Search
Find a vulnerability
Search criteria
8 vulnerabilities by xylus
CVE-2026-15727 (GCVE-0-2026-15727)
Vulnerability from nvd – Published: 2026-07-16 08:26 – Updated: 2026-07-16 12:24
VLAI
EPSS
VEX
Title
WP Bulk Delete <= 1.4.2 - Authenticated (Administrator+) SQL Injection via 'delete_user_roles' Parameter
Summary
The WP Bulk Delete plugin for WordPress is vulnerable to generic SQL Injection via the 'delete_user_roles' parameter in all versions up to, and including, 1.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. wp_unslash() is applied to the raw POST body before parse_str() decomposes it, stripping WordPress magic-quotes protection and leaving attacker-controlled values fully unescaped prior to reaching the SQL sink.
Severity
4.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
10 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| xylus | WP Bulk Delete |
Affected:
0 , ≤ 1.4.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15727",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-16T12:23:15.338871Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T12:24:07.859Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Bulk Delete",
"vendor": "xylus",
"versions": [
{
"lessThanOrEqual": "1.4.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "PRISM"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Bulk Delete plugin for WordPress is vulnerable to generic SQL Injection via the \u0027delete_user_roles\u0027 parameter in all versions up to, and including, 1.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. wp_unslash() is applied to the raw POST body before parse_str() decomposes it, stripping WordPress magic-quotes protection and leaving attacker-controlled values fully unescaped prior to reaching the SQL sink."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T08:26:50.455Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/39d325d4-073c-47b6-8ea4-30637417f0d7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-bulk-delete/tags/1.4.1/includes/class-delete-api.php#L1071"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-bulk-delete/tags/1.4.2/includes/class-delete-api.php#L1113"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-bulk-delete/tags/1.4.2/includes/class-delete-api.php#L1071"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-bulk-delete/tags/1.4.2/includes/ajax-delete-handler.php#L36"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-bulk-delete/tags/1.4.2/includes/ajax-delete-handler.php#L118"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-bulk-delete/tags/1.4.1/includes/class-delete-api.php#L1113"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-bulk-delete/tags/1.4.1/includes/ajax-delete-handler.php#L36"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-bulk-delete/tags/1.4.1/includes/ajax-delete-handler.php#L118"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3608270/wp-bulk-delete/trunk/includes/class-delete-api.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-14T13:47:10.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-15T20:02:34.000Z",
"value": "Disclosed"
}
],
"title": "WP Bulk Delete \u003c= 1.4.2 - Authenticated (Administrator+) SQL Injection via \u0027delete_user_roles\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-15727",
"datePublished": "2026-07-16T08:26:50.455Z",
"dateReserved": "2026-07-14T13:32:01.946Z",
"dateUpdated": "2026-07-16T12:24:07.859Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1941 (GCVE-0-2026-1941)
Vulnerability from nvd – Published: 2026-02-18 08:26 – Updated: 2026-04-08 16:52
VLAI
EPSS
VEX
Title
WP Event Aggregator <= 1.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Summary
The WP Event Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_events' shortcode in all versions up to, and including, 1.8.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| xylus | WP Event Aggregator: Import Eventbrite events, Meetup events, social events and any iCal Events into Event Calendar |
Affected:
0 , ≤ 1.8.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1941",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-18T12:24:56.771998Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T12:51:49.408Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Event Aggregator: Import Eventbrite events, Meetup events, social events and any iCal Events into Event Calendar",
"vendor": "xylus",
"versions": [
{
"lessThanOrEqual": "1.8.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
},
{
"lang": "en",
"type": "finder",
"value": "Waris Damkham"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Event Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027wp_events\u0027 shortcode in all versions up to, and including, 1.8.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:52:25.182Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/50d8f1e0-2022-4fe1-b384-ca762a032d3c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/trunk/includes/class-wp-event-aggregator-cpt.php#L56"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/tags/1.8.7/includes/class-wp-event-aggregator-cpt.php#L56"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/trunk/includes/class-wp-event-aggregator-cpt.php#L567"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/tags/1.8.7/includes/class-wp-event-aggregator-cpt.php#L567"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/trunk/includes/class-wp-event-aggregator-cpt.php#L761"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/tags/1.8.7/includes/class-wp-event-aggregator-cpt.php#L761"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3455440/wp-event-aggregator#file18"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-05T06:47:45.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-17T20:12:40.000Z",
"value": "Disclosed"
}
],
"title": "WP Event Aggregator \u003c= 1.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1941",
"datePublished": "2026-02-18T08:26:03.081Z",
"dateReserved": "2026-02-04T21:29:16.789Z",
"dateUpdated": "2026-04-08T16:52:25.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-12701 (GCVE-0-2024-12701)
Vulnerability from nvd – Published: 2025-01-04 07:24 – Updated: 2026-04-08 16:42
VLAI
EPSS
VEX
Title
WP Smart Import : Import any XML File to WordPress <= 1.1.2 - Reflected Cross-Site Scripting
Summary
The WP Smart Import : Import any XML File to WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘ page’ parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| xylus | WP Smart Import : Import any XML File to WordPress |
Affected:
0 , ≤ 1.1.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12701",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T16:16:19.146992Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T16:30:37.889Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Smart Import : Import any XML File to WordPress",
"vendor": "xylus",
"versions": [
{
"lessThanOrEqual": "1.1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Colin Xu"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Smart Import : Import any XML File to WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u2018 page\u2019 parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:42:51.388Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/27153c13-6bdc-4873-8a05-8aab6ba4243d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-smart-import/trunk/controller/manage_controller.php#L82"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-smart-import/trunk/controller/file_manage_controller.php#L39"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3212009/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-03T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Smart Import : Import any XML File to WordPress \u003c= 1.1.2 - Reflected Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12701",
"datePublished": "2025-01-04T07:24:23.207Z",
"dateReserved": "2024-12-17T01:18:20.371Z",
"dateUpdated": "2026-04-08T16:42:51.388Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-12422 (GCVE-0-2024-12422)
Vulnerability from nvd – Published: 2024-12-14 05:34 – Updated: 2026-04-08 17:33
VLAI
EPSS
VEX
Title
Import Eventbrite Events <= 1.7.4 - Reflected Cross-Site Scripting
Summary
The Import Eventbrite Events plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.7.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| xylus | Import Eventbrite Events |
Affected:
0 , ≤ 1.7.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12422",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-16T16:50:09.152160Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T17:48:27.982Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Import Eventbrite Events",
"vendor": "xylus",
"versions": [
{
"lessThanOrEqual": "1.7.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "vgo0"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Import Eventbrite Events plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u0027page\u0027 parameter in all versions up to, and including, 1.7.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:33:48.054Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f799db97-ca61-439d-94ec-a44270d1cd07?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/import-eventbrite-events/tags/1.7.3/templates/admin/import-eventbrite-events-history.php#L16"
},
{
"url": "https://plugins.trac.wordpress.org/browser/import-eventbrite-events/tags/1.7.3/templates/admin/import-eventbrite-events-history.php#L17"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3207381%40import-eventbrite-events\u0026new=3207381%40import-eventbrite-events\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Import Eventbrite Events \u003c= 1.7.4 - Reflected Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12422",
"datePublished": "2024-12-14T05:34:16.566Z",
"dateReserved": "2024-12-10T16:28:26.332Z",
"dateUpdated": "2026-04-08T17:33:48.054Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-15727 (GCVE-0-2026-15727)
Vulnerability from cvelistv5 – Published: 2026-07-16 08:26 – Updated: 2026-07-16 12:24
VLAI
EPSS
VEX
Title
WP Bulk Delete <= 1.4.2 - Authenticated (Administrator+) SQL Injection via 'delete_user_roles' Parameter
Summary
The WP Bulk Delete plugin for WordPress is vulnerable to generic SQL Injection via the 'delete_user_roles' parameter in all versions up to, and including, 1.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. wp_unslash() is applied to the raw POST body before parse_str() decomposes it, stripping WordPress magic-quotes protection and leaving attacker-controlled values fully unescaped prior to reaching the SQL sink.
Severity
4.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
10 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| xylus | WP Bulk Delete |
Affected:
0 , ≤ 1.4.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-15727",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-16T12:23:15.338871Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T12:24:07.859Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Bulk Delete",
"vendor": "xylus",
"versions": [
{
"lessThanOrEqual": "1.4.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "PRISM"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Bulk Delete plugin for WordPress is vulnerable to generic SQL Injection via the \u0027delete_user_roles\u0027 parameter in all versions up to, and including, 1.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. wp_unslash() is applied to the raw POST body before parse_str() decomposes it, stripping WordPress magic-quotes protection and leaving attacker-controlled values fully unescaped prior to reaching the SQL sink."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-16T08:26:50.455Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/39d325d4-073c-47b6-8ea4-30637417f0d7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-bulk-delete/tags/1.4.1/includes/class-delete-api.php#L1071"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-bulk-delete/tags/1.4.2/includes/class-delete-api.php#L1113"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-bulk-delete/tags/1.4.2/includes/class-delete-api.php#L1071"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-bulk-delete/tags/1.4.2/includes/ajax-delete-handler.php#L36"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-bulk-delete/tags/1.4.2/includes/ajax-delete-handler.php#L118"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-bulk-delete/tags/1.4.1/includes/class-delete-api.php#L1113"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-bulk-delete/tags/1.4.1/includes/ajax-delete-handler.php#L36"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-bulk-delete/tags/1.4.1/includes/ajax-delete-handler.php#L118"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3608270/wp-bulk-delete/trunk/includes/class-delete-api.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-14T13:47:10.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-15T20:02:34.000Z",
"value": "Disclosed"
}
],
"title": "WP Bulk Delete \u003c= 1.4.2 - Authenticated (Administrator+) SQL Injection via \u0027delete_user_roles\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-15727",
"datePublished": "2026-07-16T08:26:50.455Z",
"dateReserved": "2026-07-14T13:32:01.946Z",
"dateUpdated": "2026-07-16T12:24:07.859Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1941 (GCVE-0-2026-1941)
Vulnerability from cvelistv5 – Published: 2026-02-18 08:26 – Updated: 2026-04-08 16:52
VLAI
EPSS
VEX
Title
WP Event Aggregator <= 1.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Summary
The WP Event Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_events' shortcode in all versions up to, and including, 1.8.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| xylus | WP Event Aggregator: Import Eventbrite events, Meetup events, social events and any iCal Events into Event Calendar |
Affected:
0 , ≤ 1.8.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1941",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-18T12:24:56.771998Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T12:51:49.408Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Event Aggregator: Import Eventbrite events, Meetup events, social events and any iCal Events into Event Calendar",
"vendor": "xylus",
"versions": [
{
"lessThanOrEqual": "1.8.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
},
{
"lang": "en",
"type": "finder",
"value": "Waris Damkham"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Event Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027wp_events\u0027 shortcode in all versions up to, and including, 1.8.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:52:25.182Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/50d8f1e0-2022-4fe1-b384-ca762a032d3c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/trunk/includes/class-wp-event-aggregator-cpt.php#L56"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/tags/1.8.7/includes/class-wp-event-aggregator-cpt.php#L56"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/trunk/includes/class-wp-event-aggregator-cpt.php#L567"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/tags/1.8.7/includes/class-wp-event-aggregator-cpt.php#L567"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/trunk/includes/class-wp-event-aggregator-cpt.php#L761"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-event-aggregator/tags/1.8.7/includes/class-wp-event-aggregator-cpt.php#L761"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3455440/wp-event-aggregator#file18"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-05T06:47:45.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-17T20:12:40.000Z",
"value": "Disclosed"
}
],
"title": "WP Event Aggregator \u003c= 1.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1941",
"datePublished": "2026-02-18T08:26:03.081Z",
"dateReserved": "2026-02-04T21:29:16.789Z",
"dateUpdated": "2026-04-08T16:52:25.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-12701 (GCVE-0-2024-12701)
Vulnerability from cvelistv5 – Published: 2025-01-04 07:24 – Updated: 2026-04-08 16:42
VLAI
EPSS
VEX
Title
WP Smart Import : Import any XML File to WordPress <= 1.1.2 - Reflected Cross-Site Scripting
Summary
The WP Smart Import : Import any XML File to WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘ page’ parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| xylus | WP Smart Import : Import any XML File to WordPress |
Affected:
0 , ≤ 1.1.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12701",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T16:16:19.146992Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T16:30:37.889Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Smart Import : Import any XML File to WordPress",
"vendor": "xylus",
"versions": [
{
"lessThanOrEqual": "1.1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Colin Xu"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Smart Import : Import any XML File to WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u2018 page\u2019 parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:42:51.388Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/27153c13-6bdc-4873-8a05-8aab6ba4243d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-smart-import/trunk/controller/manage_controller.php#L82"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-smart-import/trunk/controller/file_manage_controller.php#L39"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3212009/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-03T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP Smart Import : Import any XML File to WordPress \u003c= 1.1.2 - Reflected Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12701",
"datePublished": "2025-01-04T07:24:23.207Z",
"dateReserved": "2024-12-17T01:18:20.371Z",
"dateUpdated": "2026-04-08T16:42:51.388Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-12422 (GCVE-0-2024-12422)
Vulnerability from cvelistv5 – Published: 2024-12-14 05:34 – Updated: 2026-04-08 17:33
VLAI
EPSS
VEX
Title
Import Eventbrite Events <= 1.7.4 - Reflected Cross-Site Scripting
Summary
The Import Eventbrite Events plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.7.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| xylus | Import Eventbrite Events |
Affected:
0 , ≤ 1.7.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12422",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-16T16:50:09.152160Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-16T17:48:27.982Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Import Eventbrite Events",
"vendor": "xylus",
"versions": [
{
"lessThanOrEqual": "1.7.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "vgo0"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Import Eventbrite Events plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u0027page\u0027 parameter in all versions up to, and including, 1.7.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:33:48.054Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f799db97-ca61-439d-94ec-a44270d1cd07?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/import-eventbrite-events/tags/1.7.3/templates/admin/import-eventbrite-events-history.php#L16"
},
{
"url": "https://plugins.trac.wordpress.org/browser/import-eventbrite-events/tags/1.7.3/templates/admin/import-eventbrite-events-history.php#L17"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3207381%40import-eventbrite-events\u0026new=3207381%40import-eventbrite-events\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Import Eventbrite Events \u003c= 1.7.4 - Reflected Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12422",
"datePublished": "2024-12-14T05:34:16.566Z",
"dateReserved": "2024-12-10T16:28:26.332Z",
"dateUpdated": "2026-04-08T17:33:48.054Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}