Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Severity filter: Medium (11,547 of 11,547 records; Critical 0, High 0)
Showing 341-360 of 11547 records
Threat Entry Updated 2026-04-27

CVE-2026-42410 - Elementor Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) allows DOM-Based XSS. This issue affects TheGem Theme Elements (for Elementor): from n/a before 5.12.1.1.

MEDIUM CVSS 6.5 2026-04-27
Threat Entry Updated 2026-04-24

CVE-2026-4078 - Iteras Plugin

The ITERAS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes (iteras-ordering, iteras-signup, iteras-paywall-login, iteras-selfservice) in all versions up to and including 1.8.2. This is due to insufficient input sanitization and output escaping in the combine_attributes() function. The function directly concatenates shortcode attribute values into JavaScript code within tags using double-quoted string interpolation (line 489: '"'.$key.'": "'.$value.'"') without any escaping. An attacker can break out of the JavaScript string context by including a double-quote character in a shortcode attribute value and inject arbitrary JavaScript. This makes it…

MEDIUM CVSS 6.4 2026-04-24
Threat Entry Updated 2026-04-24

CVE-2026-3569 - Liaison Site Prober Plugin

The Liaison Site Prober plugin for WordPress is vulnerable to Information Exposure in all versions up to and including 1.2.1 via the /wp-json/site-prober/v1/logs REST API endpoint. The permissions_read() permission callback unconditionally returns true (via __return_true()) instead of checking for appropriate capabilities. This makes it possible for unauthenticated attackers to retrieve sensitive audit log data including IP addresses, user IDs, usernames, login/logout events, failed login attempts, and detailed activity descriptions.

MEDIUM CVSS 5.3 2026-04-24
Threat Entry Updated 2026-04-24

CVE-2026-3565 - Taqnix Plugin

The Taqnix plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to a missing nonce verification in the taqnix_delete_my_account() function, where the check_ajax_referer() call is explicitly commented out on line 883. This makes it possible for unauthenticated attackers to trick a logged-in non-administrator user into deleting their own account via a forged request, provided they can trick the user into performing an action such as clicking a link or visiting a malicious page.

MEDIUM CVSS 4.3 2026-04-24
Threat Entry Updated 2026-04-24

CVE-2026-5428 - Royal Elementor Addons Plugin

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image captions in the Image Grid/Slider/Carousel widget in versions up to and including 1.7.1056. This is due to insufficient output escaping in the render_post_thumbnail() function, where wp_kses_post() is used instead of esc_attr() for the alt attribute context. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses a page with the malicious image displayed in the media grid widget.

MEDIUM CVSS 6.4 2026-04-24
Threat Entry Updated 2026-04-24

CVE-2026-6810 - Booking Calendar Contact Form Plugin

The Booking Calendar Contact Form plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the dex_bccf_admin_int_calendar_list.inc.php file due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to take over other users' calendars and view user data associated with the calendar.

MEDIUM CVSS 5.3 2026-04-24
Threat Entry Updated 2026-04-24

CVE-2026-5347 - Wp Books Gallery Plugin

The HM Books Gallery plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.8.0. This is due to the absence of capability checks and nonce verification in the admin_init hook that handles the permalink settings update at lines 205-209 of wp-books-gallery.php. The vulnerable code checks only for the presence of the 'permalink_structure' POST parameter before updating the 'wbg_cpt_slug' option, without verifying that the request comes from an authenticated administrator. This makes it possible for unauthenticated attackers to modify the custom post type slug for the…

MEDIUM CVSS 5.3 2026-04-24
Threat Entry Updated 2026-04-24

CVE-2026-5488 - Google Analytics Dashboard For Wp Plugin

The ExactMetrics – Google Analytics Dashboard for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 9.1.2. This is due to missing capability checks in the get_ads_access_token() and reset_experience() AJAX handlers. While the mi-admin-nonce is localized on all admin pages (including profile.php which subscribers can access), and while other similar AJAX endpoints in the same class properly check for the exactmetrics_save_settings capability, these two endpoints only verify the nonce. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve valid…

MEDIUM CVSS 5.3 2026-04-24
Threat Entry Updated 2026-04-24

CVE-2026-6393 - Betterdocs Plugin

The BetterDocs plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.3.11. This is due to a missing capability check in the generate_openai_content_callback() function, which relies solely on a nonce rather than verifying user permissions. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger OpenAI API calls using the site's configured API key with arbitrary user-controlled prompts, leading to unauthorized consumption of the site owner's paid AI API quota.

MEDIUM CVSS 4.3 2026-04-24
Threat Entry Updated 2026-04-24

CVE-2026-2028 - MaxiBlocks Builder | 17,000+ Design Assets, Patterns, Icons & Starter Sites Plugin

The MaxiBlocks Builder plugin for WordPress is vulnerable to arbitrary media file deletion due to insufficient file ownership validation on the 'maxi_remove_custom_image_size' AJAX action in all versions up to, and including, 2.1.8. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files in the wp-content/uploads directory, including files uploaded by other users and administrators.

MEDIUM CVSS 5.3 2026-04-24
Threat Entry Updated 2026-04-23

CVE-2026-28040 - Taxi Booking Manager for WooCommerce Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Magepeople inc. Taxi Booking Manager for WooCommerce allows Stored XSS. This issue affects Taxi Booking Manager for WooCommerce: from n/a through 2.0.0.

MEDIUM CVSS 6.5 2026-04-23
Threat Entry Updated 2026-04-23

CVE-2026-3361 - Wp Store Locator Plugin

The WP Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpsl_address' post meta value in versions up to, and including, 2.2.261 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page and opens an injected map marker info window.

MEDIUM CVSS 6.4 2026-04-23
Threat Entry Updated 2026-04-23

CVE-2026-2951 - Page Builder For Gutenberg Editor Plugin

The Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

MEDIUM CVSS 5.4 2026-04-23
Threat Entry Updated 2026-04-23

CVE-2026-1923 - Social Sharing Plugin

The Social Rocket – Social Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in all versions up to, and including, 1.3.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

MEDIUM CVSS 6.4 2026-04-23
Threat Entry Updated 2026-04-22

CVE-2026-1930 - Emailchef Plugin

The Emailchef plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the page_options_ajax_disconnect() function in all versions up to, and including, 3.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's settings via the 'emailchef_disconnect' AJAX action.

MEDIUM CVSS 4.3 2026-04-22
Threat Entry Updated 2026-04-22

CVE-2026-1913 - Gallagher Website Design Plugin

The Gallagher Website Design plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's login_link shortcode in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on the 'prefix' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

MEDIUM CVSS 6.4 2026-04-22
Threat Entry Updated 2026-04-22

CVE-2026-1395 - Gutentools Plugin

The Gutentools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Slider block's block_id attribute in all versions up to, and including, 1.1.3. This is due to insufficient input sanitization and output escaping combined with a custom unescaping routine that reintroduces dangerous characters. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

MEDIUM CVSS 6.4 2026-04-22
Threat Entry Updated 2026-04-22

CVE-2026-6246 - Simple Random Posts Shortcode Plugin

The Simple Random Posts Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'container_right_width' attribute of the 'simple_random_posts' shortcode in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

MEDIUM CVSS 6.4 2026-04-22
Threat Entry Updated 2026-04-22

CVE-2026-6236 - Posts Map Plugin

The Posts map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' shortcode attribute in all versions up to, and including, 0.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

MEDIUM CVSS 6.4 2026-04-22
Threat Entry Updated 2026-04-22

CVE-2026-6041 - Buzz Comments Plugin

The Buzz Comments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Custom Buzz Avatar' (buzz_comments_avatar_image) setting in all versions up to, and including, 0.9.4. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the plugin settings page.

MEDIUM CVSS 4.4 2026-04-22