
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 11,547 | Critical: 0 | High: 0 | Medium: 11,547
Showing 141-160 of 11,547 records
Threat Entry Updated 2026-05-22

CVE-2026-6864 - CBX 5 Star Rating & Review Plugin

The CBX 5 Star Rating & Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.

PLUGIN CBX 5 Star Rating & Review

CVE-2026-6864

MEDIUM CVSS 6.1 2026-05-22
Threat Entry Updated 2026-05-22

CVE-2026-7249 - Location Weather Plugin

The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the `splw_update_block_options()` and `lwp_clean_weather_transients()` functions in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disable all weather blocks and purge all weather cache transients. The nonce required for these actions is exposed to all authenticated users via `wp_localize_script()` on the `init` hook.

PLUGIN Location Weather

CVE-2026-7249

MEDIUM CVSS 4.3 2026-05-22
Threat Entry Updated 2026-05-22

CVE-2026-4070 - Alfie The Productfeedtool Wp Plugin

The Alfie – Feed Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the alfie_manage() function, which handles feed deletion via the 'delete' GET parameter. This makes it possible for unauthenticated attackers to delete arbitrary plugin feed data (from the alfie_colindex, alfie_producten, alfie_reactions, and alfie_searchproduct tables) via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Alfie The Productfeedtool Wp

CVE-2026-4070

MEDIUM CVSS 4.3 2026-05-22
Threat Entry Updated 2026-05-22

CVE-2026-3481 - Wp Blockade Plugin

The WP Blockade plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to and including 0.9.14. This is due to insufficient input sanitization and output escaping in the render_shortcode_preview() function. The function receives user input from $_GET['shortcode'], passes it through stripslashes() without any sanitization, and then outputs it directly via echo do_shortcode($shortcode) on line 393. When the input is not a valid WordPress shortcode (e.g., an HTML tag with JavaScript event handlers), do_shortcode() returns it unchanged, and it is reflected into the…

PLUGIN Wp Blockade

CVE-2026-3481

MEDIUM CVSS 6.1 2026-05-22
Threat Entry Updated 2026-05-22

CVE-2026-2518 - Fastx Theme

The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultp_install_callback' and 'ultp_activate_callback' functions in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate the PostX plugin.

THEME Fastx

CVE-2026-2518

MEDIUM CVSS 4.3 2026-05-22
Threat Entry Updated 2026-05-21

CVE-2026-4843 - Gsheet For Woo Importer Plugin

The GSheet For Woo Importer plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the process_ajax_restore_action() function in all versions up to, and including, 2.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's Google Sheets API token and configuration options.

PLUGIN Gsheet For Woo Importer

CVE-2026-4843

MEDIUM CVSS 4.3 2026-05-21
Threat Entry Updated 2026-05-21

CVE-2026-39593 - HAPPY Plugin

Missing Authorization vulnerability in VillaTheme HAPPY allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HAPPY: from n/a through 1.0.10.

PLUGIN HAPPY

CVE-2026-39593

MEDIUM CVSS 6.5 2026-05-21
Threat Entry Updated 2026-05-21

CVE-2026-27393 - CF7 WOW Styler Plugin

Missing Authorization vulnerability in Tobias CF7 WOW Styler allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CF7 WOW Styler: from n/a through 1.7.6.

PLUGIN CF7 WOW Styler

CVE-2026-27393

MEDIUM CVSS 5.3 2026-05-21
Threat Entry Updated 2026-05-21

CVE-2026-27349 - Mail Mint Plugin

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPFunnels Team Mail Mint allows Retrieve Embedded Sensitive Data. This issue affects Mail Mint: from n/a through 1.19.5.

PLUGIN Mail Mint

CVE-2026-27349

MEDIUM CVSS 4.3 2026-05-21
Threat Entry Updated 2026-05-21

CVE-2026-1543 - Avada (Fusion) Builder Theme

The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user (typically an administrator) accesses a page displaying dynamic user data (such as via the Dynamic Data feature pulling user biographical information).

THEME Avada (Fusion) Builder

CVE-2026-1543

MEDIUM CVSS 6.4 2026-05-21
Threat Entry Updated 2026-05-21

CVE-2026-4811 - Wpb Floating Menu Or Categories Plugin

The WPB Floating Menu & Categories for WordPress – Sticky Side Menu with Icons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Icon CSS Class' category field in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Wpb Floating Menu Or Categories

CVE-2026-4811

MEDIUM CVSS 4.9 2026-05-21
Threat Entry Updated 2026-05-21

CVE-2026-1881 - Broadstreet Plugin

The Broadstreet plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.52.2 via the get_sponsored_meta AJAX action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disclose any private post metadata.

PLUGIN Broadstreet

CVE-2026-1881

MEDIUM CVSS 4.3 2026-05-21
Threat Entry Updated 2026-05-20

CVE-2026-45443 - Elementor Plugin

Missing Authorization vulnerability in ADD-ONS.ORG PDF for Elementor Forms + Drag And Drop Template Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through 5.5.1.

PLUGIN Elementor

CVE-2026-45443

MEDIUM CVSS 5.0 2026-05-20
Threat Entry Updated 2026-05-20

CVE-2026-27405 - WpBookingly Plugin

Missing Authorization vulnerability in Magepeople inc. WpBookingly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpBookingly: from n/a through 1.2.9.

PLUGIN WpBookingly

CVE-2026-27405

MEDIUM CVSS 6.5 2026-05-20
Threat Entry Updated 2026-05-20

CVE-2026-24573 - Visualizer Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle Visualizer allows Stored XSS. This issue affects Visualizer: from n/a before 4.0.0.

PLUGIN Visualizer

CVE-2026-24573

MEDIUM CVSS 6.5 2026-05-20
Threat Entry Updated 2026-05-20

CVE-2026-27424 - Image Photo Gallery Final Tiles Grid Plugin

Missing Authorization vulnerability in WP Chill Image Photo Gallery Final Tiles Grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Photo Gallery Final Tiles Grid: from n/a through 3.6.11.

PLUGIN Image Photo Gallery Final Tiles Grid

CVE-2026-27424

MEDIUM CVSS 4.3 2026-05-20
Threat Entry Updated 2026-05-20

CVE-2026-6728 - Slider Revolution Plugin

The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 7.0.9 via the 'get_stream_data()' function. This makes it possible for unauthenticated attackers to extract sensitive data including published password-protected post, page, and product content.

PLUGIN Slider Revolution

CVE-2026-6728

MEDIUM CVSS 5.3 2026-05-20
Threat Entry Updated 2026-05-20

CVE-2026-6405 - Anomaly Detection And Alerting Plugin

The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in versions up to and including 0.3.6. This is due to missing nonce verification on the settings page handler and insufficient output escaping in the admin_options.php template. The settings form includes no wp_nonce_field() and the handler performs no check_admin_referer() check, meaning any cross-origin POST can modify plugin settings. The API key field is sanitized only with sanitize_text_field(), which strips HTML tags but does not encode double-quote…

PLUGIN Anomaly Detection And Alerting

CVE-2026-6405

MEDIUM CVSS 4.3 2026-05-20
Threat Entry Updated 2026-05-20

CVE-2026-7385 - Decent Comments Plugin

The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses.

PLUGIN Decent Comments

CVE-2026-7385

MEDIUM CVSS 5.8 2026-05-20
Threat Entry Updated 2026-05-20

CVE-2026-6566 - Nextgen Gallery Plugin

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the permission callback for DELETE /imagely/v1/images/{id} only checks 'NextGEN Manage gallery' permissions and does not enforce gallery ownership or 'NextGEN Manage others gallery' permissions. This makes it possible for authenticated attackers, with Subscriber-level privileges and 'NextGEN Manage gallery' capability, to delete gallery images belonging to other users as well…

PLUGIN Nextgen Gallery

CVE-2026-6566

MEDIUM CVSS 4.3 2026-05-20