Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-03-09
CVE-2026-2593 - Greenshift – animation and page builder blocks Plugin
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `_gspb_post_css` post meta value and the `dynamicAttributes` block attribute in all versions up to, and including, 12.8.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Greenshift – animation and page builder blocks
CVE-2026-2593
Risk Score
Threat Entry
Updated 2026-03-05
CVE-2026-3459 - Drag And Drop Multiple File Upload Contact Form 7 Plugin
The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if the form includes a multiple file upload field with ‘*’ as the accepted file type.
PLUGIN
Drag And Drop Multiple File Upload Contact Form 7
CVE-2026-3459
Risk Score
Threat Entry
Updated 2026-03-05
CVE-2026-1720 - Create Stunning Popups And Optins For Lead Generation Plugin
The WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the 'install_and_active_plugin' function in all versions up to, and including, 1.4.24. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins.
PLUGIN
Create Stunning Popups And Optins For Lead Generation
CVE-2026-1720
Risk Score
Threat Entry
Updated 2026-03-05
CVE-2026-2599 - Contact Form Entries Plugin
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.7 via deserialization of untrusted input in the 'download_csv' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme…
PLUGIN
Contact Form Entries
CVE-2026-2599
Risk Score
Threat Entry
Updated 2026-03-05
CVE-2026-2893 - Page And Post Clone Plugin
The Page and Post Clone plugin for WordPress is vulnerable to SQL Injection via the 'meta_key' parameter in the content_clone() function in all versions up to, and including, 6.3. This is due to insufficient escaping on the user-supplied meta_key value and insufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The injection is second-order: the malicious payload is stored as…
PLUGIN
Page And Post Clone
CVE-2026-2893
Risk Score
Threat Entry
Updated 2026-03-05
CVE-2026-1321 - Restrict Content Plugin
The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.20. This is due to the `rcp_setup_registration_init()` function accepting any membership level ID via the `rcp_level` POST parameter without validating that the level is active or that payment is required. Combined with the `add_user_role()` method which assigns the WordPress role configured on the membership level without status checks, this makes it possible for unauthenticated attackers to register with any membership level, including inactive levels that grant privileged WordPress roles…
PLUGIN
Restrict Content
CVE-2026-1321
Risk Score
Threat Entry
Updated 2026-03-05
CVE-2026-3072 - Media Library Assistant Plugin
The Media Library Assistant plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the mla_update_compat_fields_action() function in all versions up to, and including, 3.33. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify taxonomy terms on arbitrary attachments.
PLUGIN
Media Library Assistant
CVE-2026-3072
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2418 - Login With Salesforce Plugin
The Login with Salesforce WordPress plugin through 1.0.2 does not validate that users are allowed to login through Salesforce, allowing unauthenticated users to be authenticated as any user (such as admin) by simply knowing the email
PLUGIN
Login With Salesforce
CVE-2026-2418
Risk Score
Threat Entry
Updated 2026-03-06
CVE-2026-28043 - Healer - Doctor, Clinic & Medical WordPress Theme
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Healer - Doctor, Clinic & Medical WordPress Theme healer allows PHP Local File Inclusion.This issue affects Healer - Doctor, Clinic & Medical WordPress Theme: from n/a through
THEME
Healer - Doctor, Clinic & Medical WordPress Theme
CVE-2026-28043
Risk Score
Threat Entry
Updated 2026-03-09
CVE-2026-27342 - TopFit - Fitness and Gym WordPress Theme
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes TopFit - Fitness and Gym WordPress Theme topfit allows PHP Local File Inclusion.This issue affects TopFit - Fitness and Gym WordPress Theme: from n/a through
THEME
TopFit - Fitness and Gym WordPress Theme
CVE-2026-27342
Risk Score
Threat Entry
Updated 2026-03-06
CVE-2026-27341 - TopScorer - Sports WordPress Theme
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes TopScorer - Sports WordPress Theme topscorer allows PHP Local File Inclusion.This issue affects TopScorer - Sports WordPress Theme: from n/a through
THEME
TopScorer - Sports WordPress Theme
CVE-2026-27341
Risk Score
Threat Entry
Updated 2026-03-09
CVE-2026-27340 - Apollo | Night Club, DJ Event WordPress Theme
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Apollo | Night Club, DJ Event WordPress Theme apollo allows PHP Local File Inclusion.This issue affects Apollo | Night Club, DJ Event WordPress Theme: from n/a through
THEME
Apollo | Night Club, DJ Event WordPress Theme
CVE-2026-27340
Risk Score
Threat Entry
Updated 2026-03-11
CVE-2026-27339 - Buzz Stone | Magazine & Viral Blog WordPress Theme
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Buzz Stone | Magazine & Viral Blog WordPress Theme buzzstone allows PHP Local File Inclusion.This issue affects Buzz Stone | Magazine & Viral Blog WordPress Theme: from n/a through
THEME
Buzz Stone | Magazine & Viral Blog WordPress Theme
CVE-2026-27339
Risk Score
Threat Entry
Updated 2026-03-09
CVE-2026-27337 - Chronicle - Lifestyle Magazine & Blog WordPress Theme
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Chronicle - Lifestyle Magazine & Blog WordPress Theme chronicle allows PHP Local File Inclusion.This issue affects Chronicle - Lifestyle Magazine & Blog WordPress Theme: from n/a through
THEME
Chronicle - Lifestyle Magazine & Blog WordPress Theme
CVE-2026-27337
Risk Score
Threat Entry
Updated 2026-03-09
CVE-2026-27336 - Consultor | Consulting, Accounting & Legal Counsel WordPress Theme
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Consultor | Consulting, Accounting & Legal Counsel WordPress Theme consultor allows PHP Local File Inclusion.This issue affects Consultor | Consulting, Accounting & Legal Counsel WordPress Theme: from n/a through
THEME
Consultor | Consulting, Accounting & Legal Counsel WordPress Theme
CVE-2026-27336
Risk Score
Threat Entry
Updated 2026-03-09
CVE-2026-27326 - AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme window-ac-services allows PHP Local File Inclusion.This issue affects AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme: from n/a through
THEME
AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme
CVE-2026-27326
Risk Score
Threat Entry
Updated 2026-03-09
CVE-2026-27097 - CasaMia | Property Rental Real Estate WordPress Theme
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes CasaMia | Property Rental Real Estate WordPress Theme casamia allows PHP Local File Inclusion.This issue affects CasaMia | Property Rental Real Estate WordPress Theme: from n/a through
THEME
CasaMia | Property Rental Real Estate WordPress Theme
CVE-2026-27097
Risk Score
Threat Entry
Updated 2026-04-01
CVE-2026-22459 - WordPress CTA Plugin
Missing Authorization vulnerability in Blend Media WordPress CTA easy-sticky-sidebar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress CTA: from n/a through
PLUGIN
WordPress CTA
CVE-2026-22459
Risk Score
Threat Entry
Updated 2026-03-10
CVE-2026-22390 - Builderall Builder for WordPress Plugin
Improper Control of Generation of Code ('Code Injection') vulnerability in Builderall Builderall Builder for WordPress builderall-cheetah-for-wp allows Code Injection.This issue affects Builderall Builder for WordPress: from n/a through
PLUGIN
Builderall Builder for WordPress
CVE-2026-22390
Risk Score
Threat Entry
Updated 2026-03-05
CVE-2026-3523 - Apocalypse Meow Plugin
The Apocalypse Meow plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 22.1.0. This is due to a flawed logical operator in the type validation check on line 261 of ajax.php — the condition uses `&&` (AND) instead of `||` (OR), causing the `in_array()` validation to be short-circuited and never evaluated for any non-empty type value. Combined with `stripslashes_deep()` being called on line 101 which removes `wp_magic_quotes()` protection, attacker-controlled single quotes pass through unescaped into the SQL query on line…
PLUGIN
Apocalypse Meow
CVE-2026-3523
Risk Score