Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 14,955
Critical: 920
High: 3,037
Medium: 10,799
Showing 561-580 of 14,955 records
Threat Entry Updated 2026-04-15

CVE-2026-2383 - Simple Download Monitor Plugin

The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Simple Download Monitor

CVE-2026-2383

MEDIUM CVSS 6.4 2026-02-27
Threat Entry Updated 2026-04-15

CVE-2026-2362 - Wp Accessibility Plugin

The WP Accessibility plugin for WordPress is vulnerable to Stored DOM-Based Cross-Site Scripting via the 'alt' attribute of images processed by the "Long Description UI" feature in all versions up to, and including, 2.3.1. This is due to the plugin's JavaScript retrieving the alt attribute using getAttribute() and unsafely concatenating it into innerHTML and insertAdjacentHTML calls without proper sanitization or escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.…

PLUGIN Wp Accessibility

CVE-2026-2362

MEDIUM CVSS 6.4 2026-02-27
Threat Entry Updated 2026-03-02

CVE-2026-2251 - Xerox FreeFlow Core Plugin

Improper limitation of a pathname to a restricted directory (Path Traversal) vulnerability in Xerox FreeFlow Core allows unauthorized path traversal leading to RCE. This issue affects Xerox FreeFlow Core versions up to and including 8.0.7. Please consider upgrading to FreeFlow Core version 8.1.0 via the software available from https://www.support.xerox.com/en-us/product/core/downloads

PLUGIN Xerox FreeFlow Core

CVE-2026-2251

CRITICAL CVSS 9.8 2026-02-27
Threat Entry Updated 2026-02-27

CVE-2025-12981 - Listee Theme

The Listee theme for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.1.6. This is due to a broken validation check in the bundled listee-core plugin's user registration function that fails to properly sanitize the user_role parameter. This makes it possible for unauthenticated attackers to register as Administrator by manipulating the user_role parameter during registration.

THEME Listee

CVE-2025-12981

CRITICAL CVSS 9.8 2026-02-27
Threat Entry Updated 2026-02-27

CVE-2025-14149 - Widgets For Elementor Plugin

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Scroller widget box link attribute in all versions up to, and including, 1.4.24 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Widgets For Elementor

CVE-2025-14149

MEDIUM CVSS 6.4 2026-02-27
Threat Entry Updated 2026-02-27

CVE-2025-14040 - Automotive Car Dealership Business Wordpress Theme

The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Call to Action' custom fields in all versions up to, and including, 13.4. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the 'action_text', 'action_button_text', 'action_link', and 'action_class' custom fields. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Automotive Car Dealership Business Wordpress

CVE-2025-14040

MEDIUM CVSS 6.4 2026-02-27
Threat Entry Updated 2026-04-15

CVE-2026-1558 - Wp Recipe Maker Plugin

The WP Recipe Maker plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in versions up to, and including, 10.3.2. This is due to the /wp-json/wp-recipe-maker/v1/integrations/instacart REST API endpoint's permission_callback being set to __return_true and a lack of subsequent authorization or ownership checks on the user-supplied recipeId. This makes it possible for unauthenticated attackers to overwrite arbitrary post metadata (wprm_instacart_combinations) for any post ID on the site via the recipeId parameter.

PLUGIN Wp Recipe Maker

CVE-2026-1558

MEDIUM CVSS 5.3 2026-02-27
Threat Entry Updated 2026-04-15

CVE-2026-2428 - Fluent Forms Pro Add On Pack Plugin

The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Instant Payment Notification) verification being disabled by default (`disable_ipn_verification` defaults to `'yes'` in `PayPalSettings.php`). This makes it possible for unauthenticated attackers to send forged PayPal IPN notifications to the publicly accessible IPN endpoint, marking unpaid form submissions as "paid" and triggering post-payment automation (emails, access grants, digital product delivery).

PLUGIN Fluent Forms Pro Add On Pack

CVE-2026-2428

HIGH CVSS 7.5 2026-02-27
Threat Entry Updated 2026-04-15

CVE-2026-1565 - User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration Plugin

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WPUF_Admin_Settings::check_filetype_and_ext' function and in the 'Admin_Tools::check_filetype_and_ext' function in all versions up to, and including, 4.2.8. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration

CVE-2026-1565

HIGH CVSS 8.8 2026-02-26
Threat Entry Updated 2026-02-27

CVE-2026-28136 - WP SMS Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VeronaLabs WP SMS wp-sms allows SQL Injection. This issue affects WP SMS: from n/a through

PLUGIN WP SMS

CVE-2026-28136

HIGH CVSS 7.6 2026-02-26
Threat Entry Updated 2026-02-27

CVE-2026-28138 - uListing Plugin

Deserialization of Untrusted Data vulnerability in Stylemix uListing ulisting allows Object Injection. This issue affects uListing: from n/a through

PLUGIN uListing

CVE-2026-28138

HIGH CVSS 7.2 2026-02-26
Threat Entry Updated 2026-02-27

CVE-2026-28131 - Elementor Addon Elements Plugin

Insertion of Sensitive Information Into Sent Data vulnerability in WPVibes Elementor Addon Elements addon-elements-for-elementor-page-builder allows Retrieve Embedded Sensitive Data. This issue affects Elementor Addon Elements: from n/a through

PLUGIN Elementor Addon Elements

CVE-2026-28131

MEDIUM CVSS 6.5 2026-02-26
Threat Entry Updated 2026-02-27

CVE-2026-28132 - WooCommerce Photo Reviews Theme

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in villatheme WooCommerce Photo Reviews woocommerce-photo-reviews allows Code Injection. This issue affects WooCommerce Photo Reviews: from n/a through

THEME WooCommerce Photo Reviews

CVE-2026-28132

MEDIUM CVSS 5.3 2026-02-26
Threat Entry Updated 2026-02-27

CVE-2026-28083 - Flatsome Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UX-themes Flatsome flatsome allows Stored XSS. This issue affects Flatsome: from n/a through

PLUGIN Flatsome

CVE-2026-28083

MEDIUM CVSS 6.5 2026-02-26
Threat Entry Updated 2026-04-15

CVE-2026-1311 - Worry Proof Backup Plugin

The Worry Proof Backup plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.2.4 via the backup upload functionality. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload a malicious ZIP archive with path traversal sequences to write arbitrary files anywhere on the server, including executable PHP files. This can lead to remote code execution.

PLUGIN Worry Proof Backup

CVE-2026-1311

HIGH CVSS 8.8 2026-02-26
Threat Entry Updated 2026-04-15

CVE-2026-2356 - User Registration Plugin

The User Registration & Membership – Custom Registration Form, Login Form, and User Profile plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2 via the 'register_member' function, due to missing validation on the 'member_id' user-controlled key. This makes it possible for unauthenticated attackers to delete arbitrary newly registered user accounts on the site that have the 'urm_user_just_created' user meta set.

PLUGIN User Registration

CVE-2026-2356

MEDIUM CVSS 5.3 2026-02-26
Threat Entry Updated 2026-04-15

CVE-2026-1779 - User Registration Plugin

The User Registration & Membership plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.2. This is due to incorrect authentication in the 'register_member' function. This makes it possible for unauthenticated attackers to log in as a newly registered user on the site that has the 'urm_user_just_created' user meta set.

PLUGIN User Registration

CVE-2026-1779

HIGH CVSS 8.1 2026-02-26
Threat Entry Updated 2026-04-15

CVE-2026-2506 - Cost Calculator Plugin

The EM Cost Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to the plugin storing attacker-controlled 'customer_name' data and rendering it in the admin customer list without output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the EMCC Customers page.

PLUGIN Cost Calculator

CVE-2026-2506

MEDIUM CVSS 6.1 2026-02-26
Threat Entry Updated 2026-04-15

CVE-2026-2499 - Custom Logo Plugin

The Custom Logo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Custom Logo

CVE-2026-2499

MEDIUM CVSS 4.4 2026-02-26
Threat Entry Updated 2026-04-15

CVE-2026-2498 - Wp Social Meta Plugin

The WP Social Meta plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

PLUGIN Wp Social Meta

CVE-2026-2498

MEDIUM CVSS 4.4 2026-02-26