
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Showing 681-700 of 10807 records
Threat Entry Updated 2026-04-15

CVE-2026-1754 - Personal Authors Category Plugin

The personal-authors-category plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL path in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Personal Authors Category

CVE-2026-1754

MEDIUM CVSS 6.1 2026-02-14
Threat Entry Updated 2026-04-15

CVE-2026-1164 - Easy Voice Mail Plugin

The Easy Voice Mail plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘message’ parameter in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Easy Voice Mail

CVE-2026-1164

MEDIUM CVSS 6.1 2026-02-14
Threat Entry Updated 2026-02-18

CVE-2025-14608 - WP Last Modified Info Plugin

The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user's access to a post before modifying its metadata in the 'bulk_save' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to update the last modified metadata and lock the modification date of arbitrary posts, including those created by Administrators via the 'post_ids' parameter.

PLUGIN WP Last Modified Info

CVE-2025-14608

MEDIUM CVSS 5.3 2026-02-14
Threat Entry Updated 2026-02-18

CVE-2025-14067 - Easy Form Builder Plugin

The Easy Form Builder plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple AJAX actions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive form response data, including messages, admin replies, and user information due to a logic error in the authorization check that uses AND (&&) instead of OR (||).

PLUGIN Easy Form Builder

CVE-2025-14067

MEDIUM CVSS 5.3 2026-02-14
Threat Entry Updated 2026-02-18

CVE-2025-13973 - StickEasy Protected Contact Form Plugin

The StickEasy Protected Contact Form plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.0.2. The plugin stores spam detection logs at a predictable publicly accessible location (wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt). This makes it possible for unauthenticated attackers to download the log file and access sensitive information including visitor IP addresses, email addresses, and comment snippets from contact form submissions that were flagged as spam.

PLUGIN StickEasy Protected Contact Form

CVE-2025-13973

MEDIUM CVSS 5.3 2026-02-14
Threat Entry Updated 2026-02-18

CVE-2025-13681 - BFG Tools – Extension Zipper Plugin

The BFG Tools – Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied `first_file` parameter in the `zip()` function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files and directories outside the intended `/wp-content/plugins/` directory, which can contain sensitive information such as wp-config.php.

PLUGIN BFG Tools – Extension Zipper

CVE-2025-13681

MEDIUM CVSS 4.9 2026-02-14
Threat Entry Updated 2026-02-13

CVE-2025-15520 - RegistrationMagic Plugin

The RegistrationMagic WordPress plugin before 6.0.7.2 checks nonces but not capabilities, allowing for the disclosure of some sensitive data to subscribers and above.

PLUGIN RegistrationMagic

CVE-2025-15520

MEDIUM CVSS 4.3 2026-02-13
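Three entries above describe the same family of authorization bug from different angles: CVE-2025-14608 (a capability check that is not repeated per object, so 'post_ids' can name other users' posts), CVE-2025-14067 (a deny condition written with `&&` instead of `||`, so a caller only has to satisfy one of two checks) and CVE-2025-15520 (a nonce is verified but no capability is, even though a nonce only proves the request originated from a page the site rendered). The block below is an added example, not code from any of these plugins, showing a vulnerable AJAX handler beside a hardened one with the three layers kept separate. It assumes the WordPress runtime (`check_ajax_referer`, `current_user_can`, `wp_send_json_*`); the action name `demo_bulk_save`, the `_demo_locked` meta key and the `post_ids` payload shape are hypothetical.

```php
<?php
// Added example, not code from any listed plugin. Assumes WordPress is loaded.

// VULNERABLE: the deny condition uses &&, so the request is refused only when
// BOTH the nonce and the capability check fail. A Subscriber who can obtain a
// valid nonce (they are routinely printed into front-end pages) is let through,
// and nothing checks that the caller may edit each individual post.
function demo_bulk_save_vulnerable() {
    $nonce_ok = (bool) wp_verify_nonce( $_POST['_wpnonce'] ?? '', 'demo_bulk_save' );
    $cap_ok   = current_user_can( 'manage_options' );
    if ( ! $nonce_ok && ! $cap_ok ) {            // bug: must be ||
        wp_send_json_error( 'forbidden', 403 );
    }
    foreach ( (array) ( $_POST['post_ids'] ?? array() ) as $post_id ) {
        update_post_meta( (int) $post_id, '_demo_locked', 1 );   // IDOR: no per-post check
    }
    wp_send_json_success();
}

// HARDENED: three independent layers, each failing closed.
function demo_bulk_save_hardened() {
    // 1. CSRF: the nonce proves the request came from a page we rendered.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'demo_bulk_save', '_wpnonce' );

    // 2. Authorization: the caller must hold a capability that fits the action.
    //    For read-only endpoints that expose private data the same rule applies;
    //    "logged in" is not a capability.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Object-level authorization: the meta capability edit_post is evaluated
    //    per post, so an Author cannot touch an Administrator's post.
    $post_ids = array_map( 'absint', (array) ( $_POST['post_ids'] ?? array() ) );
    $updated  = array();
    foreach ( $post_ids as $post_id ) {
        if ( $post_id && current_user_can( 'edit_post', $post_id ) ) {
            update_post_meta( $post_id, '_demo_locked', 1 );
            $updated[] = $post_id;
        }
    }
    wp_send_json_success( array( 'updated' => $updated ) );
}

add_action( 'wp_ajax_demo_bulk_save', 'demo_bulk_save_hardened' );
// Deliberately no wp_ajax_nopriv_ registration: registering the nopriv hook is
// what turns a missing capability check into an unauthenticated issue.
```

The same layering is the fix for the missing-capability entries further down this page (CVE-2026-1671, CVE-2026-1537, CVE-2026-2295, CVE-2026-1833, CVE-2026-1786): each is an AJAX or REST handler that performs layer 1 at most and skips layers 2 and 3.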
Threat Entry Updated 2026-04-15

CVE-2026-1671 - Activity Log For Wordpress Plugin

The Activity Log for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the winter_activity_log_action() function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view potentially sensitive information (e.g., the password of a higher level user, such as an administrator) contained in the exposed log files.

PLUGIN Activity Log For Wordpress

CVE-2026-1671

MEDIUM CVSS 6.5 2026-02-12
Threat Entry Updated 2026-04-15

CVE-2026-1356 - Converter for Media – Optimize images | Convert WebP & AVIF Plugin

The Converter for Media – Optimize images | Convert WebP & AVIF plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.5.1 via the PassthruLoader::load_image_source function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

PLUGIN Converter for Media – Optimize images | Convert WebP & AVIF

CVE-2026-1356

MEDIUM CVSS 4.8 2026-02-12
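The CVE-2026-1356 entry above concerns a server-side image loader that fetches a URL on the caller's behalf. Added example, not the Converter for Media plugin's code: the validation a fetcher of that kind needs before it connects, covering scheme, userinfo, and every address a hostname resolves to. It runs stand-alone with the PHP CLI; the resolver is injected and backed by a constructed map so no DNS lookups occur, and the function names `demo_is_public_ip()` / `demo_validate_fetch_url()` and the hostnames are hypothetical.

```php
<?php
// Added example, not the plugin's code. Validates an outbound fetch target.
// The resolver callback is a constructed fixture; in production pass
// 'gethostbynamel' (IPv4) or an equivalent that also returns AAAA records.

/** True when $ip is a public unicast address (IPv4 or IPv6). */
function demo_is_public_ip( string $ip ): bool {
    // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7
    // NO_RES_RANGE : 0/8, 127/8, 169.254/16, 240/4, ::1, ::, ::ffff:0:0/96, fe80::/10
    return filter_var( $ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE ) !== false;
}

/**
 * Returns the single IP the caller should connect to, or a string beginning
 * with "reject:" explaining why the URL must not be fetched.
 */
function demo_validate_fetch_url( string $url, callable $resolve ): string {
    $p = parse_url( $url );
    if ( $p === false ) {
        return 'reject: unparsable';
    }
    if ( ! in_array( strtolower( $p['scheme'] ?? '' ), array( 'http', 'https' ), true ) ) {
        return 'reject: scheme';          // no file://, gopher://, ftp://, php://
    }
    if ( empty( $p['host'] ) ) {
        return 'reject: no host';
    }
    if ( isset( $p['user'] ) || isset( $p['pass'] ) ) {
        return 'reject: userinfo';        // http://trusted.example@10.0.0.5/ tricks
    }
    $host = trim( $p['host'], '[]' );     // bare IPv6 literal
    $ips  = filter_var( $host, FILTER_VALIDATE_IP ) !== false
          ? array( $host )
          : (array) $resolve( $host );    // (array) false === array()
    if ( ! $ips ) {
        return 'reject: unresolvable';
    }
    // Every address must be public: one internal record in a split answer is enough to pivot.
    foreach ( $ips as $ip ) {
        if ( ! demo_is_public_ip( $ip ) ) {
            return "reject: non-public address $ip";
        }
    }
    // Caller must pin the connection to this IP (cURL: CURLOPT_RESOLVE) so a second
    // lookup at connect time cannot rebind to an internal address, and must not
    // follow redirects, which would otherwise bypass every check above.
    return $ips[0];
}

// --- constructed resolver fixture ---
$fixture  = array(
    'cdn.example.com'   => array( '203.0.113.10' ),
    'evil.example.com'  => array( '203.0.113.20', '10.0.0.5' ),   // split answer
    'metadata.internal' => array( '169.254.169.254' ),
);
$resolver = function ( string $host ) use ( $fixture ) {
    return $fixture[ $host ] ?? array();
};

foreach ( array(
    'https://cdn.example.com/img.png',
    'https://evil.example.com/img.png',
    'http://169.254.169.254/latest/meta-data/',
    'http://127.0.0.1:8080/',
    'file:///etc/passwd',
    'http://user@metadata.internal/',
    'http://[::1]/',
) as $u ) {
    printf( "%-44s -> %s\n", $u, demo_validate_fetch_url( $u, $resolver ) );
}
```

Only `cdn.example.com` passes; the split-horizon answer for `evil.example.com` is rejected on its second record. The two caveats in the comments are the ones that most often survive a first fix: resolving once and then letting cURL resolve again, and following redirects from a vetted host to an unvetted one.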
Threat Entry Updated 2026-04-15

CVE-2026-1537 - LatePoint – Calendar Booking Plugin for Appointments and Events

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_step() function in all versions up to, and including, 5.2.6. This makes it possible for unauthenticated attackers to view booking information including customer names, email addresses, phone numbers, appointment times, and service details.

PLUGIN LatePoint – Calendar Booking Plugin for Appointments and Events

CVE-2026-1537

MEDIUM CVSS 5.3 2026-02-12
Threat Entry Updated 2026-02-11

CVE-2025-13391 - Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) Plugin

The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'uni_cpo_remove_file' function in all versions up to, and including, 4.9.60. This makes it possible for unauthenticated attackers to delete arbitrary attachments or files stored in Dropbox if the file path is known. The vulnerability was partially patched in version 4.9.60.

PLUGIN Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium)

CVE-2025-13391

MEDIUM CVSS 5.8 2026-02-11
Threat Entry Updated 2026-04-15

CVE-2026-2295 - WPZOOM Addons for Elementor – Starter Templates & Widgets Plugin

The WPZOOM Addons for Elementor – Starter Templates & Widgets plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'ajax_post_grid_load_more' function in all versions up to, and including, 1.3.2. This makes it possible for unauthenticated attackers to retrieve protected (draft, future, pending) post titles and excerpts that should not be accessible to unauthenticated users.

PLUGIN WPZOOM Addons for Elementor – Starter Templates & Widgets

CVE-2026-2295

MEDIUM CVSS 5.3 2026-02-11
Threat Entry Updated 2026-04-15

CVE-2026-1885 - Slideshow Wp Plugin

The Slideshow Wp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sswpid' attribute of the 'sswp-slide' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Slideshow Wp

CVE-2026-1885

MEDIUM CVSS 6.4 2026-02-11
Threat Entry Updated 2026-04-15

CVE-2026-1853 - Buddyholis Listsearch Plugin

The BuddyHolis ListSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'listsearch' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Buddyholis Listsearch

CVE-2026-1853

MEDIUM CVSS 6.4 2026-02-11
Threat Entry Updated 2026-04-15

CVE-2026-1827 - IDE Micro code-editor Plugin

The Flask Micro code-editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's codeflask shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN IDE Micro code-editor

CVE-2026-1827

MEDIUM CVSS 6.4 2026-02-11
Threat Entry Updated 2026-04-15

CVE-2026-1826 - OpenPOS Lite – Point of Sale for WooCommerce Plugin

The OpenPOS Lite – Point of Sale for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter of the order_qrcode shortcode in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN OpenPOS Lite – Point of Sale for WooCommerce

CVE-2026-1826

MEDIUM CVSS 6.4 2026-02-11
Threat Entry Updated 2026-04-15

CVE-2026-1821 - Microtango Plugin

The Microtango plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'restkey' parameter of the mt_reservation shortcode in all versions up to, and including, 0.9.29 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Microtango

CVE-2026-1821

MEDIUM CVSS 6.4 2026-02-11
Threat Entry Updated 2026-04-15

CVE-2026-1809 - HTML Tag Shortcodes Plugin

The HTML Tag Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN HTML Tag Shortcodes

CVE-2026-1809

MEDIUM CVSS 6.4 2026-02-11
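Seven entries on this page (CVE-2026-1885, CVE-2026-1853, CVE-2026-1827, CVE-2026-1826, CVE-2026-1821, CVE-2026-1809 and, via a form field rather than a shortcode, CVE-2026-1164) are the same stored XSS shape: a shortcode attribute such as 'width', 'sswpid' or 'restkey' is interpolated into HTML unescaped. Contributors can place shortcodes in posts they cannot publish, and shortcode attributes are not filtered by KSES, so the usual "no unfiltered_html" guard does not apply. The block below is an added example, not code from any listed plugin, showing the vulnerable shape beside a hardened handler that validates by type and escapes for the exact output context. It assumes the WordPress runtime (`shortcode_atts`, `absint`, `esc_attr`, `esc_url`, `add_shortcode`); the shortcode name `demo_box` and its attributes are hypothetical.

```php
<?php
// Added example, not code from any listed plugin. Assumes WordPress is loaded.

// VULNERABLE: attributes are concatenated into markup as-is. A Contributor who
// publishes [demo_box width='100" onmouseover="alert(1)'] gets script executed
// for every visitor, including Administrators previewing the pending post.
function demo_box_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'width' => '300', 'id' => '', 'link' => '' ), $atts, 'demo_box' );
    return '<div id="' . $atts['id'] . '" style="width:' . $atts['width'] . 'px">'
         . '<a href="' . $atts['link'] . '">open</a></div>';
}

// HARDENED: validate each attribute against the type you actually need, then
// escape for the context it lands in (attribute, URL, inline style).
function demo_box_hardened( $atts ) {
    $atts = shortcode_atts( array( 'width' => '300', 'id' => '', 'link' => '' ), $atts, 'demo_box' );

    // Numeric attribute: coerce to int and clamp; the raw string is never echoed.
    $width = absint( $atts['width'] );
    $width = ( $width > 0 ) ? min( $width, 2000 ) : 300;

    // Identifier: allow-list the character set instead of escaping arbitrary text.
    $id = preg_replace( '/[^A-Za-z0-9_-]/', '', (string) $atts['id'] );

    // URL: esc_url() drops disallowed schemes (javascript:, data:) and escapes the rest.
    $link = esc_url( $atts['link'] );

    return sprintf(
        '<div id="%s" style="width:%dpx"><a href="%s">open</a></div>',
        esc_attr( $id ),   // attribute context
        $width,            // already an integer
        $link              // esc_url() output is safe inside href=""
    );
}

add_shortcode( 'demo_box', 'demo_box_hardened' );
```

The order matters: `esc_attr()` alone would not have saved the 'width' case, because `100" onmouseover="alert(1)` is still a string and still ends up inside `style=`; coercing to the intended type removes the payload before escaping is even needed.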
Threat Entry Updated 2026-04-15

CVE-2026-1833 - WaMate Confirm – Order Confirmation Plugin

The WaMate Confirm – Order Confirmation plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to block and unblock phone numbers, which should be restricted to administrators.

PLUGIN WaMate Confirm – Order Confirmation

CVE-2026-1833

MEDIUM CVSS 5.3 2026-02-11
Threat Entry Updated 2026-04-15

CVE-2026-1786 - Twitter Posts To Blog Plugin

The Twitter posts to Blog plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'dg_tw_options' function in all versions up to, and including, 1.11.25. This makes it possible for unauthenticated attackers to update plugin settings including Twitter API credentials, post author, post status, and the capability required to access the plugin's admin menu.

PLUGIN Twitter Posts To Blog

CVE-2026-1786

MEDIUM CVSS 6.5 2026-02-11