Search
Find a vulnerability
Search criteria
10502 vulnerabilities
CVE-2026-9734 (GCVE-0-2026-9734)
Vulnerability from cvelistv5 – Published: 2026-07-18 04:31 – Updated: 2026-07-18 04:31
VLAI
EPSS
VEX
Title
W3SC Elementor to Zoho CRM <= 2.2.0 - Cross-Site Request Forgery to Settings Update
Summary
The W3SC Elementor to Zoho CRM plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing or incorrect nonce validation on the storeInfo function. This makes it possible for unauthenticated attackers to modify the plugin's Zoho CRM integration settings, replacing the configured data center, client ID, client secret, and user email credentials with attacker-controlled values via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| w3scloud | W3SC Elementor to Zoho CRM |
Affected:
0 , ≤ 2.2.0
(semver)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "W3SC Elementor to Zoho CRM",
"vendor": "w3scloud",
"versions": [
{
"lessThanOrEqual": "2.2.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "swat"
}
],
"descriptions": [
{
"lang": "en",
"value": "The W3SC Elementor to Zoho CRM plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing or incorrect nonce validation on the storeInfo function. This makes it possible for unauthenticated attackers to modify the plugin\u0027s Zoho CRM integration settings, replacing the configured data center, client ID, client secret, and user email credentials with attacker-controlled values via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-18T04:31:44.467Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b99ba627-1d24-4be1-a4db-ff39354526f2?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/w3sc-elementor-to-zoho/trunk/includes/Admin/Authdata.php#L38"
},
{
"url": "https://plugins.trac.wordpress.org/browser/w3sc-elementor-to-zoho/trunk/includes/Admin/Setting.php#L23"
},
{
"url": "https://plugins.trac.wordpress.org/browser/w3sc-elementor-to-zoho/trunk/includes/Admin/Authdata.php#L33"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-17T16:13:50.000Z",
"value": "Disclosed"
}
],
"title": "W3SC Elementor to Zoho CRM \u003c= 2.2.0 - Cross-Site Request Forgery to Settings Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9734",
"datePublished": "2026-07-18T04:31:44.467Z",
"dateReserved": "2026-05-27T17:26:17.005Z",
"dateUpdated": "2026-07-18T04:31:44.467Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9656 (GCVE-0-2026-9656)
Vulnerability from cvelistv5 – Published: 2026-07-17 06:53 – Updated: 2026-07-17 11:59
VLAI
EPSS
VEX
Title
HubSpot All-In-One Marketing <= 11.3.62 - Authenticated (Contributor+) Sensitive Information Exposure via Block Editor Localized Script
Summary
The HubSpot All-In-One Marketing – Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.62 via the wp_localize_script() / window.leadinConfig JavaScript object. This makes it possible for authenticated attackers, with contributor-level access and above, to extract the site's plaintext HubSpot OAuth refresh token exposed via the window.leadinConfig JavaScript object, which can then be used to access or modify data in the connected HubSpot tenant. Although the refresh token is stored at rest with AES-256-CTR encryption, decryption occurs server-side before the plaintext value is passed to wp_localize_script(), rendering the at-rest encryption ineffective against this exposure path.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| hubspotdev | HubSpot All-In-One Marketing – Forms, Popups, Live Chat |
Affected:
0 , ≤ 11.3.62
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9656",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-17T11:59:37.622974Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T11:59:46.332Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HubSpot All-In-One Marketing \u2013 Forms, Popups, Live Chat",
"vendor": "hubspotdev",
"versions": [
{
"lessThanOrEqual": "11.3.62",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "anhcd05"
}
],
"descriptions": [
{
"lang": "en",
"value": "The HubSpot All-In-One Marketing \u2013 Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.62 via the wp_localize_script() / window.leadinConfig JavaScript object. This makes it possible for authenticated attackers, with contributor-level access and above, to extract the site\u0027s plaintext HubSpot OAuth refresh token exposed via the window.leadinConfig JavaScript object, which can then be used to access or modify data in the connected HubSpot tenant. Although the refresh token is stored at rest with AES-256-CTR encryption, decryption occurs server-side before the plaintext value is passed to wp_localize_script(), rendering the at-rest encryption ineffective against this exposure path."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T06:53:26.239Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/718d7ea3-d8ba-46a0-9ab1-72657bd82c17?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.45/public/admin/class-adminconstants.php#L190"
},
{
"url": "https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.45/public/auth/class-oauth.php#L46"
},
{
"url": "https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.45/public/admin/class-gutenberg.php#L44"
},
{
"url": "https://plugins.trac.wordpress.org/browser/leadin/tags/11.3.45/public/class-assetsmanager.php#L150"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fleadin/tags/11.3.62\u0026new_path=%2Fleadin/tags/11.3.64"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-16T17:50:07.000Z",
"value": "Disclosed"
}
],
"title": "HubSpot All-In-One Marketing \u003c= 11.3.62 - Authenticated (Contributor+) Sensitive Information Exposure via Block Editor Localized Script"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9656",
"datePublished": "2026-07-17T06:53:26.239Z",
"dateReserved": "2026-05-26T20:23:14.339Z",
"dateUpdated": "2026-07-17T11:59:46.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15094 (GCVE-0-2026-15094)
Vulnerability from cvelistv5 – Published: 2026-07-17 05:35 – Updated: 2026-07-17 18:05
VLAI
EPSS
VEX
Title
WP Hotel Booking <= 2.3.2 - Reflected Cross-Site Scripting via 'check_in_date' Parameter
Summary
The WP Hotel Booking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'check_in_date' parameter in all versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| thimpress | WP Hotel Booking |
Affected:
0 , ≤ 2.3.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15094",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-17T12:34:40.050999Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T18:05:35.202Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Hotel Booking",
"vendor": "thimpress",
"versions": [
{
"lessThanOrEqual": "2.3.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "PRISM"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Hotel Booking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u0027check_in_date\u0027 parameter in all versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T05:35:59.119Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8139f512-7bc9-45ae-83d7-bf496e1ad56d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.2/includes/TemplateHooks/ArchiveRoomTemplate.php#L262"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.2/includes/TemplateHooks/ArchiveRoomTemplate.php#L54"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.2/includes/wphb-functions.php#L733"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-hotel-booking/tags/2.3.2/includes/class-wphb-helpers.php#L29"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3609563%40wp-hotel-booking\u0026new=3609563%40wp-hotel-booking"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-08T16:42:07.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-16T17:01:30.000Z",
"value": "Disclosed"
}
],
"title": "WP Hotel Booking \u003c= 2.3.2 - Reflected Cross-Site Scripting via \u0027check_in_date\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-15094",
"datePublished": "2026-07-17T05:35:59.119Z",
"dateReserved": "2026-07-08T16:26:57.732Z",
"dateUpdated": "2026-07-17T18:05:35.202Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15982 (GCVE-0-2026-15982)
Vulnerability from cvelistv5 – Published: 2026-07-17 05:35 – Updated: 2026-07-17 10:11
VLAI
EPSS
VEX
Title
Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit <= 2.8.4 - Unauthenticated Privilege Escalation via 'aiomatic_call_google_ai_function'
Summary
The Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.8.4. This is due to due to a missing capability check on the 'aiomatic_call_google_ai_function' function. This makes it possible for unauthenticated attackers to leverage the 'aimogen_wp_god_mode' tool to clear function blacklists and execute arbitrary PHP functions, such as creating administrator accounts.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| CodeRevolution | Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit |
Affected:
0 , ≤ 2.8.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15982",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-17T10:10:53.792761Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T10:11:03.243Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot \u0026 Automation Toolkit",
"vendor": "CodeRevolution",
"versions": [
{
"lessThanOrEqual": "2.8.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bao Le"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot \u0026 Automation Toolkit plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.8.4. This is due to due to a missing capability check on the \u0027aiomatic_call_google_ai_function\u0027 function. This makes it possible for unauthenticated attackers to leverage the \u0027aimogen_wp_god_mode\u0027 tool to clear function blacklists and execute arbitrary PHP functions, such as creating administrator accounts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T05:35:58.570Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/53cc91fa-51fd-4d16-b740-a48f8d446b5d?source=cve"
},
{
"url": "https://coderevolution.ro/knowledge-base/faq/full-changelog-aiomatic-automatic-ai-content-writer-editor-gpt-3-gpt-4-chatgpt-chatbot-ai-toolkit/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-06T04:26:02.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot \u0026 Automation Toolkit \u003c= 2.8.4 - Unauthenticated Privilege Escalation via \u0027aiomatic_call_google_ai_function\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-15982",
"datePublished": "2026-07-17T05:35:58.570Z",
"dateReserved": "2026-07-16T17:05:25.189Z",
"dateUpdated": "2026-07-17T10:11:03.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13765 (GCVE-0-2026-13765)
Vulnerability from cvelistv5 – Published: 2026-07-17 03:43 – Updated: 2026-07-17 18:05
VLAI
EPSS
VEX
Title
LearnPress <= 4.4.1 - Missing Authorization to Unauthenticated Sensitive Information Exposure via /lp/v1/users/check-answer and /start-quiz REST Endpoints
Summary
The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.1 via the check_answer. This makes it possible for unauthenticated attackers to extract the correct-answer markers, full option lists, explanations, and question content for any quiz question on the site — including questions belonging to paid courses the attacker is not enrolled in.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
14 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| thimpress | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses |
Affected:
0 , ≤ 4.4.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13765",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-17T12:34:55.158070Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T18:05:38.965Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LearnPress \u2013 WordPress LMS Plugin for Create and Sell Online Courses",
"vendor": "thimpress",
"versions": [
{
"lessThanOrEqual": "4.4.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "\uc774\uc131\ubbfc"
}
],
"descriptions": [
{
"lang": "en",
"value": "The LearnPress \u2013 WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.1 via the check_answer. This makes it possible for unauthenticated attackers to extract the correct-answer markers, full option lists, explanations, and question content for any quiz question on the site \u2014 including questions belonging to paid courses the attacker is not enrolled in."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T03:43:42.953Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ee3bbf20-43fd-4977-b0ba-b81e7a3810d0?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.4.1/inc/rest-api/v1/frontend/class-lp-rest-users-controller.php#L434"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.4.1/inc/rest-api/v1/frontend/class-lp-rest-users-controller.php#L80"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.4.1/inc/rest-api/v1/frontend/class-lp-rest-users-controller.php#L54"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.4.1/inc/course/class-lp-course-no-required-enroll.php#L145"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.4.1/inc/rest-api/v1/frontend/class-lp-rest-users-controller.php#L181"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.4.1/inc/lp-template-functions.php#L1422"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.6/inc/rest-api/v1/frontend/class-lp-rest-users-controller.php#L434"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.6/inc/rest-api/v1/frontend/class-lp-rest-users-controller.php#L80"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.6/inc/rest-api/v1/frontend/class-lp-rest-users-controller.php#L54"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.6/inc/course/class-lp-course-no-required-enroll.php#L145"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.6/inc/rest-api/v1/frontend/class-lp-rest-users-controller.php#L181"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.6/inc/lp-template-functions.php#L1422"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3603546%40learnpress\u0026new=3603546%40learnpress"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-29T20:02:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-16T15:14:19.000Z",
"value": "Disclosed"
}
],
"title": "LearnPress \u003c= 4.4.1 - Missing Authorization to Unauthenticated Sensitive Information Exposure via /lp/v1/users/check-answer and /start-quiz REST Endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-13765",
"datePublished": "2026-07-17T03:43:42.953Z",
"dateReserved": "2026-06-29T19:46:50.351Z",
"dateUpdated": "2026-07-17T18:05:38.965Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15161 (GCVE-0-2026-15161)
Vulnerability from cvelistv5 – Published: 2026-07-17 03:43 – Updated: 2026-07-17 12:00
VLAI
EPSS
VEX
Title
Ninja Forms - Excel Export <= 3.3.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'filter' Parameter
Summary
The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.6. This is due to the save_filter() AJAX handler storing the raw $_POST['filter'] array into a WordPress option via update_option() without any capability check, nonce verification, or input sanitization, combined with the get_filter_row() method on the admin Excel Export screen concatenating the stored filter values (field_key, condition, value) directly into HTML attributes without esc_attr(). This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SaturdayDrive | Ninja Forms - Excel Export |
Affected:
0 , ≤ 3.3.6
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15161",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-17T12:00:23.096223Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T12:00:30.287Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Ninja Forms - Excel Export",
"vendor": "SaturdayDrive",
"versions": [
{
"lessThanOrEqual": "3.3.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Chu Thao Mai"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.6. This is due to the save_filter() AJAX handler storing the raw $_POST[\u0027filter\u0027] array into a WordPress option via update_option() without any capability check, nonce verification, or input sanitization, combined with the get_filter_row() method on the admin Excel Export screen concatenating the stored filter values (field_key, condition, value) directly into HTML attributes without esc_attr(). This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T03:43:42.577Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e9ab836b-2798-43bd-b43b-8b7c7e81d42f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ninja-forms-excel-export/trunk/includes/Admin/Menus/ExcelExport.php#L236"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-08T20:39:20.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-16T14:42:09.000Z",
"value": "Disclosed"
}
],
"title": "Ninja Forms - Excel Export \u003c= 3.3.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via \u0027filter\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-15161",
"datePublished": "2026-07-17T03:43:42.577Z",
"dateReserved": "2026-07-08T20:24:07.379Z",
"dateUpdated": "2026-07-17T12:00:30.287Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15759 (GCVE-0-2026-15759)
Vulnerability from cvelistv5 – Published: 2026-07-17 03:43 – Updated: 2026-07-17 14:53
VLAI
EPSS
VEX
Title
ChatHelp <= 3.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'number' and 'group' Shortcode Attributes
Summary
The ChatHelp – Click to Chat Button, WooCommerce Chat to Order & Floating Chat Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'number' and 'group' Shortcode Attributes in all versions up to, and including, 3.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
7 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themeatelier | ChatHelp – Click to Chat Button, WooCommerce Chat to Order & Floating Chat Form |
Affected:
0 , ≤ 3.5.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15759",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-17T14:53:33.752986Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T14:53:44.373Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ChatHelp \u2013 Click to Chat Button, WooCommerce Chat to Order \u0026 Floating Chat Form",
"vendor": "themeatelier",
"versions": [
{
"lessThanOrEqual": "3.5.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "PRISM"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ChatHelp \u2013 Click to Chat Button, WooCommerce Chat to Order \u0026 Floating Chat Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via \u0027number\u0027 and \u0027group\u0027 Shortcode Attributes in all versions up to, and including, 3.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T03:43:42.185Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c3ec4978-0d51-4ca1-b0cf-81aaa4d43f7b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/chat-help/tags/3.5.1/src/Frontend/Shortcode/CustomButtonsTemplates.php#L76"
},
{
"url": "https://plugins.trac.wordpress.org/browser/chat-help/tags/3.5.1/src/Frontend/Shortcode/CustomButtonsTemplates.php#L66"
},
{
"url": "https://plugins.trac.wordpress.org/browser/chat-help/tags/3.5.1/src/Frontend/Shortcode/CustomButtonsTemplates.php#L138"
},
{
"url": "https://plugins.trac.wordpress.org/browser/chat-help/tags/3.5.1/src/Frontend/Shortcode/CustomShortcode.php#L38"
},
{
"url": "https://plugins.trac.wordpress.org/browser/chat-help/tags/3.5.1/src/Includes/ChatHelp.php#L192"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3609732%40chat-help\u0026new=3609732%40chat-help"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-14T16:53:48.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-16T15:14:24.000Z",
"value": "Disclosed"
}
],
"title": "ChatHelp \u003c= 3.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027number\u0027 and \u0027group\u0027 Shortcode Attributes"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-15759",
"datePublished": "2026-07-17T03:43:42.185Z",
"dateReserved": "2026-07-14T16:38:37.414Z",
"dateUpdated": "2026-07-17T14:53:44.373Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13352 (GCVE-0-2026-13352)
Vulnerability from cvelistv5 – Published: 2026-07-17 03:43 – Updated: 2026-07-17 14:54
VLAI
EPSS
VEX
Title
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content <= 4.16.18 - Authenticated (Author+) Limited Unsafe File Upload via upload_mimes Filter Expansion
Summary
The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 4.16.18 via the allowed_mime_types function. This is due to the unconditional registration of an upload_mimes filter that adds executable file extensions (.exe, .apk, .msi) to the global WordPress MIME allowlist, without scoping the expansion to digital-product upload contexts. This makes it possible for authenticated attackers, with author-level access and above, to upload files that may be executable, which makes remote code execution possible. This filter is registered globally on every request regardless of whether the digital products feature is configured or in use, meaning the expanded MIME allowlist affects all WordPress upload contexts site-wide.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| properfraction | Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress |
Affected:
0 , ≤ 4.16.18
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13352",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-17T14:53:58.782649Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T14:54:08.409Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile \u0026 Restrict Content \u2013 ProfilePress",
"vendor": "properfraction",
"versions": [
{
"lessThanOrEqual": "4.16.18",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "skyv3il"
},
{
"lang": "en",
"type": "finder",
"value": "Chirita Catalin-Andrei (CC99IE)"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile \u0026 Restrict Content \u2013 ProfilePress plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 4.16.18 via the allowed_mime_types function. This is due to the unconditional registration of an upload_mimes filter that adds executable file extensions (.exe, .apk, .msi) to the global WordPress MIME allowlist, without scoping the expansion to digital-product upload contexts. This makes it possible for authenticated attackers, with author-level access and above, to upload files that may be executable, which makes remote code execution possible. This filter is registered globally on every request regardless of whether the digital products feature is configured or in use, meaning the expanded MIME allowlist affects all WordPress upload contexts site-wide."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T03:43:41.800Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9bb520df-e838-4335-bd4f-97026082a204?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.18/src/Membership/DigitalProducts/UploadHandler.php#L49"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.18/src/Membership/DigitalProducts/UploadHandler.php#L18"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.18/src/Membership/DigitalProducts/Init.php#L9"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.14/src/Membership/DigitalProducts/UploadHandler.php#L49"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.14/src/Membership/DigitalProducts/UploadHandler.php#L18"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-avatar/tags/4.16.14/src/Membership/DigitalProducts/Init.php#L9"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3599012%40wp-user-avatar\u0026new=3599012%40wp-user-avatar"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-25T16:39:22.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-16T14:43:52.000Z",
"value": "Disclosed"
}
],
"title": "Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile \u0026 Restrict Content \u003c= 4.16.18 - Authenticated (Author+) Limited Unsafe File Upload via upload_mimes Filter Expansion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-13352",
"datePublished": "2026-07-17T03:43:41.800Z",
"dateReserved": "2026-06-25T16:24:12.456Z",
"dateUpdated": "2026-07-17T14:54:08.409Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15349 (GCVE-0-2026-15349)
Vulnerability from cvelistv5 – Published: 2026-07-17 03:43 – Updated: 2026-07-17 13:59
VLAI
EPSS
VEX
Title
ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce <= 1.17.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Company Location Creation via wp_ajax_erp-company-location AJAX Handler
Summary
The ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.17.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary company locations in the ERP database.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
10 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wedevs | ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce |
Affected:
0 , ≤ 1.17.6
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15349",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-17T13:59:35.313201Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T13:59:46.504Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ERP: Complete HR, Accounting \u0026 CRM Suite Built for WooCommerce",
"vendor": "wedevs",
"versions": [
{
"lessThanOrEqual": "1.17.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "PRISM"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ERP: Complete HR, Accounting \u0026 CRM Suite Built for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.17.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary company locations in the ERP database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T03:43:41.410Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0c943b6b-9b54-4569-a027-11571f152b6c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/erp/tags/1.17.5/includes/Admin/Ajax.php#L516"
},
{
"url": "https://plugins.trac.wordpress.org/browser/erp/tags/1.17.6/includes/Admin/Ajax.php#L516"
},
{
"url": "https://plugins.trac.wordpress.org/browser/erp/tags/1.17.6/includes/Admin/Ajax.php#L23"
},
{
"url": "https://plugins.trac.wordpress.org/browser/erp/tags/1.17.6/includes/Admin/AdminPage.php#L23"
},
{
"url": "https://plugins.trac.wordpress.org/browser/erp/tags/1.17.6/includes/Admin/views/address.php#L72"
},
{
"url": "https://plugins.trac.wordpress.org/browser/erp/tags/1.17.5/includes/Admin/Ajax.php#L23"
},
{
"url": "https://plugins.trac.wordpress.org/browser/erp/tags/1.17.5/includes/Admin/AdminPage.php#L23"
},
{
"url": "https://plugins.trac.wordpress.org/browser/erp/tags/1.17.5/includes/Admin/views/address.php#L72"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3609754%40erp\u0026new=3609754%40erp"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T20:56:01.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-16T14:45:19.000Z",
"value": "Disclosed"
}
],
"title": "ERP: Complete HR, Accounting \u0026 CRM Suite Built for WooCommerce \u003c= 1.17.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Company Location Creation via wp_ajax_erp-company-location AJAX Handler"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-15349",
"datePublished": "2026-07-17T03:43:41.410Z",
"dateReserved": "2026-07-09T20:40:51.432Z",
"dateUpdated": "2026-07-17T13:59:46.504Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14503 (GCVE-0-2026-14503)
Vulnerability from cvelistv5 – Published: 2026-07-17 03:43 – Updated: 2026-07-17 10:24
VLAI
EPSS
VEX
Title
pCloud WP Backup <= 2.0.3 - Missing Authorization on the 'start_backup' AJAX Method to Authenticated (Subscriber+) Arbitrary File Read
Summary
The pCloud WP Backup plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.3 via the wp2pcl_ajax_process_request_inner. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract force generation of a full-site backup archive written to a publicly accessible directory, exposing wp-config.php database credentials, WordPress secret salts, and the complete PHP source tree. The resulting archive is deposited in the plugin's unprotected tmp/ directory at a predictable URL, making the extracted data accessible to unauthenticated visitors once the backup is triggered.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
7 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| ploudapp | pCloud WP Backup |
Affected:
0 , ≤ 2.0.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-14503",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-17T10:11:14.948244Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T10:24:31.926Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "pCloud WP Backup",
"vendor": "ploudapp",
"versions": [
{
"lessThanOrEqual": "2.0.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Civitasmass"
}
],
"descriptions": [
{
"lang": "en",
"value": "The pCloud WP Backup plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.3 via the wp2pcl_ajax_process_request_inner. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract force generation of a full-site backup archive written to a publicly accessible directory, exposing wp-config.php database credentials, WordPress secret salts, and the complete PHP source tree. The resulting archive is deposited in the plugin\u0027s unprotected tmp/ directory at a predictable URL, making the extracted data accessible to unauthenticated visitors once the backup is triggered."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T03:43:41.024Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0b301c6e-a3c5-4435-9bc9-fab18085fe2d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pcloud-wp-backup/tags/2.0.2/pcloud-wp-backup.php#L572"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pcloud-wp-backup/tags/2.0.2/pcloud-wp-backup.php#L210"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pcloud-wp-backup/tags/2.0.2/pcloud-wp-backup.php#L1635"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pcloud-wp-backup/tags/2.0.2/Pcloud/Classes/class-wp2pcloudfilebackup.php#L111"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pcloud-wp-backup/tags/2.0.2/pcloud-wp-backup.php#L217"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3597399%40pcloud-wp-backup\u0026new=3597399%40pcloud-wp-backup"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-06T07:25:46.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-16T15:14:49.000Z",
"value": "Disclosed"
}
],
"title": "pCloud WP Backup \u003c= 2.0.3 - Missing Authorization on the \u0027start_backup\u0027 AJAX Method to Authenticated (Subscriber+) Arbitrary File Read"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-14503",
"datePublished": "2026-07-17T03:43:41.024Z",
"dateReserved": "2026-07-02T18:06:48.735Z",
"dateUpdated": "2026-07-17T10:24:31.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15457 (GCVE-0-2026-15457)
Vulnerability from cvelistv5 – Published: 2026-07-17 03:43 – Updated: 2026-07-17 03:43
VLAI
EPSS
VEX
Title
Kirki <= 6.0.13 - Authenticated (Editor+) Path Traversal to Arbitrary Directory Deletion via 'family' Parameter
Summary
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 6.0.13 via the 'family' parameter. This makes it possible for authenticated attackers, with editor-level access and above, to delete arbitrary directories on the server, which can result in loss of data and availability.
Severity
4.9 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
10 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themeum | Kirki – Freeform Page Builder, Website Builder & Customizer |
Affected:
0 , ≤ 6.0.13
(semver)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Kirki \u2013 Freeform Page Builder, Website Builder \u0026 Customizer",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "6.0.13",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "PRISM"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Kirki \u2013 Freeform Page Builder, Website Builder \u0026 Customizer plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 6.0.13 via the \u0027family\u0027 parameter. This makes it possible for authenticated attackers, with editor-level access and above, to delete arbitrary directories on the server, which can result in loss of data and availability."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T03:43:40.514Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/01a52285-2d0c-4b29-8dab-18a3e3640e5c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.13/app/Services/FontService.php#L157"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.13/app/Http/Controllers/Api/GlobalDataController.php#L105"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.13/routes/api.php#L74"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.13/includes/Ajax/Media.php#L996"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.12/app/Services/FontService.php#L157"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.12/app/Http/Controllers/Api/GlobalDataController.php#L105"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.12/routes/api.php#L74"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.12/includes/Ajax/Media.php#L996"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3608888%40kirki\u0026new=3608888%40kirki"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-10T20:16:46.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-16T14:41:02.000Z",
"value": "Disclosed"
}
],
"title": "Kirki \u003c= 6.0.13 - Authenticated (Editor+) Path Traversal to Arbitrary Directory Deletion via \u0027family\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-15457",
"datePublished": "2026-07-17T03:43:40.514Z",
"dateReserved": "2026-07-10T20:01:36.121Z",
"dateUpdated": "2026-07-17T03:43:40.514Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15395 (GCVE-0-2026-15395)
Vulnerability from cvelistv5 – Published: 2026-07-17 02:31 – Updated: 2026-07-17 14:02
VLAI
EPSS
VEX
Title
Kali Forms <= 2.4.18 - Unauthenticated Stored Cross-Site Scripting via 'digitalSignature' Field Value
Summary
The Kali Forms — Contact Form & Drag-and-Drop Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'digitalSignature' Field Value in all versions up to, and including, 2.4.18 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The required form-submission nonce is publicly available on any page containing the form shortcode, making this exploitable by fully unauthenticated attackers without any precondition beyond the form being published.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wpchill | Kali Forms — Contact Form & Drag-and-Drop Builder |
Affected:
0 , ≤ 2.4.18
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15395",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-17T14:01:07.821612Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T14:02:05.279Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Kali Forms \u2014 Contact Form \u0026 Drag-and-Drop Builder",
"vendor": "wpchill",
"versions": [
{
"lessThanOrEqual": "2.4.18",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "PRISM"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Kali Forms \u2014 Contact Form \u0026 Drag-and-Drop Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via \u0027digitalSignature\u0027 Field Value in all versions up to, and including, 2.4.18 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The required form-submission nonce is publicly available on any page containing the form shortcode, making this exploitable by fully unauthenticated attackers without any precondition beyond the form being published."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T02:31:32.279Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/90e39398-19d7-435d-b23f-e93b8cdbcae4?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.17/Inc/Frontend/class-submission-shortcode.php#L198"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.18/Inc/Frontend/class-submission-shortcode.php#L198"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.18/Inc/Frontend/class-form-processor.php#L88"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.18/Inc/Frontend/class-form-processor.php#L997"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.17/Inc/Frontend/class-form-processor.php#L88"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.17/Inc/Frontend/class-form-processor.php#L997"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3609303%40kali-forms\u0026new=3609303%40kali-forms"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-10T13:26:33.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-16T14:00:19.000Z",
"value": "Disclosed"
}
],
"title": "Kali Forms \u003c= 2.4.18 - Unauthenticated Stored Cross-Site Scripting via \u0027digitalSignature\u0027 Field Value"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-15395",
"datePublished": "2026-07-17T02:31:32.279Z",
"dateReserved": "2026-07-10T13:11:19.947Z",
"dateUpdated": "2026-07-17T14:02:05.279Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11324 (GCVE-0-2026-11324)
Vulnerability from cvelistv5 – Published: 2026-07-17 02:31 – Updated: 2026-07-17 18:05
VLAI
EPSS
VEX
Title
WooCommerce Placetopay Gateway <= 3.2.2 - Reflected Cross-Site Scripting via 'redirect-url'
Summary
The WooCommerce Placetopay Gateway and PlacetoPay/AvalPay gateway plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the 'redirect-url' parameter in versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
8 references
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| evertec | WooCommerce Placetopay Gateway Belice |
Affected:
0 , ≤ 3.2.2
(semver)
|
|
| evertec | WooCommerce Placetopay Gateway Ecuador |
Affected:
0 , ≤ 3.2.2
(semver)
|
|
| evertec | WooCommerce Placetopay Gateway Colombia |
Affected:
0 , ≤ 3.2.2
(semver)
|
|
| evertec | WooCommerce Placetopay Gateway Uruguay |
Affected:
0 , ≤ 3.2.2
(semver)
|
|
| evertec | WooCommerce Placetopay Gateway |
Affected:
0 , ≤ 3.2.2
(semver)
|
|
| evertec | WooCommerce Placetopay Gateway Honduras |
Affected:
0 , ≤ 3.2.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11324",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-17T12:35:14.247454Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T18:05:42.895Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WooCommerce Placetopay Gateway Belice",
"vendor": "evertec",
"versions": [
{
"lessThanOrEqual": "3.2.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WooCommerce Placetopay Gateway Ecuador",
"vendor": "evertec",
"versions": [
{
"lessThanOrEqual": "3.2.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WooCommerce Placetopay Gateway Colombia",
"vendor": "evertec",
"versions": [
{
"lessThanOrEqual": "3.2.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WooCommerce Placetopay Gateway Uruguay",
"vendor": "evertec",
"versions": [
{
"lessThanOrEqual": "3.2.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WooCommerce Placetopay Gateway",
"vendor": "evertec",
"versions": [
{
"lessThanOrEqual": "3.2.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WooCommerce Placetopay Gateway Honduras",
"vendor": "evertec",
"versions": [
{
"lessThanOrEqual": "3.2.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joshua Provoste"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce Placetopay Gateway and PlacetoPay/AvalPay gateway plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the \u0027redirect-url\u0027 parameter in versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T02:31:31.888Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8ca87868-357b-4d71-9bf9-cd3b15b2555d?source=cve"
},
{
"url": "https://banco.santander.cl/uploads/000/049/181/1705c2cf-fc73-4fc4-a29d-f56f3ea88103/original/woocommerce-gateway-placetopay-2_24_1-php-8_x.zip"
},
{
"url": "https://github.com/placetopay/woocommerce-gateway-placetopay/releases/tag/3.2.2"
},
{
"url": "https://github.com/placetopay/woocommerce-gateway-placetopay/blob/3.2.2/src/GatewayMethod.php#L600"
},
{
"url": "https://github.com/placetopay/woocommerce-gateway-placetopay/blob/3.2.2/src/GatewayMethod.php#L718"
},
{
"url": "https://github.com/placetopay/woocommerce-gateway-placetopay/blob/3.2.2/src/GatewayMethod.php#L1824"
},
{
"url": "https://github.com/placetopay/woocommerce-gateway-placetopay/blob/3.2.2/src/GatewayMethod.php#L1852"
},
{
"url": "https://evertecinc.com/en/solution/placetopay/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-16T13:36:44.000Z",
"value": "Disclosed"
}
],
"title": "WooCommerce Placetopay Gateway \u003c= 3.2.2 - Reflected Cross-Site Scripting via \u0027redirect-url\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-11324",
"datePublished": "2026-07-17T02:31:31.888Z",
"dateReserved": "2026-06-04T22:10:12.885Z",
"dateUpdated": "2026-07-17T18:05:42.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15159 (GCVE-0-2026-15159)
Vulnerability from cvelistv5 – Published: 2026-07-17 02:31 – Updated: 2026-07-17 10:24
VLAI
EPSS
VEX
Title
Ninja Forms - Excel Export <= 3.3.6 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Data Disclosure via 'spreadsheet_export_form_id' Parameter
Summary
The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.6 via the 'spreadsheet_export_form_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to enumerate any Ninja Forms form ID and download all stored submission data — including names, email addresses, phone numbers, physical addresses, and any other PII collected by site forms — as a downloadable XLSX file.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SaturdayDrive | Ninja Forms - Excel Export |
Affected:
0 , ≤ 3.3.6
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15159",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-17T10:24:43.731856Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T10:24:54.455Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Ninja Forms - Excel Export",
"vendor": "SaturdayDrive",
"versions": [
{
"lessThanOrEqual": "3.3.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Chu Thao Mai"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.6 via the \u0027spreadsheet_export_form_id\u0027 parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to enumerate any Ninja Forms form ID and download all stored submission data \u2014 including names, email addresses, phone numbers, physical addresses, and any other PII collected by site forms \u2014 as a downloadable XLSX file."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T02:31:31.480Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/783ccf21-db16-4aac-9a3c-992b3aac5526?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ninja-forms-excel-export/trunk/ninja-forms-excel-export.php#L187"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-08T20:50:55.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-16T13:43:17.000Z",
"value": "Disclosed"
}
],
"title": "Ninja Forms - Excel Export \u003c= 3.3.6 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Data Disclosure via \u0027spreadsheet_export_form_id\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-15159",
"datePublished": "2026-07-17T02:31:31.480Z",
"dateReserved": "2026-07-08T20:16:32.126Z",
"dateUpdated": "2026-07-17T10:24:54.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15160 (GCVE-0-2026-15160)
Vulnerability from cvelistv5 – Published: 2026-07-17 02:31 – Updated: 2026-07-17 12:01
VLAI
EPSS
VEX
Title
Ninja Forms - Excel Export <= 3.3.6 - Missing Authorization to Authenticated (Subscriber+) XLS Write via Path Traversal
Summary
The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.6 via the 'spreadsheet_export_tmp_name' parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to write .xls/.xlsx files to arbitrary locations on the server, which can be used to stage further attacks.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SaturdayDrive | Ninja Forms - Excel Export |
Affected:
0 , ≤ 3.3.6
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15160",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-17T12:00:57.057012Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T12:01:06.040Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Ninja Forms - Excel Export",
"vendor": "SaturdayDrive",
"versions": [
{
"lessThanOrEqual": "3.3.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Chu Thao Mai"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.6 via the \u0027spreadsheet_export_tmp_name\u0027 parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to write .xls/.xlsx files to arbitrary locations on the server, which can be used to stage further attacks."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T02:31:31.093Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/24fb24cc-c29f-4d2d-87ba-5d211386e7dd?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ninja-forms-excel-export/trunk/includes/Handlers/ExportFile.php#L485"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ninja-forms-excel-export/trunk/includes/Admin/ExtractPostData.php#L125"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ninja-forms-excel-export/trunk/ninja-forms-excel-export.php#L95"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-08T20:35:34.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-16T13:44:09.000Z",
"value": "Disclosed"
}
],
"title": "Ninja Forms - Excel Export \u003c= 3.3.6 - Missing Authorization to Authenticated (Subscriber+) XLS Write via Path Traversal"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-15160",
"datePublished": "2026-07-17T02:31:31.093Z",
"dateReserved": "2026-07-08T20:20:17.675Z",
"dateUpdated": "2026-07-17T12:01:06.040Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8616 (GCVE-0-2026-8616)
Vulnerability from cvelistv5 – Published: 2026-07-17 02:31 – Updated: 2026-07-17 02:31
VLAI
EPSS
VEX
Title
Fense Proxy & VPN Blocker <= 3.0.1 - Missing Authorization to Unauthenticated Plugin Option/Transient Deletion via fense_bpvt_save_settings AJAX Action
Summary
The Fense Proxy & VPN Blocker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce validation on the fense_bpvt_save_settings() function in versions up to, and including, 3.0.1. The callback is registered to both wp_ajax_* and wp_ajax_nopriv_* hooks and unconditionally calls delete_option() on four plugin options and delete_transient() on three transients tied to the plugin's API key cache and settings. This makes it possible for unauthenticated attackers to delete plugin options and transients, effectively resetting the plugin's API key/data cache and forcing the plugin to refetch state.
Severity
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| devozon | Fense Proxy & VPN Blocker |
Affected:
0 , ≤ 3.0.1
(semver)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fense Proxy \u0026 VPN Blocker",
"vendor": "devozon",
"versions": [
{
"lessThanOrEqual": "3.0.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Legion Hunter"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Fense Proxy \u0026 VPN Blocker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce validation on the fense_bpvt_save_settings() function in versions up to, and including, 3.0.1. The callback is registered to both wp_ajax_* and wp_ajax_nopriv_* hooks and unconditionally calls delete_option() on four plugin options and delete_transient() on three transients tied to the plugin\u0027s API key cache and settings. This makes it possible for unauthenticated attackers to delete plugin options and transients, effectively resetting the plugin\u0027s API key/data cache and forcing the plugin to refetch state."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T02:31:30.556Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1208ac78-4a56-4daa-b935-d579f07f8e8e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/fense-block-vpn-proxy/tags/2.9.0/includes/system/fense-bpvt-header-code.php#L32"
},
{
"url": "https://plugins.trac.wordpress.org/browser/fense-block-vpn-proxy/tags/2.9.0/includes/system/fense-bpvt-header-code.php#L48"
},
{
"url": "https://plugins.trac.wordpress.org/browser/fense-block-vpn-proxy/tags/3.0.2/includes/system/header-code.php?rev=3574545"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-15T21:43:06.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-16T14:07:41.000Z",
"value": "Disclosed"
}
],
"title": "Fense Proxy \u0026 VPN Blocker \u003c= 3.0.1 - Missing Authorization to Unauthenticated Plugin Option/Transient Deletion via fense_bpvt_save_settings AJAX Action"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8616",
"datePublished": "2026-07-17T02:31:30.556Z",
"dateReserved": "2026-05-14T17:37:53.682Z",
"dateUpdated": "2026-07-17T02:31:30.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14956 (GCVE-0-2026-14956)
Vulnerability from cvelistv5 – Published: 2026-07-17 01:30 – Updated: 2026-07-17 01:30
VLAI
EPSS
VEX
Title
Bricksforge <= 3.1.8.6 - Unauthenticated Privilege Escalation via Pro Forms fieldIds Parameter
Summary
The Bricksforge plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.1.8.6. This is due to improper validation of the fieldIds parameter in the Pro Forms registration action, which allows attacker-supplied field IDs to be added to the trusted form-field whitelist. This makes it possible for unauthenticated attackers to register a new administrator account by submitting a crafted request to a publicly accessible Bricksforge Pro Forms registration form. Successful exploitation requires that the site has a public Bricksforge Pro Forms element configured with the User Registration action.
Severity
9.8 (Critical)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Bricksforge | Bricksforge |
Affected:
0 , ≤ 3.1.8.6
(semver)
|
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Bricksforge",
"vendor": "Bricksforge",
"versions": [
{
"lessThanOrEqual": "3.1.8.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "0xd4rk5id3"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Bricksforge plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.1.8.6. This is due to improper validation of the fieldIds parameter in the Pro Forms registration action, which allows attacker-supplied field IDs to be added to the trusted form-field whitelist. This makes it possible for unauthenticated attackers to register a new administrator account by submitting a crafted request to a publicly accessible Bricksforge Pro Forms registration form. Successful exploitation requires that the site has a public Bricksforge Pro Forms element configured with the User Registration action."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T01:30:52.281Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d0538778-5ba4-4bec-a89d-ef90a9ba8375?source=cve"
},
{
"url": "https://bricksforge.io/version-changelog/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-14T15:01:27.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-16T13:00:33.000Z",
"value": "Disclosed"
}
],
"title": "Bricksforge \u003c= 3.1.8.6 - Unauthenticated Privilege Escalation via Pro Forms fieldIds Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-14956",
"datePublished": "2026-07-17T01:30:52.281Z",
"dateReserved": "2026-07-07T13:38:12.463Z",
"dateUpdated": "2026-07-17T01:30:52.281Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2594 (GCVE-0-2026-2594)
Vulnerability from cvelistv5 – Published: 2026-07-17 01:30 – Updated: 2026-07-17 15:07
VLAI
EPSS
VEX
Title
Smart Custom Fields <= 5.0.7 - Authenticated (Author+) Stored Cross-Site Scripting via Attachment Title
Summary
The Smart Custom Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.0.7. This is due to insufficient input sanitization and output escaping of uploaded image attachment titles. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially patched in 5.0.7.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| inc2734 | Smart Custom Fields |
Affected:
0 , ≤ 5.0.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2594",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-17T15:07:20.423367Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T15:07:53.149Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Smart Custom Fields",
"vendor": "inc2734",
"versions": [
{
"lessThanOrEqual": "5.0.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "lucsob"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Smart Custom Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.0.7. This is due to insufficient input sanitization and output escaping of uploaded image attachment titles. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially patched in 5.0.7."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T01:30:50.365Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/110a1b28-50e0-430e-82d4-c254d73836e2?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3485210/smart-custom-fields"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3609564/smart-custom-fields"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-16T17:34:52.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-16T13:18:27.000Z",
"value": "Disclosed"
}
],
"title": "Smart Custom Fields \u003c= 5.0.7 - Authenticated (Author+) Stored Cross-Site Scripting via Attachment Title"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2594",
"datePublished": "2026-07-17T01:30:50.365Z",
"dateReserved": "2026-02-16T17:19:23.910Z",
"dateUpdated": "2026-07-17T15:07:53.149Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14782 (GCVE-0-2026-14782)
Vulnerability from cvelistv5 – Published: 2026-07-16 21:30 – Updated: 2026-07-17 13:58
VLAI
EPSS
VEX
Title
Booking for Appointments and Events Calendar – Amelia <= 2.4.3 - Authenticated (Custom+) SQL Injection via Customer Import
Summary
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to SQL Injection via the Customer Import in all versions up to, and including, 2.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with wpamelia-manager role, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity
4.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| melograno | Booking for Appointments and Events Calendar – Amelia |
Affected:
0 , ≤ 2.4.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-14782",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-17T13:58:00.529640Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T13:58:09.144Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Booking for Appointments and Events Calendar \u2013 Amelia",
"vendor": "melograno",
"versions": [
{
"lessThanOrEqual": "2.4.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "F0DH1L"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Booking for Appointments and Events Calendar \u2013 Amelia plugin for WordPress is vulnerable to SQL Injection via the Customer Import in all versions up to, and including, 2.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with wpamelia-manager role, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T21:30:29.207Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3a58e68-d1f1-4d4f-ac64-bc6cb7dbdbfc?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ameliabooking/tags/2.4.3/src/Infrastructure/Repository/User/UserRepository.php#L476"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-11T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-07-05T10:02:43.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-16T08:56:49.000Z",
"value": "Disclosed"
}
],
"title": "Booking for Appointments and Events Calendar \u2013 Amelia \u003c= 2.4.3 - Authenticated (Custom+) SQL Injection via Customer Import"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-14782",
"datePublished": "2026-07-16T21:30:29.207Z",
"dateReserved": "2026-07-05T09:47:30.034Z",
"dateUpdated": "2026-07-17T13:58:09.144Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15324 (GCVE-0-2026-15324)
Vulnerability from cvelistv5 – Published: 2026-07-16 08:26 – Updated: 2026-07-17 14:07
VLAI
EPSS
VEX
Title
SysBasics Customize My Account for WooCommerce <= 4.4.14 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via 'row_type' Parameter
Summary
The SysBasics Customize My Account for WooCommerce – Live My Account Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'row_type' parameter in all versions up to, and including, 4.4.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
4.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| phppoet | SysBasics Customize My Account for WooCommerce – Live My Account Customizer |
Affected:
0 , ≤ 4.4.14
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15324",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-17T14:07:48.616796Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-17T14:07:57.987Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SysBasics Customize My Account for WooCommerce \u2013 Live My Account Customizer",
"vendor": "phppoet",
"versions": [
{
"lessThanOrEqual": "4.4.14",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "PRISM"
}
],
"descriptions": [
{
"lang": "en",
"value": "The SysBasics Customize My Account for WooCommerce \u2013 Live My Account Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027row_type\u0027 parameter in all versions up to, and including, 4.4.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T08:26:51.208Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b2371b84-bb56-4e5d-afce-cd33f2ee9316?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/customize-my-account-for-woocommerce/tags/4.4.14/templates/myaccount/navigation/02.php#L187"
},
{
"url": "https://plugins.trac.wordpress.org/browser/customize-my-account-for-woocommerce/tags/4.4.14/include/admin/endpoint_form_response.php#L9"
},
{
"url": "https://plugins.trac.wordpress.org/browser/customize-my-account-for-woocommerce/tags/4.4.14/include/admin/admin_settings.php#L144"
},
{
"url": "https://plugins.trac.wordpress.org/browser/customize-my-account-for-woocommerce/trunk/templates/myaccount/navigation/02.php#L187"
},
{
"url": "https://plugins.trac.wordpress.org/browser/customize-my-account-for-woocommerce/trunk/include/admin/endpoint_form_response.php#L9"
},
{
"url": "https://plugins.trac.wordpress.org/browser/customize-my-account-for-woocommerce/trunk/include/admin/admin_settings.php#L144"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3606867%40customize-my-account-for-woocommerce\u0026new=3606867%40customize-my-account-for-woocommerce"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-09T18:30:57.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-15T20:00:09.000Z",
"value": "Disclosed"
}
],
"title": "SysBasics Customize My Account for WooCommerce \u003c= 4.4.14 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via \u0027row_type\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-15324",
"datePublished": "2026-07-16T08:26:51.208Z",
"dateReserved": "2026-07-09T18:15:48.011Z",
"dateUpdated": "2026-07-17T14:07:57.987Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15103 (GCVE-0-2026-15103)
Vulnerability from cvelistv5 – Published: 2026-07-16 08:26 – Updated: 2026-07-16 15:11
VLAI
EPSS
VEX
Title
WPFunnels <= 3.12.8 - Authenticated (Funnel Manager+) Privilege Escalation via 'group_id' Path Parameter
Summary
The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Privilege Escalation via arbitrary option update in all versions up to, and including, 3.12.8. This is due to the `update_settings()` REST callback failing to validate the `group_id` path parameter against an allowlist of permitted option names before passing it directly to `get_option()` and `update_option()`, allowing the built-in `wp_user_roles` option — which satisfies the route's loose `[\w-]+` regex — to be targeted. This makes it possible for authenticated attackers with the `wpf_manage_funnels` capability and above to elevate their privileges to administrator by writing a crafted role definition containing arbitrary capabilities into the `wp_user_roles` option, thereby granting any WordPress role full site administrator access. The `wpf_manage_funnels` capability is typically assigned to the Funnel Manager custom role created by the plugin, meaning this role is the minimum required to exploit the vulnerability.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| getwpfunnels | WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell |
Affected:
0 , ≤ 3.12.8
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15103",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-16T13:28:22.085771Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T15:11:22.220Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WPFunnels \u2013 Funnel Builder for WooCommerce with Checkout \u0026 One Click Upsell",
"vendor": "getwpfunnels",
"versions": [
{
"lessThanOrEqual": "3.12.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "PRISM"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WPFunnels \u2013 Funnel Builder for WooCommerce with Checkout \u0026 One Click Upsell plugin for WordPress is vulnerable to Privilege Escalation via arbitrary option update in all versions up to, and including, 3.12.8. This is due to the `update_settings()` REST callback failing to validate the `group_id` path parameter against an allowlist of permitted option names before passing it directly to `get_option()` and `update_option()`, allowing the built-in `wp_user_roles` option \u2014 which satisfies the route\u0027s loose `[\\w-]+` regex \u2014 to be targeted. This makes it possible for authenticated attackers with the `wpf_manage_funnels` capability and above to elevate their privileges to administrator by writing a crafted role definition containing arbitrary capabilities into the `wp_user_roles` option, thereby granting any WordPress role full site administrator access. The `wpf_manage_funnels` capability is typically assigned to the Funnel Manager custom role created by the plugin, meaning this role is the minimum required to exploit the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T08:26:50.831Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/76ad6d21-f277-496f-aa6b-f9d5cb8a3801?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpfunnels/tags/3.12.8/includes/core/rest-api/Controllers/class-settings-controller.php#L462"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpfunnels/tags/3.12.8/includes/core/rest-api/Controllers/class-settings-controller.php#L66"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpfunnels/tags/3.12.8/includes/core/rest-api/Controllers/class-settings-controller.php#L40"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpfunnels/tags/3.12.8/includes/utils/class-wpfnl-functions.php#L1216"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3607181%40wpfunnels\u0026new=3607181%40wpfunnels"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-08T17:13:14.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-15T20:13:20.000Z",
"value": "Disclosed"
}
],
"title": "WPFunnels \u003c= 3.12.8 - Authenticated (Funnel Manager+) Privilege Escalation via \u0027group_id\u0027 Path Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-15103",
"datePublished": "2026-07-16T08:26:50.831Z",
"dateReserved": "2026-07-08T16:58:02.760Z",
"dateUpdated": "2026-07-16T15:11:22.220Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15727 (GCVE-0-2026-15727)
Vulnerability from cvelistv5 – Published: 2026-07-16 08:26 – Updated: 2026-07-16 12:24
VLAI
EPSS
VEX
Title
WP Bulk Delete <= 1.4.2 - Authenticated (Administrator+) SQL Injection via 'delete_user_roles' Parameter
Summary
The WP Bulk Delete plugin for WordPress is vulnerable to generic SQL Injection via the 'delete_user_roles' parameter in all versions up to, and including, 1.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. wp_unslash() is applied to the raw POST body before parse_str() decomposes it, stripping WordPress magic-quotes protection and leaving attacker-controlled values fully unescaped prior to reaching the SQL sink.
Severity
4.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
10 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| xylus | WP Bulk Delete |
Affected:
0 , ≤ 1.4.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15727",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-16T12:23:15.338871Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T12:24:07.859Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Bulk Delete",
"vendor": "xylus",
"versions": [
{
"lessThanOrEqual": "1.4.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "PRISM"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Bulk Delete plugin for WordPress is vulnerable to generic SQL Injection via the \u0027delete_user_roles\u0027 parameter in all versions up to, and including, 1.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. wp_unslash() is applied to the raw POST body before parse_str() decomposes it, stripping WordPress magic-quotes protection and leaving attacker-controlled values fully unescaped prior to reaching the SQL sink."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T08:26:50.455Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/39d325d4-073c-47b6-8ea4-30637417f0d7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-bulk-delete/tags/1.4.1/includes/class-delete-api.php#L1071"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-bulk-delete/tags/1.4.2/includes/class-delete-api.php#L1113"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-bulk-delete/tags/1.4.2/includes/class-delete-api.php#L1071"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-bulk-delete/tags/1.4.2/includes/ajax-delete-handler.php#L36"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-bulk-delete/tags/1.4.2/includes/ajax-delete-handler.php#L118"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-bulk-delete/tags/1.4.1/includes/class-delete-api.php#L1113"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-bulk-delete/tags/1.4.1/includes/ajax-delete-handler.php#L36"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-bulk-delete/tags/1.4.1/includes/ajax-delete-handler.php#L118"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3608270/wp-bulk-delete/trunk/includes/class-delete-api.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-14T13:47:10.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-15T20:02:34.000Z",
"value": "Disclosed"
}
],
"title": "WP Bulk Delete \u003c= 1.4.2 - Authenticated (Administrator+) SQL Injection via \u0027delete_user_roles\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-15727",
"datePublished": "2026-07-16T08:26:50.455Z",
"dateReserved": "2026-07-14T13:32:01.946Z",
"dateUpdated": "2026-07-16T12:24:07.859Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15021 (GCVE-0-2026-15021)
Vulnerability from cvelistv5 – Published: 2026-07-16 08:26 – Updated: 2026-07-16 13:40
VLAI
EPSS
VEX
Title
wpForo Forum <= 3.1.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'location' Profile Field
Summary
The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'location' Profile Field in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The sanitize_text_field() function applied at input does not encode double quotes, allowing attribute breakout via a payload that escapes the href attribute context and injects event handler attributes.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| tomdever | wpForo Forum |
Affected:
0 , ≤ 3.1.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15021",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-16T13:40:42.462735Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T13:40:50.799Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "wpForo Forum",
"vendor": "tomdever",
"versions": [
{
"lessThanOrEqual": "3.1.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "valent1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting via \u0027location\u0027 Profile Field in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The sanitize_text_field() function applied at input does not encode double quotes, allowing attribute breakout via a payload that escapes the href attribute context and injects event handler attributes."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T08:26:50.097Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2cd364c5-c053-4c50-8232-bb47ab8e834b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/3.1.1/classes/Forms.php#L1035"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/3.1.1/classes/Members.php#L1031"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/3.1.1/classes/Forms.php#L1074"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.5/classes/Forms.php#L1035"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.5/classes/Members.php#L1031"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpforo/tags/3.0.5/classes/Forms.php#L1074"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3603849%40wpforo\u0026new=3603849%40wpforo"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-08T01:13:08.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-15T19:51:26.000Z",
"value": "Disclosed"
}
],
"title": "wpForo Forum \u003c= 3.1.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via \u0027location\u0027 Profile Field"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-15021",
"datePublished": "2026-07-16T08:26:50.097Z",
"dateReserved": "2026-07-08T00:57:49.863Z",
"dateUpdated": "2026-07-16T13:40:50.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15005 (GCVE-0-2026-15005)
Vulnerability from cvelistv5 – Published: 2026-07-16 08:26 – Updated: 2026-07-16 12:26
VLAI
EPSS
VEX
Title
Loco Translate <= 2.8.5 - Cross-Site Request Forgery to Remote Code Execution via 'template' Parameter
Summary
The Loco Translate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.5. This is due to missing or incorrect nonce validation on the execTemplate function. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on the server by supplying a php://filter stream wrapper URI as the 'template' parameter, which bypasses path validation and is passed directly to the include sink in execTemplate() via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
10 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| timwhitlock | Loco Translate |
Affected:
0 , ≤ 2.8.5
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15005",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-16T12:25:40.902679Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T12:26:31.212Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Loco Translate",
"vendor": "timwhitlock",
"versions": [
{
"lessThanOrEqual": "2.8.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "mikemyers"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Loco Translate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.5. This is due to missing or incorrect nonce validation on the execTemplate function. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on the server by supplying a php://filter stream wrapper URI as the \u0027template\u0027 parameter, which bypasses path validation and is passed directly to the include sink in execTemplate() via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T08:26:49.721Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/241d7a82-5fa5-40e3-9336-823644ca17f0?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.5/src/mvc/View.php#L274"
},
{
"url": "https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.5/src/mvc/View.php#L273"
},
{
"url": "https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.5/src/mvc/AdminController.php#L38"
},
{
"url": "https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.5/src/mvc/AdminRouter.php#L128"
},
{
"url": "https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.3/src/mvc/View.php#L274"
},
{
"url": "https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.3/src/mvc/View.php#L273"
},
{
"url": "https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.3/src/mvc/AdminController.php#L38"
},
{
"url": "https://plugins.trac.wordpress.org/browser/loco-translate/tags/2.8.3/src/mvc/AdminRouter.php#L128"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3603894%40loco-translate\u0026new=3603894%40loco-translate"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-15T20:13:46.000Z",
"value": "Disclosed"
}
],
"title": "Loco Translate \u003c= 2.8.5 - Cross-Site Request Forgery to Remote Code Execution via \u0027template\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-15005",
"datePublished": "2026-07-16T08:26:49.721Z",
"dateReserved": "2026-07-07T20:30:34.194Z",
"dateUpdated": "2026-07-16T12:26:31.212Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13741 (GCVE-0-2026-13741)
Vulnerability from cvelistv5 – Published: 2026-07-16 08:26 – Updated: 2026-07-16 13:41
VLAI
EPSS
VEX
Title
Digits: WordPress Mobile Number Signup and Login <= 9.1.0.5 - Authenticated (Subscriber+) Privilege Escalation via 'digits_reg_userrole' Parameter
Summary
The Digits: WordPress Mobile Number Signup and Login plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 9.1.0.5. This is due to missing authorization and role validation in the `dig_update_wpwc_custom_fields()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator by submitting a forged `digits_reg_userrole` value during profile update, granted the site administrator has configured the built-in DIGITS User Role field.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| UnitedOver | Digits: WordPress Mobile Number Signup and Login |
Affected:
0 , ≤ 9.1.0.5
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13741",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-16T13:41:48.688255Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T13:41:56.447Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Digits: WordPress Mobile Number Signup and Login",
"vendor": "UnitedOver",
"versions": [
{
"lessThanOrEqual": "9.1.0.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "h0xilo"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Digits: WordPress Mobile Number Signup and Login plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 9.1.0.5. This is due to missing authorization and role validation in the `dig_update_wpwc_custom_fields()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator by submitting a forged `digits_reg_userrole` value during profile update, granted the site administrator has configured the built-in DIGITS User Role field."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T08:26:49.183Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/02a283b2-a369-4927-a54a-61f26bee6ace?source=cve"
},
{
"url": "https://digits.unitedover.com/changelog/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-30T14:34:28.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-15T20:26:08.000Z",
"value": "Disclosed"
}
],
"title": "Digits: WordPress Mobile Number Signup and Login \u003c= 9.1.0.5 - Authenticated (Subscriber+) Privilege Escalation via \u0027digits_reg_userrole\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-13741",
"datePublished": "2026-07-16T08:26:49.183Z",
"dateReserved": "2026-06-29T15:00:47.793Z",
"dateUpdated": "2026-07-16T13:41:56.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13755 (GCVE-0-2026-13755)
Vulnerability from cvelistv5 – Published: 2026-07-16 07:51 – Updated: 2026-07-16 12:37
VLAI
EPSS
VEX
Title
Tickera <= 3.6.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'price_wrapper' Shortcode Attribute
Summary
The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'price_wrapper' Shortcode Attribute in all versions up to, and including, 3.6.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Successful execution of the injected script is limited to victims who have the referenced ticket ID present in their cart cookie, meaning the payload only fires for users who have previously added that ticket to their cart.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| tickera | Tickera – Sell Tickets & Manage Events |
Affected:
0 , ≤ 3.6.0.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13755",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-16T12:37:06.507281Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T12:37:26.767Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tickera \u2013 Sell Tickets \u0026 Manage Events",
"vendor": "tickera",
"versions": [
{
"lessThanOrEqual": "3.6.0.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "PRISM"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tickera \u2013 Sell Tickets \u0026 Manage Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via \u0027price_wrapper\u0027 Shortcode Attribute in all versions up to, and including, 3.6.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Successful execution of the injected script is limited to victims who have the referenced ticket ID present in their cart cookie, meaning the payload only fires for users who have previously added that ticket to their cart."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T07:51:06.236Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f266f9db-a25e-4f50-b3c8-3bea3a7e86ce?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tickera-event-ticketing-system/tags/3.6.0.0/includes/classes/class.shortcodes.php#L232"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tickera-event-ticketing-system/tags/3.6.0.0/includes/classes/class.shortcodes.php#L212"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tickera-event-ticketing-system/tags/3.6.0.0/includes/classes/class.shortcodes.php#L33"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3605637%40tickera-event-ticketing-system\u0026new=3605637%40tickera-event-ticketing-system"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-30T07:34:36.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-15T19:29:50.000Z",
"value": "Disclosed"
}
],
"title": "Tickera \u003c= 3.6.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027price_wrapper\u0027 Shortcode Attribute"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-13755",
"datePublished": "2026-07-16T07:51:06.236Z",
"dateReserved": "2026-06-29T16:55:44.725Z",
"dateUpdated": "2026-07-16T12:37:26.767Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15610 (GCVE-0-2026-15610)
Vulnerability from cvelistv5 – Published: 2026-07-16 07:51 – Updated: 2026-07-16 12:36
VLAI
EPSS
VEX
Title
WPBot <= 8.5.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary RAG Document Re-Sync via ajax_rag_manual_sync() Function
Summary
The WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 8.5.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger arbitrary re-embedding of stored RAG documents, modifying the rag_documents table and consuming the site owner's paid third-party AI API credits (OpenAI, Gemini, OpenRouter, or xAI).
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| quantumcloud | WPBot – AI ChatBot for Live Support, Lead Generation, AI Services |
Affected:
0 , ≤ 8.5.6
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15610",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-16T12:36:39.621686Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T12:36:49.218Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WPBot \u2013 AI ChatBot for Live Support, Lead Generation, AI Services",
"vendor": "quantumcloud",
"versions": [
{
"lessThanOrEqual": "8.5.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "PRISM"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WPBot \u2013 AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 8.5.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger arbitrary re-embedding of stored RAG documents, modifying the rag_documents table and consuming the site owner\u0027s paid third-party AI API credits (OpenAI, Gemini, OpenRouter, or xAI)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T07:51:05.820Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e905d146-66bf-4d6d-b2f5-fd3f862101af?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/chatbot/tags/8.4.9/includes/class-qcld-bot-rag.php#L791"
},
{
"url": "https://plugins.trac.wordpress.org/browser/chatbot/tags/8.5.5/includes/class-qcld-bot-rag.php#L791"
},
{
"url": "https://plugins.trac.wordpress.org/browser/chatbot/tags/8.5.5/includes/class-qcld-bot-rag.php#L27"
},
{
"url": "https://plugins.trac.wordpress.org/browser/chatbot/tags/8.5.5/qcld-wpwbot.php#L608"
},
{
"url": "https://plugins.trac.wordpress.org/browser/chatbot/tags/8.4.9/includes/class-qcld-bot-rag.php#L27"
},
{
"url": "https://plugins.trac.wordpress.org/browser/chatbot/tags/8.4.9/qcld-wpwbot.php#L608"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3608558%40chatbot\u0026new=3608558%40chatbot"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-13T16:22:13.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-15T19:49:36.000Z",
"value": "Disclosed"
}
],
"title": "WPBot \u003c= 8.5.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary RAG Document Re-Sync via ajax_rag_manual_sync() Function"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-15610",
"datePublished": "2026-07-16T07:51:05.820Z",
"dateReserved": "2026-07-13T16:07:03.275Z",
"dateUpdated": "2026-07-16T12:36:49.218Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15106 (GCVE-0-2026-15106)
Vulnerability from cvelistv5 – Published: 2026-07-16 07:51 – Updated: 2026-07-16 12:38
VLAI
EPSS
VEX
Title
WPBot <= 8.5.6 - Missing Authorization to Unauthenticated Arbitrary Chat Session Deletion via 'userid' Parameter
Summary
The WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 8.5.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to delete arbitrary chat session records from the wpbot_user and wpbot_conversation tables, including chat history and conversation logs, by supplying a crafted userid value.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| quantumcloud | WPBot – AI ChatBot for Live Support, Lead Generation, AI Services |
Affected:
0 , ≤ 8.5.6
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15106",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-16T12:38:08.472952Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T12:38:20.321Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WPBot \u2013 AI ChatBot for Live Support, Lead Generation, AI Services",
"vendor": "quantumcloud",
"versions": [
{
"lessThanOrEqual": "8.5.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "PRISM"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WPBot \u2013 AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 8.5.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to delete arbitrary chat session records from the wpbot_user and wpbot_conversation tables, including chat history and conversation logs, by supplying a crafted userid value."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T07:51:05.397Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dc36ee53-81a9-416e-8e74-31d9c8802d6c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/chatbot/tags/8.5.0/includes/chat-sessions/wpbot-chat-sessions.php#L393"
},
{
"url": "https://plugins.trac.wordpress.org/browser/chatbot/tags/8.5.0/includes/chat-sessions/wpbot-chat-sessions.php#L372"
},
{
"url": "https://plugins.trac.wordpress.org/browser/chatbot/tags/8.5.0/includes/chat-sessions/wpbot-chat-sessions.php#L391"
},
{
"url": "https://plugins.trac.wordpress.org/browser/chatbot/tags/8.4.9/includes/chat-sessions/wpbot-chat-sessions.php#L393"
},
{
"url": "https://plugins.trac.wordpress.org/browser/chatbot/tags/8.4.9/includes/chat-sessions/wpbot-chat-sessions.php#L372"
},
{
"url": "https://plugins.trac.wordpress.org/browser/chatbot/tags/8.4.9/includes/chat-sessions/wpbot-chat-sessions.php#L391"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3608558%40chatbot\u0026new=3608558%40chatbot"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-08T17:22:33.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-15T19:50:01.000Z",
"value": "Disclosed"
}
],
"title": "WPBot \u003c= 8.5.6 - Missing Authorization to Unauthenticated Arbitrary Chat Session Deletion via \u0027userid\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-15106",
"datePublished": "2026-07-16T07:51:05.397Z",
"dateReserved": "2026-07-08T17:07:24.977Z",
"dateUpdated": "2026-07-16T12:38:20.321Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15407 (GCVE-0-2026-15407)
Vulnerability from cvelistv5 – Published: 2026-07-16 07:51 – Updated: 2026-07-18 02:44
VLAI
EPSS
VEX
Title
Themify Builder <= 7.7.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Stylesheet Write/Delete via tb_generate_on_fly AJAX Action
Summary
The Themify Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 7.7.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite or delete the generated CSS stylesheet file of arbitrary posts, including private and draft posts owned by other users, and modify plugin-scoped font options. The required CSRF nonce (tf_nonce) is emitted on public front-end builder pages via wp_localize_script, making it trivially obtainable by any authenticated user visiting such a page.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
10 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themifyme | Themify Builder |
Affected:
0 , ≤ 7.7.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15407",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-18T02:44:25.630245Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-18T02:44:35.429Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Themify Builder",
"vendor": "themifyme",
"versions": [
{
"lessThanOrEqual": "7.7.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "PRISM"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Themify Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 7.7.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite or delete the generated CSS stylesheet file of arbitrary posts, including private and draft posts owned by other users, and modify plugin-scoped font options. The required CSRF nonce (tf_nonce) is emitted on public front-end builder pages via wp_localize_script, making it trivially obtainable by any authenticated user visiting such a page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T07:51:04.964Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b59e2773-31f0-4c19-b066-30982761bc44?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/themify-builder/tags/7.7.5/classes/class-themify-builder-stylesheet.php#L160"
},
{
"url": "https://plugins.trac.wordpress.org/browser/themify-builder/tags/7.7.7/classes/class-themify-builder-stylesheet.php#L160"
},
{
"url": "https://plugins.trac.wordpress.org/browser/themify-builder/tags/7.7.7/classes/class-themify-builder-stylesheet.php#L17"
},
{
"url": "https://plugins.trac.wordpress.org/browser/themify-builder/tags/7.7.7/classes/class-themify-builder-stylesheet.php#L313"
},
{
"url": "https://plugins.trac.wordpress.org/browser/themify-builder/tags/7.7.7/classes/class-themify-builder-stylesheet.php#L69"
},
{
"url": "https://plugins.trac.wordpress.org/browser/themify-builder/tags/7.7.5/classes/class-themify-builder-stylesheet.php#L17"
},
{
"url": "https://plugins.trac.wordpress.org/browser/themify-builder/tags/7.7.5/classes/class-themify-builder-stylesheet.php#L313"
},
{
"url": "https://plugins.trac.wordpress.org/browser/themify-builder/tags/7.7.5/classes/class-themify-builder-stylesheet.php#L69"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026old=3607906%40themify-builder\u0026new=3607906%40themify-builder"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-10T14:09:39.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-15T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Themify Builder \u003c= 7.7.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Stylesheet Write/Delete via tb_generate_on_fly AJAX Action"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-15407",
"datePublished": "2026-07-16T07:51:04.964Z",
"dateReserved": "2026-07-10T13:54:17.109Z",
"dateUpdated": "2026-07-18T02:44:35.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15651 (GCVE-0-2026-15651)
Vulnerability from cvelistv5 – Published: 2026-07-16 07:51 – Updated: 2026-07-16 15:11
VLAI
EPSS
VEX
Title
WP TripAdvisor Review Slider <= 14.6 - Authenticated (Administrator+) SQL Injection via 'filtersource' Parameter
Summary
The WP TripAdvisor Review Slider plugin for WordPress is vulnerable to generic SQL Injection via the 'filtersource' parameter in all versions up to, and including, 14.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity
4.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| jgwhite33 | WP TripAdvisor Review Slider |
Affected:
0 , ≤ 14.6
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15651",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-16T13:28:37.896493Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T15:11:28.732Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP TripAdvisor Review Slider",
"vendor": "jgwhite33",
"versions": [
{
"lessThanOrEqual": "14.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "PRISM"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP TripAdvisor Review Slider plugin for WordPress is vulnerable to generic SQL Injection via the \u0027filtersource\u0027 parameter in all versions up to, and including, 14.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T07:51:04.530Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a0d38788-5f90-4ab1-8df1-1c67c1052e6d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-tripadvisor-review-slider/tags/14.6/public/partials/wp-tripadvisor-review-slider-public-display.php#L106"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-tripadvisor-review-slider/tags/14.6/public/partials/wp-tripadvisor-review-slider-public-display.php#L118"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-tripadvisor-review-slider/tags/14.6/public/partials/wp-tripadvisor-review-slider-public-display-widget.php#L118"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-tripadvisor-review-slider/tags/14.6/admin/class-wp-tripadvisor-review-slider-admin.php#L3310"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3607754/wp-tripadvisor-review-slider"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-13T19:33:29.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-15T19:43:21.000Z",
"value": "Disclosed"
}
],
"title": "WP TripAdvisor Review Slider \u003c= 14.6 - Authenticated (Administrator+) SQL Injection via \u0027filtersource\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-15651",
"datePublished": "2026-07-16T07:51:04.530Z",
"dateReserved": "2026-07-13T19:18:18.869Z",
"dateUpdated": "2026-07-16T15:11:28.732Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}