
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 361-380 of 10777 records
Threat Entry Updated 2026-02-27

CVE-2025-14142 - Electric Enquiries Plugin

The Electric Enquiries plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button' parameter of the electric-enquiry shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Electric Enquiries

CVE-2025-14142

MEDIUM CVSS 6.4 2026-02-27
Threat Entry Updated 2026-04-15

CVE-2026-1305 - Japanized For Woocommerce Plugin

The Japanized for WooCommerce plugin for WordPress is vulnerable to Improper Authentication in versions up to, and including, 2.8.4. This is due to a flawed permission check in the `paidy_webhook_permission_check` function that unconditionally returns `true` when the webhook signature header is omitted. This makes it possible for unauthenticated attackers to bypass payment verification and fraudulently mark orders as "Processing" or "Completed" without actual payment via a crafted POST request to the Paidy webhook endpoint.

PLUGIN Japanized For Woocommerce

CVE-2026-1305

MEDIUM CVSS 5.3 2026-02-27
Threat Entry Updated 2026-02-27

CVE-2024-10938 - Ovri Payment Plugin

The OVRI Payment plugin for WordPress contains malicious .htaccess files in version 1.7.0. The files contain directives to prevent the execution of certain scripts while allowing execution of known malicious PHP files. If moved outside of the plugin's directory, they may interfere with the proper function of a site.

PLUGIN Ovri Payment

CVE-2024-10938

MEDIUM CVSS 6.5 2026-02-27
Threat Entry Updated 2026-04-15

CVE-2026-2383 - Simple Download Monitor Plugin

The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Simple Download Monitor

CVE-2026-2383

MEDIUM CVSS 6.4 2026-02-27
Threat Entry Updated 2026-04-15

CVE-2026-2362 - Wp Accessibility Plugin

The WP Accessibility plugin for WordPress is vulnerable to Stored DOM-Based Cross-Site Scripting via the 'alt' attribute of images processed by the "Long Description UI" feature in all versions up to, and including, 2.3.1. This is due to the plugin's JavaScript retrieving the alt attribute using getAttribute() and unsafely concatenating it into innerHTML and insertAdjacentHTML calls without proper sanitization or escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.…

PLUGIN Wp Accessibility

CVE-2026-2362

MEDIUM CVSS 6.4 2026-02-27
Threat Entry Updated 2026-02-27

CVE-2025-14149 - Widgets For Elementor Plugin

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Scroller widget box link attribute in all versions up to, and including, 1.4.24 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Widgets For Elementor

CVE-2025-14149

MEDIUM CVSS 6.4 2026-02-27
Threat Entry Updated 2026-02-27

CVE-2025-14040 - Automotive Car Dealership Business Wordpress Theme

The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Call to Action' custom fields in all versions up to, and including, 13.4. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the 'action_text', 'action_button_text', 'action_link', and 'action_class' custom fields. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Automotive Car Dealership Business Wordpress

CVE-2025-14040

MEDIUM CVSS 6.4 2026-02-27
Threat Entry Updated 2026-04-15

CVE-2026-1558 - Wp Recipe Maker Plugin

The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to, and including, 10.3.2. This is due to the /wp-json/wp-recipe-maker/v1/integrations/instacart REST API endpoint's permission_callback being set to __return_true and a lack of subsequent authorization or ownership checks on the user-supplied recipeId. This makes it possible for unauthenticated attackers to overwrite arbitrary post metadata (wprm_instacart_combinations) for any post ID on the site via the recipeId parameter.

PLUGIN Wp Recipe Maker

CVE-2026-1558

MEDIUM CVSS 5.3 2026-02-27
Threat Entry Updated 2026-02-27

CVE-2026-28131 - Elementor Addon Elements Plugin

Insertion of Sensitive Information Into Sent Data vulnerability in WPVibes Elementor Addon Elements (addon-elements-for-elementor-page-builder) allows Retrieve Embedded Sensitive Data. This issue affects Elementor Addon Elements: from n/a through

PLUGIN Elementor Addon Elements

CVE-2026-28131

MEDIUM CVSS 6.5 2026-02-26
Threat Entry Updated 2026-02-27

CVE-2026-28132 - WooCommerce Photo Reviews Theme

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in villatheme WooCommerce Photo Reviews (woocommerce-photo-reviews) allows Code Injection. This issue affects WooCommerce Photo Reviews: from n/a through

THEME WooCommerce Photo Reviews

CVE-2026-28132

MEDIUM CVSS 5.3 2026-02-26
Threat Entry Updated 2026-02-27

CVE-2026-28083 - Flatsome Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UX-themes Flatsome (flatsome) allows Stored XSS. This issue affects Flatsome: from n/a through

PLUGIN Flatsome

CVE-2026-28083

MEDIUM CVSS 6.5 2026-02-26
Threat Entry Updated 2026-04-15

CVE-2026-2356 - User Registration Plugin

The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2 via the 'register_member' function, due to missing validation on the user-controlled 'member_id' key. This makes it possible for unauthenticated attackers to delete arbitrary newly registered user accounts on the site that have the 'urm_user_just_created' user meta set.

PLUGIN User Registration

CVE-2026-2356

MEDIUM CVSS 5.3 2026-02-26
Threat Entry Updated 2026-04-15

CVE-2026-2506 - Cost Calculator Plugin

The EM Cost Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to the plugin storing attacker-controlled 'customer_name' data and rendering it in the admin customer list without output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the EMCC Customers page.

PLUGIN Cost Calculator

CVE-2026-2506

MEDIUM CVSS 6.1 2026-02-26
Threat Entry Updated 2026-04-15

CVE-2026-2499 - Custom Logo Plugin

The Custom Logo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Custom Logo

CVE-2026-2499

MEDIUM CVSS 4.4 2026-02-26
Threat Entry Updated 2026-04-15

CVE-2026-2498 - Wp Social Meta Plugin

The WP Social Meta plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Wp Social Meta

CVE-2026-2498

MEDIUM CVSS 4.4 2026-02-26
Threat Entry Updated 2026-04-15

CVE-2026-2029 - Addons For Beaver Builder Plugin

The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[labb_pricing_item]` shortcode's `title` and `value` attributes in all versions up to, and including, 3.9.2 due to insufficient input sanitization and output escaping. Specifically, the plugin uses `htmlspecialchars_decode()` after `wp_kses_post()`, which decodes HTML entities back into executable code after sanitization has occurred. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Addons For Beaver Builder

CVE-2026-2029

MEDIUM CVSS 6.4 2026-02-26
Threat Entry Updated 2026-04-15

CVE-2026-2489 - Tp2wp Importer Plugin

The TP2WP Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Watched domains' textarea on the attachment importer settings page in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping when domains are saved via AJAX and rendered with echo implode() without esc_textarea(). This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the attachment importer settings page.

PLUGIN Tp2wp Importer

CVE-2026-2489

MEDIUM CVSS 4.4 2026-02-26
Threat Entry Updated 2026-04-15

CVE-2026-2694 - The Events Calendar Plugin

The The Events Calendar plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to an improper capability check in the 'can_edit' and 'can_delete' functions in all versions up to, and including, 6.15.16. This makes it possible for authenticated attackers, with Contributor-level access and above, to update or trash events, organizers and venues via the REST API.

PLUGIN The Events Calendar

CVE-2026-2694

MEDIUM CVSS 5.4 2026-02-25
Threat Entry Updated 2026-04-15

CVE-2026-2367 - Secure Copy Content Protection Plugin

The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ays_block' shortcode in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Secure Copy Content Protection

CVE-2026-2367

MEDIUM CVSS 6.4 2026-02-25
Threat Entry Updated 2026-04-15

CVE-2026-2410 - Disable Admin Notices Plugin

The Disable Admin Notices – Hide Dashboard Notifications plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing nonce validation in the `showPageContent()` function. This makes it possible for unauthenticated attackers to add arbitrary URLs to the blocked redirects list via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Disable Admin Notices

CVE-2026-2410

MEDIUM CVSS 4.3 2026-02-25