"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 10,777 · Critical 0 · High 0 · Medium 10,777
Showing 381-400 of 10777 records
Threat Entry Updated 2026-04-15

CVE-2026-2301 - Post Duplicator Plugin

The Post Duplicator plugin for WordPress is vulnerable to unauthorized arbitrary protected post meta insertion in all versions up to, and including, 3.0.8. This is due to the `duplicate_post()` function in `includes/api.php` using `$wpdb->insert()` directly to the `wp_postmeta` table instead of WordPress's standard `add_post_meta()` function, which would call `is_protected_meta()` to prevent lower-privileged users from setting protected meta keys (those starting with `_`). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary protected post meta keys such as `_wp_page_template`, `_wp_attached_file`, and other sensitive meta keys…

PLUGIN Post Duplicator

CVE-2026-2301

MEDIUM CVSS 4.3 2026-02-25
Threat Entry Updated 2026-02-25

CVE-2025-14742 - Wp Recipe Maker Plugin

The WP Recipe Maker plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajax_search_recipes' and 'ajax_get_recipe' functions in all versions up to, and including, 10.2.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive recipe information including draft, pending, and private recipes that they shouldn't be able to access.

PLUGIN Wp Recipe Maker

CVE-2025-14742

MEDIUM CVSS 4.3 2026-02-25
Threat Entry Updated 2026-04-15

CVE-2026-2479 - Responsive Lightbox Plugin

The Responsive Lightbox & Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.7.1. This is due to the use of `strpos()` for substring-based hostname validation instead of strict host comparison in the `ajax_upload_image()` function. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.

PLUGIN Responsive Lightbox

CVE-2026-2479

MEDIUM CVSS 5.0 2026-02-25
Threat Entry Updated 2026-04-15

CVE-2026-1614 - Rise Blocks – A Complete Gutenberg Page Builder Theme

The Rise Blocks – A Complete Gutenberg Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘logoTag’ Site Identity block attribute in all versions up to, and including, 3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Rise Blocks – A Complete Gutenberg Page Builder

CVE-2026-1614

MEDIUM CVSS 6.4 2026-02-25
Threat Entry Updated 2026-02-27

CVE-2026-3075 - Simple Ajax Chat Plugin

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Jeff Starr Simple Ajax Chat simple-ajax-chat allows Retrieve Embedded Sensitive Data. This issue affects Simple Ajax Chat: from n/a through

PLUGIN Simple Ajax Chat

CVE-2026-3075

MEDIUM CVSS 5.3 2026-02-23
Threat Entry Updated 2026-04-15

CVE-2026-23694 - Aruba Hispeed Cache Plugin

Aruba HiSpeed Cache (aruba-hispeed-cache) WordPress plugin versions prior to 3.0.5 contain a cross-site request forgery (CSRF) vulnerability affecting multiple administrative AJAX actions. The handlers for ahsc_reset_options, ahsc_debug_status, and ahsc_enable_purge perform authentication and capability checks but do not verify a WordPress nonce for state-changing requests. An attacker can induce a logged-in administrator to visit a malicious webpage that submits forged requests to admin-ajax.php, resulting in unauthorized resetting of plugin settings, toggling of the WordPress WP_DEBUG configuration, or modification of cache purging behavior without the administrator’s intent.

PLUGIN Aruba Hispeed Cache

CVE-2026-23694

MEDIUM CVSS 5.1 2026-02-23
Threat Entry Updated 2026-04-15

CVE-2026-2385 - The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce Theme

The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.4.7. This is due to the plugin decrypting and trusting attacker-controlled email_data in an unauthenticated AJAX handler without cryptographic authenticity guarantees. This makes it possible for unauthenticated attackers to tamper with form email routing and redirection values to trigger unauthorized email relay and attacker-controlled redirection via the 'email_data' parameter.

THEME The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce

CVE-2026-2385

MEDIUM CVSS 5.3 2026-02-22
Threat Entry Updated 2026-04-15

CVE-2026-1787 - LearnPress – Backup & Migration Tool Plugin

The LearnPress Export Import – WordPress extension for LearnPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'delete_migrated_data' function in all versions up to, and including, 4.1.0. This makes it possible for unauthenticated attackers to delete courses that have been migrated from Tutor LMS. The Tutor LMS plugin must be installed and activated in order to exploit the vulnerability.

PLUGIN LearnPress – Backup & Migration Tool

CVE-2026-1787

MEDIUM CVSS 4.8 2026-02-21
Threat Entry Updated 2026-02-23

CVE-2025-14339 - And Automation Plugin

The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. This is due to the `Forms::permission()` callback only validating the `X-WP-Nonce` header without checking user capabilities. Since the REST nonce is exposed to unauthenticated visitors via the `weMail` JavaScript object on pages with weMail forms, any unauthenticated user can permanently delete all weMail forms by extracting the nonce from the page source and sending a DELETE request to…

PLUGIN And Automation

CVE-2025-14339

MEDIUM CVSS 6.5 2026-02-21
Threat Entry Updated 2026-02-26

CVE-2026-24953 - Simple File List Plugin

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mitchell Bennis Simple File List simple-file-list allows Path Traversal. This issue affects Simple File List: from n/a through

PLUGIN Simple File List

CVE-2026-24953

MEDIUM CVSS 6.5 2026-02-20
Threat Entry Updated 2026-02-26

CVE-2026-24946 - Print Invoice & Delivery Notes for WooCommerce Plugin

Missing Authorization vulnerability in tychesoftwares Print Invoice & Delivery Notes for WooCommerce woocommerce-delivery-notes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Print Invoice & Delivery Notes for WooCommerce: from n/a through

PLUGIN Print Invoice & Delivery Notes for WooCommerce

CVE-2026-24946

MEDIUM CVSS 6.5 2026-02-20
Threat Entry Updated 2026-02-20

CVE-2026-24944 - Subscribe2 Plugin

Missing Authorization vulnerability in weDevs Subscribe2 subscribe2 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Subscribe2: from n/a through

PLUGIN Subscribe2

CVE-2026-24944

MEDIUM CVSS 6.5 2026-02-20
Threat Entry Updated 2026-04-15

CVE-2026-22383 - PawFriends - Pet Shop and Veterinary WordPress Theme

Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PawFriends - Pet Shop and Veterinary WordPress Theme: from n/a through

THEME PawFriends - Pet Shop and Veterinary WordPress Theme

CVE-2026-22383

MEDIUM CVSS 5.4 2026-02-20
Threat Entry Updated 2026-02-23

CVE-2026-22351 - WP FullCalendar Plugin

Missing Authorization vulnerability in Marcus (aka @msykes) WP FullCalendar wp-fullcalendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP FullCalendar: from n/a through

PLUGIN WP FullCalendar

CVE-2026-22351

MEDIUM CVSS 6.5 2026-02-20
Threat Entry Updated 2026-02-25

CVE-2026-22350 - PDF for Elementor Forms + Drag And Drop Template Builder Plugin

Missing Authorization vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through

PLUGIN PDF for Elementor Forms + Drag And Drop Template Builder

CVE-2026-22350

MEDIUM CVSS 6.5 2026-02-20
Threat Entry Updated 2026-02-24

CVE-2026-22341 - Booked Plugin

Authentication Bypass Using an Alternate Path or Channel vulnerability in Case-Themes Booked booked allows Authentication Abuse. This issue affects Booked: from n/a through

PLUGIN Booked

CVE-2026-22341

MEDIUM CVSS 5.4 2026-02-20
Threat Entry Updated 2026-02-23

CVE-2025-69385 - Cartify Allows Exploiting Incorrectly Configured Access Control Security Levels Theme

Missing Authorization vulnerability in AgniHD Cartify - WooCommerce Gutenberg WordPress Theme cartify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cartify - WooCommerce Gutenberg WordPress Theme: from n/a through

THEME Cartify Allows Exploiting Incorrectly Configured Access Control Security Levels

CVE-2025-69385

MEDIUM CVSS 6.5 2026-02-20
Threat Entry Updated 2026-02-25

CVE-2025-68837 - WordPress Core

Missing Authorization vulnerability in ELEXtensions ELEX WordPress HelpDesk & Customer Ticketing System elex-helpdesk-customer-support-ticket-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ELEX WordPress HelpDesk & Customer Ticketing System: from n/a through

CORE WordPress Core

CVE-2025-68837

MEDIUM CVSS 6.5 2026-02-20
Threat Entry Updated 2026-02-25

CVE-2025-68028 - WordPress Core

Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress ga-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GA4WP: Google Analytics for WordPress: from n/a through

CORE WordPress Core

CVE-2025-68028

MEDIUM CVSS 6.5 2026-02-20