Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-04-15
CVE-2026-0557 - Wp Data Access Plugin
The WP Data Access plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpda_app' shortcode in all versions up to, and including, 5.5.63 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Data Access
CVE-2026-0557
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-0727 - Accordion And Accordion Slider Plugin
The Accordion and Accordion Slider plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.5. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'wp_aas_save_attachment_data' and 'wp_aas_get_attachment_edit_form' functions. This makes it possible for authenticated attackers, with contributor level access and above, to read and modify attachment metadata including file paths, titles, captions, alt text, and custom links for any attachment on the site.
PLUGIN
Accordion And Accordion Slider
CVE-2026-0727
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-0735 - User Language Switch Plugin
The User Language Switch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tab_color_picker_language_switch' parameter in all versions up to, and including, 1.6.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
User Language Switch
CVE-2026-0735
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-0693 - Allow Html In Category Descriptions Plugin
The Allow HTML in Category Descriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via category descriptions in all versions up to, and including, 1.2.4. This is due to the plugin unconditionally removing the `wp_kses_data` output filter for term_description, link_description, link_notes, and user_description fields without checking user capabilities. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in category descriptions that will execute whenever a user accesses a page where the category description is displayed. This only affects multi-site installations and…
PLUGIN
Allow Html In Category Descriptions
CVE-2026-0693
Risk Score
Threat Entry
Updated 2026-02-18
CVE-2025-6792 - Wpguppy Lite Plugin
The One to one user Chat by WPGuppy plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/guppylite/v2/channel-authorize rest endpoint in all versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to intercept and view private chat messages between users.
PLUGIN
Wpguppy Lite
CVE-2025-6792
Risk Score
Threat Entry
Updated 2026-02-18
CVE-2025-15483 - Link Hopper Plugin
The Link Hopper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hop_name’ parameter in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Link Hopper
CVE-2025-15483
Risk Score
Threat Entry
Updated 2026-02-18
CVE-2025-14873 - Calendar Booking Plugin For Appointments And Events
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. This is due to the 'call_by_route_name' function in the routing layer only validating user capabilities without enforcing nonce verification. This makes it possible for unauthenticated attackers to perform multiple administrative actions via forged requests granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Calendar Booking Plugin For Appointments And Events
CVE-2025-14873
Risk Score
Threat Entry
Updated 2026-02-18
CVE-2025-14852 - Mdirector Newsletter Plugin
The MDirector Newsletter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.8. This is due to missing nonce verification on the mdirectorNewsletterSave function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
PLUGIN
Mdirector Newsletter
CVE-2025-14852
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1932 - Appointment Booking Calendar Plugin – Bookr
The Appointment Booking Calendar Plugin – Bookr plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update-appointment REST API endpoint in all versions up to, and including, 1.0.2. This makes it possible for unauthenticated attackers to modify the status of any appointment.
PLUGIN
Appointment Booking Calendar Plugin – Bookr
CVE-2026-1932
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2144 - Magic Login Mail Plugin
The Magic Login Mail or QR Code plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.05. This is due to the plugin storing the magic login QR code image with a predictable, static filename (QR_Code.png) in the publicly accessible WordPress uploads directory during the email sending process. The file is only deleted after wp_mail() completes, creating an exploitable race condition window. This makes it possible for unauthenticated attackers to trigger a login link request for any user, including administrators, and then exploit the…
PLUGIN
Magic Login Mail
CVE-2026-2144
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-2027 - Amp Enhancer Plugin
The AMP Enhancer – Compatibility Layer for Official AMP Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the AMP Custom CSS setting in all versions up to, and including, 1.0.49 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Amp Enhancer
CVE-2026-2027
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1983 - Simple Event Attendance Plugin
The SEATT: Simple Event Attendance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.0. This is due to missing nonce validation on the event deletion functionality. This makes it possible for unauthenticated attackers to delete arbitrary events via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
PLUGIN
Simple Event Attendance
CVE-2026-1983
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1912 - Citations Tools Plugin
The Citations tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in the 'ctdoi' shortcode in all versions up to, and including, 0.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Citations Tools
CVE-2026-1912
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1904 - Simple Wp Colorfull Accordion Plugin
The Simple Wp colorfull Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in the 'accordion' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Simple Wp Colorfull Accordion
CVE-2026-1904
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1754 - Personal Authors Category Plugin
The personal-authors-category plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL path in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
Personal Authors Category
CVE-2026-1754
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1164 - Easy Voice Mail Plugin
The Easy Voice Mail plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘message’ parameter in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Easy Voice Mail
CVE-2026-1164
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-0692 - Bluesnap Payment Gateway For Woocommerce Plugin
The BlueSnap Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.4.0. This is due to the plugin relying on WooCommerce's `WC_Geolocation::get_ip_address()` function to validate IPN requests, which trusts user-controllable headers like X-Real-IP and X-Forwarded-For to determine the client IP address. This makes it possible for unauthenticated attackers to bypass IP allowlist restrictions by spoofing a whitelisted BlueSnap IP address and send forged IPN (Instant Payment Notification) data to manipulate order statuses (mark orders as paid, failed, refunded, or on-hold)…
PLUGIN
Bluesnap Payment Gateway For Woocommerce
CVE-2026-0692
Risk Score
Threat Entry
Updated 2026-02-18
CVE-2025-14608 - Wp Last Modified Info Plugin
The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user's access to a post before modifying its metadata in the 'bulk_save' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to update the last modified metadata and lock the modification date of arbitrary posts, including those created by Administrators via the 'post_ids' parameter.
PLUGIN
Wp Last Modified Info
CVE-2025-14608
Risk Score
Threat Entry
Updated 2026-02-18
CVE-2025-14067 - Easy Form Builder Plugin
The Easy Form Builder plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple AJAX actions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive form response data, including messages, admin replies, and user information due to a logic error in the authorization check that uses AND (&&) instead of OR (||).
PLUGIN
Easy Form Builder
CVE-2025-14067
Risk Score
Threat Entry
Updated 2026-02-18
CVE-2025-13973 - Stickeasy Protected Contact Form Plugin
The StickEasy Protected Contact Form plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.0.2. The plugin stores spam detection logs at a predictable publicly accessible location (wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt). This makes it possible for unauthenticated attackers to download the log file and access sensitive information including visitor IP addresses, email addresses, and comment snippets from contact form submissions that were flagged as spam.
PLUGIN
Stickeasy Protected Contact Form
CVE-2025-13973
Risk Score