
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 10,759 | Critical: 0 | High: 0 | Medium: 10,759

Showing 121-140 of 10759 records
Threat Entry Updated 2026-04-01

CVE-2026-4146 - Loco Translate Plugin

The Loco Translate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘update_href’ parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

PLUGIN Loco Translate

CVE-2026-4146

MEDIUM CVSS 6.1 2026-03-31
Threat Entry Updated 2026-04-08

CVE-2026-1710 - Woocommerce Payments Plugin

The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_upe_appearance_ajax' function in all versions up to, and including, 10.5.1. This makes it possible for unauthenticated attackers to update plugin settings.

PLUGIN Woocommerce Payments

CVE-2026-1710

MEDIUM CVSS 6.5 2026-03-31
Threat Entry Updated 2026-04-01

CVE-2026-1797 - Truebooker Appointment Booking Plugin

The Appointment Booking and Scheduler Plugin – Truebooker plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 through its views PHP files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed views PHP files via direct access.

PLUGIN Truebooker Appointment Booking

CVE-2026-1797

MEDIUM CVSS 5.3 2026-03-31
Threat Entry Updated 2026-03-30

CVE-2026-2602 - Twentig Plugin

The Twentig plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'featuredImageSizeWidth' parameter in versions up to, and including, 1.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Twentig

CVE-2026-2602

MEDIUM CVSS 6.4 2026-03-29
Threat Entry Updated 2026-03-30

CVE-2026-2595 - Quads Ads Manager For Google Adsense Plugin

The Quads Ads Manager for Google AdSense plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.98.1 due to insufficient input sanitization and output escaping of multiple ad metadata parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Quads Ads Manager For Google Adsense

CVE-2026-2595

MEDIUM CVSS 5.4 2026-03-28
Threat Entry Updated 2026-03-30

CVE-2026-2442 - Drag And Drop Website Builder Plugin

The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 2.0.7. This is due to the contact form handler performing placeholder substitution on attacker-controlled form fields and then passing the resulting values into email headers without removing CR/LF characters. This makes it possible for unauthenticated attackers to inject arbitrary email headers (for example Bcc / Cc) and abuse form email delivery via the 'email' parameter, provided they can target a…

PLUGIN Drag And Drop Website Builder

CVE-2026-2442

MEDIUM CVSS 5.3 2026-03-28
Threat Entry Updated 2026-03-30

CVE-2026-1307 - Ninja Forms The Contact Form Builder That Grows With You Plugin

The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.1 via a callback function for the admin_enqueue_scripts action handler in blocks/bootstrap.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to gain access to an authorization token to view form submissions for arbitrary forms, which could potentially contain sensitive information.

PLUGIN Ninja Forms The Contact Form Builder That Grows With You

CVE-2026-1307

MEDIUM CVSS 6.5 2026-03-28
Threat Entry Updated 2026-03-30

CVE-2026-33559 - Osm Plugin

WordPress Plugin "OpenStreetMap" provided by MiKa contains a cross-site scripting vulnerability. On a site with the affected version of the plugin enabled, a logged-in user with page-creating/editing privileges can embed a malicious script via a crafted HTTP request. When a victim user accesses this page, the script may be executed in the user's web browser.

PLUGIN Osm

CVE-2026-33559

MEDIUM CVSS 5.1 2026-03-27
Threat Entry Updated 2026-04-08

CVE-2026-3098 - Smart Slider 3 Plugin

The Smart Slider 3 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.5.1.33 via the 'actionExportAll' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

PLUGIN Smart Slider 3

CVE-2026-3098

MEDIUM CVSS 6.5 2026-03-27
Threat Entry Updated 2026-03-30

CVE-2026-2389 - Ccpa Cookie Consent Plugin

The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.4.4.2. This is due to the `revert_divs_to_summary` function replacing `”` HTML entities with literal double-quote characters (`"`) in post content without subsequent sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. The Classic Editor plugin is required to be installed and activated in order to exploit this…

PLUGIN Ccpa Cookie Consent

CVE-2026-2389

MEDIUM CVSS 4.9 2026-03-26
Threat Entry Updated 2026-03-30

CVE-2026-1032 - Conditional Menus Plugin

The Conditional Menus plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.6. This is due to missing nonce validation on the 'save_options' function. This makes it possible for unauthenticated attackers to modify conditional menu assignments via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Conditional Menus

CVE-2026-1032

MEDIUM CVSS 4.3 2026-03-26
Threat Entry Updated 2026-04-15

CVE-2026-1890 - LeadConnector Plugin

The LeadConnector WordPress plugin before 3.0.22 does not perform an authorization check on a REST route, allowing unauthenticated users to call it and overwrite existing data.

PLUGIN LeadConnector

CVE-2026-1890

MEDIUM CVSS 5.3 2026-03-26
Threat Entry Updated 2026-04-15

CVE-2026-1430 - Wp Lightbox 2 Plugin

The WP Lightbox 2 WordPress plugin before 3.0.7 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Wp Lightbox 2

CVE-2026-1430

MEDIUM CVSS 4.8 2026-03-26
Threat Entry Updated 2026-03-30

CVE-2026-1206 - Elementor Website Builder Plugin

The Elementor Website Builder plugin for WordPress is vulnerable to Incorrect Authorization leading to Sensitive Information Exposure in all versions up to, and including, 3.35.7. This is due to a logic error in the is_allowed_to_read_template() function permission check that treats non-published templates as readable without verifying edit capabilities. This makes it possible for authenticated attackers, with contributor-level access and above, to read private or draft Elementor template content via the 'template_id' supplied to the 'get_template_data' action of the 'elementor_ajax' endpoint.

PLUGIN Elementor Website Builder

CVE-2026-1206

MEDIUM CVSS 4.3 2026-03-26
Threat Entry Updated 2026-03-30

CVE-2026-4389 - Dsgvo Leaflet Map Plugin

The DSGVO snippet for Leaflet Map and its Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `leafext-cookie-time` and `leafext-delete-cookie` shortcodes in all versions up to, and including, 3.1. This is due to insufficient input sanitization and output escaping on user supplied attributes (`unset`, `before`, `after`). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Dsgvo Leaflet Map

CVE-2026-4389

MEDIUM CVSS 6.4 2026-03-26
Threat Entry Updated 2026-03-30

CVE-2026-4281 - Formlift For Infusionsoft Web Forms Plugin

The FormLift for Infusionsoft Web Forms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 7.5.21. This is due to missing capability checks on the connect() and listen_for_tokens() methods of the FormLift_Infusionsoft_Manager class, both of which are hooked to 'plugins_loaded' and execute on every page load. The connect() function generates an OAuth connection password and leaks it in the redirect Location header without verifying the requesting user is authenticated or authorized. The listen_for_tokens() function only validates the temporary password but performs no user authentication…

PLUGIN Formlift For Infusionsoft Web Forms

CVE-2026-4281

MEDIUM CVSS 5.3 2026-03-26
Threat Entry Updated 2026-03-30

CVE-2026-4331 - Blog2Social: Social Media Auto Post & Scheduler Plugin

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to unauthorized data loss in all versions up to, and including, 8.8.2. This is due to the resetSocialMetaTags() function only verifying that the user has the 'read' capability and a valid b2s_security_nonce, both of which are available to Subscriber-level users, as the plugin grants 'blog2social_access' capability to all roles upon activation, allowing them to access the plugin's admin pages where the nonce is output. This makes it possible for authenticated attackers, with Subscriber-level access and above, to…

PLUGIN Blog2Social: Social Media Auto Post & Scheduler

CVE-2026-4331

MEDIUM CVSS 4.3 2026-03-26
Threat Entry Updated 2026-03-30

CVE-2026-4278 - Simple Download Counter Plugin

The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sdc_menu' shortcode in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes, specifically the 'text' and 'cat' attributes. The 'text' attribute is output directly into HTML content on line 159 without any escaping (e.g., esc_html()). The 'cat' attribute is used unescaped in HTML class attributes on lines 135 and 157 without esc_attr(). This makes it possible for authenticated attackers, with Contributor-level access and…

PLUGIN Simple Download Counter

CVE-2026-4278

MEDIUM CVSS 6.4 2026-03-26
Threat Entry Updated 2026-03-30

CVE-2026-4075 - Bwl Advanced Faq Manager Lite Plugin

The BWL Advanced FAQ Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'baf_sbox' shortcode in all versions up to and including 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'sbox_id', 'sbox_class', 'placeholder', 'highlight_color', 'highlight_bg', and 'cont_ext_class'. These attributes are directly interpolated into HTML element attributes without any esc_attr() escaping in the baf_sbox() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever…

PLUGIN Bwl Advanced Faq Manager Lite

CVE-2026-4075

MEDIUM CVSS 6.4 2026-03-26
Threat Entry Updated 2026-03-30

CVE-2026-4335 - Shortpixel Image Optimiser Plugin

The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup() function and its corresponding media-popup.php template. Specifically, the attachment's post_title is retrieved from the database via get_post() in AjaxController.php (line 435) and passed directly to the view template (line 449), where it is rendered into an HTML input element's value attribute without esc_attr() escaping (media-popup.php line 139). Since WordPress allows Authors to set arbitrary attachment…

PLUGIN Shortpixel Image Optimiser

CVE-2026-4335

MEDIUM CVSS 5.4 2026-03-26