Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-04-15
CVE-2026-0726 - Nexter Extension – Security, Performance, Code Snippets & Site Toolkit Theme
The Nexter Extension – Site Enhancements Toolkit plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.6 via deserialization of untrusted input in the 'nxt_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on…
THEME
Nexter Extension – Security, Performance, Code Snippets & Site Toolkit
CVE-2026-0726
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-0690 - Adsense And Custom Code Plugin
The FlatPM – Ad Manager, AdSense and Custom Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rank_math_description' custom field in all versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Adsense And Custom Code
CVE-2026-0690
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-0608 - Head Meta Data Plugin
The Head Meta Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head-meta-data' post meta field in all versions up to, and including, 20251118 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Head Meta Data
CVE-2026-0608
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-0548 - Tutor LMS – eLearning and online course solution Theme
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site.
THEME
Tutor LMS – eLearning and online course solution
CVE-2026-0548
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-0554 - NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar Plugin
The NotificationX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'regenerate' and 'reset' REST API endpoints in all versions up to, and including, 3.1.11. This makes it possible for authenticated attackers, with Contributor-level access and above, to reset analytics for any NotificationX campaign, regardless of ownership.
PLUGIN
NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar
CVE-2026-0554
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-15347 - And Trainers Plugin
The Creator LMS – The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in all versions up to, and including, 1.1.12. This makes it possible for authenticated attackers, with contributor level access and above, to update arbitrary WordPress options.
PLUGIN
And Trainers
CVE-2025-15347
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-15380 - Floating Notification Bar Plugin
The NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3.2.0. This is due to insufficient input sanitization and output escaping when processing preview data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute when a user visits a malicious page that auto-submits a form to the vulnerable site.
PLUGIN
Floating Notification Bar
CVE-2025-15380
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-15043 - The Events Calendar Plugin
The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'start_migration', 'cancel_migration', and 'revert_migration' functions in all versions up to, and including, 6.15.13. This makes it possible for authenticated attackers, with subscriber level access and above, to start, cancel, or revert the Custom Tables V1 database migration, including dropping the custom database tables entirely via the revert action.
PLUGIN
The Events Calendar
CVE-2025-15043
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-14533 - Acf Extended Plugin
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if 'role' is mapped to the custom field.
PLUGIN
Acf Extended
CVE-2025-14533
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-12573 - Allowing Low Privileged Users To Delete Bookingor Plugin
The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete Bookingor WordPress plugin through 1.0.12 data.
PLUGIN
Allowing Low Privileged Users To Delete Bookingor
CVE-2025-12573
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1045 - Viet Contact Plugin
The Viet contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
PLUGIN
Viet Contact
CVE-2026-1045
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1042 - Wp Hello Bar Plugin
The WP Hello Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'digit_one' and 'digit_two' parameters in all versions up to, and including, 1.02 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
PLUGIN
Wp Hello Bar
CVE-2026-1042
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-14977 - Dokan Lite Plugin
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with customer-level permissions and above, to read or modify other vendors' store settings including sensitive payment information (PayPal email, bank account details, routing numbers, IBAN, SWIFT codes), phone numbers, and addresses, and change PayPal email addresses to…
PLUGIN
Dokan Lite
CVE-2025-14977
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-14348 - And Automation Plugin
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. This is due to the plugin's REST API trusting the `x-wemail-user` HTTP header to identify users without verifying the request originates from an authenticated WordPress session. This makes it possible for unauthenticated attackers who know or can guess an admin email (easily enumerable via `/wp-json/wp/v2/users`) to impersonate that user and access the CSV subscriber endpoints, potentially exfiltrating subscriber PII…
PLUGIN
And Automation
CVE-2025-14348
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-14798 - Wordpress Lms Plugin
The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.3.2.4 via the get_item_permissions_check function. This makes it possible for unauthenticated attackers to extract sensitive data including user first names and last names. Other information such as social profile links and enrollment are also included.
PLUGIN
Wordpress Lms
CVE-2025-14798
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-14351 - Custom Fonts Plugin
The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. This makes it possible for unauthenticated attackers to delete font directory and rewrite theme.json file.
PLUGIN
Custom Fonts
CVE-2025-14351
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1051 - For Wordpress Is Vulnerable To Cross Site Request Forgery In All Versions Up To Plugin
The Newsletter – Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hook_newsletter_action() function. This makes it possible for unauthenticated attackers to unsubscribe newsletter subscribers via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link.
PLUGIN
For Wordpress Is Vulnerable To Cross Site Request Forgery In All Versions Up To
CVE-2026-1051
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-14978 - Peachpay For Woocommerce Plugin
The PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including, 1.119.8. This makes it possible for unauthenticated attackers to modify the status of arbitrary WooCommerce orders.
PLUGIN
Peachpay For Woocommerce
CVE-2025-14978
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-15466 - Image Photo Gallery Final Tiles Grid Plugin
The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple AJAX actions in all versions up to, and including, 3.6.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to view, create, modify, clone, delete, and reassign ownership of galleries created by other users, including administrators.
PLUGIN
Image Photo Gallery Final Tiles Grid
CVE-2025-15466
Risk Score
Threat Entry
Updated 2026-03-09
CVE-2026-22850 - Koko Analytics Is An Open Source Analytics Plugin
Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbitrary path (`pa`) and referrer (`r`) values to the public tracking endpoint in src/Resources/functions/collect.php, which stores those strings verbatim in the analytics tables. The admin export logic in src/Admin/Data_Export.php writes these stored values directly into SQL INSERT statements without escaping. A crafted path such as "),('999','x');DROP TABLE wp_users;-- breaks out of the value list. When an administrator later…
PLUGIN
Koko Analytics Is An Open Source Analytics
CVE-2026-22850
Risk Score