Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2026-05-28

CVE-2026-9644 - Livesmart Video Chat Live Video Chat Plugin

The LiveSmart Video Chat Live Video Chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'livesmart_widget' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PLUGIN Livesmart Video Chat Live Video Chat

CVE-2026-9644

MEDIUM CVSS 6.4 2026-05-28
Threat Entry Updated 2026-05-28

CVE-2026-9009 - Crawlomatic Multipage Scraper Post Generator Plugin

The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.7.2 via the filter_content function. This is due to passing the attacker-supplied 'callback_raw' shortcode attribute directly into call_user_func() with no sanitization or allowlist validation, relying solely on an is_callable() check that permits dangerous PHP built-ins such as system, shell_exec, exec, passthru, and assert. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. An identical sink exists for the 'callback'…

PLUGIN Crawlomatic Multipage Scraper Post Generator

CVE-2026-9009

HIGH CVSS 8.8 2026-05-28
Threat Entry Updated 2026-05-28

CVE-2026-7533 - Easy Digital Downloads Plugin

The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.7. This is due to missing nonce verification in the `handle_oauth_redirect()` function, which is registered on the `admin_init` hook and processes Square OAuth tokens from a user-supplied GET parameter without any CSRF token validation. This makes it possible for unauthenticated attackers to overwrite the store's Square payment gateway credentials by tricking a logged-in administrator into clicking a crafted link, potentially resulting in payment account hijacking.

PLUGIN Easy Digital Downloads

CVE-2026-7533

MEDIUM CVSS 4.3 2026-05-28
Threat Entry Updated 2026-05-28

CVE-2026-3173 - Display A Meta Field As Block Plugin

The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user has permission to access the requested object's metadata. This makes it possible for authenticated attackers, with Contributor-level access and above, to read arbitrary user meta, post meta, and term meta data from any object in the database. On sites using plugins that store…

PLUGIN Display A Meta Field As Block

CVE-2026-3173

MEDIUM CVSS 6.5 2026-05-28
Threat Entry Updated 2026-05-28

CVE-2026-9241 - Woocommerce Currency Switcher Plugin

The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 1.4.6. This is due to the `get_value()` function in `classes/fixed/fixed_user_role.php` trusting the attacker-controlled `$_REQUEST['wooc_order_user_roles']` parameter to determine the user's role context for role-based price resolution without any validation, allowing it to override the legitimate role data derived from the authenticated user's session object via `$user->roles`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to impersonate higher-privileged roles — such as…

PLUGIN Woocommerce Currency Switcher

CVE-2026-9241

MEDIUM CVSS 4.3 2026-05-28
Threat Entry Updated 2026-05-28

CVE-2026-9228 - Mp Timetable Plugin

The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.16 via the action_get_event_data due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to enumerate timeslot IDs and read the full WP_Post object — including post_content, post_excerpt, post_status, and post_author — of draft, pending, and private mp-event posts belonging to other users, along with their associated raw timeslot descriptions.

PLUGIN Mp Timetable

CVE-2026-9228

MEDIUM CVSS 4.3 2026-05-28
Threat Entry Updated 2026-05-28

CVE-2026-7802 - Acf Frontend Form Element Plugin

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.29.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite an administrator's user_pass, user_email, first_name, last_name, and other profile fields by supplying an arbitrary ?user_id= value, enabling full administrator account takeover via direct password replacement or email-redirect password reset. Exploitation requires the targeted Edit-User form to have…

PLUGIN Acf Frontend Form Element

CVE-2026-7802

HIGH CVSS 8.8 2026-05-28
Threat Entry Updated 2026-05-28

CVE-2026-5737 - Independent Analytics Plugin

The Independent Analytics plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.14.9. This is due to a public tracking route at /wp-json/iawp/search that accepts attacker-controlled referrer_url values when the signature matches, combined with a scheduled favicon fetcher that performs unrestricted cURL requests to stored domains. The signature validation is insufficient because the signature is embedded in publicly-accessible JavaScript and the salt is static per site, allowing attackers to extract valid signatures. The favicon downloader uses raw cURL functions without any SSRF protection…

PLUGIN Independent Analytics

CVE-2026-5737

MEDIUM CVSS 6.5 2026-05-28
Threat Entry Updated 2026-05-28

CVE-2026-2374 - Login Recaptcha Plugin

The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `$_SERVER['PHP_SELF']` superglobal in all versions up to, and including, 1.8.0. This is due to the `authenticate()` function storing the unsanitized output of `basename($_SERVER['PHP_SELF'])` in the `login_nocaptcha_error` WordPress option when a login attempt is made from a non-standard login page (e.g., xmlrpc.php). The `admin_notices()` function then echoes this stored value directly into the admin dashboard HTML without escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator…

PLUGIN Login Recaptcha

CVE-2026-2374

HIGH CVSS 7.2 2026-05-28
Threat Entry Updated 2026-05-28

CVE-2026-4888 - Everest Forms Plugin

The Everest Forms – Contact Form, Payment Form, Quiz, Survey & Custom Form Builder plugin for WordPress is vulnerable to unauthorized email sending due to a missing capability check on the send_test_email() function in all versions up to, and including, 3.4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send test emails to arbitrary addresses from the server.

PLUGIN Everest Forms

CVE-2026-4888

MEDIUM CVSS 4.3 2026-05-28
Threat Entry Updated 2026-05-27

CVE-2026-49054 - The Post Grid Plugin

Missing Authorization vulnerability in Mamunur Rashid The Post Grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Post Grid: from n/a through 7.9.2.

PLUGIN The Post Grid

CVE-2026-49054

MEDIUM CVSS 4.3 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-49046 - Duplicate Page and Post Plugin

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Arjun Thakur Duplicate Page and Post allows Blind SQL Injection. This issue affects Duplicate Page and Post: from n/a through 2.9.5.

PLUGIN Duplicate Page and Post

CVE-2026-49046

HIGH CVSS 8.5 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-49053 - Elementor Plugin

Missing Authorization vulnerability in Wpmet ElementsKit Elementor addons Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementsKit Elementor addons Lite: from n/a through 3.9.6.

PLUGIN Elementor

CVE-2026-49053

MEDIUM CVSS 5.3 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-49059 - Facebook for WooCommerce Plugin

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Facebook Facebook for WooCommerce allows Phishing. This issue affects Facebook for WooCommerce: from n/a through 3.7.0.

PLUGIN Facebook for WooCommerce

CVE-2026-49059

MEDIUM CVSS 4.7 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-49052 - Elementor Plugin

Missing Authorization vulnerability in Wpmet ElementsKit Elementor addons Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementsKit Elementor addons Lite: from n/a through 3.9.6.

PLUGIN Elementor

CVE-2026-49052

MEDIUM CVSS 4.3 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-49051 - WP Meta and Date Remover Plugin

Missing Authorization vulnerability in Prasad Kirpekar WP Meta and Date Remover allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Meta and Date Remover: from n/a through 2.3.6.

PLUGIN WP Meta and Date Remover

CVE-2026-49051

MEDIUM CVSS 4.3 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-49047 - DearFlip Plugin

Missing Authorization vulnerability in DearHive DearFlip allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DearFlip: from n/a through 2.4.27.

PLUGIN DearFlip

CVE-2026-49047

MEDIUM CVSS 4.3 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-49044 - Advanced Custom Fields: Font Awesome Field Plugin

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Justin Kruit Advanced Custom Fields: Font Awesome Field allows Stored XSS. This issue affects Advanced Custom Fields: Font Awesome Field: from n/a through 5.0.2.

PLUGIN Advanced Custom Fields: Font Awesome Field

CVE-2026-49044

MEDIUM CVSS 6.5 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-49045 - Adminimize Plugin

Missing Authorization vulnerability in WP Media Adminimize allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Adminimize: from n/a through 1.11.11.

PLUGIN Adminimize

CVE-2026-49045

MEDIUM CVSS 4.3 2026-05-27
Threat Entry Updated 2026-05-27

CVE-2026-48973 - SVG Support Plugin

Missing Authorization vulnerability in Benbodhi SVG Support allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SVG Support: from n/a through 2.5.14.

PLUGIN SVG Support

CVE-2026-48973

MEDIUM CVSS 4.3 2026-05-27