CVE-2026-4290 (GCVE-0-2026-4290)
Vulnerability from cvelistv5 – Published: 2026-05-29 14:29 – Updated: 2026-05-29 15:03
Title
WP Travel Pro <= 10.6.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion Including Administrators
Summary
The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in all versions up to, and including, 10.6.0. This is due to the check_permission() callback unconditionally returning true and the Database::delete() method passing the user ID directly to wp_delete_user() without any role validation. This makes it possible for unauthenticated attackers to delete arbitrary user accounts, including those of administrators.
Severity
9.1 (Critical)
CWE
- CWE-862 - Missing Authorization
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| WPTravel | WP Travel Pro | Affected: 0 , ≤ 10.6.0 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4290",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T15:03:49.351480Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T15:03:55.782Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Travel Pro",
"vendor": "WPTravel",
"versions": [
{
"lessThanOrEqual": "10.6.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ren Voza"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in all versions up to, and including, 10.6.0. This is due to the check_permission() callback unconditionally returning true and the Database::delete() method passing the user ID directly to wp_delete_user() without any role validation. This makes it possible for unauthenticated attackers to delete arbitrary user accounts, including those of administrators."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T14:29:08.134Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/885dd550-4c80-4e36-8dae-cb47c1500ea5?source=cve"
},
{
"url": "https://wptravel.io/wp-travel-pro/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-28T14:22:39.000Z",
"value": "Disclosed"
}
],
"title": "WP Travel Pro \u003c= 10.6.0 - Missing Authorization to Unauthenticated Arbitrary User Deletion Including Administrators"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4290",
"datePublished": "2026-05-29T14:29:08.134Z",
"dateReserved": "2026-03-16T16:54:44.082Z",
"dateUpdated": "2026-05-29T15:03:55.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12714 (GCVE-0-2025-12714)
Vulnerability from cvelistv5 – Published: 2026-05-29 09:28 – Updated: 2026-05-29 12:55
Title
Rank Math SEO – AI SEO Tools to Dominate SEO Rankings <= 1.0.271 - Missing Authorization to Unauthenticated Homepage Settings Modification
Summary
The Rank Math SEO – AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the update_site_editor_homepage function in all versions up to, and including, 1.0.271. This makes it possible for unauthenticated attackers to modify several plugin settings including homepage title, meta description, breadcrumbs label, and social media metadata, which can have severe impact on SEO rankings and display malicious content across all site pages where breadcrumbs are used.
Severity
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| rankmath | Rank Math SEO – AI SEO Tools to Dominate SEO Rankings | Affected: 0 , ≤ 1.0.271 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12714",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T12:55:07.147654Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T12:55:17.214Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Rank Math SEO \u2013 AI SEO Tools to Dominate SEO Rankings",
"vendor": "rankmath",
"versions": [
{
"lessThanOrEqual": "1.0.271",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Mazzolini"
},
{
"lang": "en",
"type": "finder",
"value": "abrahack"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Rank Math SEO \u2013 AI SEO Tools to Dominate SEO Rankings plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the update_site_editor_homepage function in all versions up to, and including, 1.0.271. This makes it possible for unauthenticated attackers to modify several plugin settings including homepage title, meta description, breadcrumbs label, and social media metadata, which can have severe impact on SEO rankings and display malicious content across all site pages where breadcrumbs are used."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T09:28:06.406Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dd072774-6f85-42de-a9d4-6826703ad839?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/seo-by-rank-math/trunk/includes/rest/class-shared.php#L122"
},
{
"url": "https://plugins.trac.wordpress.org/browser/seo-by-rank-math/trunk/includes/rest/class-shared.php#L129"
},
{
"url": "https://plugins.trac.wordpress.org/browser/seo-by-rank-math/trunk/includes/rest/class-shared.php#L339"
},
{
"url": "https://plugins.trac.wordpress.org/browser/seo-by-rank-math/trunk/includes/rest/class-rest-helper.php#L75"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3552223/seo-by-rank-math/trunk/includes/rest/class-rest-helper.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-04T20:12:38.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-28T21:09:47.000Z",
"value": "Disclosed"
}
],
"title": "Rank Math SEO \u2013 AI SEO Tools to Dominate SEO Rankings \u003c= 1.0.271 - Missing Authorization to Unauthenticated Homepage Settings Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12714",
"datePublished": "2026-05-29T09:28:06.406Z",
"dateReserved": "2025-11-04T19:56:00.630Z",
"dateUpdated": "2026-05-29T12:55:17.214Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9189 (GCVE-0-2026-9189)
Vulnerability from cvelistv5 – Published: 2026-05-29 08:28 – Updated: 2026-05-29 10:04
Title
Contact Form 7 – PayPal & Stripe Add-on <= 2.4.9 - Unauthenticated Payment Bypass via Insufficient Verification of Data Authenticity via PayPal IPN Handler ('invoice'/'mc_gross' Verification)
Summary
The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Payment Bypass via Insufficient Verification of Data Authenticity in all versions up to, and including, 2.4.9. Although `cf7pp_paypal_ipn_handler()` correctly validates IPN authenticity by posting back to PayPal with `cmd=_notify-validate`, it fails to compare the IPN payload's `mc_gross` (payment amount), `mc_currency`, or `receiver_email` fields against the corresponding stored order values before passing the attacker-controlled `invoice` field directly to `cf7pp_complete_payment()`, which marks the order completed after only an integer cast with no amount verification. This makes it possible for unauthenticated attackers to mark arbitrary high-value pending orders as fully paid by making a minimal real PayPal payment and crafting an IPN whose `invoice` parameter references the targeted order, effectively completing purchases without tendering the required payment amount.
Severity
5.3 (Medium)
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| scottpaterson | Contact Form 7 – PayPal & Stripe Add-on | Affected: 0 , ≤ 2.4.9 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9189",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T10:00:42.885449Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T10:04:53.551Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Contact Form 7 \u2013 PayPal \u0026 Stripe Add-on",
"vendor": "scottpaterson",
"versions": [
{
"lessThanOrEqual": "2.4.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muni Nitish Kumar Yaddala"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Contact Form 7 \u2013 PayPal \u0026 Stripe Add-on plugin for WordPress is vulnerable to Payment Bypass via Insufficient Verification of Data Authenticity in all versions up to, and including, 2.4.9. Although `cf7pp_paypal_ipn_handler()` correctly validates IPN authenticity by posting back to PayPal with `cmd=_notify-validate`, it fails to compare the IPN payload\u0027s `mc_gross` (payment amount), `mc_currency`, or `receiver_email` fields against the corresponding stored order values before passing the attacker-controlled `invoice` field directly to `cf7pp_complete_payment()`, which marks the order completed after only an integer cast with no amount verification. This makes it possible for unauthenticated attackers to mark arbitrary high-value pending orders as fully paid by making a minimal real PayPal payment and crafting an IPN whose `invoice` parameter references the targeted order, effectively completing purchases without tendering the required payment amount."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345 Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T08:28:24.446Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e274781-1c20-4224-bc10-26dadb9b1e07?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contact-form-7-paypal-add-on/tags/2.4.8/includes/payments/paypal_handler.php#L106"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contact-form-7-paypal-add-on/tags/2.4.8/includes/payments/paypal_handler.php#L75"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contact-form-7-paypal-add-on/tags/2.4.8/includes/payments/functions.php#L31"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contact-form-7-paypal-add-on/tags/2.4.6/includes/payments/paypal_handler.php#L106"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contact-form-7-paypal-add-on/tags/2.4.6/includes/payments/paypal_handler.php#L75"
},
{
"url": "https://plugins.trac.wordpress.org/browser/contact-form-7-paypal-add-on/tags/2.4.6/includes/payments/functions.php#L31"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3551197/contact-form-7-paypal-add-on"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-21T15:22:09.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-28T19:54:04.000Z",
"value": "Disclosed"
}
],
"title": "Contact Form 7 \u2013 PayPal \u0026 Stripe Add-on \u003c= 2.4.9 - Unauthenticated Payment Bypass via Insufficient Verification of Data Authenticity via PayPal IPN Handler (\u0027invoice\u0027/\u0027mc_gross\u0027 Verification)"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9189",
"datePublished": "2026-05-29T08:28:24.446Z",
"dateReserved": "2026-05-21T15:06:53.761Z",
"dateUpdated": "2026-05-29T10:04:53.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10039 (GCVE-0-2026-10039)
Vulnerability from cvelistv5 – Published: 2026-05-29 07:46 – Updated: 2026-05-29 10:05
Title
Frontend Admin by DynamiApps <= 3.28.28 - Authenticated (Administrator+) SQL Injection via 'order' Parameter
Summary
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to generic SQL Injection via the 'order' parameter in all versions up to, and including, 3.28.28 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires that the attacker also supply a valid 'orderby' parameter in the same request, as this is necessary to reach the vulnerable code path that processes and concatenates the 'order' value into the SQL query.
Severity
4.9 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| shabti | Frontend Admin by DynamiApps | Affected: 0 , ≤ 3.28.8 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10039",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T10:00:55.399914Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T10:05:08.058Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Frontend Admin by DynamiApps",
"vendor": "shabti",
"versions": [
{
"lessThanOrEqual": "3.28.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Louis Deschanel"
},
{
"lang": "en",
"type": "finder",
"value": "Pascal SUN"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to generic SQL Injection via the \u0027order\u0027 parameter in all versions up to, and including, 3.28.28 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires that the attacker also supply a valid \u0027orderby\u0027 parameter in the same request, as this is necessary to reach the vulnerable code path that processes and concatenates the \u0027order\u0027 value into the SQL query."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T07:46:48.956Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/51d79701-8580-4130-8f84-e739aa2f7f5f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.29.3/main/admin/admin-pages/payments/list.php#L46"
},
{
"url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.29.3/main/admin/admin-pages/payments/list.php#L45"
},
{
"url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/trunk/main/admin/admin-pages/payments/list.php#L46"
},
{
"url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/trunk/main/admin/admin-pages/payments/list.php#L45"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3472098%40acf-frontend-form-element\u0026new=3472098%40acf-frontend-form-element\u0026sfp_email=\u0026sfph_mail=#file3"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-28T19:51:06.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-28T19:36:05.000Z",
"value": "Disclosed"
}
],
"title": "Frontend Admin by DynamiApps \u003c= 3.28.28 - Authenticated (Administrator+) SQL Injection via \u0027order\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-10039",
"datePublished": "2026-05-29T07:46:48.956Z",
"dateReserved": "2026-05-28T19:35:54.219Z",
"dateUpdated": "2026-05-29T10:05:08.058Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6075 (GCVE-0-2026-6075)
Vulnerability from cvelistv5 – Published: 2026-05-29 07:46 – Updated: 2026-05-29 10:05
Title
Media Library Assistant <= 3.35 - Cross-Site Request Forgery via Bulk Action Form
Summary
The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.35. This is due to missing nonce verification on the bulk action handlers in the settings tab handlers. This makes it possible for unauthenticated attackers to trick an administrator into performing bulk delete, edit, or purge operations on plugin settings and attachment metadata via a forged request.
Severity
8.1 (High)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
11 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| dglingren | Media Library Assistant | Affected: 0 , ≤ 3.35 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6075",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T10:01:03.043838Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T10:05:22.136Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Media Library Assistant",
"vendor": "dglingren",
"versions": [
{
"lessThanOrEqual": "3.35",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jack Pas"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.35. This is due to missing nonce verification on the bulk action handlers in the settings tab handlers. This makes it possible for unauthenticated attackers to trick an administrator into performing bulk delete, edit, or purge operations on plugin settings and attachment metadata via a forged request."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T07:46:48.404Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e399651-8992-4949-b7a7-4e8ce199b47a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/media-library-assistant/trunk/includes/class-mla-settings.php#L1331"
},
{
"url": "https://plugins.trac.wordpress.org/browser/media-library-assistant/trunk/includes/class-mla-settings-view-tab.php#L224"
},
{
"url": "https://plugins.trac.wordpress.org/browser/media-library-assistant/tags/3.33/includes/class-mla-settings-view-tab.php#L224"
},
{
"url": "https://plugins.trac.wordpress.org/browser/media-library-assistant/trunk/includes/class-mla-settings-custom-fields-tab.php#L664"
},
{
"url": "https://plugins.trac.wordpress.org/browser/media-library-assistant/tags/3.33/includes/class-mla-settings-custom-fields-tab.php#L664"
},
{
"url": "https://plugins.trac.wordpress.org/browser/media-library-assistant/trunk/includes/class-mla-settings-iptc-exif-tab.php#L804"
},
{
"url": "https://plugins.trac.wordpress.org/browser/media-library-assistant/tags/3.33/includes/class-mla-settings-iptc-exif-tab.php#L804"
},
{
"url": "https://plugins.trac.wordpress.org/browser/media-library-assistant/tags/3.33/includes/class-mla-settings.php#L1331"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3494141/media-library-assistant/trunk/includes/class-mla-settings-custom-fields-tab.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fmedia-library-assistant/tags/3.34\u0026new_path=%2Fmedia-library-assistant/tags/3.35"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-10T14:46:34.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-28T18:57:53.000Z",
"value": "Disclosed"
}
],
"title": "Media Library Assistant \u003c= 3.35 - Cross-Site Request Forgery via Bulk Action Form"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-6075",
"datePublished": "2026-05-29T07:46:48.404Z",
"dateReserved": "2026-04-10T14:31:12.134Z",
"dateUpdated": "2026-05-29T10:05:22.136Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11262 (GCVE-0-2025-11262)
Vulnerability from cvelistv5 – Published: 2026-05-29 06:43 – Updated: 2026-05-29 10:05
Title
Link Whisper Free <= 0.9.0 - Unauthenticated Stored Cross-Site Scripting
Summary
The Link Whisper Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user_id parameter in all versions up to, and including, 0.9.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
7.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| linkwhspr | Link Whisper Free | Affected: 0 , ≤ 0.9.0 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11262",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T10:01:11.074867Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T10:05:36.023Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Link Whisper Free",
"vendor": "linkwhspr",
"versions": [
{
"lessThanOrEqual": "0.9.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Mazzolini"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Link Whisper Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user_id parameter in all versions up to, and including, 0.9.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T06:43:42.803Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ad159b18-0ad1-4cab-932e-6850cf7a867f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/link-whisper/trunk/core/Wpil/Settings.php#L883"
},
{
"url": "https://wordpress.org/plugins/link-whisper/#developers"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-19T16:53:11.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-28T18:06:26.000Z",
"value": "Disclosed"
}
],
"title": "Link Whisper Free \u003c= 0.9.0 - Unauthenticated Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11262",
"datePublished": "2026-05-29T06:43:42.803Z",
"dateReserved": "2025-10-03T14:09:32.758Z",
"dateUpdated": "2026-05-29T10:05:36.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3655 (GCVE-0-2026-3655)
Vulnerability from cvelistv5 – Published: 2026-05-29 06:43 – Updated: 2026-05-29 10:05
Title
OTP Login With Phone Number, OTP Verification <= 1.8.60 - Unauthenticated Authentication Bypass via Firebase OTP Verification
Summary
The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the `lwp_ajax_register` AJAX handler not binding the Firebase session to the phone number supplied in the request. The `idehweb_lwp_activate_through_firebase()` function validates that a Firebase OTP session is legitimate, but the `phoneNumber` returned by Firebase is never compared against the victim's stored phone number. This makes it possible for unauthenticated attackers to authenticate as any user who has a phone number stored in user meta, including administrators, by verifying their own Firebase session and supplying the victim's phone number in the same request.
Severity
9.8 (Critical)
CWE
- CWE-287 - Improper Authentication
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| glboy | OTP Login With Phone Number, OTP Verification | Affected: 1.8.50 , ≤ 1.8.60 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3655",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T10:01:30.010604Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T10:05:49.537Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OTP Login With Phone Number, OTP Verification",
"vendor": "glboy",
"versions": [
{
"lessThanOrEqual": "1.8.60",
"status": "affected",
"version": "1.8.50",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "lucky_buddy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the `lwp_ajax_register` AJAX handler not binding the Firebase session to the phone number supplied in the request. The `idehweb_lwp_activate_through_firebase()` function validates that a Firebase OTP session is legitimate, but the `phoneNumber` returned by Firebase is never compared against the victim\u0027s stored phone number. This makes it possible for unauthenticated attackers to authenticate as any user who has a phone number stored in user meta, including administrators, by verifying their own Firebase session and supplying the victim\u0027s phone number in the same request."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287 Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T06:43:41.811Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7fc410f2-5f2b-4eea-a0fb-fe58f988f95f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.8.60/inc/ajax-handlers.php#L649"
},
{
"url": "https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.8.60/inc/ajax-handlers.php#L659"
},
{
"url": "https://plugins.trac.wordpress.org/browser/login-with-phone-number/tags/1.8.60/inc/ajax-handlers.php#L1167"
},
{
"url": "https://plugins.trac.wordpress.org/browser/login-with-phone-number/trunk/inc/ajax-handlers.php#L649"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3479314/login-with-phone-number/trunk/inc/ajax-handlers.php?old=3455810\u0026old_path=login-with-phone-number%2Ftrunk%2Finc%2Fajax-handlers.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-06T18:30:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-28T17:56:28.000Z",
"value": "Disclosed"
}
],
"title": "OTP Login With Phone Number, OTP Verification \u003c= 1.8.60 - Unauthenticated Authentication Bypass via Firebase OTP Verification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-3655",
"datePublished": "2026-05-29T06:43:41.811Z",
"dateReserved": "2026-03-06T18:14:33.842Z",
"dateUpdated": "2026-05-29T10:05:49.537Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9243 (GCVE-0-2026-9243)
Vulnerability from cvelistv5 – Published: 2026-05-29 06:43 – Updated: 2026-05-29 10:06
Title
The Plus Addons for Elementor <= 6.4.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'carousel_direction' Parameter
Summary
The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'carousel_direction' parameter of the Carousel Anything widget in versions up to, and including, 6.4.15. This is due to insufficient output escaping in the render() function, where the carousel_direction value is placed into an unquoted HTML attribute (dir=), allowing attribute injection despite the use of esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| posimyththemes | The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce | Affected: 0, ≤ 6.4.15 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9243",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T10:01:36.349169Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T10:06:02.975Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "The Plus Addons for Elementor \u2013 Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce",
"vendor": "posimyththemes",
"versions": [
{
"lessThanOrEqual": "6.4.15",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027carousel_direction\u0027 parameter of the Carousel Anything widget in versions up to, and including, 6.4.15. This is due to insufficient output escaping in the render() function, where the carousel_direction value is placed into an unquoted HTML attribute (dir=), allowing attribute injection despite the use of esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T06:43:41.113Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/699e41ad-1991-4100-9ef2-caea7743e45b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/6.4.15/modules/widgets/tp_carousel_anything.php#L1187"
},
{
"url": "https://plugins.trac.wordpress.org/browser/the-plus-addons-for-elementor-page-builder/tags/6.4.15/modules/widgets/tp_carousel_anything.php#L1143"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fthe-plus-addons-for-elementor-page-builder/tags/6.4.15\u0026new_path=%2Fthe-plus-addons-for-elementor-page-builder/tags/6.4.16"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-21T19:45:36.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-28T18:38:13.000Z",
"value": "Disclosed"
}
],
"title": "The Plus Addons for Elementor \u003c= 6.4.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027carousel_direction\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9243",
"datePublished": "2026-05-29T06:43:41.113Z",
"dateReserved": "2026-05-21T19:17:51.867Z",
"dateUpdated": "2026-05-29T10:06:02.975Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9714 (GCVE-0-2026-9714)
Vulnerability from cvelistv5 – Published: 2026-05-29 05:32 – Updated: 2026-05-29 10:06
Title
Simple Divi Shortcode <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute
Summary
The Simple Divi Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the [showmodule] shortcode in versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping in the showmodule_shortcode() function, which concatenates the 'id' shortcode attribute directly into a dynamically constructed shortcode string without applying esc_attr() or any escaping, allowing an attacker to break out of the attribute context and inject arbitrary HTML. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| creaweb2b | Simple Divi Shortcode | Affected: 0, ≤ 1.2 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9714",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T10:01:41.980504Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T10:06:16.184Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Simple Divi Shortcode",
"vendor": "creaweb2b",
"versions": [
{
"lessThanOrEqual": "1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Simple Divi Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027id\u0027 parameter of the [showmodule] shortcode in versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping in the showmodule_shortcode() function, which concatenates the \u0027id\u0027 shortcode attribute directly into a dynamically constructed shortcode string without applying esc_attr() or any escaping, allowing an attacker to break out of the attribute context and inject arbitrary HTML. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T05:32:37.685Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f188337e-023e-498e-b752-b5f3fa7a9949?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-divi-shortcode/trunk/simple_divi_shortcode.php#L63"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-divi-shortcode/trunk/simple_divi_shortcode.php#L62"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fsimple-divi-shortcode/tags/1.2\u0026new_path=%2Fsimple-divi-shortcode/tags/1.2.1"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-27T20:27:21.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-28T16:58:31.000Z",
"value": "Disclosed"
}
],
"title": "Simple Divi Shortcode \u003c= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027id\u0027 Shortcode Attribute"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9714",
"datePublished": "2026-05-29T05:32:37.685Z",
"dateReserved": "2026-05-27T15:05:09.334Z",
"dateUpdated": "2026-05-29T10:06:16.184Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14042 (GCVE-0-2025-14042)
Vulnerability from cvelistv5 – Published: 2026-05-29 05:32 – Updated: 2026-05-29 10:06
Title
Automotive Car Dealership Business WordPress Theme <= 13.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Portfolio Project Details
Summary
The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Project Details' custom field in Portfolio Items in all versions up to, and including, 13.4.1. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the 'project_details' custom field. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themesuite | Automotive Car Dealership Business WordPress Theme | Affected: 0, ≤ 13.4.1 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14042",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T10:01:47.296971Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T10:06:30.115Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Automotive Car Dealership Business WordPress Theme",
"vendor": "themesuite",
"versions": [
{
"lessThanOrEqual": "13.4.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mateusz Gierblinski"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027Project Details\u0027 custom field in Portfolio Items in all versions up to, and including, 13.4.1. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the \u0027project_details\u0027 custom field. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T05:32:37.304Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ced350cf-1116-4003-ac74-f6dec34360a5?source=cve"
},
{
"url": "https://themeforest.net/item/automotive-car-dealership-business-wordpress-theme/9210971"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-28T17:26:48.000Z",
"value": "Disclosed"
}
],
"title": "Automotive Car Dealership Business WordPress Theme \u003c= 13.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Portfolio Project Details"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14042",
"datePublished": "2026-05-29T05:32:37.304Z",
"dateReserved": "2025-12-04T16:07:26.674Z",
"dateUpdated": "2026-05-29T10:06:30.115Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11993 (GCVE-0-2025-11993)
Vulnerability from cvelistv5 – Published: 2026-05-29 05:32 – Updated: 2026-05-29 10:06
Title
WooCommerce Infinite Scroll and Ajax Pagination <= 1.8 - Authenticated (Subscriber+) PHP Object Injection
Summary
The WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8 via the 'settings' parameter in the 'import_settings' function. This is due to deserialization of untrusted data supplied via the import configuration feature without capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No POP chain is present within the vulnerable plugin itself, but if a POP chain is present via an additional plugin or theme installed on the target system, it could allow an attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Severity
8.8 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| sbthemes | WooCommerce Infinite Scroll and Ajax Pagination | Affected: 0, ≤ 1.8 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11993",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T10:01:55.923786Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T10:06:43.473Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WooCommerce Infinite Scroll and Ajax Pagination",
"vendor": "sbthemes",
"versions": [
{
"lessThanOrEqual": "1.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "cuokon"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.8 via the \u0027settings\u0027 parameter in the \u0027import_settings\u0027 function. This is due to deserialization of untrusted data supplied via the import configuration feature without capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No POP chain is present within the vulnerable plugin itself, but if a POP chain is present via an additional plugin or theme installed on the target system, it could allow an attacker to delete arbitrary files, retrieve sensitive data, or execute code."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T05:32:36.905Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a8eb3ec8-0784-4702-86bf-a621b288e7a0?source=cve"
},
{
"url": "https://codecanyon.net/item/woocommerce-infinite-scroll-and-ajax-pagination/10192075"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-30T18:49:49.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-28T16:45:07.000Z",
"value": "Disclosed"
}
],
"title": "WooCommerce Infinite Scroll and Ajax Pagination \u003c= 1.8 - Authenticated (Subscriber+) PHP Object Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11993",
"datePublished": "2026-05-29T05:32:36.905Z",
"dateReserved": "2025-10-20T20:07:27.819Z",
"dateUpdated": "2026-05-29T10:06:43.473Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8732 (GCVE-0-2026-8732)
Vulnerability from cvelistv5 – Published: 2026-05-29 05:32 – Updated: 2026-05-29 10:06
Title
WP Maps Pro <= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax AJAX Action
Summary
The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmp_temp_access_ajax AJAX action being registered with wp_ajax_nopriv_ and protected only by a nonce check using the fc-call-nonce nonce, which is publicly embedded into every frontend page via wp_localize_script as the nonce field of the wpgmp_local JavaScript object, rendering the check ineffective as an access control mechanism. This makes it possible for unauthenticated attackers to invoke the wpgmp_temp_access_support handler with check_temp=false, which unconditionally creates a new WordPress user with the hardcoded role of administrator via wp_insert_user() and returns a magic login URL that, when visited, calls wp_set_auth_cookie() to fully authenticate the attacker as the newly created administrator, resulting in complete site takeover.
Severity
9.8 (Critical)
CWE
- CWE-306 - Missing Authentication for Critical Function
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| flippercode | WP Maps Pro | Affected: 0, ≤ 6.0.4 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8732",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T10:02:06.385518Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T10:06:56.863Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Maps Pro",
"vendor": "flippercode",
"versions": [
{
"lessThanOrEqual": "6.0.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "David Brown"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmp_temp_access_ajax AJAX action being registered with wp_ajax_nopriv_ and protected only by a nonce check using the fc-call-nonce nonce, which is publicly embedded into every frontend page via wp_localize_script as the nonce field of the wpgmp_local JavaScript object, rendering the check ineffective as an access control mechanism. This makes it possible for unauthenticated attackers to invoke the wpgmp_temp_access_support handler with check_temp=false, which unconditionally creates a new WordPress user with the hardcoded role of administrator via wp_insert_user() and returns a magic login URL that, when visited, calls wp_set_auth_cookie() to fully authenticate the attacker as the newly created administrator, resulting in complete site takeover."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T05:32:36.013Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/65988550-d39d-40be-8d25-647e7237062d?source=cve"
},
{
"url": "https://codecanyon.net/item/advanced-google-maps-plugin-for-wordpress/5211638"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-28T16:51:57.000Z",
"value": "Disclosed"
}
],
"title": "WP Maps Pro \u003c= 6.1.0 - Unauthenticated Privilege Escalation via Administrator Account Creation to wpgmp_temp_access_ajax AJAX Action"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8732",
"datePublished": "2026-05-29T05:32:36.013Z",
"dateReserved": "2026-05-16T10:10:10.883Z",
"dateUpdated": "2026-05-29T10:06:56.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6275 (GCVE-0-2026-6275)
Vulnerability from cvelistv5 – Published: 2026-05-29 05:32 – Updated: 2026-05-29 10:07
Title
StatCounter <= 2.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via Author Nickname
Summary
The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.1. This is due to insufficient output escaping on the post author's nickname in the statcounter_addToTags() function. The function is hooked to wp_head and fires on every single post page. It retrieves the post author's nickname via the_author_meta() and echoes it directly into a JavaScript double-quoted string context inside a <script> block without applying esc_js() or any equivalent JavaScript-context escaping. This makes it possible for authenticated attackers with Author-level access and above to inject arbitrary web scripts into pages that will execute whenever any user (including unauthenticated visitors) accesses a post authored by the attacker.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| statcounter | StatCounter – Free Real Time Visitor Stats | Affected: 0, ≤ 2.1.1 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6275",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T10:02:26.217798Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T10:07:11.779Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "StatCounter \u2013 Free Real Time Visitor Stats",
"vendor": "statcounter",
"versions": [
{
"lessThanOrEqual": "2.1.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ZAST.AI"
}
],
"descriptions": [
{
"lang": "en",
"value": "The StatCounter \u2013 Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.1. This is due to insufficient output escaping on the post author\u0027s nickname in the statcounter_addToTags() function. The function is hooked to wp_head and fires on every single post page. It retrieves the post author\u0027s nickname via the_author_meta() and echoes it directly into a JavaScript double-quoted string context inside a \u003cscript\u003e block without applying esc_js() or any equivalent JavaScript-context escaping. This makes it possible for authenticated attackers with Author-level access and above to inject arbitrary web scripts into pages that will execute whenever any user (including unauthenticated visitors) accesses a post authored by the attacker."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T05:32:35.478Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/30e0bf40-7f7b-43e6-8439-6dc00a889344?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/official-statcounter-plugin-for-wordpress/trunk/StatCounter-Wordpress-Plugin.php#L274"
},
{
"url": "https://plugins.trac.wordpress.org/browser/official-statcounter-plugin-for-wordpress/tags/2.1.1/StatCounter-Wordpress-Plugin.php#L274"
},
{
"url": "https://plugins.trac.wordpress.org/browser/official-statcounter-plugin-for-wordpress/trunk/StatCounter-Wordpress-Plugin.php#L266"
},
{
"url": "https://plugins.trac.wordpress.org/browser/official-statcounter-plugin-for-wordpress/tags/2.1.1/StatCounter-Wordpress-Plugin.php#L266"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fofficial-statcounter-plugin-for-wordpress/tags/2.1.1\u0026new_path=%2Fofficial-statcounter-plugin-for-wordpress/tags/2.1.2"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-28T17:02:14.000Z",
"value": "Disclosed"
}
],
"title": "StatCounter \u003c= 2.1.1 - Authenticated (Author+) Stored Cross-Site Scripting via Author Nickname"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-6275",
"datePublished": "2026-05-29T05:32:35.478Z",
"dateReserved": "2026-04-14T13:44:26.816Z",
"dateUpdated": "2026-05-29T10:07:11.779Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2128 (GCVE-0-2026-2128)
Vulnerability from cvelistv5 – Published: 2026-05-29 03:39 – Updated: 2026-05-29 10:07
Title
Breeze Cache <= 2.5.2 - Unauthenticated Exposure of Sensitive Information to an Unauthorized Actor via Crafted Login Cookie
Summary
The Breeze plugin for WordPress is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor in all versions up to, and including, 2.5.2. This is due to improper verification of the `wordpress_logged_in_` cookie in the `inc/cache/execute-cache.php` file when the "Cache Logged-in Users" setting is enabled. The plugin parses the username directly from the cookie value (e.g., `username|hash`) using `substr()` to retrieve the corresponding cache file but fails to verify the session's cryptographic signature or validity with WordPress core. This makes it possible for unauthenticated attackers to supply a crafted cookie (e.g., `wordpress_logged_in_fake=admin|fake`) to trick the plugin into serving the cached HTML content generated for an administrator, leading to the disclosure of sensitive information such as private posts (including their full content), the Admin Bar, WordPress nonces, and other data visible only to logged-in administrators or other users.
Severity
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
7 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| cloudways | Breeze Cache | Affected: 0, ≤ 2.5.2 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2128",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T10:02:35.493268Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T10:07:26.626Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Breeze Cache",
"vendor": "cloudways",
"versions": [
{
"lessThanOrEqual": "2.5.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen Ngoc Duc"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Breeze plugin for WordPress is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor in all versions up to, and including, 2.5.2. This is due to improper verification of the `wordpress_logged_in_` cookie in the `inc/cache/execute-cache.php` file when the \"Cache Logged-in Users\" setting is enabled. The plugin parses the username directly from the cookie value (e.g., `username|hash`) using `substr()` to retrieve the corresponding cache file but fails to verify the session\u0027s cryptographic signature or validity with WordPress core. This makes it possible for unauthenticated attackers to supply a crafted cookie (e.g., `wordpress_logged_in_fake=admin|fake`) to trick the plugin into serving the cached HTML content generated for an administrator, leading to the disclosure of sensitive information such as private posts (including their full content), the Admin Bar, WordPress nonces, and other data visible only to logged-in administrators or other users."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T03:39:08.827Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f0b6c41d-833e-4ad4-bdb6-c38fef3eb7f4?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/breeze/trunk/inc/cache/execute-cache.php#L140"
},
{
"url": "https://plugins.trac.wordpress.org/browser/breeze/tags/2.2.24/inc/cache/execute-cache.php#L140"
},
{
"url": "https://plugins.trac.wordpress.org/browser/breeze/tags/2.2.24/inc/cache/execute-cache.php#L132"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3456822/breeze/trunk/inc/cache/execute-cache.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fbreeze/tags/2.2.24\u0026new_path=%2Fbreeze/tags/2.3.0"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fbreeze/tags/2.5.2\u0026new_path=%2Fbreeze/tags/2.5.3"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-28T14:55:00.000Z",
"value": "Disclosed"
}
],
"title": "Breeze Cache \u003c= 2.5.2 - Unauthenticated Exposure of Sensitive Information to an Unauthorized Actor via Crafted Login Cookie"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2128",
"datePublished": "2026-05-29T03:39:08.827Z",
"dateReserved": "2026-02-06T19:47:59.101Z",
"dateUpdated": "2026-05-29T10:07:26.626Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8995 (GCVE-0-2026-8995)
Vulnerability from cvelistv5 – Published: 2026-05-29 02:27 – Updated: 2026-05-29 10:07
Title
Poll Maker by AYS <= 6.3.7 - Authenticated (Subscriber+) Sensitive Information Exposure in 'ays_poll_get_user_information' AJAX Action
Summary
The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 6.3.7. This is due to insufficient access controls on the 'ays_poll_get_user_information' AJAX action, which serializes and returns the complete WP_User object — including the user_pass (bcrypt password hash), user_email, user_login, user_registered, roles, and all capabilities — without any nonce verification or capability check beyond is_user_logged_in(). This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive account data including their own password hash, which WordPress does not expose through any of its standard interfaces and which can be leveraged for offline password-cracking attacks.
Severity
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
9 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ays-pro | Poll Maker by AYS – Versus Polls, Anonymous Polls, Image Polls |
Affected:
0 , ≤ 6.3.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8995",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T10:02:42.910315Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T10:07:40.915Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Poll Maker by AYS \u2013 Versus Polls, Anonymous Polls, Image Polls",
"vendor": "ays-pro",
"versions": [
{
"lessThanOrEqual": "6.3.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Satoo Nakano"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Poll Maker \u2013 Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 6.3.7. This is due to insufficient access controls on the \u0027ays_poll_get_user_information\u0027 AJAX action, which serializes and returns the complete WP_User object \u2014 including the user_pass (bcrypt password hash), user_email, user_login, user_registered, roles, and all capabilities \u2014 without any nonce verification or capability check beyond is_user_logged_in(). This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve sensitive account data including their own password hash, which WordPress does not expose through any of its standard interfaces and which can be leveraged for offline password-cracking attacks."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T02:27:46.380Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5d1ff79e-5246-422a-ae75-20763e7acd17?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/poll-maker/tags/6.3.7/public/class-poll-maker-ays-public.php#L2967"
},
{
"url": "https://plugins.trac.wordpress.org/browser/poll-maker/tags/6.3.7/includes/class-poll-maker-ays.php#L318"
},
{
"url": "https://plugins.trac.wordpress.org/browser/poll-maker/tags/6.3.7/public/class-poll-maker-ays-public.php#L2960"
},
{
"url": "https://plugins.trac.wordpress.org/browser/poll-maker/tags/6.2.7/public/class-poll-maker-ays-public.php#L2967"
},
{
"url": "https://plugins.trac.wordpress.org/browser/poll-maker/tags/6.2.7/includes/class-poll-maker-ays.php#L318"
},
{
"url": "https://plugins.trac.wordpress.org/browser/poll-maker/tags/6.2.7/public/class-poll-maker-ays-public.php#L2960"
},
{
"url": "https://plugins.trac.wordpress.org/browser/poll-maker/tags/6.3.8/public/class-poll-maker-ays-public.php#L2959"
},
{
"url": "https://plugins.trac.wordpress.org/browser/poll-maker/tags/6.3.8/includes/class-poll-maker-ays.php#L318"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-19T13:45:06.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-28T13:39:45.000Z",
"value": "Disclosed"
}
],
"title": "Poll Maker by AYS \u003c= 6.3.7 - Authenticated (Subscriber+) Sensitive Information Exposure in \u0027ays_poll_get_user_information\u0027 AJAX Action"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8995",
"datePublished": "2026-05-29T02:27:46.380Z",
"dateReserved": "2026-05-19T13:29:26.247Z",
"dateUpdated": "2026-05-29T10:07:40.915Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7430 (GCVE-0-2026-7430)
Vulnerability from cvelistv5 – Published: 2026-05-29 02:27 – Updated: 2026-05-29 10:07
Title
Post Snippets <= 4.0.19 - Authenticated (Administrator+) Stored Cross-Site Scripting via Import
Summary
The Post Snippets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.0.19. This is due to insufficient output escaping of imported snippet content when rendering JavaScript variables in the post editor. Specifically, the `jqueryUiDialog()` method in `WPEditor.php` embeds snippet content directly into JavaScript string literals without escaping double quotes (the quote-escaping code on line 214 is commented out). When snippets are imported via the Import/Export feature, the content bypasses WordPress's `wp_magic_quotes()` (which would otherwise add protective backslashes), allowing double quotes in snippet content to break out of the JavaScript string context. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts via a malicious import file that execute whenever any administrator accesses a post editor page. Please note that this does not affect single-site installations as administrators already have the `unfiltered_html` capability.
Severity
4.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| saadiqbal | Post Snippets – Custom WordPress Code Snippets Customizer |
Affected:
0 , ≤ 4.0.19
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7430",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T10:02:50.720346Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T10:07:55.722Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Post Snippets \u2013 Custom WordPress Code Snippets Customizer",
"vendor": "saadiqbal",
"versions": [
{
"lessThanOrEqual": "4.0.19",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Albatross George"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Post Snippets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.0.19. This is due to insufficient output escaping of imported snippet content when rendering JavaScript variables in the post editor. Specifically, the `jqueryUiDialog()` method in `WPEditor.php` embeds snippet content directly into JavaScript string literals without escaping double quotes (the quote-escaping code on line 214 is commented out). When snippets are imported via the Import/Export feature, the content bypasses WordPress\u0027s `wp_magic_quotes()` (which would otherwise add protective backslashes), allowing double quotes in snippet content to break out of the JavaScript string context. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts via a malicious import file that execute whenever any administrator accesses a post editor page. Please note that this does not affect single-site installations as administrators already have the `unfiltered_html` capability."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T02:27:45.625Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/59dc2448-491c-478f-a784-c727057b126b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/post-snippets/tags/4.0.19/src/PostSnippets/WPEditor.php#L218"
},
{
"url": "https://plugins.trac.wordpress.org/browser/post-snippets/trunk/src/PostSnippets/WPEditor.php#L218"
},
{
"url": "https://plugins.trac.wordpress.org/browser/post-snippets/tags/4.0.19/src/PostSnippets/DBTable.php#L114"
},
{
"url": "https://plugins.trac.wordpress.org/browser/post-snippets/trunk/src/PostSnippets/DBTable.php#L114"
},
{
"url": "https://plugins.trac.wordpress.org/browser/post-snippets/tags/4.1.1/src/PostSnippets/WPEditor.php#L20"
},
{
"url": "https://plugins.trac.wordpress.org/browser/post-snippets/tags/4.1.1/src/PostSnippets/WPEditor.php#L221"
},
{
"url": "https://plugins.trac.wordpress.org/browser/post-snippets/tags/4.1.1/src/PostSnippets/WPEditor.php#L227"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-29T15:31:17.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-28T13:41:27.000Z",
"value": "Disclosed"
}
],
"title": "Post Snippets \u003c= 4.0.19 - Authenticated (Administrator+) Stored Cross-Site Scripting via Import"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-7430",
"datePublished": "2026-05-29T02:27:45.625Z",
"dateReserved": "2026-04-29T15:15:58.743Z",
"dateUpdated": "2026-05-29T10:07:55.722Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8809 (GCVE-0-2026-8809)
Vulnerability from cvelistv5 – Published: 2026-05-28 22:27 – Updated: 2026-05-29 10:08
Title
Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to '_acf_post_id' Parameter
Summary
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the after_validate_save_post() function unconditionally trusting the attacker-controlled _acf_post_id POST parameter — with no authentication or integrity verification — to select a cleanup branch that silently discards all validation errors not prefixed with acfe:. This makes it possible for unauthenticated attackers to suppress both the role allow-list validation error added by acfe_field_user_roles::validate_front_value() and the administrator-role capability guard error added by acfe_module_form_action_user::validate_action(), causing wp_insert_user() to execute with an attacker-supplied administrator role argument and resulting in the creation of a new administrator-level user account. Exploitation requires the target site to expose a public ACFE frontend form configured with a Create User action that maps a role field.
Severity
9.8 (Critical)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hwk-fr | Advanced Custom Fields: Extended |
Affected:
0 , ≤ 0.9.2.5
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8809",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T10:03:00.555711Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T10:08:09.995Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Advanced Custom Fields: Extended",
"vendor": "hwk-fr",
"versions": [
{
"lessThanOrEqual": "0.9.2.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "daroo"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the after_validate_save_post() function unconditionally trusting the attacker-controlled _acf_post_id POST parameter \u2014 with no authentication or integrity verification \u2014 to select a cleanup branch that silently discards all validation errors not prefixed with acfe:. This makes it possible for unauthenticated attackers to suppress both the role allow-list validation error added by acfe_field_user_roles::validate_front_value() and the administrator-role capability guard error added by acfe_module_form_action_user::validate_action(), causing wp_insert_user() to execute with an attacker-supplied administrator role argument and resulting in the creation of a new administrator-level user account. Exploitation requires the target site to expose a public ACFE frontend form configured with a Create User action that maps a role field."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T22:27:27.387Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd332f49-5aa9-4207-89db-84692a6430e0?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.4/includes/module-acf.php#L141"
},
{
"url": "https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.4/includes/hooks.php#L636"
},
{
"url": "https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.4/includes/modules/form/module-form-action-user.php#L715"
},
{
"url": "https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.4/includes/modules/form/module-form-front.php#L94"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3551665/acf-extended"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-27T10:28:29.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-28T10:09:02.000Z",
"value": "Disclosed"
}
],
"title": "Advanced Custom Fields: Extended \u003c= 0.9.2.5 - Unauthenticated Privilege Escalation via Validation Bypass to \u0027_acf_post_id\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8809",
"datePublished": "2026-05-28T22:27:27.387Z",
"dateReserved": "2026-05-18T06:34:31.899Z",
"dateUpdated": "2026-05-29T10:08:09.995Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4334 (GCVE-0-2026-4334)
Vulnerability from cvelistv5 – Published: 2026-05-28 08:27 – Updated: 2026-05-28 10:31
Title
Shariff Wrapper <= 4.6.20 - Authenticated (Contributor+) Cross-Site Scripting
Summary
The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'headline' parameter in the [shariff] shortcode in all versions up to, and including, 4.6.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability occurs because the plugin uses a custom wp_kses implementation with permissive allowed HTML tags, and then performs a str_replace operation that injects HTML after sanitization, allowing event handlers to be introduced through the %total placeholder in the style attribute.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| 3uu | Shariff Wrapper |
Affected:
0 , ≤ 4.6.20
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4334",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T10:09:43.921367Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T10:31:28.554Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Shariff Wrapper",
"vendor": "3uu",
"versions": [
{
"lessThanOrEqual": "4.6.20",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027headline\u0027 parameter in the [shariff] shortcode in all versions up to, and including, 4.6.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability occurs because the plugin uses a custom wp_kses implementation with permissive allowed HTML tags, and then performs a str_replace operation that injects HTML after sanitization, allowing event handlers to be introduced through the %total placeholder in the style attribute."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T08:27:38.853Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e037d22a-3d4d-4f70-a749-6d6c552c7553?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/shariff/trunk/shariff.php#L1143"
},
{
"url": "https://plugins.trac.wordpress.org/browser/shariff/trunk/shariff.php#L1144"
},
{
"url": "https://plugins.trac.wordpress.org/browser/shariff/trunk/shariff.php#L965"
},
{
"url": "https://plugins.trac.wordpress.org/browser/shariff/trunk/shariff.php#L868"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3532532%40shariff\u0026new=3532532%40shariff\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-17T06:27:54.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-27T19:48:38.000Z",
"value": "Disclosed"
}
],
"title": "Shariff Wrapper \u003c= 4.6.20 - Authenticated (Contributor+) Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4334",
"datePublished": "2026-05-28T08:27:38.853Z",
"dateReserved": "2026-03-17T14:11:01.203Z",
"dateUpdated": "2026-05-28T10:31:28.554Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6226 (GCVE-0-2026-6226)
Vulnerability from cvelistv5 – Published: 2026-05-28 08:27 – Updated: 2026-05-28 10:31
Title
Frontend Admin by DynamiApps <= 3.29.2 - Unauthenticated Privilege Escalation via Form Configuration Injection
Summary
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to and including 3.29.2. This is due to insecure form submission handling that accepts arbitrary form definitions from user input instead of securely loading them from the backend. When $_POST['_acf_form'] is an array (rather than a form ID), the validate_form() function bypasses database lookup and directly processes the attacker-controlled structure. The create_record() function preserves attacker-supplied record data if present, and the user action's run() function falls back to attacker-controlled field definitions from $form['fields'] when legitimate fields cannot be found. The role field's pre_update_value() validation reads $field['role_options'] from this attacker-controlled definition, allowing an attacker to specify ['administrator'] as an allowed role and bypass the security check. This makes it possible for unauthenticated attackers to create administrator accounts by injecting a custom form configuration with a spoofed role field.
Severity
8.8 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
10 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| shabti | Frontend Admin by DynamiApps |
Affected:
0 , ≤ 3.29.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6226",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T10:09:51.368944Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T10:31:42.500Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Frontend Admin by DynamiApps",
"vendor": "shabti",
"versions": [
{
"lessThanOrEqual": "3.29.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "daroo"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to and including 3.29.2. This is due to insecure form submission handling that accepts arbitrary form definitions from user input instead of securely loading them from the backend. When $_POST[\u0027_acf_form\u0027] is an array (rather than a form ID), the validate_form() function bypasses database lookup and directly processes the attacker-controlled structure. The create_record() function preserves attacker-supplied record data if present, and the user action\u0027s run() function falls back to attacker-controlled field definitions from $form[\u0027fields\u0027] when legitimate fields cannot be found. The role field\u0027s pre_update_value() validation reads $field[\u0027role_options\u0027] from this attacker-controlled definition, allowing an attacker to specify [\u0027administrator\u0027] as an allowed role and bypass the security check. This makes it possible for unauthenticated attackers to create administrator accounts by injecting a custom form configuration with a spoofed role field."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T08:27:38.286Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/123e1758-3384-4ea7-96dd-d6adcce40392?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/trunk/main/frontend/fields/user/class-role.php#L107"
},
{
"url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.33/main/frontend/fields/user/class-role.php#L107"
},
{
"url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/trunk/main/frontend/forms/actions/user.php#L458"
},
{
"url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.33/main/frontend/forms/actions/user.php#L458"
},
{
"url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/trunk/main/frontend/forms/classes/submit.php#L124"
},
{
"url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.33/main/frontend/forms/classes/submit.php#L124"
},
{
"url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/trunk/main/frontend/forms/classes/display.php#L245"
},
{
"url": "https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.33/main/frontend/forms/classes/display.php#L245"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3525193%40acf-frontend-form-element\u0026new=3525193%40acf-frontend-form-element\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-13T14:22:50.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-27T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Frontend Admin by DynamiApps \u003c= 3.29.2 - Unauthenticated Privilege Escalation via Form Configuration Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-6226",
"datePublished": "2026-05-28T08:27:38.286Z",
"dateReserved": "2026-04-13T14:07:38.949Z",
"dateUpdated": "2026-05-28T10:31:42.500Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6937 (GCVE-0-2026-6937)
Vulnerability from cvelistv5 – Published: 2026-05-28 07:43 – Updated: 2026-05-28 10:31
Title
Appointment Booking Calendar <= 1.6.11.8 - Missing Authorization to Unauthenticated Arbitrary Modification via Bulk Appointments REST API Endpoint
Summary
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.11.8 due to the plugin not properly verifying that a user is authorized to perform an action via the bulk appointments REST API endpoint. This makes it possible for unauthenticated attackers to modify arbitrary appointment records including customer PII, payment status, and meeting URL fields, and to expose full customer PII from existing appointment records via the bulk endpoint response. The public nonce is a static, user-independent value present in the HTML source of any page hosting the [ssa_booking] shortcode, meaning any visitor who has viewed such a page can obtain it and target any appointment in the system without authentication.
Severity
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
11 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| croixhaug | Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin |
Affected:
0 , ≤ 1.6.11.8
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6937",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T10:09:59.992945Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T10:31:56.999Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin",
"vendor": "croixhaug",
"versions": [
{
"lessThanOrEqual": "1.6.11.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "winrace"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.11.8 due to the plugin not properly verifying that a user is authorized to perform an action via the bulk appointments REST API endpoint. This makes it possible for unauthenticated attackers to modify arbitrary appointment records including customer PII, payment status, and meeting URL fields, and to expose full customer PII from existing appointment records via the bulk endpoint response. The public nonce is a static, user-independent value present in the HTML source of any page hosting the [ssa_booking] shortcode, meaning any visitor who has viewed such a page can obtain it and target any appointment in the system without authentication."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T07:43:43.859Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ef0f5f9d-788a-4cf8-9747-ada076a69a1f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/class-bootstrap.php#L151"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/lib/td-util/class-td-api-model.php#L74"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.11.0/includes/lib/td-util/class-td-api-model.php#L74"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/class-appointment-model.php#L724"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.11.0/includes/class-appointment-model.php#L724"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.11.0/includes/class-bootstrap.php#L151"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.10.0/includes/lib/td-util/class-td-api-model.php#L74"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.10.0/includes/class-appointment-model.php#L724"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.10.0/includes/class-bootstrap.php#L151"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3549843%40simply-schedule-appointments\u0026new=3549843%40simply-schedule-appointments\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-23T19:26:29.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-27T19:43:02.000Z",
"value": "Disclosed"
}
],
"title": "Appointment Booking Calendar \u003c= 1.6.11.8 - Missing Authorization to Unauthenticated Arbitrary Modification via Bulk Appointments REST API Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-6937",
"datePublished": "2026-05-28T07:43:43.859Z",
"dateReserved": "2026-04-23T19:11:14.213Z",
"dateUpdated": "2026-05-28T10:31:56.999Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8689 (GCVE-0-2026-8689)
Vulnerability from cvelistv5 – Published: 2026-05-28 07:43 – Updated: 2026-05-28 10:32
Title
Visualizer: Tables and Charts Manager for WordPress <= 3.11.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Chart Creation and Modification via renderChartPages() and uploadData() Functions
Summary
The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.11.14. This is due to a missing capability check on the renderChartPages() and uploadData() functions, where the wp_ajax_visualizer-create-chart and wp_ajax_visualizer-edit-chart AJAX actions invoke renderChartPages() without any current_user_can() check, and wp_ajax_visualizer-upload-data invokes uploadData() which also lacks a capability check and validates its nonce without an action argument, making it trivially bypassable. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary chart posts and access or modify chart data belonging to other users, including administrators.
Severity
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themeisle | Visualizer: Tables and Charts Manager for WordPress | Affected: 0 , ≤ 3.11.14 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8689",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T10:10:48.268434Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T10:32:10.513Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Visualizer: Tables and Charts Manager for WordPress",
"vendor": "themeisle",
"versions": [
{
"lessThanOrEqual": "3.11.14",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "David Fern\u00e1ndez Morilla"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.11.14. This is due to a missing capability check on the renderChartPages() and uploadData() functions, where the wp_ajax_visualizer-create-chart and wp_ajax_visualizer-edit-chart AJAX actions invoke renderChartPages() without any current_user_can() check, and wp_ajax_visualizer-upload-data invokes uploadData() which also lacks a capability check and validates its nonce without an action argument, making it trivially bypassable. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary chart posts and access or modify chart data belonging to other users, including administrators."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T07:43:43.470Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d18e9696-0f96-4478-9871-a93ac2976c11?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/visualizer/tags/4.0.1/classes/Visualizer/Module/Chart.php#L531"
},
{
"url": "https://plugins.trac.wordpress.org/browser/visualizer/tags/4.0.1/classes/Visualizer/Module/Chart.php#L1221"
},
{
"url": "https://plugins.trac.wordpress.org/browser/visualizer/tags/4.0.1/classes/Visualizer/Module/Chart.php#L56"
},
{
"url": "https://plugins.trac.wordpress.org/browser/visualizer/tags/3.11.14/classes/Visualizer/Module/Chart.php#L531"
},
{
"url": "https://plugins.trac.wordpress.org/browser/visualizer/tags/3.11.14/classes/Visualizer/Module/Chart.php#L1221"
},
{
"url": "https://plugins.trac.wordpress.org/browser/visualizer/tags/3.11.14/classes/Visualizer/Module/Chart.php#L56"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3474710"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-15T14:56:45.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-27T19:31:18.000Z",
"value": "Disclosed"
}
],
"title": "Visualizer: Tables and Charts Manager for WordPress \u003c= 3.11.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Chart Creation and Modification via renderChartPages() and uploadData() Functions"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8689",
"datePublished": "2026-05-28T07:43:43.470Z",
"dateReserved": "2026-05-15T14:41:35.110Z",
"dateUpdated": "2026-05-28T10:32:10.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9015 (GCVE-0-2026-9015)
Vulnerability from cvelistv5 – Published: 2026-05-28 07:43 – Updated: 2026-05-28 10:32
Title
Equalize Digital Accessibility Checker <= 1.42.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Accessibility Issue Modification via edac_insert_ignore_data AJAX Action
Summary
The Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the ignore state, ignore reason, and ignore comment of arbitrary accessibility issues across the entire site — including mass modification of all rows sharing an 'object' identifier when largeBatch=true is supplied — corrupting accessibility audit integrity by hiding or dismissing findings outside their authorization scope.
Severity
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
10 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| equalizedigital | Equalize Digital Accessibility Checker – WCAG, ADA, EAA and Section 508 compliance | Affected: 0 , ≤ 1.42.0 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9015",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T10:10:26.941471Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T10:32:25.512Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Equalize Digital Accessibility Checker \u2013 WCAG, ADA, EAA and Section 508 compliance",
"vendor": "equalizedigital",
"versions": [
{
"lessThanOrEqual": "1.42.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Herlangga Maulani"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Equalize Digital Accessibility Checker \u2013 WCAG, ADA, EAA and Section 508 compliance plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.42.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the ignore state, ignore reason, and ignore comment of arbitrary accessibility issues across the entire site \u2014 including mass modification of all rows sharing an \u0027object\u0027 identifier when largeBatch=true is supplied \u2014 corrupting accessibility audit integrity by hiding or dismissing findings outside their authorization scope."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T07:43:43.050Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/613fc64a-1206-4a11-b945-216068b9339a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.41.0/admin/class-ajax.php#L856"
},
{
"url": "https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.41.0/admin/class-ajax.php#L814"
},
{
"url": "https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.41.0/admin/class-ajax.php#L40"
},
{
"url": "https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.41.0/admin/class-enqueue-admin.php#L89"
},
{
"url": "https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.38.0/admin/class-ajax.php#L856"
},
{
"url": "https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.38.0/admin/class-ajax.php#L814"
},
{
"url": "https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.38.0/admin/class-ajax.php#L40"
},
{
"url": "https://plugins.trac.wordpress.org/browser/accessibility-checker/tags/1.38.0/admin/class-enqueue-admin.php#L89"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3539961%40accessibility-checker\u0026new=3539961%40accessibility-checker\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-20T17:09:38.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-27T18:52:56.000Z",
"value": "Disclosed"
}
],
"title": "Equalize Digital Accessibility Checker \u003c= 1.42.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Accessibility Issue Modification via edac_insert_ignore_data AJAX Action"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9015",
"datePublished": "2026-05-28T07:43:43.050Z",
"dateReserved": "2026-05-19T14:28:17.653Z",
"dateUpdated": "2026-05-28T10:32:25.512Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7048 (GCVE-0-2026-7048)
Vulnerability from cvelistv5 – Published: 2026-05-28 07:43 – Updated: 2026-05-28 10:32
Title
Photo Gallery by 10Web <= 1.8.40 - Authenticated (Contributor+) SQL Injection via 'order_by' Shortcode Attribute
Summary
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order_by' parameter in all versions up to, and including, 1.8.40 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is exploitable by embedding a malicious shortcode in a post or draft, allowing the injected SQL to execute when the shortcode is rendered.
Severity
6.5 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
10 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| 10web | Photo Gallery by 10Web – Mobile-Friendly Image Gallery | Affected: 0 , ≤ 1.8.40 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7048",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T10:10:40.412233Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T10:32:39.004Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Photo Gallery by 10Web \u2013 Mobile-Friendly Image Gallery",
"vendor": "10web",
"versions": [
{
"lessThanOrEqual": "1.8.40",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Or Benit"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Photo Gallery by 10Web \u2013 Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based blind SQL Injection via the \u0027order_by\u0027 parameter in all versions up to, and including, 1.8.40 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is exploitable by embedding a malicious shortcode in a post or draft, allowing the injected SQL to execute when the shortcode is rendered."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T07:43:42.650Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/27394b03-3604-4fb0-950f-e1f838cabb05?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.39/framework/WDWLibrary.php#L1351"
},
{
"url": "https://plugins.trac.wordpress.org/browser/photo-gallery/trunk/framework/WDWLibrary.php#L1351"
},
{
"url": "https://plugins.trac.wordpress.org/browser/photo-gallery/trunk/photo-gallery.php#L789"
},
{
"url": "https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.39/photo-gallery.php#L789"
},
{
"url": "https://plugins.trac.wordpress.org/browser/photo-gallery/trunk/framework/WDWLibrary.php#L2112"
},
{
"url": "https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.39/framework/WDWLibrary.php#L2112"
},
{
"url": "https://plugins.trac.wordpress.org/browser/photo-gallery/trunk/frontend/controllers/controller.php#L354"
},
{
"url": "https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.39/frontend/controllers/controller.php#L354"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3532364%40photo-gallery\u0026new=3532364%40photo-gallery\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-25T17:46:34.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-27T19:36:32.000Z",
"value": "Disclosed"
}
],
"title": "Photo Gallery by 10Web \u003c= 1.8.40 - Authenticated (Contributor+) SQL Injection via \u0027order_by\u0027 Shortcode Attribute"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-7048",
"datePublished": "2026-05-28T07:43:42.650Z",
"dateReserved": "2026-04-25T17:31:21.734Z",
"dateUpdated": "2026-05-28T10:32:39.004Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7526 (GCVE-0-2026-7526)
Vulnerability from cvelistv5 – Published: 2026-05-28 07:43 – Updated: 2026-05-28 10:32
Title
PDF Embedder <= 4.9.3 - Authenticated (Contributor+) Information Exposure via Block Editor Page
Summary
The PDF Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.3 via the enqueue_block_assets. This makes it possible for authenticated attackers, with contributor-level access and above, to extract configuration data. License key exposure occurs when the premium add-on is also installed and has saved a key; on Lite-only installations, the exposed data is limited to non-sensitive viewer configuration values such as width, height, toolbar settings, usage tracking, and plan.
Severity
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | PDF Embedder | Affected: 0 , ≤ 4.9.3 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7526",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T10:25:00.865799Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T10:32:52.986Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PDF Embedder",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "4.9.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The PDF Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.3 via the enqueue_block_assets. This makes it possible for authenticated attackers, with contributor-level access and above, to extract configuration data. License key exposure occurs when the premium add-on is also installed and has saved a key; on Lite-only installations, the exposed data is limited to non-sensitive viewer configuration values such as width, height, toolbar settings, usage tracking, and plan."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T07:43:41.869Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e0f2516-0fa7-415e-868e-6bd259bc6546?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pdf-embedder/trunk/src/Plugin.php#L224"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pdf-embedder/tags/4.9.3/src/Plugin.php#L224"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pdf-embedder/trunk/src/Plugin.php#L204"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pdf-embedder/tags/4.9.3/src/Plugin.php#L204"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3531901/pdf-embedder/trunk/src/Plugin.php?old=3429550\u0026old_path=pdf-embedder%2Ftrunk%2Fsrc%2FPlugin.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-30T17:41:16.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-27T18:49:03.000Z",
"value": "Disclosed"
}
],
"title": "PDF Embedder \u003c= 4.9.3 - Authenticated (Contributor+) Information Exposure via Block Editor Page"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-7526",
"datePublished": "2026-05-28T07:43:41.869Z",
"dateReserved": "2026-04-30T17:26:08.252Z",
"dateUpdated": "2026-05-28T10:32:52.986Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7052 (GCVE-0-2026-7052)
Vulnerability from cvelistv5 – Published: 2026-05-28 06:45 – Updated: 2026-05-28 10:33
Title
HT Contact Form <= 2.8.2 - Unauthenticated Stored Cross-Site Scripting via File Upload Field
Summary
The HT Contact Form – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'file_upload' parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the 'Store Submissions' setting to be enabled, as this controls whether unsanitized field values are persisted to the database and subsequently rendered via dangerouslySetInnerHTML in the admin entry viewer.
Severity
7.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
12 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| htplugins | HT Contact Form – Drag & Drop Form Builder for WordPress | Affected: 0 , ≤ 2.8.2 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7052",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T10:10:56.370655Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T10:33:10.091Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HT Contact Form \u2013 Drag \u0026 Drop Form Builder for WordPress",
"vendor": "htplugins",
"versions": [
{
"lessThanOrEqual": "2.8.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Azril Fathoni"
}
],
"descriptions": [
{
"lang": "en",
"value": "The HT Contact Form \u2013 Drag \u0026 Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027file_upload\u0027 parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the \u0027Store Submissions\u0027 setting to be enabled, as this controls whether unsanitized field values are persisted to the database and subsequently rendered via dangerouslySetInnerHTML in the admin entry viewer."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T06:45:43.237Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/edb0ee0c-1eab-4988-9eb6-cc0c253fee15?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ht-contactform/trunk/admin/Includes/Api/Endpoints/Submission.php#L403"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ht-contactform/tags/2.8.2/admin/Includes/Api/Endpoints/Submission.php#L403"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ht-contactform/trunk/admin/Includes/Models/Entries.php#L298"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ht-contactform/tags/2.8.2/admin/Includes/Models/Entries.php#L298"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ht-contactform/trunk/admin/Includes/Api/Endpoints/Submission.php#L126"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ht-contactform/tags/2.8.2/admin/Includes/Api/Endpoints/Submission.php#L126"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ht-contactform/trunk/admin/Includes/Api/Endpoints/Submission.php#L108"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ht-contactform/tags/2.8.2/admin/Includes/Api/Endpoints/Submission.php#L108"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ht-contactform/trunk/admin/dist/bundle.js#L2"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ht-contactform/tags/2.8.2/admin/dist/bundle.js#L2"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3521197%40ht-contactform%2Ftrunk\u0026old=3499444%40ht-contactform%2Ftrunk"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-25T19:03:10.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-27T18:06:02.000Z",
"value": "Disclosed"
}
],
"title": "HT Contact Form \u003c= 2.8.2 - Unauthenticated Stored Cross-Site Scripting via File Upload Field"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-7052",
"datePublished": "2026-05-28T06:45:43.237Z",
"dateReserved": "2026-04-25T18:47:55.013Z",
"dateUpdated": "2026-05-28T10:33:10.091Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7797 (GCVE-0-2026-7797)
Vulnerability from cvelistv5 – Published: 2026-05-28 06:45 – Updated: 2026-05-28 10:33
Title
Appointment Booking Calendar <= 1.6.11.8 - Unauthenticated SQL Injection via 'append_where_sql' Parameter
Summary
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'append_where_sql' parameter in all versions up to, and including, 1.6.11.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The /appointments/bulk REST endpoint is reachable by unauthenticated attackers because its permission check accepts a public nonce that is embedded in the booking widget's frontend JavaScript (ssa.api.public_nonce) and visible to all site visitors; exploitation requires issuing the request as a PUT with an application/x-www-form-urlencoded body so that PHP's superglobals are not populated and the blocklist check silently passes.
Severity
7.5 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
11 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| croixhaug | Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin | Affected: 0 , ≤ 1.6.11.8 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7797",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T10:25:09.853835Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T10:33:24.502Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin",
"vendor": "croixhaug",
"versions": [
{
"lessThanOrEqual": "1.6.11.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "daroo"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Appointment Booking Calendar \u2014 Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to time-based blind SQL Injection via the \u0027append_where_sql\u0027 parameter in all versions up to, and including, 1.6.11.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The /appointments/bulk REST endpoint is reachable by unauthenticated attackers because its permission check accepts a public nonce that is embedded in the booking widget\u0027s frontend JavaScript (ssa.api.public_nonce) and visible to all site visitors; exploitation requires issuing the request as a PUT with an application/x-www-form-urlencoded body so that PHP\u0027s superglobals are not populated and the blocklist check silently passes."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T06:45:42.854Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/db3bddbd-44b0-4105-9039-0d669d643481?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/lib/td-util/class-td-db-model.php#L1049"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.11.2/includes/lib/td-util/class-td-db-model.php#L1049"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/lib/td-util/class-td-api-model.php#L304"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.11.2/includes/lib/td-util/class-td-api-model.php#L304"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/trunk/includes/lib/td-util/class-td-api-model.php#L361"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.11.2/includes/lib/td-util/class-td-api-model.php#L361"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.10.2/includes/lib/td-util/class-td-db-model.php#L1049"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.10.2/includes/lib/td-util/class-td-api-model.php#L304"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simply-schedule-appointments/tags/1.6.10.2/includes/lib/td-util/class-td-api-model.php#L361"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3549843/simply-schedule-appointments/tags/1.6.11.9/includes/lib/td-util/class-td-db-model.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-04T19:25:28.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-27T18:30:22.000Z",
"value": "Disclosed"
}
],
"title": "Appointment Booking Calendar \u003c= 1.6.11.8 - Unauthenticated SQL Injection via \u0027append_where_sql\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-7797",
"datePublished": "2026-05-28T06:45:42.854Z",
"dateReserved": "2026-05-04T19:10:12.014Z",
"dateUpdated": "2026-05-28T10:33:24.502Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8682 (GCVE-0-2026-8682)
Vulnerability from cvelistv5 – Published: 2026-05-28 06:45 – Updated: 2026-05-28 10:33
Title
3D Viewer <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification via settings REST endpoint
Summary
The 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin settings by writing arbitrary data to the ar_try_on_settings option in the database via the /wp-json/ar_try_on/v1/settings REST endpoint.
Severity
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hasanazizul | 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On |
Affected:
0 , ≤ 2.0.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8682",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T10:25:17.834878Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T10:33:38.952Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "3D Viewer \u2013 3D Model Viewer \u2013 Augmented Reality \u2013 Virtual Try On",
"vendor": "hasanazizul",
"versions": [
{
"lessThanOrEqual": "2.0.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abhirup Konwar"
}
],
"descriptions": [
{
"lang": "en",
"value": "The 3D Viewer \u2013 3D Model Viewer \u2013 Augmented Reality \u2013 Virtual Try On plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin settings by writing arbitrary data to the ar_try_on_settings option in the database via the /wp-json/ar_try_on/v1/settings REST endpoint."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T06:45:42.465Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bfcd914c-3c12-4e6a-bb05-38d42ce411d4?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ar-vr-3d-model-try-on/tags/2.0.1/api/AR_TRY_ON_Api_Routes.php#L102"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ar-vr-3d-model-try-on/tags/2.0.1/api/AR_TRY_ON_Api_Routes.php#L358"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ar-vr-3d-model-try-on/tags/2.0.1/api/AR_TRY_ON_Api_Routes.php#L40"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ar-vr-3d-model-try-on/tags/1.9.0/api/AR_TRY_ON_Api_Routes.php#L102"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ar-vr-3d-model-try-on/tags/1.9.0/api/AR_TRY_ON_Api_Routes.php#L358"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ar-vr-3d-model-try-on/tags/1.9.0/api/AR_TRY_ON_Api_Routes.php#L40"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3536110%40ar-vr-3d-model-try-on\u0026new=3536110%40ar-vr-3d-model-try-on\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-15T14:41:20.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-27T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "3D Viewer \u003c= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Modification via settings REST endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8682",
"datePublished": "2026-05-28T06:45:42.465Z",
"dateReserved": "2026-05-15T13:40:00.628Z",
"dateUpdated": "2026-05-28T10:33:38.952Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7660 (GCVE-0-2026-7660)
Vulnerability from cvelistv5 – Published: 2026-05-28 06:45 – Updated: 2026-05-28 10:33
Title
Easy Updates Manager <= 9.0.20 - Reflected Cross-Site Scripting via 'paged' Parameter
Summary
The Easy Updates Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'paged' parameter in versions up to, and including, 9.0.20. This is due to insufficient input sanitization and output escaping in the pagination() function. This makes it possible for attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, provided they can trick an administrator into performing an action such as clicking on a link.
Severity
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
7 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| davidanderson | Easy Updates Manager |
Affected:
0 , ≤ 9.0.20
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7660",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T10:26:58.298078Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T10:33:53.918Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easy Updates Manager",
"vendor": "davidanderson",
"versions": [
{
"lessThanOrEqual": "9.0.20",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Updates Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u0027paged\u0027 parameter in versions up to, and including, 9.0.20. This is due to insufficient input sanitization and output escaping in the pagination() function. This makes it possible for attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, provided they can trick an administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T06:45:42.024Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bbbd989c-4d69-45c9-bcb9-44f9ab98b969?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/stops-core-theme-and-plugin-updates/trunk/includes/MPSUM_List_Table.php#L800"
},
{
"url": "https://plugins.trac.wordpress.org/browser/stops-core-theme-and-plugin-updates/tags/9.0.20/includes/MPSUM_List_Table.php#L800"
},
{
"url": "https://plugins.trac.wordpress.org/browser/stops-core-theme-and-plugin-updates/trunk/includes/MPSUM_Plugins_List_Table.php#L55"
},
{
"url": "https://plugins.trac.wordpress.org/browser/stops-core-theme-and-plugin-updates/tags/9.0.20/includes/MPSUM_Plugins_List_Table.php#L55"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3531188/stops-core-theme-and-plugin-updates/trunk/includes/MPSUM_List_Table.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fstops-core-theme-and-plugin-updates/tags/9.0.20\u0026new_path=%2Fstops-core-theme-and-plugin-updates/tags/9.0.21"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-01T19:43:31.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-27T18:13:25.000Z",
"value": "Disclosed"
}
],
"title": "Easy Updates Manager \u003c= 9.0.20 - Reflected Cross-Site Scripting via \u0027paged\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-7660",
"datePublished": "2026-05-28T06:45:42.024Z",
"dateReserved": "2026-05-01T19:28:13.961Z",
"dateUpdated": "2026-05-28T10:33:53.918Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6455 (GCVE-0-2026-6455)
Vulnerability from cvelistv5 – Published: 2026-05-28 06:45 – Updated: 2026-05-28 10:34
Title
WP Contact Form 7 DB Handler <= 3.0 - Cross-Site Request Forgery to Arbitrary File Deletion via 'contact_form' Parameter
Summary
The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Deletion via SQL Injection and PHP Object Injection in versions up to and including 3.0. This is due to a missing nonce verification in the process_bulk_action() function: the nonce check is only executed when _wpnonce is present in the POST body, allowing it to be trivially bypassed by omitting the field, combined with the use of an unsanitized, unparameterized user-supplied value in a numeric SQL context (WHERE ID = $ID) and the unsafe deserialization of the query result's post_content field. An attacker can craft a CSRF page that tricks a logged-in administrator into triggering a UNION-based SQL injection payload (using CHAR() to avoid esc_sql quote-escaping) that returns a malicious serialized PHP array as post_content; upon deserialization, array values associated with keys containing 'ys_cfdbh_file' are used as file paths appended to the uploads directory path without any path traversal validation, and then passed to wp_delete_file(), allowing the attacker to delete arbitrary files on the server (e.g., wp-config.php, system files).
Severity
8.1 (High)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
10 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| yudiz | WP Contact Form 7 DB Handler |
Affected:
0 , ≤ 3.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6455",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T10:27:04.354033Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T10:34:08.834Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Contact Form 7 DB Handler",
"vendor": "yudiz",
"versions": [
{
"lessThanOrEqual": "3.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Louis Deschanel"
},
{
"lang": "en",
"type": "finder",
"value": "Pascal SUN"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Deletion via SQL Injection and PHP Object Injection in versions up to and including 3.0. This is due to a missing nonce verification in the process_bulk_action() function: the nonce check is only executed when _wpnonce is present in the POST body, allowing it to be trivially bypassed by omitting the field, combined with the use of an unsanitized, unparameterized user-supplied value in a numeric SQL context (WHERE ID = $ID) and the unsafe deserialization of the query result\u0027s post_content field. An attacker can craft a CSRF page that tricks a logged-in administrator into triggering a UNION-based SQL injection payload (using CHAR() to avoid esc_sql quote-escaping) that returns a malicious serialized PHP array as post_content; upon deserialization, array values associated with keys containing \u0027ys_cfdbh_file\u0027 are used as file paths appended to the uploads directory path without any path traversal validation, and then passed to wp_delete_file(), allowing the attacker to delete arbitrary files on the server (e.g., wp-config.php, system files)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T06:45:41.596Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/96cdba03-7385-4374-915d-061be0276a95?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-contact-form-7-db-handler/trunk/include/form-inner-page-class.php#L615"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-contact-form-7-db-handler/tags/3.0/include/form-inner-page-class.php#L615"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-contact-form-7-db-handler/trunk/include/form-inner-page-class.php#L589"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-contact-form-7-db-handler/tags/3.0/include/form-inner-page-class.php#L589"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-contact-form-7-db-handler/trunk/include/form-inner-page-class.php#L605"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-contact-form-7-db-handler/tags/3.0/include/form-inner-page-class.php#L605"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-contact-form-7-db-handler/trunk/include/form-inner-page-class.php#L607"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-contact-form-7-db-handler/tags/3.0/include/form-inner-page-class.php#L607"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3520240%40wp-contact-form-7-db-handler\u0026new=3520240%40wp-contact-form-7-db-handler\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-16T20:32:22.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-27T18:05:02.000Z",
"value": "Disclosed"
}
],
"title": "WP Contact Form 7 DB Handler \u003c= 3.0 - Cross-Site Request Forgery to Arbitrary File Deletion via \u0027contact_form\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-6455",
"datePublished": "2026-05-28T06:45:41.596Z",
"dateReserved": "2026-04-16T20:17:12.219Z",
"dateUpdated": "2026-05-28T10:34:08.834Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7621 (GCVE-0-2026-7621)
Vulnerability from cvelistv5 – Published: 2026-05-28 06:45 – Updated: 2026-05-28 10:34
Title
SMTP2GO for WordPress <= 1.16.0 - Missing Authorization to Authenticated (Subscriber+) Log Read/Truncate
Summary
The SMTP2GO for WordPress – Email Made Easy plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.16.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to truncate all SMTP2GO log records from the database or download a CSV export of all SMTP log data including recipient addresses, sender addresses, message subjects, and API response data.
Severity
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
11 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smtp2go | SMTP2GO for WordPress – Email Made Easy |
Affected:
0 , ≤ 1.16.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7621",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T10:27:12.233092Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T10:34:23.935Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SMTP2GO for WordPress \u2013 Email Made Easy",
"vendor": "smtp2go",
"versions": [
{
"lessThanOrEqual": "1.16.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "darkestmode"
}
],
"descriptions": [
{
"lang": "en",
"value": "The SMTP2GO for WordPress \u2013 Email Made Easy plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.16.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to truncate all SMTP2GO log records from the database or download a CSV export of all SMTP log data including recipient addresses, sender addresses, message subjects, and API response data."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T06:45:41.169Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6424de06-95ca-4148-9b24-0df0a2a8871d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/smtp2go/trunk/app/WordpressPluginAdmin.php#L75"
},
{
"url": "https://plugins.trac.wordpress.org/browser/smtp2go/tags/1.14.1/app/WordpressPluginAdmin.php#L75"
},
{
"url": "https://plugins.trac.wordpress.org/browser/smtp2go/trunk/app/WordpressPluginAdmin.php#L85"
},
{
"url": "https://plugins.trac.wordpress.org/browser/smtp2go/tags/1.14.1/app/WordpressPluginAdmin.php#L85"
},
{
"url": "https://plugins.trac.wordpress.org/browser/smtp2go/trunk/app/WordpressPlugin.php#L135"
},
{
"url": "https://plugins.trac.wordpress.org/browser/smtp2go/tags/1.14.1/app/WordpressPlugin.php#L135"
},
{
"url": "https://plugins.trac.wordpress.org/browser/smtp2go/tags/1.14.0/app/WordpressPluginAdmin.php#L75"
},
{
"url": "https://plugins.trac.wordpress.org/browser/smtp2go/tags/1.14.0/app/WordpressPluginAdmin.php#L85"
},
{
"url": "https://plugins.trac.wordpress.org/browser/smtp2go/tags/1.14.0/app/WordpressPlugin.php#L135"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3546743%40smtp2go\u0026new=3546743%40smtp2go\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-01T23:59:20.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-27T17:42:00.000Z",
"value": "Disclosed"
}
],
"title": "SMTP2GO for WordPress \u003c= 1.16.0 - Missing Authorization to Authenticated (Subscriber+) Log Read/Truncate"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-7621",
"datePublished": "2026-05-28T06:45:41.169Z",
"dateReserved": "2026-05-01T13:31:23.314Z",
"dateUpdated": "2026-05-28T10:34:23.935Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}