Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-02-19
CVE-2026-25004 - CM Business Directory Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Business Directory cm-business-directory allows Stored XSS.This issue affects CM Business Directory: from n/a through
PLUGIN
CM Business Directory
CVE-2026-25004
Risk Score
Threat Entry
Updated 2026-02-20
CVE-2026-25008 - Ninja Tables Plugin
Insertion of Sensitive Information Into Sent Data vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows Retrieve Embedded Sensitive Data.This issue affects Ninja Tables: from n/a through
PLUGIN
Ninja Tables
CVE-2026-25008
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2026-25003 - Client Portal Plugin
Missing Authorization vulnerability in madalin.ungureanu Client Portal client-portal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Portal: from n/a through
PLUGIN
Client Portal
CVE-2026-25003
Risk Score
Threat Entry
Updated 2026-02-24
CVE-2026-23803 - Smart Auto Upload Images Plugin
Server-Side Request Forgery (SSRF) vulnerability in Burhan Nasir Smart Auto Upload Images smart-auto-upload-images allows Server Side Request Forgery.This issue affects Smart Auto Upload Images: from n/a through
PLUGIN
Smart Auto Upload Images
CVE-2026-23803
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2026-24392 - HurryTimer Plugin
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nabil Lemsieh HurryTimer hurrytimer allows Stored XSS.This issue affects HurryTimer: from n/a through
PLUGIN
HurryTimer
CVE-2026-24392
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2026-23804 - Better Business Reviews Plugin
Missing Authorization vulnerability in BBR Plugins Better Business Reviews better-business-reviews allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Better Business Reviews: from n/a through
PLUGIN
Better Business Reviews
CVE-2026-23804
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2026-25000 - Wheel of Life Plugin
Missing Authorization vulnerability in Kraft Plugins Wheel of Life wheel-of-life allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wheel of Life: from n/a through
PLUGIN
Wheel of Life
CVE-2026-25000
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2026-24999 - Alma Plugin
Missing Authorization vulnerability in Alma Alma alma-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Alma: from n/a through
PLUGIN
Alma
CVE-2026-24999
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2026-24375 - Ultimate Gift Cards For WooCommerce Plugin
Missing Authorization vulnerability in WP Swings Ultimate Gift Cards For WooCommerce woo-gift-cards-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Gift Cards For WooCommerce: from n/a through
PLUGIN
Ultimate Gift Cards For WooCommerce
CVE-2026-24375
Risk Score
Threat Entry
Updated 2026-02-26
CVE-2026-23545 - Aruba HiSpeed Cache Plugin
Missing Authorization vulnerability in Aruba.it Dev Aruba HiSpeed Cache aruba-hispeed-cache allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Aruba HiSpeed Cache: from n/a through
PLUGIN
Aruba HiSpeed Cache
CVE-2026-23545
Risk Score
Threat Entry
Updated 2026-02-26
CVE-2026-23548 - DirectoryPress Plugin
Missing Authorization vulnerability in designinvento DirectoryPress directorypress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DirectoryPress: from n/a through
PLUGIN
DirectoryPress
CVE-2026-23548
Risk Score
Threat Entry
Updated 2026-02-26
CVE-2026-23543 - Essential Addons for Elementor Plugin
Missing Authorization vulnerability in WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Addons for Elementor: from n/a through
PLUGIN
Essential Addons for Elementor
CVE-2026-23543
Risk Score
Threat Entry
Updated 2026-02-20
CVE-2026-22422 - Everest Forms Plugin
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in wpeverest Everest Forms everest-forms allows Code Injection.This issue affects Everest Forms: from n/a through
PLUGIN
Everest Forms
CVE-2026-22422
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2502 - Xmlrpc Attacks Blocker Plugin
The xmlrpc attacks blocker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0, via the 'X-Forwarded-For' HTTP header. This is due to the plugin trusting and logging attacker-controlled IP header data and rendering debug log entries without output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the debug log page.
PLUGIN
Xmlrpc Attacks Blocker
CVE-2026-2502
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2284 - News Element Plugin
The News Element Elementor Blog Magazine plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.8. This is due to a missing capability check and nonce verification on the 'ne_clean_data' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to truncate 8 core WordPress database tables (posts, comments, terms, term_relationships, term_taxonomy, postmeta, commentmeta, termmeta) and delete the entire WordPress uploads directory, resulting in complete data loss.
PLUGIN
News Element
CVE-2026-2284
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2282 - Slidorion Plugin
The Slidorion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Slidorion
CVE-2026-2282
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2504 - Dealia – Request a quote Plugin
The Dealia – Request a quote plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple AJAX handlers in all versions up to, and including, 1.0.7. The admin nonce (DEALIA_ADMIN_NONCE) is exposed to all users with edit_posts capability (Contributor+) via wp_localize_script() in PostsController.php, while the AJAX handlers in AdminSettingsController.php only verify the nonce without checking current_user_can('manage_options'). This makes it possible for authenticated attackers, with Contributor-level access and above, to reset the plugin configuration.
PLUGIN
Dealia – Request a quote
CVE-2026-2504
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1646 - Advance Block Extend Plugin
The Advance Block Extend plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the TitleColor block attribute in the Latest Posts Gutenberg block in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Advance Block Extend
CVE-2026-1646
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1455 - Whatsiplus Scheduled Notification For Woocommerce Plugin
The Whatsiplus Scheduled Notification for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'wsnfw_save_users_settings' AJAX action. This makes it possible for unauthenticated attackers to modify plugin configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Whatsiplus Scheduled Notification For Woocommerce
CVE-2026-1455
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1373 - Easy Author Image Plugin
The Easy Author Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'author_profile_picture_url' parameter in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Easy Author Image
CVE-2026-1373
Risk Score