Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-04-15
CVE-2026-2002 - Forminator Forms – Contact Form, Payment Form & Custom Form Builder Plugin
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form_name parameter in all versions up to, and including, 1.50.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The plugin allows admins to give form management permissions to lower level users, which could make this exploitable by users such as…
PLUGIN
Forminator Forms – Contact Form, Payment Form & Custom Form Builder
CVE-2026-2002
Risk Score
Threat Entry
Updated 2026-02-18
CVE-2025-12062 - Filters Plugin
The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.8.6 via the fc_load_template function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .html files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .html file types can be uploaded and included.
PLUGIN
Filters
CVE-2025-12062
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2001 - WowRevenue – Product Bundles & Bulk Discounts Plugin
The WowRevenue plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'Notice::install_activate_plugin' function in all versions up to, and including, 2.1.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the affected site's server which may make remote code execution possible.
PLUGIN
WowRevenue – Product Bundles & Bulk Discounts
CVE-2026-2001
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-0929 - Before 6 Plugin
The RegistrationMagic WordPress plugin before 6.0.7.2 does not have proper capability checks, allowing subscribers and above to create forms on the site.
PLUGIN
Before 6
CVE-2026-0929
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1750 - Ecwid By Lightspeed Ecommerce Shopping Cart Plugin
The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.0.7. This is due to a missing capability check in the 'save_custom_user_profile_fields' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to supply the 'ec_store_admin_access' parameter during a profile update and gain store manager access to the site.
PLUGIN
Ecwid By Lightspeed Ecommerce Shopping Cart
CVE-2026-1750
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1793 - Bdthemes Element Pack Lite Plugin
The Element Pack Addons for Elementor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 8.3.17 via the SVG widget and a lack of sufficient file validation in the 'render_svg' function. This makes it possible for authenticated attackers, with contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
PLUGIN
Bdthemes Element Pack Lite
CVE-2026-1793
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1490 - Cleantalk Spam Protect Plugin
The Spam protection, Anti-Spam, FireWall by CleanTalk plugin for WordPress is vulnerable to unauthorized Arbitrary Plugin Installation due to an authorization bypass via reverse DNS (PTR record) spoofing on the 'checkWithoutToken' function in all versions up to, and including, 6.71. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. Note: This is only exploitable on sites with an invalid API key.
PLUGIN
Cleantalk Spam Protect
CVE-2026-1490
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2312 - Media Library Folders Plugin
The Media Library Folders plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 8.3.6 via the delete_maxgalleria_media() and maxgalleria_rename_image() functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to delete or rename attachments owned by other users (including administrators). The rename flow also deletes all postmeta for the target attachment, causing data loss.
PLUGIN
Media Library Folders
CVE-2026-2312
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1512 - Essential Addons for Elementor – Popular Elementor Templates & Widgets Plugin
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Info Box widget in all versions up to, and including, 6.5.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Essential Addons for Elementor – Popular Elementor Templates & Widgets
CVE-2026-1512
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1843 - Super Page Cache Plugin
The Super Page Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Activity Log in all versions up to, and including, 5.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Super Page Cache
CVE-2026-1843
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1258 - Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more Plugin
The Mail Mint plugin for WordPress is vulnerable to blind SQL Injection via the 'forms', 'automation', 'email/templates', and 'contacts/import/tutorlms/map' API endpoints in all versions up to, and including, 1.19.2 . This is due to insufficient escaping on the user supplied 'order-by', 'order-type', and 'selectedCourses' parameters and lack of sufficient preparation on the existing SQL queries. This makes it possible for authenticated attackers, with administrator level access and above, to append additional SQL queries into already existing queries.
PLUGIN
Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more
CVE-2026-1258
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1254 - Modula Image Gallery – Photo Grid & Video Gallery Plugin
The Modula Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.13.6. This is due to the plugin not properly verifying that a user is authorized to modify specific posts before updating them via the REST API. This makes it possible for authenticated attackers, with contributor level access and above, to update the title, excerpt, and content of arbitrary posts by passing post IDs in the modulaImages field when editing a gallery.
PLUGIN
Modula Image Gallery – Photo Grid & Video Gallery
CVE-2026-1254
Risk Score
Threat Entry
Updated 2026-02-18
CVE-2025-8572 - Truelysell Core Plugin
The Truelysell Core plugin for WordPress is vulnerable to privilege escalation in versions less than, or equal to, 1.8.7. This is due to insufficient validation of the user_role parameter during user registration. This makes it possible for unauthenticated attackers to create accounts with elevated privileges, including administrator access.
PLUGIN
Truelysell Core
CVE-2025-8572
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-0550 - myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program. Plugin
The myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mycred_load_coupon' shortcode in all versions up to, and including, 2.9.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program.
CVE-2026-0550
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1249 - MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar Plugin
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Server-Side Request Forgery in versions 5.3 to 5.10 via the 'load_lyrics_ajax_callback' function. This makes it possible for authenticated attackers, with author level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
PLUGIN
MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar
CVE-2026-1249
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2024 - Photostack Gallery Plugin
The PhotoStack Gallery plugin for WordPress is vulnerable to SQL Injection via the 'postid' parameter in all versions up to, and including, 0.4.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
PLUGIN
Photostack Gallery
CVE-2026-2024
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1988 - Flexi Product Slider And Grid For Woocommerce Plugin
The Flexi Product Slider and Grid for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.5 via the `flexipsg_carousel` shortcode. This is due to the `theme` parameter being directly concatenated into a file path without proper sanitization or validation, allowing directory traversal. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server via the `theme` parameter granted they can create posts with shortcodes.
PLUGIN
Flexi Product Slider And Grid For Woocommerce
CVE-2026-1988
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1985 - Press3d Plugin
The Press3D plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 3D Model Gutenberg block in all versions up to, and including, 1.0.2. This is due to the plugin failing to sanitize and validate the URL scheme when storing link URLs for 3D model blocks, allowing `javascript:` URLs. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages via the link URL parameter that will execute whenever a user clicks on the 3D model.
PLUGIN
Press3d
CVE-2026-1985
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1987 - Scheduler Widget Plugin
The Scheduler Widget plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.1.6. This is due to the `scheduler_widget_ajax_save_event()` function lacking proper authorization checks and ownership verification when updating events. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify any event in the scheduler via the `id` parameter granted they have knowledge of the event ID.
PLUGIN
Scheduler Widget
CVE-2026-1987
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1944 - Callbackkiller Service Widget Plugin
The CallbackKiller service widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cbk_save() function in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to modify the plugin's site ID settings via the 'cbk_save_v1' AJAX action.
PLUGIN
Callbackkiller Service Widget
CVE-2026-1944
Risk Score