Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 14,924 | Critical: 919 | High: 3,029 | Medium: 10,777
Showing 381-400 of 14924 records
Threat Entry Updated 2026-03-16

CVE-2026-3045 - Simply Schedule Appointments Plugin

The Appointment Booking Calendar — Simply Schedule Appointments plugin for WordPress is vulnerable to unauthorized access of sensitive data in all versions up to and including 1.6.9.29. This is due to two compounding weaknesses: (1) a non-user-bound `public_nonce` is exposed to unauthenticated users through the public `/wp-json/ssa/v1/embed-inner` REST endpoint, and (2) the `get_item()` method in `SSA_Settings_Api` relies on `nonce_permissions_check()` for authorization (which accepts the public nonce) but does not call `remove_unauthorized_settings_for_current_user()` to filter restricted fields. This makes it possible for unauthenticated attackers to access admin-only plugin settings including the administrator…

PLUGIN Simply Schedule Appointments

CVE-2026-3045

HIGH CVSS 7.5 2026-03-13
Threat Entry Updated 2026-03-16

CVE-2026-32409 - Forminator Plugin

Missing Authorization vulnerability in WPMU DEV - Your All-in-One WordPress Platform Forminator forminator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Forminator: from n/a through

PLUGIN Forminator

CVE-2026-32409

MEDIUM CVSS 5.3 2026-03-13
Threat Entry Updated 2026-03-16

CVE-2026-2890 - Formidable Forms Plugin

The Formidable Forms plugin for WordPress is vulnerable to a payment integrity bypass in all versions up to, and including, 6.28. This is due to the Stripe Link return handler (`handle_one_time_stripe_link_return_url`) marking payment records as complete based solely on the Stripe PaymentIntent status without comparing the intent's charged amount against the expected payment amount, and the `verify_intent()` function validating only client secret ownership without binding intents to specific forms or actions. This makes it possible for unauthenticated attackers to reuse a PaymentIntent from a completed low-value payment to mark a…

PLUGIN Formidable Forms

CVE-2026-2890

HIGH CVSS 7.5 2026-03-13
Threat Entry Updated 2026-03-16

CVE-2026-2879 - GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools Plugin

The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2. This is due to missing validation on the `id` parameter in the `create()` method of the `GetGenieChat` REST API endpoint. The method accepts a user-controlled post ID and, when a post with that ID exists, calls `wp_update_post()` without verifying that the current user owns the post or that the post is of the expected `getgenie_chat` type. This makes it possible for authenticated attackers, with Author-level access and above, to overwrite…

PLUGIN GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools

CVE-2026-2879

MEDIUM CVSS 5.4 2026-03-13
Threat Entry Updated 2026-03-16

CVE-2026-2888 - Formidable Forms Plugin

The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass through user-controlled key in all versions up to, and including, 6.28. This is due to the `frm_strp_amount` AJAX handler (`update_intent_ajax`) overwriting the global `$_POST` data with attacker-controlled JSON input and then using those values to recalculate payment amounts via field shortcode resolution in `generate_false_entry()`. The handler relies on a nonce that is publicly exposed in the page's JavaScript (`frm_stripe_vars.nonce`), which provides CSRF protection but not authorization. This makes it possible for unauthenticated attackers to manipulate PaymentIntent amounts before…

PLUGIN Formidable Forms

CVE-2026-2888

MEDIUM CVSS 5.3 2026-03-13
Threat Entry Updated 2026-03-16

CVE-2026-2257 - GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools Plugin

The GetGenie plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.2 due to missing validation on a user controlled key in the `action` function. This makes it possible for authenticated attackers, with Author-level access and above, to update post metadata for arbitrary posts. Combined with a lack of input sanitization, this leads to Stored Cross-Site Scripting when a higher-privileged user (such as an Administrator) views the affected post's "Competitor" tab in the GetGenie sidebar.

PLUGIN GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools

CVE-2026-2257

MEDIUM CVSS 6.4 2026-03-13
Threat Entry Updated 2026-03-17

CVE-2026-22210 - Wpdiscuz Plugin

wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through unescaped attachment URLs in HTML output by exploiting the WpdiscuzHelperUpload class. Attackers can craft malicious attachment records or filter hooks to inject arbitrary JavaScript into img and anchor tag attributes, executing code in the context of WordPress users viewing comments.

PLUGIN Wpdiscuz

CVE-2026-22210

LOW CVSS 2.1 2026-03-13
Threat Entry Updated 2026-03-16

CVE-2026-1704 - Simply Schedule Appointments Plugin

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.6.9.29. This is due to the `get_item_permissions_check` method granting access to users with the `ssa_manage_appointments` capability without validating staff ownership of the requested appointment. This makes it possible for authenticated attackers, with custom-level access and above (users granted the ssa_manage_appointments capability, such as Team Members), to view appointment records belonging to other staff members and access sensitive customer personally identifiable information via the…

PLUGIN Simply Schedule Appointments

CVE-2026-1704

MEDIUM CVSS 4.3 2026-03-13
Threat Entry Updated 2026-03-12

CVE-2026-2987 - Simple Ajax Chat Plugin

The Simple Ajax Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'c' parameter in versions up to, and including, 20260217 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Simple Ajax Chat

CVE-2026-2987

MEDIUM CVSS 6.1 2026-03-12
Threat Entry Updated 2026-04-15

CVE-2026-2687 - Reading Progressbar Plugin

The Reading progressbar WordPress plugin before 1.3.1 does not sanitise and escape some of its settings, which could allow high-privilege users such as admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in a multisite setup).

PLUGIN Reading Progressbar

CVE-2026-2687

MEDIUM CVSS 4.3 2026-03-12
Threat Entry Updated 2026-03-12

CVE-2026-3657 - My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu) Plugin

The My Sticky Bar plugin for WordPress is vulnerable to SQL injection via the `stickymenu_contact_lead_form` AJAX action in all versions up to, and including, 2.8.6. This is due to the handler using attacker-controlled POST parameter names directly as SQL column identifiers in `$wpdb->insert()`. While parameter values are sanitized with `esc_sql()` and `sanitize_text_field()`, the parameter keys are used as-is to build the column list in the INSERT statement. This makes it possible for unauthenticated attackers to inject SQL via crafted parameter names, enabling blind time-based data extraction from the database.

PLUGIN My Sticky Bar – Floating Notification Bar & Sticky Header (formerly myStickymenu)

CVE-2026-3657

HIGH CVSS 7.5 2026-03-12
Threat Entry Updated 2026-03-12

CVE-2026-3226 - LearnPress – WordPress LMS Plugin for Create and Sell Online Courses

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized email notification triggering due to missing capability checks on all 10 functions in the SendEmailAjax class in all versions up to, and including, 4.3.2.8. The AbstractAjax::catch_lp_ajax() dispatcher verifies a wp_rest nonce but performs no current_user_can() check before dispatching to handler functions. The wp_rest nonce is embedded in the frontend JavaScript for all authenticated users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger arbitrary email notifications to admins, instructors, and users, enabling…

PLUGIN LearnPress – WordPress LMS Plugin for Create and Sell Online Courses

CVE-2026-3226

MEDIUM CVSS 4.3 2026-03-12
Threat Entry Updated 2026-03-12

CVE-2026-3496 - Jetbooking Plugin

The JetBooking plugin for WordPress is vulnerable to SQL Injection via the 'check_in_date' parameter in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Jetbooking

CVE-2026-3496

HIGH CVSS 7.5 2026-03-11
Threat Entry Updated 2026-03-11

CVE-2026-3178 - Name Directory Plugin

The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' parameter in all versions up to, and including, 1.32.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in versions 1.30.3 and 1.32.1.

PLUGIN Name Directory

CVE-2026-3178

HIGH CVSS 7.2 2026-03-11
Threat Entry Updated 2026-03-11

CVE-2026-3492 - Gravity Forms Plugin

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.9.28.1. This is due to a compound failure involving missing authorization on the `create_from_template` AJAX endpoint (allowing any authenticated user to create forms), insufficient input sanitization (`sanitize_text_field()` preserves single quotes), and missing output escaping when the form title is rendered in the Form Switcher dropdown (`title` attribute constructed without `esc_attr()`, and JavaScript `saferHtml` utility only escapes `&`, `` but not quotes). This makes it possible for authenticated attackers, with Subscriber-level access…

PLUGIN Gravity Forms

CVE-2026-3492

MEDIUM CVSS 6.4 2026-03-11
Threat Entry Updated 2026-03-11

CVE-2026-3906 - WordPress Core

WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the authenticated user has `edit_post` permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any…

CORE WordPress Core

CVE-2026-3906

MEDIUM CVSS 4.3 2026-03-11
Threat Entry Updated 2026-03-11

CVE-2026-1993 - ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the `update_settings()` function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to modify any plugin setting, including the `save_settings` option that controls which user roles have access to plugin functionality. The admin intended to delegate configuration access to a trusted user, not enable that user to delegate access to everyone. By setting…

PLUGIN ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)

CVE-2026-1993

HIGH CVSS 8.8 2026-03-11
Threat Entry Updated 2026-03-11

CVE-2026-1992 - ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the `store_settings()` method in the `ExactMetrics_Onboarding` class accepting a user-supplied `triggered_by` parameter that is used instead of the current user's ID to check permissions. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to bypass the `install_plugins` capability check by specifying an administrator's user ID in the `triggered_by` parameter, allowing them to install arbitrary plugins and achieve Remote Code Execution. This vulnerability only…

PLUGIN ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin)

CVE-2026-1992

HIGH CVSS 8.8 2026-03-11
Threat Entry Updated 2026-04-08

CVE-2026-3231 - Woo Checkout Field Editor Pro Plugin

The Checkout Field Editor (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted through the WooCommerce Block Checkout Store API in all versions up to, and including, 2.1.7. This is due to the `prepare_single_field_data()` method in `class-thwcfd-block-order-data.php` first escaping values with `esc_html()` then immediately reversing the escaping with `html_entity_decode()` for radio and checkboxgroup field types, combined with a permissive `wp_kses()` allowlist in `get_allowed_html()` that explicitly permits the `` element with the `onchange` event handler attribute. This makes it…

PLUGIN Woo Checkout Field Editor Pro

CVE-2026-3231

HIGH CVSS 7.2 2026-03-11