"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 11,547
Critical: 0
High: 0
Medium: 11,547
Showing 41-60 of 11547 records
Threat Entry Updated 2026-05-27

CVE-2026-42750 - WPComplete Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nexcess WPComplete wpcomplete allows Stored XSS. This issue affects WPComplete: from n/a through

PLUGIN WPComplete

CVE-2026-42750

MEDIUM CVSS 6.5 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42744 - Ads by WPQuads Plugin

Improper Validation of Specified Quantity in Input vulnerability in Ads by WPQuads Ads by WPQuads quick-adsense-reloaded allows Manipulating Hidden Fields. This issue affects Ads by WPQuads: from n/a through

PLUGIN Ads by WPQuads

CVE-2026-42744

MEDIUM CVSS 6.5 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42732 - Ads by WPQuads Plugin

Improper Validation of Specified Quantity in Input vulnerability in Ads by WPQuads Ads by WPQuads quick-adsense-reloaded allows Input Data Manipulation. This issue affects Ads by WPQuads: from n/a through

PLUGIN Ads by WPQuads

CVE-2026-42732

MEDIUM CVSS 6.5 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42726 - WordPress Core

Missing Authorization vulnerability in Strategy11 Team AWP Classifieds another-wordpress-classifieds-plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AWP Classifieds: from n/a through

CORE WordPress Core

CVE-2026-42726

MEDIUM CVSS 6.5 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-42725 - Checkout Files Upload for WooCommerce Plugin

Authorization Bypass Through User-Controlled Key vulnerability in WP Wham Checkout Files Upload for WooCommerce checkout-files-upload-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Checkout Files Upload for WooCommerce: from n/a through

PLUGIN Checkout Files Upload for WooCommerce

CVE-2026-42725

MEDIUM CVSS 6.5 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-3349 - Minhnhut Link Gateway Plugin

The MinhNhut Link Gateway plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' parameter on the redirect page in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Minhnhut Link Gateway

CVE-2026-3349

MEDIUM CVSS 6.1 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-3348 - Minhnhut Link Gateway Plugin

The MinhNhut Link Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's settings (Description, Title, and other fields) in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the redirect page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Minhnhut Link Gateway

CVE-2026-3348

MEDIUM CVSS 4.4 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-2288 - Mylinksdump Plugin

The myLinksDump plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link_title' parameter in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Mylinksdump

CVE-2026-2288

MEDIUM CVSS 4.8 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-2280 - Rexcrawler Plugin

The rexCrawler plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Rexcrawler

CVE-2026-2280

MEDIUM CVSS 4.8 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-48968 - Master Slider Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta Master Slider allows DOM-Based XSS. This issue affects Master Slider: from n/a through 3.10.8.

PLUGIN Master Slider

CVE-2026-48968

MEDIUM CVSS 6.5 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-48877 - GenerateBlocks Plugin

Insertion of Sensitive Information Into Sent Data vulnerability in Tom GenerateBlocks allows Retrieve Embedded Sensitive Data. This issue affects GenerateBlocks: from n/a through 2.1.0.

PLUGIN GenerateBlocks

CVE-2026-48877

MEDIUM CVSS 6.5 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-8042 - Github Shortcode Plugin

The Github Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'repo' shortcode attribute in the 'github' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Github Shortcode

CVE-2026-8042

MEDIUM CVSS 6.4 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-8906 - Wp Promoter Plugin

The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Wp Promoter

CVE-2026-8906

MEDIUM CVSS 6.1 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-7618 - Envialosimple Email Marketing Y Newsletters Gratis Plugin

The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Envialosimple Email Marketing Y Newsletters Gratis

CVE-2026-7618

MEDIUM CVSS 4.9 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-8942 - Metamagic Seo Plugin

The MetaMagic SEO Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6. This is due to missing or incorrect nonce validation on the metamagic_update_options function. This makes it possible for unauthenticated attackers to modify the plugin's SEO settings, including enabling or disabling the plugin and toggling description and keyword meta tag output via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Metamagic Seo

CVE-2026-8942

MEDIUM CVSS 4.3 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-3897 - Addons For Beaver Builder Plugin

The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `labb_admin_ajax` AJAX action in all versions up to, and including, 3.9.2 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not check user capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to modify plugin settings and inject malicious scripts that execute when administrators access the plugin settings page or when any user visits the frontend.

PLUGIN Addons For Beaver Builder

CVE-2026-3897

MEDIUM CVSS 6.4 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-3279 - Enable Jquery Migrate Helper Plugin

The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `downgrade_jquery_version()` function in all versions up to, and including, 1.4.1. This is due to the function only verifying a nonce without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to downgrade the site-wide jQuery version from 3.7.1 to the legacy 1.12.4-wp release, which has known security vulnerabilities.

PLUGIN Enable Jquery Migrate Helper

CVE-2026-3279

MEDIUM CVSS 6.5 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-3896 - Livemesh Siteorigin Widgets Plugin

The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `lsow_admin_ajax` AJAX action in all versions up to, and including, 3.9.2 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not check user capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to modify plugin settings and inject malicious scripts that execute when administrators access the plugin settings page or when any user visits the frontend.

PLUGIN Livemesh Siteorigin Widgets

CVE-2026-3896

MEDIUM CVSS 6.4 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-3895 - Addons For Visual Composer Plugin

The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `lvca_admin_ajax` AJAX action in all versions up to, and including, 3.9.4 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not check user capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to modify plugin settings and inject malicious scripts that execute when administrators access the plugin settings page or when any user visits the frontend.

PLUGIN Addons For Visual Composer

CVE-2026-3895

MEDIUM CVSS 6.4 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-2030 - Addons For Visual Composer Plugin

The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[lvca_carousel]` and `[lvca_posts_carousel]` shortcode attributes in all versions up to, and including, 3.9.4 due to insufficient input sanitization and output escaping. Specifically, shortcode attributes are encoded with `wp_json_encode()` and output into single-quoted `data-settings` HTML attributes without using `esc_attr()`, allowing attackers to break out of the attribute by injecting single quotes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute…

PLUGIN Addons For Visual Composer

CVE-2026-2030

MEDIUM CVSS 6.4 2026-05-27