Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-02-19
CVE-2026-23544 - Valenti Plugin
Deserialization of Untrusted Data vulnerability in codetipi Valenti valenti allows Object Injection.This issue affects Valenti: from n/a through
PLUGIN
Valenti
CVE-2026-23544
Risk Score
Threat Entry
Updated 2026-02-20
CVE-2026-23547 - CMSMasters Content Composer Plugin
Missing Authorization vulnerability in cmsmasters CMSMasters Content Composer cmsmasters-content-composer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CMSMasters Content Composer: from n/a through
PLUGIN
CMSMasters Content Composer
CVE-2026-23547
Risk Score
Threat Entry
Updated 2026-02-26
CVE-2026-23545 - Aruba HiSpeed Cache Plugin
Missing Authorization vulnerability in Aruba.it Dev Aruba HiSpeed Cache aruba-hispeed-cache allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Aruba HiSpeed Cache: from n/a through
PLUGIN
Aruba HiSpeed Cache
CVE-2026-23545
Risk Score
Threat Entry
Updated 2026-02-26
CVE-2026-23548 - DirectoryPress Plugin
Missing Authorization vulnerability in designinvento DirectoryPress directorypress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DirectoryPress: from n/a through
PLUGIN
DirectoryPress
CVE-2026-23548
Risk Score
Threat Entry
Updated 2026-02-26
CVE-2026-23543 - Essential Addons for Elementor Plugin
Missing Authorization vulnerability in WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Essential Addons for Elementor: from n/a through
PLUGIN
Essential Addons for Elementor
CVE-2026-23543
Risk Score
Threat Entry
Updated 2026-02-24
CVE-2026-22333 - YITH WooCommerce Compare Theme
Deserialization of Untrusted Data vulnerability in YITHEMES YITH WooCommerce Compare yith-woocommerce-compare allows Object Injection.This issue affects YITH WooCommerce Compare: from n/a through
THEME
YITH WooCommerce Compare
CVE-2026-22333
Risk Score
Threat Entry
Updated 2026-02-20
CVE-2026-22422 - Everest Forms Plugin
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in wpeverest Everest Forms everest-forms allows Code Injection.This issue affects Everest Forms: from n/a through
PLUGIN
Everest Forms
CVE-2026-22422
Risk Score
Threat Entry
Updated 2026-02-19
CVE-2026-23541 - Mail Mint Plugin
Missing Authorization vulnerability in WPFunnels Mail Mint mail-mint allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Mail Mint: from n/a through
PLUGIN
Mail Mint
CVE-2026-23541
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2502 - Xmlrpc Attacks Blocker Plugin
The xmlrpc attacks blocker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0, via the 'X-Forwarded-For' HTTP header. This is due to the plugin trusting and logging attacker-controlled IP header data and rendering debug log entries without output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the debug log page.
PLUGIN
Xmlrpc Attacks Blocker
CVE-2026-2502
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2284 - News Element Plugin
The News Element Elementor Blog Magazine plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.8. This is due to a missing capability check and nonce verification on the 'ne_clean_data' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to truncate 8 core WordPress database tables (posts, comments, terms, term_relationships, term_taxonomy, postmeta, commentmeta, termmeta) and delete the entire WordPress uploads directory, resulting in complete data loss.
PLUGIN
News Element
CVE-2026-2284
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2282 - Slidorion Plugin
The Slidorion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Slidorion
CVE-2026-2282
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2504 - Dealia – Request a quote Plugin
The Dealia – Request a quote plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple AJAX handlers in all versions up to, and including, 1.0.7. The admin nonce (DEALIA_ADMIN_NONCE) is exposed to all users with edit_posts capability (Contributor+) via wp_localize_script() in PostsController.php, while the AJAX handlers in AdminSettingsController.php only verify the nonce without checking current_user_can('manage_options'). This makes it possible for authenticated attackers, with Contributor-level access and above, to reset the plugin configuration.
PLUGIN
Dealia – Request a quote
CVE-2026-2504
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1994 - s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions Plugin
The s2Member plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 260127. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
PLUGIN
s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions
CVE-2026-1994
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1646 - Advance Block Extend Plugin
The Advance Block Extend plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the TitleColor block attribute in the Latest Posts Gutenberg block in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Advance Block Extend
CVE-2026-1646
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1455 - Whatsiplus Scheduled Notification For Woocommerce Plugin
The Whatsiplus Scheduled Notification for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'wsnfw_save_users_settings' AJAX action. This makes it possible for unauthenticated attackers to modify plugin configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Whatsiplus Scheduled Notification For Woocommerce
CVE-2026-1455
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1405 - Slider Future Plugin
The Slider Future plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'slider_future_handle_image_upload' function in all versions up to, and including, 1.0.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
PLUGIN
Slider Future
CVE-2026-1405
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1373 - Easy Author Image Plugin
The Easy Author Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'author_profile_picture_url' parameter in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Easy Author Image
CVE-2026-1373
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1055 - Talkjs Plugin
The TalkJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.1.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Talkjs
CVE-2026-1055
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1047 - salavat counter Plugin
The salavat counter Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'image_url' parameter in all versions up to, and including, 0.9.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
salavat counter Plugin
CVE-2026-1047
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1044 - Tennis Court Bookings Plugin
The Tennis Court Bookings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Tennis Court Bookings
CVE-2026-1044
Risk Score