Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-04-15
CVE-2026-1793 - Bdthemes Element Pack Lite Plugin
The Element Pack Addons for Elementor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 8.3.17 via the SVG widget and a lack of sufficient file validation in the 'render_svg' function. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Bdthemes Element Pack Lite
CVE-2026-1793
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2312 - Media Library Folders Plugin
The Media Library Folders plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 8.3.6 via the delete_maxgalleria_media() and maxgalleria_rename_image() functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to delete or rename attachments owned by other users (including administrators). The rename flow also deletes all postmeta for the target attachment, causing data loss.
PLUGIN
Media Library Folders
CVE-2026-2312
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1512 - Essential Addons for Elementor – Popular Elementor Templates & Widgets Plugin
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Info Box widget in all versions up to, and including, 6.5.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Essential Addons for Elementor – Popular Elementor Templates & Widgets
CVE-2026-1512
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1258 - Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more Plugin
The Mail Mint plugin for WordPress is vulnerable to blind SQL Injection via the 'forms', 'automation', 'email/templates', and 'contacts/import/tutorlms/map' API endpoints in all versions up to, and including, 1.19.2 . This is due to insufficient escaping on the user supplied 'order-by', 'order-type', and 'selectedCourses' parameters and lack of sufficient preparation on the existing SQL queries. This makes it possible for authenticated attackers, with administrator level access and above, to append additional SQL queries into already existing queries.
PLUGIN
Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more
CVE-2026-1258
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1254 - Modula Image Gallery – Photo Grid & Video Gallery Plugin
The Modula Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.13.6. This is due to the plugin not properly verifying that a user is authorized to modify specific posts before updating them via the REST API. This makes it possible for authenticated attackers, with contributor level access and above, to update the title, excerpt, and content of arbitrary posts by passing post IDs in the modulaImages field when editing a gallery.
PLUGIN
Modula Image Gallery – Photo Grid & Video Gallery
CVE-2026-1254
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-0550 - myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program. Plugin
The myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mycred_load_coupon' shortcode in all versions up to, and including, 2.9.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program.
CVE-2026-0550
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1249 - MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar Plugin
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Server-Side Request Forgery in versions 5.3 to 5.10 via the 'load_lyrics_ajax_callback' function. This makes it possible for authenticated attackers, with author level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar
CVE-2026-1249
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1985 - Press3d Plugin
The Press3D plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 3D Model Gutenberg block in all versions up to, and including, 1.0.2. This is due to the plugin failing to sanitize and validate the URL scheme when storing link URLs for 3D model blocks, allowing `javascript:` URLs. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages via the link URL parameter that will execute whenever a user clicks on the 3D model.
PLUGIN
Press3d
CVE-2026-1985
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1987 - Scheduler Widget Plugin
The Scheduler Widget plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.1.6. This is due to the `scheduler_widget_ajax_save_event()` function lacking proper authorization checks and ownership verification when updating events. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify any event in the scheduler via the `id` parameter granted they have knowledge of the event ID.
PLUGIN
Scheduler Widget
CVE-2026-1987
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1944 - Callbackkiller Service Widget Plugin
The CallbackKiller service widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cbk_save() function in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to modify the plugin's site ID settings via the 'cbk_save_v1' AJAX action.
PLUGIN
Callbackkiller Service Widget
CVE-2026-1944
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2022 - Smart Forms – when you need more than just a contact form Plugin
The Smart Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'rednao_smart_forms_get_campaigns' AJAX action in all versions up to, and including, 2.6.99. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve donation campaign data including campaign IDs and names.
PLUGIN
Smart Forms – when you need more than just a contact form
CVE-2026-2022
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1939 - Percent To Infograph Plugin
The Percent to Infograph plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `percent_to_graph` shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Percent To Infograph
CVE-2026-1939
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1915 - Simple Plyr Plugin
The Simple Plyr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'poster' parameter in the 'plyr' shortcode in all versions up to, and including, 0.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Simple Plyr
CVE-2026-1915
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1910 - Online Ordering For Restaurants Plugin
The UpMenu – Online ordering for restaurants plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'lang' attribute of the 'upmenu-menu' shortcode in all versions up to, and including, 3.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Online Ordering For Restaurants
CVE-2026-1910
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1905 - Sphere Manager Plugin
The Sphere Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter in the 'show_sphere_image' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Sphere Manager
CVE-2026-1905
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1903 - Ravelry Designs Widget Plugin
The Ravelry Designs Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'layout' attribute of the 'sb_ravelry_designs' shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Ravelry Designs Widget
CVE-2026-1903
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1901 - Questionpro Surveys Plugin
The QuestionPro Surveys plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'questionpro' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Questionpro Surveys
CVE-2026-1901
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1796 - Stylebidet Plugin
The StyleBidet plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL path in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Stylebidet
CVE-2026-1796
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1795 - Address Bar Ads Plugin
The Address Bar Ads plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL Path in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Address Bar Ads
CVE-2026-1795
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1792 - Geo Widget Plugin
The Geo Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL path in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Geo Widget
CVE-2026-1792
Risk Score