Search criteria
8898 vulnerabilities
CVE-2026-2385 (GCVE-0-2026-2385)
Vulnerability from cvelistv5 – Published: 2026-02-22 08:24 – Updated: 2026-02-22 08:24
VLAI?
Title
The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.4.7 - Unauthenticated Email Relay
Summary
The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.4.7. This is due to the plugin decrypting and trusting attacker-controlled email_data in an unauthenticated AJAX handler without cryptographic authenticity guarantees. This makes it possible for unauthenticated attackers to tamper with form email routing and redirection values to trigger unauthorized email relay and attacker-controlled redirection via the 'email_data' parameter.
Severity ?
5.3 (Medium)
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| posimyththemes | The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce |
Affected:
* , ≤ 6.4.7
(semver)
|
Credits
Quốc Huy
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "The Plus Addons for Elementor \u2013 Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce",
"vendor": "posimyththemes",
"versions": [
{
"lessThanOrEqual": "6.4.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qu\u1ed1c Huy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The The Plus Addons for Elementor \u2013 Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.4.7. This is due to the plugin decrypting and trusting attacker-controlled email_data in an unauthenticated AJAX handler without cryptographic authenticity guarantees. This makes it possible for unauthenticated attackers to tamper with form email routing and redirection values to trigger unauthorized email relay and attacker-controlled redirection via the \u0027email_data\u0027 parameter."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345 Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-22T08:24:44.635Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9176535c-8e37-4a18-b458-a71c4a84daa4?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3463156/the-plus-addons-for-elementor-page-builder"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-11T23:50:11.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-21T19:49:02.000Z",
"value": "Disclosed"
}
],
"title": "The Plus Addons for Elementor \u2013 Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce \u003c= 6.4.7 - Unauthenticated Email Relay"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2385",
"datePublished": "2026-02-22T08:24:44.635Z",
"dateReserved": "2026-02-11T22:53:35.124Z",
"dateUpdated": "2026-02-22T08:24:44.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1787 (GCVE-0-2026-1787)
Vulnerability from cvelistv5 – Published: 2026-02-21 10:37 – Updated: 2026-02-21 10:37
VLAI?
Title
LearnPress Export Import <= 4.1.0 - Missing Authentication to Unauthenticated Migrated Course Deletion
Summary
The LearnPress Export Import – WordPress extension for LearnPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'delete_migrated_data' function in all versions up to, and including, 4.1.0. This makes it possible for unauthenticated attackers to delete course that have been migrated from Tutor LMS. The Tutor LMS plugin must be installed and activated in order to exploit the vulnerability.
Severity ?
4.8 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| thimpress | LearnPress – Backup & Migration Tool |
Affected:
* , ≤ 4.1.0
(semver)
|
Credits
Osvaldo Noe Gonzalez Del Rio
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LearnPress \u2013 Backup \u0026 Migration Tool",
"vendor": "thimpress",
"versions": [
{
"lessThanOrEqual": "4.1.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Osvaldo Noe Gonzalez Del Rio"
}
],
"descriptions": [
{
"lang": "en",
"value": "The LearnPress Export Import \u2013 WordPress extension for LearnPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the \u0027delete_migrated_data\u0027 function in all versions up to, and including, 4.1.0. This makes it possible for unauthenticated attackers to delete course that have been migrated from Tutor LMS. The Tutor LMS plugin must be installed and activated in order to exploit the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-21T10:37:17.153Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7bde915d-092a-452b-a0e0-ce5c2ce203dc?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress-import-export/tags/4.1.0/inc/Migration/Controllers/TutorMigrationController.php#L55"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3458589/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-04T03:25:32.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-11T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "LearnPress Export Import \u003c= 4.1.0 - Missing Authentication to Unauthenticated Migrated Course Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1787",
"datePublished": "2026-02-21T10:37:17.153Z",
"dateReserved": "2026-02-03T01:03:46.808Z",
"dateUpdated": "2026-02-21T10:37:17.153Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14339 (GCVE-0-2025-14339)
Vulnerability from cvelistv5 – Published: 2026-02-21 09:27 – Updated: 2026-02-21 09:27
VLAI?
Title
weMail <= 2.0.7 - Missing Authorization to Unauthenticated Form Deletion
Summary
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. This is due to the `Forms::permission()` callback only validating the `X-WP-Nonce` header without checking user capabilities. Since the REST nonce is exposed to unauthenticated visitors via the `weMail` JavaScript object on pages with weMail forms, any unauthenticated user can permanently delete all weMail forms by extracting the nonce from the page source and sending a DELETE request to the forms endpoint.
Severity ?
6.5 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wedevs | weMail: Email Marketing, Email Automation, Newsletters, Subscribers & eCommerce Email Optins |
Affected:
* , ≤ 2.0.7
(semver)
|
Credits
Angus Girvan
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "weMail: Email Marketing, Email Automation, Newsletters, Subscribers \u0026 eCommerce Email Optins",
"vendor": "wedevs",
"versions": [
{
"lessThanOrEqual": "2.0.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Angus Girvan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. This is due to the `Forms::permission()` callback only validating the `X-WP-Nonce` header without checking user capabilities. Since the REST nonce is exposed to unauthenticated visitors via the `weMail` JavaScript object on pages with weMail forms, any unauthenticated user can permanently delete all weMail forms by extracting the nonce from the page source and sending a DELETE request to the forms endpoint."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-21T09:27:59.721Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/16dd90c3-3962-4c8e-993f-b6824c48ab76?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Forms.php#L124"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/FrontEnd/Scripts.php#L32"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Forms.php#L222"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3442404%40wemail%2Ftrunk\u0026old=3423372%40wemail%2Ftrunk\u0026sfp_email=\u0026sfph_mail=#file1"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-24T15:30:57.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-20T20:58:51.000Z",
"value": "Disclosed"
}
],
"title": "weMail \u003c= 2.0.7 - Missing Authorization to Unauthenticated Form Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14339",
"datePublished": "2026-02-21T09:27:59.721Z",
"dateReserved": "2025-12-09T14:06:01.519Z",
"dateUpdated": "2026-02-21T09:27:59.721Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2486 (GCVE-0-2026-2486)
Vulnerability from cvelistv5 – Published: 2026-02-20 11:26 – Updated: 2026-02-20 13:03
VLAI?
Title
Master Addons For Elementor <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'ma_el_bh_table_btn_text'
Summary
The Master Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ma_el_bh_table_btn_text' parameter in versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| litonice13 | Master Addons For Elementor – White Label, Free Widgets, Hover Effects, Conditions, & Animations |
Affected:
* , ≤ 2.1.1
(semver)
|
Credits
Thanakorn Bunsin
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2486",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T13:03:11.183225Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T13:03:26.807Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Master Addons For Elementor \u2013 White Label, Free Widgets, Hover Effects, Conditions, \u0026 Animations",
"vendor": "litonice13",
"versions": [
{
"lessThanOrEqual": "2.1.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thanakorn Bunsin"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Master Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027ma_el_bh_table_btn_text\u0027 parameter in versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T11:26:36.502Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a78c2621-afff-40b4-ae45-831b2b847756?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3461745/master-addons/tags/2.1.2/addons/ma-business-hours/ma-business-hours.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-13T20:59:27.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-19T23:25:04.000Z",
"value": "Disclosed"
}
],
"title": "Master Addons For Elementor \u003c= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027ma_el_bh_table_btn_text\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2486",
"datePublished": "2026-02-20T11:26:36.502Z",
"dateReserved": "2026-02-13T20:31:48.856Z",
"dateUpdated": "2026-02-20T13:03:26.807Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2384 (GCVE-0-2026-2384)
Vulnerability from cvelistv5 – Published: 2026-02-20 02:23 – Updated: 2026-02-20 16:25
VLAI?
Title
Quiz Maker <= 6.7.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Summary
The Quiz Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `vc_quizmaker` shortcode in all versions up to, and including, 6.7.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Note: This vulnerability requires WPBakery Page Builder to be installed and active
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ays-pro | Quiz Maker |
Affected:
* , ≤ 6.7.1.7
(semver)
|
Credits
Muhammad Yudha - DJ
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2384",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T16:25:01.074662Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T16:25:38.290Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Quiz Maker",
"vendor": "ays-pro",
"versions": [
{
"lessThanOrEqual": "6.7.1.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Quiz Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s `vc_quizmaker` shortcode in all versions up to, and including, 6.7.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.\r\nNote: This vulnerability requires WPBakery Page Builder to be installed and active"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T02:23:32.566Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e54e2831-e5e9-43f4-acb6-9cf00fdb4e57?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.1.7/pb_templates/quiz_maker_wpbvc.php#L13"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.1.7/pb_templates/quiz_maker_wpbvc.php#L60"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-31T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-02-11T22:44:35.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-19T13:25:41.000Z",
"value": "Disclosed"
}
],
"title": "Quiz Maker \u003c= 6.7.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2384",
"datePublished": "2026-02-20T02:23:32.566Z",
"dateReserved": "2026-02-11T22:29:12.029Z",
"dateUpdated": "2026-02-20T16:25:38.290Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2232 (GCVE-0-2026-2232)
Vulnerability from cvelistv5 – Published: 2026-02-19 16:24 – Updated: 2026-02-23 18:23
VLAI?
Title
Product Table and List Builder for WooCommerce Lite <= 4.6.2 - Unauthenticated Time-Based SQL Injection via 'search' Parameter
Summary
The Product Table and List Builder for WooCommerce Lite plugin for WordPress is vulnerable to time-based SQL Injection via the 'search' parameter in all versions up to, and including, 4.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity ?
7.5 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wcproducttable | Product Table and List Builder for WooCommerce Lite |
Affected:
* , ≤ 4.6.2
(semver)
|
Credits
Nguyen Ba Hung
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2232",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-23T18:22:45.286973Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T18:23:06.338Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Product Table and List Builder for WooCommerce Lite",
"vendor": "wcproducttable",
"versions": [
{
"lessThanOrEqual": "4.6.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen Ba Hung"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Product Table and List Builder for WooCommerce Lite plugin for WordPress is vulnerable to time-based SQL Injection via the \u0027search\u0027 parameter in all versions up to, and including, 4.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T16:24:56.496Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f2891f3d-9081-4a9f-8408-2373ce1d0306?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wc-product-table-lite/trunk/search.php#L549"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wc-product-table-lite/tags/4.6.2/search.php#L549"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wc-product-table-lite/trunk/search.php#L574"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wc-product-table-lite/tags/4.6.2/search.php#L574"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wc-product-table-lite/trunk/search.php#L598"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wc-product-table-lite/tags/4.6.2/search.php#L598"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3457877/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-09T18:26:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-18T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Product Table and List Builder for WooCommerce Lite \u003c= 4.6.2 - Unauthenticated Time-Based SQL Injection via \u0027search\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2232",
"datePublished": "2026-02-19T16:24:56.496Z",
"dateReserved": "2026-02-08T21:00:22.835Z",
"dateUpdated": "2026-02-23T18:23:06.338Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1581 (GCVE-0-2026-1581)
Vulnerability from cvelistv5 – Published: 2026-02-19 16:24 – Updated: 2026-02-23 18:24
VLAI?
Title
wpForo Forum <= 2.4.14 - Unauthenticated Time-Based SQL Injection
Summary
The wpForo Forum plugin for WordPress is vulnerable to time-based SQL Injection via the 'wpfob' parameter in all versions up to, and including, 2.4.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity ?
7.5 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| tomdever | wpForo Forum |
Affected:
* , ≤ 2.4.14
(semver)
|
Credits
Youssef Elouaer
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1581",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-23T18:24:12.557053Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T18:24:37.511Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "wpForo Forum",
"vendor": "tomdever",
"versions": [
{
"lessThanOrEqual": "2.4.14",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Youssef Elouaer"
}
],
"descriptions": [
{
"lang": "en",
"value": "The wpForo Forum plugin for WordPress is vulnerable to time-based SQL Injection via the \u0027wpfob\u0027 parameter in all versions up to, and including, 2.4.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T16:24:55.855Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c447dbb-f8fb-4b46-9c47-20ab7330bbaa?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpforo/trunk/classes/Topics.php#L1702"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpforo/trunk/wpforo.php#L1077"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3459801/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-29T00:22:56.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-18T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "wpForo Forum \u003c= 2.4.14 - Unauthenticated Time-Based SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1581",
"datePublished": "2026-02-19T16:24:55.855Z",
"dateReserved": "2026-01-29T00:06:54.407Z",
"dateUpdated": "2026-02-23T18:24:37.511Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1219 (GCVE-0-2026-1219)
Vulnerability from cvelistv5 – Published: 2026-02-19 09:26 – Updated: 2026-02-20 20:37
VLAI?
Title
MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar 4.0 - 5.10 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure
Summary
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load_track_note_ajax' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the contents of private posts.
Severity ?
5.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| sonaar | MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar |
Affected:
4.0 , ≤ 5.10
(semver)
|
Credits
Kenneth Dunn
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1219",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T20:37:24.748298Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T20:37:50.944Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MP3 Audio Player \u2013 Music Player, Podcast Player \u0026 Radio by Sonaar",
"vendor": "sonaar",
"versions": [
{
"lessThanOrEqual": "5.10",
"status": "affected",
"version": "4.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kenneth Dunn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The MP3 Audio Player \u2013 Music Player, Podcast Player \u0026 Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the \u0027load_track_note_ajax\u0027 due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the contents of private posts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T09:26:36.530Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce8fa964-d543-4d46-a534-e403dff4f425?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mp3-music-player-by-sonaar/tags/5.10/sonaar-music.php#L179"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mp3-music-player-by-sonaar/tags/5.10/public/class-sonaar-music-public.php#L323"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3453076/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-18T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "MP3 Audio Player \u2013 Music Player, Podcast Player \u0026 Radio by Sonaar 4.0 - 5.10 - Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1219",
"datePublished": "2026-02-19T09:26:36.530Z",
"dateReserved": "2026-01-20T01:27:06.784Z",
"dateUpdated": "2026-02-20T20:37:50.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2718 (GCVE-0-2026-2718)
Vulnerability from cvelistv5 – Published: 2026-02-19 09:26 – Updated: 2026-02-20 20:38
VLAI?
Title
Dealia <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gutenberg Block Attributes
Summary
The Dealia – Request a Quote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Gutenberg block attributes in all versions up to, and including, 1.0.6. This is due to the use of `wp_kses()` for output escaping within HTML attribute contexts where `esc_attr()` is required. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| dealia | Dealia – Request a quote |
Affected:
* , ≤ 1.0.6
(semver)
|
Credits
Ronnachai Sretawat Na Ayutaya
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2718",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T20:38:35.399621Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T20:38:49.824Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Dealia \u2013 Request a quote",
"vendor": "dealia",
"versions": [
{
"lessThanOrEqual": "1.0.6",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ronnachai Sretawat Na Ayutaya"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Dealia \u2013 Request a Quote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Gutenberg block attributes in all versions up to, and including, 1.0.6. This is due to the use of `wp_kses()` for output escaping within HTML attribute contexts where `esc_attr()` is required. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T09:26:36.089Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/617785d7-90b1-482c-bfff-9b5a63741415?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/trunk/templates/widgets/dealia-nonproduct-button.php#L7"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/templates/widgets/dealia-nonproduct-button.php#L7"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/trunk/functions.php#L9"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/functions.php#L9"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-18T21:07:11.000Z",
"value": "Disclosed"
}
],
"title": "Dealia \u003c= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gutenberg Block Attributes"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2718",
"datePublished": "2026-02-19T09:26:36.089Z",
"dateReserved": "2026-02-18T21:01:51.626Z",
"dateUpdated": "2026-02-20T20:38:49.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2716 (GCVE-0-2026-2716)
Vulnerability from cvelistv5 – Published: 2026-02-19 09:26 – Updated: 2026-02-20 20:39
VLAI?
Title
Client Testimonial Slider <= 2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Testimonial Heading' Setting
Summary
The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Testimonial Heading' setting in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity ?
4.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| amu02aftab | Client Testimonial Slider |
Affected:
* , ≤ 2.0
(semver)
|
Credits
Muhammad Nur Ibnu Hubab
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2716",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T20:39:30.256217Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T20:39:47.212Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Client Testimonial Slider",
"vendor": "amu02aftab",
"versions": [
{
"lessThanOrEqual": "2.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Nur Ibnu Hubab"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027Testimonial Heading\u0027 setting in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T09:26:35.600Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/583b5cd7-a33e-41d0-a389-ac36679d5f22?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-client-testimonial/trunk/include/testimonial-settings.php#L45"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-client-testimonial/tags/2.0/include/testimonial-settings.php#L45"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-18T20:59:42.000Z",
"value": "Disclosed"
}
],
"title": "Client Testimonial Slider \u003c= 2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via \u0027Testimonial Heading\u0027 Setting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2716",
"datePublished": "2026-02-19T09:26:35.600Z",
"dateReserved": "2026-02-18T20:59:30.749Z",
"dateUpdated": "2026-02-20T20:39:47.212Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1461 (GCVE-0-2026-1461)
Vulnerability from cvelistv5 – Published: 2026-02-19 09:26 – Updated: 2026-02-20 20:40
VLAI?
Title
Simple Membership <= 4.7.0 - Unauthenticated Improper Handling of Missing Values
Summary
The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting is configured, which is empty by default. This makes it possible for unauthenticated attackers to forge Stripe webhook events to manipulate membership subscriptions, including reactivating expired memberships without payment or canceling legitimate subscriptions, potentially leading to unauthorized access and service disruption.
Severity ?
6.5 (Medium)
CWE
- CWE-230 - Improper Handling of Missing Values
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpinsider-1 | Simple Membership |
Affected:
* , ≤ 4.7.0
(semver)
|
Credits
Rafał
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1461",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T20:40:19.154307Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T20:40:36.644Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Simple Membership",
"vendor": "wpinsider-1",
"versions": [
{
"lessThanOrEqual": "4.7.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafa\u0142"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Simple Membership plugin for WordPress is vulnerable to Improper Handling of Missing Values in all versions up to, and including, 4.7.0 via the Stripe webhook handler. This is due to the plugin only validating webhook signatures when the stripe-webhook-signing-secret setting is configured, which is empty by default. This makes it possible for unauthenticated attackers to forge Stripe webhook events to manipulate membership subscriptions, including reactivating expired memberships without payment or canceling legitimate subscriptions, potentially leading to unauthorized access and service disruption."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-230",
"description": "CWE-230 Improper Handling of Missing Values",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T09:26:34.833Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4e4df9a6-8f7d-428b-a596-0751ca047169?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-membership/trunk/ipn/swpm-stripe-webhook-handler.php#L26"
},
{
"url": "https://plugins.trac.wordpress.org/browser/simple-membership/trunk/classes/class.swpm-wp-loaded-tasks.php#L90"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3453404/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-28T03:25:47.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-18T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Simple Membership \u003c= 4.7.0 - Unauthenticated Improper Handling of Missing Values"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1461",
"datePublished": "2026-02-19T09:26:34.833Z",
"dateReserved": "2026-01-27T02:01:14.522Z",
"dateUpdated": "2026-02-20T20:40:36.644Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1994 (GCVE-0-2026-1994)
Vulnerability from cvelistv5 – Published: 2026-02-19 06:49 – Updated: 2026-02-19 21:20
VLAI?
Title
s2Member <= 260127 - Unauthenticated Privilege Escalation via Account Takeover
Summary
The s2Member plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 260127. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
Severity ?
9.8 (Critical)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| clavaque | s2Member – Excellent for All Kinds of Memberships, Content Restriction Paywalls & Member Access Subscriptions |
Affected:
* , ≤ 260127
(semver)
|
Credits
Alyudin Nafiie
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1994",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T21:20:12.391999Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T21:20:40.661Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "s2Member \u2013 Excellent for All Kinds of Memberships, Content Restriction Paywalls \u0026 Member Access Subscriptions",
"vendor": "clavaque",
"versions": [
{
"lessThanOrEqual": "260127",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alyudin Nafiie"
}
],
"descriptions": [
{
"lang": "en",
"value": "The s2Member plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 260127. This is due to the plugin not properly validating a user\u0027s identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s passwords, including administrators, and leverage that to gain access to their account."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T06:49:43.503Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6c31cf92-26b7-484d-8c93-ce241d655d07?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/s2member/tags/260127/src/includes/classes/registrations.inc.php#L74"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3461625/s2member#file5"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-18T18:11:15.000Z",
"value": "Disclosed"
}
],
"title": "s2Member \u003c= 260127 - Unauthenticated Privilege Escalation via Account Takeover"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1994",
"datePublished": "2026-02-19T06:49:43.503Z",
"dateReserved": "2026-02-05T16:34:36.592Z",
"dateUpdated": "2026-02-19T21:20:40.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1055 (GCVE-0-2026-1055)
Vulnerability from cvelistv5 – Published: 2026-02-19 04:36 – Updated: 2026-02-23 18:47
VLAI?
Title
TalkJS <= 0.1.15 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'welcomeMessage' Parameter
Summary
The TalkJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.1.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity ?
4.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Credits
Bhumividh Treloges
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1055",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-23T18:46:22.811619Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-23T18:47:26.948Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "TalkJS",
"vendor": "talkjs",
"versions": [
{
"lessThanOrEqual": "0.1.15",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bhumividh Treloges"
}
],
"descriptions": [
{
"lang": "en",
"value": "The TalkJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.1.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T04:36:28.335Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f91ed211-9703-44fb-a2f8-8d8da910b4c7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/talkjs/trunk/classes/admin/ui/SettingsPage.php#L276"
},
{
"url": "https://plugins.trac.wordpress.org/browser/talkjs/tags/0.1.15/classes/admin/ui/SettingsPage.php#L276"
},
{
"url": "https://plugins.trac.wordpress.org/browser/talkjs/trunk/classes/admin/ui/FieldBuilder.php#L147"
},
{
"url": "https://plugins.trac.wordpress.org/browser/talkjs/tags/0.1.15/classes/admin/ui/FieldBuilder.php#L147"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-18T15:58:50.000Z",
"value": "Disclosed"
}
],
"title": "TalkJS \u003c= 0.1.15 - Authenticated (Administrator+) Stored Cross-Site Scripting via \u0027welcomeMessage\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1055",
"datePublished": "2026-02-19T04:36:28.335Z",
"dateReserved": "2026-01-16T17:11:29.252Z",
"dateUpdated": "2026-02-23T18:47:26.948Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0722 (GCVE-0-2026-0722)
Vulnerability from cvelistv5 – Published: 2026-02-19 04:36 – Updated: 2026-02-24 01:31
VLAI?
Title
Shield Security <= 21.0.8 - Cross-Site Request Forgery to SQL Injection
Summary
The Shield Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 21.0.8. This is due to the plugin allowing nonce verification to be bypassed via user-supplied parameter in the 'isNonceVerifyRequired' function. This makes it possible for unauthenticated attackers to execute SQL injection attacks, extracting sensitive information from the database, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity ?
6.5 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| paultgoodchild | Shield: Blocks Bots, Protects Users, and Prevents Security Breaches |
Affected:
* , ≤ 21.0.8
(semver)
|
Credits
Dmitrii Ignatyev
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0722",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-24T01:31:07.258498Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T01:31:27.159Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Shield: Blocks Bots, Protects Users, and Prevents Security Breaches",
"vendor": "paultgoodchild",
"versions": [
{
"lessThanOrEqual": "21.0.8",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Shield Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 21.0.8. This is due to the plugin allowing nonce verification to be bypassed via user-supplied parameter in the \u0027isNonceVerifyRequired\u0027 function. This makes it possible for unauthenticated attackers to execute SQL injection attacks, extracting sensitive information from the database, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T04:36:27.820Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f53d9579-56e9-41aa-b6b7-2472734ee719?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-simple-firewall/tags/21.0.8/src/lib/src/ActionRouter/CaptureAjaxAction.php#L42"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-simple-firewall/tags/21.0.8/src/lib/src/ActionRouter/Actions/BaseAction.php#L125"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-simple-firewall/tags/21.0.8/src/lib/src/Tables/DataTables/LoadData/Traffic/BuildTrafficTableData.php#L114"
},
{
"url": "https://research.cleantalk.org/cve-2026-0722/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3439494%40wp-simple-firewall\u0026new=3439494%40wp-simple-firewall\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-26T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-02-18T16:19:04.000Z",
"value": "Disclosed"
}
],
"title": "Shield Security \u003c= 21.0.8 - Cross-Site Request Forgery to SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0722",
"datePublished": "2026-02-19T04:36:27.820Z",
"dateReserved": "2026-01-08T12:35:07.937Z",
"dateUpdated": "2026-02-24T01:31:27.159Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13851 (GCVE-0-2025-13851)
Vulnerability from cvelistv5 – Published: 2026-02-19 04:36 – Updated: 2026-02-19 21:24
VLAI?
Title
Buyent Theme (with Buyent Classified Plugin) <= 1.0.7 - Unauthenticated Privilege Escalation via User Registration
Summary
The Buyent Classified plugin for WordPress (bundled with Buyent theme) is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.0.7. This is due to the plugin not validating or restricting the user role during registration via the REST API endpoint. This makes it possible for unauthenticated attackers to register accounts with arbitrary roles, including administrator, by manipulating the _buyent_classified_user_type parameter during the registration process, granting them complete control over the WordPress site.
Severity ?
9.8 (Critical)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| scriptsbundle | Buyent |
Affected:
* , ≤ 1.0.7
(semver)
|
Credits
Ismail Syaleh
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13851",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T21:24:01.264002Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T21:24:16.175Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Buyent",
"vendor": "scriptsbundle",
"versions": [
{
"lessThanOrEqual": "1.0.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ismail Syaleh"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Buyent Classified plugin for WordPress (bundled with Buyent theme) is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.0.7. This is due to the plugin not validating or restricting the user role during registration via the REST API endpoint. This makes it possible for unauthenticated attackers to register accounts with arbitrary roles, including administrator, by manipulating the _buyent_classified_user_type parameter during the registration process, granting them complete control over the WordPress site."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T04:36:27.334Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f3e618cf-dd77-45a7-ab57-5732fd329883?source=cve"
},
{
"url": "https://themeforest.net/item/buyent-classified-wordpress-theme/32588790"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-18T15:39:26.000Z",
"value": "Disclosed"
}
],
"title": "Buyent Theme (with Buyent Classified Plugin) \u003c= 1.0.7 - Unauthenticated Privilege Escalation via User Registration"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13851",
"datePublished": "2026-02-19T04:36:27.334Z",
"dateReserved": "2025-12-01T20:07:37.511Z",
"dateUpdated": "2026-02-19T21:24:16.175Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1373 (GCVE-0-2026-1373)
Vulnerability from cvelistv5 – Published: 2026-02-19 04:36 – Updated: 2026-02-19 21:25
VLAI?
Title
Easy Author Image <= 1.7 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Profile Picture URL
Summary
The Easy Author Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'author_profile_picture_url' parameter in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| lawsonry | Easy Author Image |
Affected:
* , ≤ 1.7
(semver)
|
Credits
Nabil Irawan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1373",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T21:25:22.183459Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T21:25:54.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easy Author Image",
"vendor": "lawsonry",
"versions": [
{
"lessThanOrEqual": "1.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nabil Irawan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Author Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027author_profile_picture_url\u0027 parameter in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T04:36:26.857Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eaa53088-c383-4315-9871-b4ceb83f5fdb?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/easy-author-image/tags/1.7/easy-author-image.php#L149"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-12T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-02-18T15:53:59.000Z",
"value": "Disclosed"
}
],
"title": "Easy Author Image \u003c= 1.7 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Profile Picture URL"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1373",
"datePublished": "2026-02-19T04:36:26.857Z",
"dateReserved": "2026-01-23T16:49:30.413Z",
"dateUpdated": "2026-02-19T21:25:54.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2284 (GCVE-0-2026-2284)
Vulnerability from cvelistv5 – Published: 2026-02-19 04:36 – Updated: 2026-02-19 21:27
VLAI?
Title
News Element Elementor Blog Magazine <= 1.0.8 - Missing Authorization to Authenticated (Subscriber+) Data Loss
Summary
The News Element Elementor Blog Magazine plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.8. This is due to a missing capability check and nonce verification on the 'ne_clean_data' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to truncate 8 core WordPress database tables (posts, comments, terms, term_relationships, term_taxonomy, postmeta, commentmeta, termmeta) and delete the entire WordPress uploads directory, resulting in complete data loss.
Severity ?
5.4 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| webangon | News Element Elementor Blog Magazine |
Affected:
* , ≤ 1.0.8
(semver)
|
Credits
Abhirup Konwar
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2284",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T21:26:40.517449Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T21:27:00.808Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "News Element Elementor Blog Magazine",
"vendor": "webangon",
"versions": [
{
"lessThanOrEqual": "1.0.8",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abhirup Konwar"
}
],
"descriptions": [
{
"lang": "en",
"value": "The News Element Elementor Blog Magazine plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.8. This is due to a missing capability check and nonce verification on the \u0027ne_clean_data\u0027 AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to truncate 8 core WordPress database tables (posts, comments, terms, term_relationships, term_taxonomy, postmeta, commentmeta, termmeta) and delete the entire WordPress uploads directory, resulting in complete data loss."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T04:36:26.287Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e5d81318-c9da-4626-acfa-f092d2ce5fe9?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/news-element/trunk/admin/inc/dash.php#L206"
},
{
"url": "https://plugins.trac.wordpress.org/browser/news-element/tags/1.0.8/admin/inc/dash.php#L206"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-18T15:53:23.000Z",
"value": "Disclosed"
}
],
"title": "News Element Elementor Blog Magazine \u003c= 1.0.8 - Missing Authorization to Authenticated (Subscriber+) Data Loss"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2284",
"datePublished": "2026-02-19T04:36:26.287Z",
"dateReserved": "2026-02-10T14:40:00.956Z",
"dateUpdated": "2026-02-19T21:27:00.808Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1455 (GCVE-0-2026-1455)
Vulnerability from cvelistv5 – Published: 2026-02-19 04:36 – Updated: 2026-02-19 21:28
VLAI?
Title
Whatsiplus Scheduled Notification for Woocommerce <= 1.0.1 - Cross-Site Request Forgery to 'wsnfw_save_users_settings' AJAX Action
Summary
The Whatsiplus Scheduled Notification for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'wsnfw_save_users_settings' AJAX action. This makes it possible for unauthenticated attackers to modify plugin configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| whatsiplus | Whatsiplus Scheduled Notification for Woocommerce |
Affected:
* , ≤ 1.0.1
(semver)
|
Credits
Muhammad Afnaan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1455",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T21:27:49.457970Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T21:28:00.278Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Whatsiplus Scheduled Notification for Woocommerce",
"vendor": "whatsiplus",
"versions": [
{
"lessThanOrEqual": "1.0.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Afnaan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Whatsiplus Scheduled Notification for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the \u0027wsnfw_save_users_settings\u0027 AJAX action. This makes it possible for unauthenticated attackers to modify plugin configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T04:36:25.835Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e466640e-de66-42f0-b56b-226db32d382d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/whatsiplus-scheduled-notification-for-woocommerce/tags/1.0.1/inc/wsnfw-ajax-request.php#L85"
},
{
"url": "https://plugins.trac.wordpress.org/browser/whatsiplus-scheduled-notification-for-woocommerce/tags/1.0.1/inc/wsnfw-ajax-request.php#L84"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-18T15:52:18.000Z",
"value": "Disclosed"
}
],
"title": "Whatsiplus Scheduled Notification for Woocommerce \u003c= 1.0.1 - Cross-Site Request Forgery to \u0027wsnfw_save_users_settings\u0027 AJAX Action"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1455",
"datePublished": "2026-02-19T04:36:25.835Z",
"dateReserved": "2026-01-26T20:12:04.006Z",
"dateUpdated": "2026-02-19T21:28:00.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14445 (GCVE-0-2025-14445)
Vulnerability from cvelistv5 – Published: 2026-02-19 04:36 – Updated: 2026-02-19 21:28
VLAI?
Title
Image Hotspot by DevVN <= 1.2.9 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Field Meta
Summary
The Image Hotspot by DevVN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hotspot_content' custom field meta in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| levantoan | Image Hotspot by DevVN |
Affected:
* , ≤ 1.2.9
(semver)
|
Credits
Muhammad Yudha - DJ
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14445",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T21:28:46.548163Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T21:28:58.239Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Image Hotspot by DevVN",
"vendor": "levantoan",
"versions": [
{
"lessThanOrEqual": "1.2.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Image Hotspot by DevVN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027hotspot_content\u0027 custom field meta in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T04:36:25.358Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e41965eb-f8eb-4f40-b8f6-e415dff048cd?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/devvn-image-hotspot/tags/1.2.9/admin/inc/add_shortcode_devvn_ihotspot.php?marks=97#L97"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3417725%40devvn-image-hotspot\u0026new=3417725%40devvn-image-hotspot\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-10T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-02-18T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Image Hotspot by DevVN \u003c= 1.2.9 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Field Meta"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14445",
"datePublished": "2026-02-19T04:36:25.358Z",
"dateReserved": "2025-12-10T13:35:36.365Z",
"dateUpdated": "2026-02-19T21:28:58.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0926 (GCVE-0-2026-0926)
Vulnerability from cvelistv5 – Published: 2026-02-19 04:36 – Updated: 2026-02-19 21:11
VLAI?
Title
Prodigy Commerce <= 3.2.9 - Unauthenticated Local File Inclusion via parameters[template_name]
Summary
The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.2.9 via the 'parameters[template_name]' parameter. This makes it possible for unauthenticated attackers to include and read arbitrary files or execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Severity ?
9.8 (Critical)
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| prodigycommerce | Prodigy Commerce |
Affected:
* , ≤ 3.2.9
(semver)
|
Credits
Athiwat Tiprasaharn
Itthidej Aramsri
Waris Damkham
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0926",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T21:11:38.339964Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T21:11:51.648Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Prodigy Commerce",
"vendor": "prodigycommerce",
"versions": [
{
"lessThanOrEqual": "3.2.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
},
{
"lang": "en",
"type": "finder",
"value": "Itthidej Aramsri"
},
{
"lang": "en",
"type": "finder",
"value": "Waris Damkham"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.2.9 via the \u0027parameters[template_name]\u0027 parameter. This makes it possible for unauthenticated attackers to include and read arbitrary files or execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other \u201csafe\u201d file types can be uploaded and included."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T04:36:24.867Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/de255530-6b2d-426b-9f80-dbfebd2e3307?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/prodigy-commerce/trunk/includes/frontend/shortcodes/class-prodigy-short-code-my-account.php#L69"
},
{
"url": "https://plugins.trac.wordpress.org/browser/prodigy-commerce/trunk/includes/frontend/class-prodigy-public.php#L491"
},
{
"url": "https://plugins.trac.wordpress.org/browser/prodigy-commerce/trunk/includes/helpers/class-prodigy-template.php#L55"
},
{
"url": "https://plugins.trac.wordpress.org/browser/prodigy-commerce/tags/3.2.9/includes/helpers/class-prodigy-template.php#L55"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-18T15:52:33.000Z",
"value": "Disclosed"
}
],
"title": "Prodigy Commerce \u003c= 3.2.9 - Unauthenticated Local File Inclusion via parameters[template_name]"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0926",
"datePublished": "2026-02-19T04:36:24.867Z",
"dateReserved": "2026-01-13T21:22:20.386Z",
"dateUpdated": "2026-02-19T21:11:51.648Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14357 (GCVE-0-2025-14357)
Vulnerability from cvelistv5 – Published: 2026-02-19 04:36 – Updated: 2026-02-19 21:18
VLAI?
Title
Mega Store Woocommerce <= 5.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Page Creation and Settings Change
Summary
The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setup_widgets() function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary pages and modify site settings.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| misbahwp | Mega Store Woocommerce |
Affected:
* , ≤ 5.9
(semver)
|
Credits
John Peace
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14357",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T21:15:27.620086Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T21:18:31.802Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mega Store Woocommerce",
"vendor": "misbahwp",
"versions": [
{
"lessThanOrEqual": "5.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "John Peace"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setup_widgets() function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary pages and modify site settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T04:36:24.395Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cbe3ce13-ce92-423f-b190-1b2c3dc74b82?source=cve"
},
{
"url": "https://themes.trac.wordpress.org/browser/mega-store-woocommerce/trunk/core/includes/importer/whizzie.php#L668"
},
{
"url": "https://themes.trac.wordpress.org/browser/mega-store-woocommerce/5.6/core/includes/importer/whizzie.php#L668"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-18T15:50:48.000Z",
"value": "Disclosed"
}
],
"title": "Mega Store Woocommerce \u003c= 5.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Page Creation and Settings Change"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14357",
"datePublished": "2026-02-19T04:36:24.395Z",
"dateReserved": "2025-12-09T16:42:08.562Z",
"dateUpdated": "2026-02-19T21:18:31.802Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0561 (GCVE-0-2026-0561)
Vulnerability from cvelistv5 – Published: 2026-02-19 04:36 – Updated: 2026-02-19 21:14
VLAI?
Title
Shield Security <= 21.0.8 - Unauthenticated Reflected Cross-Site Scripting via 'message' Parameter
Summary
The Shield Security plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'message' parameter in all versions up to, and including, 21.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| paultgoodchild | Shield: Blocks Bots, Protects Users, and Prevents Security Breaches |
Affected:
* , ≤ 21.0.8
(semver)
|
Credits
Dmitrii Ignatyev
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0561",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T21:14:47.532106Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T21:14:59.387Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Shield: Blocks Bots, Protects Users, and Prevents Security Breaches",
"vendor": "paultgoodchild",
"versions": [
{
"lessThanOrEqual": "21.0.8",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Shield Security plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u0027message\u0027 parameter in all versions up to, and including, 21.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T04:36:23.952Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cb49eb5f-c1ff-4440-8b53-c2515e65da27?source=cve"
},
{
"url": "https://research.cleantalk.org/cve-2026-0561"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3439494%40wp-simple-firewall\u0026new=3439494%40wp-simple-firewall\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-25T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-02-18T16:17:44.000Z",
"value": "Disclosed"
}
],
"title": "Shield Security \u003c= 21.0.8 - Unauthenticated Reflected Cross-Site Scripting via \u0027message\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0561",
"datePublished": "2026-02-19T04:36:23.952Z",
"dateReserved": "2026-01-01T22:13:21.759Z",
"dateUpdated": "2026-02-19T21:14:59.387Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2504 (GCVE-0-2026-2504)
Vulnerability from cvelistv5 – Published: 2026-02-19 04:36 – Updated: 2026-02-19 21:14
VLAI?
Title
Dealia – Request a quote <= 1.0.6 - Missing Authorization to Authenticated (Contributor+) Plugin Configuration Reset
Summary
The Dealia – Request a quote plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple AJAX handlers in all versions up to, and including, 1.0.6. The admin nonce (DEALIA_ADMIN_NONCE) is exposed to all users with edit_posts capability (Contributor+) via wp_localize_script() in PostsController.php, while the AJAX handlers in AdminSettingsController.php only verify the nonce without checking current_user_can('manage_options'). This makes it possible for authenticated attackers, with Contributor-level access and above, to reset the plugin configuration.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| dealia | Dealia – Request a quote |
Affected:
* , ≤ 1.0.6
(semver)
|
Credits
Ronnachai Sretawat Na Ayutaya
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2504",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T21:14:05.072101Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T21:14:23.380Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Dealia \u2013 Request a quote",
"vendor": "dealia",
"versions": [
{
"lessThanOrEqual": "1.0.6",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ronnachai Sretawat Na Ayutaya"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Dealia \u2013 Request a quote plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple AJAX handlers in all versions up to, and including, 1.0.6. The admin nonce (DEALIA_ADMIN_NONCE) is exposed to all users with edit_posts capability (Contributor+) via wp_localize_script() in PostsController.php, while the AJAX handlers in AdminSettingsController.php only verify the nonce without checking current_user_can(\u0027manage_options\u0027). This makes it possible for authenticated attackers, with Contributor-level access and above, to reset the plugin configuration."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T04:36:23.492Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c8f506ef-972c-403d-9167-ffdd93be8ea6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/AdminSettingsController.php#L243"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/AdminSettingsController.php#L309"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/AdminSettingsController.php#L416"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/tags/1.0.6/src/Controllers/PostsController.php#L49"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/trunk/src/Controllers/AdminSettingsController.php#L243"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dealia-request-a-quote/trunk/src/Controllers/PostsController.php#L49"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-18T15:54:50.000Z",
"value": "Disclosed"
}
],
"title": "Dealia \u2013 Request a quote \u003c= 1.0.6 - Missing Authorization to Authenticated (Contributor+) Plugin Configuration Reset"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2504",
"datePublished": "2026-02-19T04:36:23.492Z",
"dateReserved": "2026-02-13T22:10:20.072Z",
"dateUpdated": "2026-02-19T21:14:23.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14452 (GCVE-0-2025-14452)
Vulnerability from cvelistv5 – Published: 2026-02-19 04:36 – Updated: 2026-02-19 21:12
VLAI?
Title
WP Customer Reviews <= 3.7.5 - Reflected Cross-Site Scripting via 'wpcr3_fname' Parameter
Summary
The WP Customer Reviews plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpcr3_fname' parameter in all versions up to, and including, 3.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity ?
7.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bompus | WP Customer Reviews |
Affected:
* , ≤ 3.7.5
(semver)
|
Credits
Athiwat Tiprasaharn
Itthidej Aramsri
Powpy
Waris Damkham
Varakorn Chanthasri
Peerapat Samatathanyakorn
Sopon Tangpathum (SoNaJaa)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14452",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-19T21:12:14.523966Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T21:12:29.224Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Customer Reviews",
"vendor": "bompus",
"versions": [
{
"lessThanOrEqual": "3.7.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
},
{
"lang": "en",
"type": "finder",
"value": "Itthidej Aramsri"
},
{
"lang": "en",
"type": "finder",
"value": "Powpy"
},
{
"lang": "en",
"type": "finder",
"value": "Waris Damkham"
},
{
"lang": "en",
"type": "finder",
"value": "Varakorn Chanthasri"
},
{
"lang": "en",
"type": "finder",
"value": "Peerapat Samatathanyakorn"
},
{
"lang": "en",
"type": "finder",
"value": "Sopon Tangpathum (SoNaJaa)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Customer Reviews plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u0027wpcr3_fname\u0027 parameter in all versions up to, and including, 3.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T04:36:23.007Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c4f22ca7-0e7c-438a-8e63-cf3723d087f4?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-customer-reviews/trunk/wp-customer-reviews-3.php#L205"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-customer-reviews/tags/3.7.4/wp-customer-reviews-3.php#L205"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-customer-reviews/trunk/wp-customer-reviews-3.php#L835"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-customer-reviews/tags/3.7.4/wp-customer-reviews-3.php#L835"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3417719%40wp-customer-reviews\u0026new=3417719%40wp-customer-reviews\u0026sfp_email=\u0026sfph_mail="
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3417782%40wp-customer-reviews\u0026new=3417782%40wp-customer-reviews\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-18T16:21:24.000Z",
"value": "Disclosed"
}
],
"title": "WP Customer Reviews \u003c= 3.7.5 - Reflected Cross-Site Scripting via \u0027wpcr3_fname\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14452",
"datePublished": "2026-02-19T04:36:23.007Z",
"dateReserved": "2025-12-10T14:34:42.967Z",
"dateUpdated": "2026-02-19T21:12:29.224Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14983 (GCVE-0-2025-14983)
Vulnerability from cvelistv5 – Published: 2026-02-19 04:36 – Updated: 2026-02-24 01:32
VLAI?
Title
Advanced Custom Fields: Font Awesome <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. This makes it possible forauthenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts that execute in a victim's browser.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| mattkeys | Advanced Custom Fields: Font Awesome Field |
Affected:
* , ≤ 5.0.1
(semver)
|
Credits
JongHwan Shin
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14983",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-24T01:31:58.199802Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T01:32:09.581Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Advanced Custom Fields: Font Awesome Field",
"vendor": "mattkeys",
"versions": [
{
"lessThanOrEqual": "5.0.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "JongHwan Shin"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. This makes it possible forauthenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts that execute in a victim\u0027s browser."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T04:36:22.512Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c495d7f6-6d4a-4b1a-90f9-5273e7773d7a?source=cve"
},
{
"url": "https://plugins.svn.wordpress.org/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v6.php#L332"
},
{
"url": "https://plugins.svn.wordpress.org/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v6.php#L337"
},
{
"url": "https://plugins.svn.wordpress.org/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v6.php#L361"
},
{
"url": "https://plugins.svn.wordpress.org/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v6.php#L374"
},
{
"url": "https://plugins.svn.wordpress.org/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v7.php#L361"
},
{
"url": "https://plugins.svn.wordpress.org/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v7.php#L376"
},
{
"url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v6.php"
},
{
"url": "https://plugins.trac.wordpress.org/browser/advanced-custom-fields-font-awesome/trunk/fields/acf-font-awesome-v7.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3435775%40advanced-custom-fields-font-awesome\u0026new=3435775%40advanced-custom-fields-font-awesome\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-18T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Advanced Custom Fields: Font Awesome \u003c= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14983",
"datePublished": "2026-02-19T04:36:22.512Z",
"dateReserved": "2025-12-19T17:53:53.254Z",
"dateUpdated": "2026-02-24T01:32:09.581Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14167 (GCVE-0-2025-14167)
Vulnerability from cvelistv5 – Published: 2026-02-19 04:36 – Updated: 2026-02-24 01:32
VLAI?
Title
Remove Post Type Slug <= 1.0.2 - Cross-Site Request Forgery to Settings Update
Summary
The Remove Post Type Slug plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to incorrect nonce validation logic that uses OR (||) instead of AND (&&), causing the validation to fail when the nonce field is not empty OR when verification fails, rather than when it's empty AND verification fails. This makes it possible for unauthenticated attackers to modify the plugin's post type slug removal settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| akshayshah5189 | Remove Post Type Slug |
Affected:
* , ≤ 1.0.2
(semver)
|
Credits
Muhammad Nur Ibnu Hubab
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14167",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-24T01:32:34.163682Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T01:32:50.245Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Remove Post Type Slug",
"vendor": "akshayshah5189",
"versions": [
{
"lessThanOrEqual": "1.0.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Nur Ibnu Hubab"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Remove Post Type Slug plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to incorrect nonce validation logic that uses OR (||) instead of AND (\u0026\u0026), causing the validation to fail when the nonce field is not empty OR when verification fails, rather than when it\u0027s empty AND verification fails. This makes it possible for unauthenticated attackers to modify the plugin\u0027s post type slug removal settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T04:36:21.975Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c463a1d4-14c8-460a-ad83-6f3b38f1e4e8?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/remove-post-type-slug/trunk/admin/class-remove-post-type-slug-admin.php#L127"
},
{
"url": "https://plugins.trac.wordpress.org/browser/remove-post-type-slug/tags/1.0.2/admin/class-remove-post-type-slug-admin.php#L127"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-18T15:59:41.000Z",
"value": "Disclosed"
}
],
"title": "Remove Post Type Slug \u003c= 1.0.2 - Cross-Site Request Forgery to Settings Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14167",
"datePublished": "2026-02-19T04:36:21.975Z",
"dateReserved": "2025-12-05T21:23:32.778Z",
"dateUpdated": "2026-02-24T01:32:50.245Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0974 (GCVE-0-2026-0974)
Vulnerability from cvelistv5 – Published: 2026-02-19 04:36 – Updated: 2026-02-24 01:33
VLAI?
Title
Orderable <= 1.20.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation
Summary
The Orderable – WordPress Restaurant Online Ordering System and Food Ordering Plugin plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the 'install_plugin' function in all versions up to, and including, 1.20.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins, which can lead to Remote Code Execution.
Severity ?
8.8 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| orderable | Orderable – WordPress Restaurant Online Ordering System and Food Ordering Plugin |
Affected:
* , ≤ 1.20.0
(semver)
|
Credits
Athiwat Tiprasaharn
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0974",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-24T01:33:12.853927Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T01:33:27.120Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Orderable \u2013 WordPress Restaurant Online Ordering System and Food Ordering Plugin",
"vendor": "orderable",
"versions": [
{
"lessThanOrEqual": "1.20.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Orderable \u2013 WordPress Restaurant Online Ordering System and Food Ordering Plugin plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the \u0027install_plugin\u0027 function in all versions up to, and including, 1.20.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins, which can lead to Remote Code Execution."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T04:36:21.529Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b97d2b63-7eaa-4518-b838-35d4b993743d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/orderable/trunk/inc/vendor/iconic-onboard/inc/class-ajax.php#L111"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-18T15:44:21.000Z",
"value": "Disclosed"
}
],
"title": "Orderable \u003c= 1.20.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0974",
"datePublished": "2026-02-19T04:36:21.529Z",
"dateReserved": "2026-01-15T01:29:25.748Z",
"dateUpdated": "2026-02-24T01:33:27.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14270 (GCVE-0-2025-14270)
Vulnerability from cvelistv5 – Published: 2026-02-19 04:36 – Updated: 2026-02-24 01:35
VLAI?
Title
OneClick Chat to Order <= 1.0.9 - Missing Authorization to Authenticated (Editor+) Plugin Settings Update
Summary
The OneClick Chat to Order plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.0.9. This is due to the plugin not properly verifying that a user is authorized to perform an action in the wa_order_number_save_number_field function. This makes it possible for authenticated attackers, with Editor-level access and above, to modify WhatsApp phone numbers used by the plugin, redirecting customer orders and messages to attacker-controlled phone numbers.
Severity ?
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| walterpinem | OneClick Chat to Order |
Affected:
* , ≤ 1.0.9
(semver)
|
Credits
Mohammad Amin Hajian
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14270",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-24T01:35:01.408068Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T01:35:17.117Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OneClick Chat to Order",
"vendor": "walterpinem",
"versions": [
{
"lessThanOrEqual": "1.0.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mohammad Amin Hajian"
}
],
"descriptions": [
{
"lang": "en",
"value": "The OneClick Chat to Order plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.0.9. This is due to the plugin not properly verifying that a user is authorized to perform an action in the wa_order_number_save_number_field function. This makes it possible for authenticated attackers, with Editor-level access and above, to modify WhatsApp phone numbers used by the plugin, redirecting customer orders and messages to attacker-controlled phone numbers."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 2.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T04:36:21.072Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b4b5cc5e-af82-49e0-a0b5-d27c3631a102?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/oneclick-whatsapp-order/tags/1.0.9/includes/multiple-numbers.php#L156"
},
{
"url": "https://plugins.trac.wordpress.org/browser/oneclick-whatsapp-order/tags/1.0.9/includes/multiple-numbers.php#L26"
},
{
"url": "https://developer.wordpress.org/plugins/security/checking-user-capabilities/"
},
{
"url": "https://developer.wordpress.org/plugins/security/nonces/"
},
{
"url": "https://cwe.mitre.org/data/definitions/862.html"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3417664%40oneclick-whatsapp-order\u0026new=3417664%40oneclick-whatsapp-order\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-18T16:05:27.000Z",
"value": "Disclosed"
}
],
"title": "OneClick Chat to Order \u003c= 1.0.9 - Missing Authorization to Authenticated (Editor+) Plugin Settings Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14270",
"datePublished": "2026-02-19T04:36:21.072Z",
"dateReserved": "2025-12-08T14:15:55.997Z",
"dateUpdated": "2026-02-24T01:35:17.117Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13563 (GCVE-0-2025-13563)
Vulnerability from cvelistv5 – Published: 2026-02-19 04:36 – Updated: 2026-02-24 01:36
VLAI?
Title
Lizza LMS Pro <= 1.0.3 - Unauthenticated Privilege Escalation
Summary
The Lizza LMS Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the 'lizza_lms_pro_register_user_front_end' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.
Severity ?
9.8 (Critical)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| BuddhaThemes | Lizza LMS Pro |
Affected:
* , ≤ 1.0.3
(semver)
|
Credits
Alyudin Nafiie
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13563",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-24T01:36:10.312572Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T01:36:23.308Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Lizza LMS Pro",
"vendor": "BuddhaThemes",
"versions": [
{
"lessThanOrEqual": "1.0.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Alyudin Nafiie"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Lizza LMS Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the \u0027lizza_lms_pro_register_user_front_end\u0027 function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the \u0027administrator\u0027 role during registration and gain administrator access to the site."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T04:36:20.596Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b113f475-3133-4ea3-9152-03bb84d79307?source=cve"
},
{
"url": "https://themeforest.net/item/lizza-lms-education-wordpress-theme/51057780"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-18T15:49:30.000Z",
"value": "Disclosed"
}
],
"title": "Lizza LMS Pro \u003c= 1.0.3 - Unauthenticated Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13563",
"datePublished": "2026-02-19T04:36:20.596Z",
"dateReserved": "2025-11-22T17:13:16.491Z",
"dateUpdated": "2026-02-24T01:36:23.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14851 (GCVE-0-2025-14851)
Vulnerability from cvelistv5 – Published: 2026-02-19 04:36 – Updated: 2026-02-24 01:36
VLAI?
Title
YaMaps for WordPress <= 0.6.40 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Parameters
Summary
The YaMaps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `yamap` shortcode parameters in all versions up to, and including, 0.6.40 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| yhunter | YaMaps for WordPress Plugin |
Affected:
* , ≤ 0.6.40
(semver)
|
Credits
Muhammad Yudha - DJ
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14851",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-24T01:36:44.055977Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-24T01:36:55.664Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "YaMaps for WordPress Plugin",
"vendor": "yhunter",
"versions": [
{
"lessThanOrEqual": "0.6.40",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ"
}
],
"descriptions": [
{
"lang": "en",
"value": "The YaMaps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `yamap` shortcode parameters in all versions up to, and including, 0.6.40 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-19T04:36:20.136Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b0b84c2a-7297-4d96-8fa7-638b2b9953f4?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/yamaps/tags/0.6.40/includes/shortcodes.php#L194"
},
{
"url": "https://plugins.trac.wordpress.org/browser/yamaps/tags/0.6.40/includes/shortcodes.php#L195"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3440575%40yamaps\u0026new=3440575%40yamaps\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-18T16:26:48.000Z",
"value": "Disclosed"
}
],
"title": "YaMaps for WordPress \u003c= 0.6.40 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Parameters"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14851",
"datePublished": "2026-02-19T04:36:20.136Z",
"dateReserved": "2025-12-17T19:27:18.395Z",
"dateUpdated": "2026-02-24T01:36:55.664Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}