nonce validation on the 'update_action' function. This makes it possible for unauthenticated attackers to approve or reject user account registrations via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
PLUGIN
Wp Front End Profile
CVE-2026-1644
Risk Score
Threat Entry
Updated 2026-03-09
CVE-2026-2830 - Google Sheets Plugin
The WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘filepath’ parameter in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Google Sheets
CVE-2026-2830
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1128 - Wp Ecommerce Plugin
The WP eCommerce WordPress plugin through 3.15.1 does not have CSRF check in place when deleting coupons, which could allow attackers to make a logged in admin remove them via a CSRF attack
PLUGIN
Wp Ecommerce
CVE-2026-1128
Risk Score
Threat Entry
Updated 2026-03-09
CVE-2026-2589 - Animation And Page Builder Blocks Plugin
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 12.8.3 via the automated Settings Backup stored in a publicly accessible file. This makes it possible for unauthenticated attackers to extract sensitive data including the configured OpenAI, Claude, Google Maps, Gemini, DeepSeek, and Cloudflare Turnstile API keys.
PLUGIN
Animation And Page Builder Blocks
CVE-2026-2589
Risk Score
Threat Entry
Updated 2026-03-09
CVE-2026-2593 - Greenshift – animation and page builder blocks Plugin
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `_gspb_post_css` post meta value and the `dynamicAttributes` block attribute in all versions up to, and including, 12.8.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Greenshift – animation and page builder blocks
CVE-2026-2593
Risk Score
Threat Entry
Updated 2026-03-05
CVE-2026-2893 - Page And Post Clone Plugin
The Page and Post Clone plugin for WordPress is vulnerable to SQL Injection via the 'meta_key' parameter in the content_clone() function in all versions up to, and including, 6.3. This is due to insufficient escaping on the user-supplied meta_key value and insufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The injection is second-order: the malicious payload is stored as…
PLUGIN
Page And Post Clone
CVE-2026-2893
Risk Score
Threat Entry
Updated 2026-03-05
CVE-2026-3072 - Media Library Assistant Plugin
The Media Library Assistant plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the mla_update_compat_fields_action() function in all versions up to, and including, 3.33. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify taxonomy terms on arbitrary attachments.
PLUGIN
Media Library Assistant
CVE-2026-3072
Risk Score
Threat Entry
Updated 2026-04-01
CVE-2026-22459 - WordPress CTA Plugin
Missing Authorization vulnerability in Blend Media WordPress CTA easy-sticky-sidebar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress CTA: from n/a through
PLUGIN
WordPress CTA
CVE-2026-22459
Risk Score
Threat Entry
Updated 2026-03-05
CVE-2026-3523 - Apocalypse Meow Plugin
The Apocalypse Meow plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 22.1.0. This is due to a flawed logical operator in the type validation check on line 261 of ajax.php — the condition uses `&&` (AND) instead of `||` (OR), causing the `in_array()` validation to be short-circuited and never evaluated for any non-empty type value. Combined with `stripslashes_deep()` being called on line 101 which removes `wp_magic_quotes()` protection, attacker-controlled single quotes pass through unescaped into the SQL query on line…
PLUGIN
Apocalypse Meow
CVE-2026-3523
Risk Score
Threat Entry
Updated 2026-03-05
CVE-2026-2899 - Fluent Forms Pro Add On Pack Plugin
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.17. This is due to the `deleteFile()` method in the `Uploader` class lacking nonce verification and capability checks. The AJAX action is registered via `addPublicAjaxAction()` which creates both `wp_ajax_` and `wp_ajax_nopriv_` hooks. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments via the `attachment_id` parameter. Note: The researcher described file deletion via the `path` parameter using `sanitize_file_name()`, but the actual code uses `Protector::decrypt()` for…
PLUGIN
Fluent Forms Pro Add On Pack
CVE-2026-2899
Risk Score
Threat Entry
Updated 2026-03-05
CVE-2026-3034 - Ooohboi Steroids For Elementor Plugin
The OoohBoi Steroids for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _ob_spacerat_link, _ob_bbad_link, and _ob_teleporter_link URL parameters in all versions up to, and including, 2.1.24. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks on the injected element.
PLUGIN
Ooohboi Steroids For Elementor
CVE-2026-3034
Risk Score
Threat Entry
Updated 2026-03-04
CVE-2026-2355 - My Calendar – Accessible Event Manager Plugin
The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `template` attribute of the `[my_calendar_upcoming]` shortcode in all versions up to, and including, 3.7.3. This is due to the use of `stripcslashes()` on user-supplied shortcode attribute values in the `mc_draw_template()` function, which decodes C-style hex escape sequences (e.g., `\x3c` to `
PLUGIN
My Calendar – Accessible Event Manager
CVE-2026-2355
Risk Score
Threat Entry
Updated 2026-03-31
CVE-2026-3058 - Seraphinite Accelerator Plugin
The Seraphinite Accelerator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.28.14 via the `seraph_accel_api` AJAX action with `fn=GetData`. This is due to the `OnAdminApi_GetData()` function not performing any capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive operational data including cache status, scheduled task information, and external database state.
PLUGIN
Seraphinite Accelerator
CVE-2026-3058
Risk Score
Threat Entry
Updated 2026-03-04
CVE-2026-3056 - Seraphinite Accelerator Plugin
The Seraphinite Accelerator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `seraph_accel_api` AJAX action with `fn=LogClear` in all versions up to, and including, 2.28.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the plugin's debug/operational logs.
PLUGIN
Seraphinite Accelerator
CVE-2026-3056
Risk Score
Threat Entry
Updated 2026-03-04
CVE-2026-1674 - And Custom Form Builder Plugin
The Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization within the save_gutena_forms_schema() function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to update option values to a structured array value on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or…
PLUGIN
And Custom Form Builder
CVE-2026-1674
Risk Score
Threat Entry
Updated 2026-03-04
CVE-2026-1706 - All In One Video Gallery Plugin
The All-in-One Video Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'vi' parameter in all versions up to, and including, 4.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
All In One Video Gallery
CVE-2026-1706
Risk Score
Threat Entry
Updated 2026-03-04
CVE-2026-1236 - Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More Plugin
The Envira Gallery for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'justified_gallery_theme' parameter in all versions up to, and including, 1.12.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More
CVE-2026-1236
Risk Score