Seckhmet

During the week of 04/27/2026 to 05/04/2026, 188 vulnerability(ies) affecting WordPress were published in the Seckhmet database. Find below the details of these vulnerabilities and the week’s news.

Vulnerability Details

CVE-2026-7567Critical 9.8

Component : Temporary Login (Plugin)

CWE : CWE-288

The Temporary Login plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.0.0. This is due to improper input validation in the maybe_login_temporary_user() function, which fails to verify that the ‘temp-login-token’ GET parameter is a scalar string before processing it. When the parameter is supplied as an array, PHP’s empty() check is bypassed and sanitize_key() returns an empty string, which is then passed as the meta_value to get_users(). WordPress ignores an empty meta_value and returns all users matching the meta_key ‘_temporary_login_token’, allowing authentication without a valid token. This makes it possible for unauthenticated attackers to authenticate as any active temporary login user by sending a single crafted GET request.

CVE-2026-7458Critical 9.8

Component : User Verification by PickPlugins (Plugin)

CWE : CWE-288

The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.46. This is due to the use of a loose PHP comparison operator to validate OTP codes in the “user_verification_form_wrap_process_otpLogin” function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting a “true” OTP value.

CVE-2026-4882Critical 9.8

Component : User Registration Advanced Fields (Plugin)

CWE : CWE-434

The User Registration Advanced Fields plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ‘URAF_AJAX::method_upload’ function in all versions up to, and including, 1.6.20. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible. Note: The vulnerability can only be exploited if a “Profile Picture” field is added to the form.

CVE-2026-6741High 8.8

Component : LatePoint – Calendar Booking Plugin for Appointments and Events (Plugin)

CWE : CWE-269

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability granted to the latepoint_agent role by default, without verifying whether the target WordPress user ID belongs to a privileged account. This makes it possible for authenticated attackers with the latepoint_agent role to link any LatePoint customer record to an administrator’s WordPress account and subsequently reset the administrator’s password via the normal customer password-reset flow, resulting in full site takeover.

CVE-2026-3772High 8.8

Component : WP Editor (Plugin)

CWE : CWE-352

The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9.2. This is due to missing nonce verification in the ‘add_plugins_page’ and ‘add_themes_page’ functions. This makes it possible for unauthenticated attackers to overwrite arbitrary plugin and theme PHP files with attacker-controlled code via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.

CVE-2026-6963High 8.8

Component : WP Mail Gateway (Plugin)

CWE : CWE-862

The WP Mail Gateway plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wmg_save_provider_config AJAX action in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update SMTP settings and redirect mail which can be used for privilege escalation by triggering a password reset email and using that to access and administrator’s account.

CVE-2026-7641High 8.8

Component : Import and export users and customers (Plugin)

CWE : CWE-269

The Import and export users and customers plugin for WordPress is vulnerable to Privilege Escalation in all versions up to and including 2.0.8 via the `save_extra_user_profile_fields()` function. This is due to an incomplete blocklist that correctly restricts capability meta keys for the primary site (e.g., `wp_capabilities`, `wp_user_level`) but fails to block the equivalent meta keys for any other subsite in a WordPress Multisite network (e.g., `wp_2_capabilities`, `wp_2_user_level`), allowing these keys to pass the `in_array()` check and be written directly to user meta via `update_user_meta()`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator on any subsite within the Multisite network by submitting a crafted profile update to `/wp-admin/profile.php`. Exploitation requires that an administrator has previously imported a CSV file containing multisite-prefixed capability column headers and has enabled the ‘Show fields in profile?’ option, which causes those keys to be stored in the `acui_columns` option and exposed as editable fields on the user profile page.

CVE-2026-2052High 8.8

Component : Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets (Plugin)

CWE : CWE-94

The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.2 via the Display Logic feature. This is due to the plugin using eval() on user-supplied Display Logic expressions with an insufficient blocklist/allowlist that can be bypassed using array_map with string concatenation, combined with a lack of authorization enforcement on the extended_widget_opts_block attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. The vulnerability was partially patched in version 4.2.0.

CVE-2026-2052High 8.8

Component : Widget Options – Extended (Plugin)

CWE : CWE-94

CVE-2026-7647High 8.1

Component : Profile Builder Pro (Plugin)

CWE : CWE-502

The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP’s maybe_unserialize() function on the attacker-controlled ‘args’ POST parameter within the wppb_request_users_pins_action_callback() AJAX handler, which lacked any nonce verification, type checking, or input validation before deserialization. Because the handler was registered with both wp_ajax_ and wp_ajax_nopriv_ hooks, it was reachable by completely unauthenticated users. This makes it possible for unauthenticated attackers to inject arbitrary PHP objects into application memory.

CVE-2026-2554High 8.1

Component : WCFM – Frontend Manager for WooCommerce (Plugin)

CWE : CWE-639

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the ‘wcfm_delete_wcfm_customer’ due to missing validation on the ‘customerid’ user controlled key. This makes it possible for authenticated attackers, with Vendor-level access and above, to delete arbitrary users, including Administrators.

CVE-2026-2892High 7.5

Component : Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE (Plugin)

CWE : CWE-285

The Otter Blocks plugin for WordPress is vulnerable to Purchase Verification Bypass in all versions up to, and including, 3.1.4. This is due to the ‘get_customer_data’ method relying on an unsigned ‘o_stripe_data’ cookie to determine Stripe product ownership for unauthenticated users. The ‘check_purchase’ method trusts this cookie data without performing server-side verification against the Stripe API for one-time ‘payment’ mode purchases. This makes it possible for unauthenticated attackers to bypass Stripe purchase-gated content visibility conditions by forging the ‘o_stripe_data’ cookie with a target product ID, which is publicly exposed in the checkout block’s HTML source.

CVE-2026-4062High 7.5

Component : Geo Mashup (Plugin)

CWE : CWE-89

The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the ‘object_ids’ and ‘exclude_object_ids’ parameters in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. The `esc_sql()` function is applied but is ineffective because the values are placed in an unquoted `IN(…)` / `NOT IN(…)` SQL context — `esc_sql()` only escapes quote characters and provides no protection against parenthesis or SQL keyword injection. Additionally, while a numeric-only sanitizer exists in `sanitize_query_args()`, it is only applied in the AJAX code path and not in the `render-map.php` or template tag code paths. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach.

CVE-2026-6320High 7.5

Component : Salon Booking System – Free Version (Plugin)

CWE : CWE-22

The Salon Booking System – Free Version plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 10.30.25. This is due to the public booking flow accepting attacker-controlled file-field values and later using those stored values as trusted paths for email attachments. This makes it possible for unauthenticated attackers to read arbitrary local files and exfiltrate them via booking confirmation email attachments.

CVE-2026-4061High 7.5

Component : Geo Mashup (Plugin)

CWE : CWE-89

The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the ‘map_post_type’ parameter in all versions up to, and including, 1.13.18. This is due to the `SearchResults` hook explicitly calling `stripslashes_deep($_POST)` which removes WordPress magic quotes protection, followed by the unsanitized `map_post_type` value being concatenated into an `IN(…)` clause without `esc_sql()` or `$wpdb->prepare()`. The ‘any’ branch of the same code correctly applies `array_map(‘esc_sql’, …)`, but the else branch does not. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach. Exploitation requires the Geo Search feature to be enabled in plugin settings.

CVE-2026-4060High 7.5

Component : Geo Mashup (Plugin)

CWE : CWE-89

The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the ‘sort’ parameter in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. The `esc_sql()` function is applied but is ineffective in the `ORDER BY` context because the value is not enclosed in quotes. Additionally, while a `sanitize_sort_arg()` allowlist-based sanitizer was added in version 1.13.18, it is only applied in the AJAX code path (`sanitize_query_args()`) and not in the `render-map.php` or template tag code paths. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach.

CVE-2026-7649High 7.5

Component : ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup (Plugin)

CWE : CWE-89

The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to time-based blind SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 4.0.60 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE-2026-7049High 7.2

Component : PixelYourSite Pro (Plugin)

CWE : CWE-918

The PixelYourSite Pro – Your smart PIXEL (TAG) Manager plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 12.5.0.1 via the scan_video. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The SSRF is blind because fetched response bodies are only parsed internally for YouTube/Vimeo patterns and are never returned to the attacker.

CVE-2026-5113High 7.2

Component : Gravity Forms (Plugin)

CWE : CWE-79

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Consent field hidden inputs in versions up to and including 2.10.0. This is due to a flawed state validation mechanism that fails open when input is sanitized by wp_kses(), combined with insufficient output escaping. The state validation logic creates two hashes (raw input and wp_kses-sanitized input) and only fails validation if BOTH hashes don’t match the original state. When an attacker injects XSS payloads using tags stripped by wp_kses() (like <svg>), the sanitized hash matches while the malicious raw value is preserved and saved to the database. When administrators view the Entries List page, the stored malicious consent label is retrieved and output without escaping, causing the XSS payload to execute. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in entries that will execute whenever an authenticated administrator accesses the entries list page.

CVE-2026-5324High 7.2

Component : Brizy – Page Builder (Plugin)

CWE : CWE-79

The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to, and including, 2.8.11 This is due to a combination of missing nonce verification for unauthenticated form submissions, insufficient handling of FileUpload fields when no file is uploaded, and the reversal of security encoding via html_entity_decode() followed by unescaped output in the admin view. The submit_form() function skips nonce verification for non-logged-in users (api.php:198). The handleFileTypeFields() function fails to overwrite user-supplied values when no file is attached. While htmlentities() is applied during storage, html_entity_decode() reverses this on display (form-entries.php:79). The form-data.php template outputs FileUpload values directly in href attributes without esc_url(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form Leads page.

CVE-2026-6229High 7.2

Component : Royal Addons for Elementor – Addons and Templates Kit for Elementor (Plugin)

CWE : CWE-918

The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.7.1057. This is due to insufficient validation of user-supplied URLs in the render_csv_data() function, which can be bypassed by including ‘docs.google.com/spreadsheets’ in a query parameter, and the subsequent use of these URLs in fopen() calls without blocking internal or private network addresses. This makes it possible for authenticated attackers, with Contributor-level access and above, to make requests to arbitrary URLs and retrieve sensitive information from internal services.

CVE-2026-5111High 7.2

Component : Gravity Forms (Plugin)

CWE : CWE-79

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping on Hidden Product field values when used inside Repeater fields, where repeater subfields bypass state validation checks and the Hidden Product validate() method only validates the quantity field while ignoring the product name field that is later output without proper escaping in the get_value_entry_detail() method. This makes it possible for unauthenticated attackers to inject arbitrary web scripts through form submissions that will execute whenever an administrator views the entry details.

CVE-2026-5112High 7.2

Component : Gravity Forms (Plugin)

CWE : CWE-79

The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping of Calculation Product field product names when rendered inside Repeater fields. The validate() method in the GF_Field_Calculation class only validates the quantity field (.3) and completely ignores the product name field (.1), allowing malicious HTML to pass through validation. When the value is saved, the sanitize_entry_value() method returns the raw value without sanitization for fields where HTML is not expected. Subsequently, when an entry is viewed in wp-admin, the get_value_entry_detail() method concatenates the unescaped product name directly into the output string, which is then rendered by the repeater’s get_value_entry_detail() method without further escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via form submissions that will execute whenever an authenticated administrator with the gravityforms_view_entries capability accesses the entry detail page.

CVE-2026-5110High 7.2

Component : Gravity Forms (Plugin)

CWE : CWE-79

The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping in the SingleProduct field when used inside a Repeater field. When SingleProduct fields are nested within Repeater fields, the validation flow bypasses the state validation mechanism (failed_state_validation()) that would normally prevent tampering with field values. The validate_subfield() method only calls the field’s validate() method, which for SingleProduct fields only validates the quantity field and does not check the product name field for tampering. As a result, an attacker can inject arbitrary HTML and JavaScript into the product name field (input .1). This malicious input is then saved to the database without sanitization because sanitize_entry_value() returns raw values when HTML is not expected for the field type. When an administrator views the entry in wp-admin/admin.php?page=gf_entries, the get_value_entry_detail() method outputs the product name without escaping, causing the stored XSS payload to execute in the administrator’s browser. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses an entry containing the malicious payload.

CVE-2026-5109High 7.2

Component : Gravity Forms (Plugin)

CWE : CWE-79

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient validation and output escaping of Product Option field values. The vulnerability exists because the state validation function accepts submitted values where the wp_kses()-sanitized version matches a legitimate option value, but then stores the raw unsanitized value in the database. When administrators view entry details via the Order Summary section, the option_label is output directly without escaping (view-order-summary.php line 32), executing the injected JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in entry data that will execute whenever an administrator accesses the entry details page.

CVE-2026-5063High 7.2

Component : NEX-Forms – Ultimate Forms Plugin for WordPress (Plugin)

CWE : CWE-79

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via POST parameter key names in the submit_nex_form() function in versions up to, and including, 9.1.11 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-4100High 7.1

Component : Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions (Plugin)

CWE : CWE-862

The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the `wp_ajax_pmpro_stripe_create_webhook`, `wp_ajax_pmpro_stripe_delete_webhook`, and `wp_ajax_pmpro_stripe_rebuild_webhook` AJAX handlers. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete, create, or rebuild the site’s Stripe webhook, disrupting all payment processing, subscription renewal synchronization, cancellation handling, and failed payment management.

CVE-2026-6457Medium 6.5

Component : Geo Mashup (Plugin)

CWE : CWE-89

The Geo Mashup plugin for WordPress is vulnerable to time-based blind SQL Injection via the ‘geo_mashup_null_fields’ parameter in all versions up to, and including, 1.13.19 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVE-2025-14726Medium 6.5

Component : Widgets for Social Photo Feed (Plugin)

CWE : CWE-200

The Widgets for Social Photo Feed plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the ‘/trustindex_feed_hook_instagram/troubleshooting’ and ‘/trustindex_feed_hook_instagram/submit-data’ REST API endpoints in all versions up to, and including, 1.8. This makes it possible for unauthenticated attackers to access and update plugin settings.

CVE-2026-6725Medium 6.4

Component : WPC Smart Messages for WooCommerce (Plugin)

CWE : CWE-79

The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘text’ attribute of the `wpcsm_text_rotator` shortcode in all versions up to, and including, 4.2.8. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-6551Medium 6.4

Component : Timeline Blocks for Gutenberg (Plugin)

CWE : CWE-79

The Timeline Blocks for Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘titleTag’ attribute of the timeline-blocks/tb-timeline-blocks block in all versions up to, and including, 1.1.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-6809Medium 6.4

Component : Social Post Embed (Plugin)

CWE : CWE-79

The Social Post Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Threads embed handler in all versions up to, and including, 2.0.1. This is due to insufficient input sanitization and output escaping on the user-supplied URL. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-6127Medium 6.4

Component : Elementor Website Builder – more than just a page builder (Plugin)

CWE : CWE-79

The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _elementor_data meta field in versions up to, and including, 4.0.4. This is due to insufficient input sanitization when processing form-encoded REST API requests. The plugin registers the _elementor_data meta field with show_in_rest but omits a sanitize_callback, relying instead on a rest_pre_insert_post filter (sanitize_post_data function) that only sanitizes JSON-encoded request bodies. When a contributor sends a form-encoded PATCH request to the WordPress REST API, the json_decode() call on the raw body returns null, causing all sanitization to be skipped. The unsanitized data is then stored via update_post_meta() and later output without escaping through multiple widget sinks including the HTML widget’s print_unescaped_setting() function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-6378Medium 6.4

Component : MaxiBlocks Builder | 17,000+ Design Assets, Patterns, Icons & Starter Sites (Plugin)

CWE : CWE-79

The Maxi Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `/wp-json/maxi-blocks/v1.0/style-card` REST API endpoint in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping of the `sc_styles` parameter. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute on every page where the plugin’s style card styles are loaded, including across the entire WordPress admin panel.

CVE-2026-4658Medium 6.4

Component : Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns (Plugin)

CWE : CWE-79

The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the className, classHook, and blockId attributes in the Add to Cart block (essential-blocks/add-to-cart) in all versions up to, and including, 6.0.4. This is due to insufficient output escaping in the render_callback() function where these attributes are placed into class and data-id HTML attributes using raw sprintf() and implode() without esc_attr() escaping. While the outer wrapper div uses get_block_wrapper_attributes() which properly escapes, the inner divs do not. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-7209Medium 6.4

Component : Simple Link Directory (Plugin)

CWE : CWE-79

The Simple Link Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s `qcopd-directory` shortcode in all versions up to, and including, 8.9.2. This is due to insufficient input sanitization and output escaping on user supplied attributes such as `title_font_size`. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-6916Medium 6.4

Component : Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress (Plugin)

CWE : CWE-79

The Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘sg_content_number_prefix’ parameter in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-0703Medium 6.4

Component : NextMove Lite – Thank You Page for WooCommerce (Plugin)

CWE : CWE-79

The NextMove Lite – Thank You Page for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘xlwcty_current_date’ shortcode in all versions up to, and including, 2.23.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-4805Medium 6.4

Component : Woostify (Theme)

CWE : CWE-79

The Woostify plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.0 This is due to insufficient input sanitization and output escaping in the bundled Lity.js lightbox library, where user-controlled input from the href attribute is concatenated directly into a jQuery HTML string without sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-2902Medium 6.1

Component : WP Meteor Website Speed Optimization Addon (Plugin)

CWE : CWE-79

The WP Meteor Website Speed Optimization Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘frontend_rewrite’ function’s ‘WPMETEOR[N]WPMETEOR’ placeholder content in all versions up to, and including, 3.4.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-13362Medium 6.1

Component : AEH Speed Optimization: Browser Cache, Optimized Minify, Lazy Loading & Image Optimization (Plugin)

CWE : CWE-79

Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVE-2024-13362Medium 6.1

Component : Custom WooCommerce Checkout Fields Editor (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Ivory Search – WordPress Search Plugin (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : AWCA – The Great Analytics Insights for Your eStore (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Advanced Classifieds & Directory Pro (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Advanced Scrollbar – Custom Scrollbar Styling and Behavior (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : AI Bud – AI Content Generator, AI Chatbot, ChatGPT, Gemini, GPT-4o (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Image Alt Text Manager – Bulk & Dynamic Alt Tags For image SEO Optimization + AI (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Auto-Install Free SSL – Generate & Install Free SSL Certificates (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Automatic Internal Links for SEO by Pagup (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Automatic YouTube Gallery (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : bBlocks – Essential Gutenberg Blocks & Patterns Collection (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Knowledge Base documentation & wiki plugin – BasePress Docs (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Forumax – AI Powered Advanced Community Forum Plugin (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : BlockSpare — News, Magazine and Blog Addons for (Gutenberg) Block Editor (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Blog Designer Pack – Blog, Post Grid, Post Slider, Post Carousel, Category Post, News (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Better Messages – Live Chat, Chat Rooms, Real-Time Messaging & Private Messages (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Bulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO) (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Announcement & Notification Banner – Bulletin (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Message Filter for Contact Form 7 (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : WOW Styler for CF7 – Visual Styler for Contact Form 7 Forms (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Code Manager (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Contact Form 7 Multi-Step Forms (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : WP Page Templates (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Custom PHP Settings (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Delete Posts automatically (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Meta Field Block – Display custom fields in the Block Editor without coding (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Dracula Dark Mode – Accessibility, Reading Mode & Dark Mode for WordPress (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Dynamic Copyright Year (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Easy Age Verify (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Easy Social Feed – Social Photos Gallery and Post Feed for WordPress (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Marijuana Age Verify (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : EazyDocs – AI Powered Knowledge Base, Wiki, Documentation & FAQ Builder (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : EleSpare – News, Magazine and Blog Addons for Elementor (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Embedder for Google Reviews (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Events Addon for Elementor (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Featured Images in RSS for Mailchimp & More (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Five-Star Ratings Shortcode (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Notification Bar, Announcement and Cookie Notice WordPress Plugin – FooBar (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Lightbox & Modal Popup WordPress Plugin – FooBox (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Gallery by FooGallery (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Full Screen Background (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Anti-Spam Protection – No API Key, GDPR Friendly (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : GA4WP – Analytics Dashboard for the Website (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Geo Mashup (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Glossary (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Go Fetch Jobs (for WP Job Manager) (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Goal Tracker – Custom Event Tracking for GA4 (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : AI Puffer – Chat. Create. Automate. (formerly AI Power) (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Team Members – A WordPress Team Plugin with Gallery, Grid, Carousel, Slider, Table, List, and More (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Solid Testimonials – Testimonial Slider, Video Testimonials & Customer Reviews (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Inavii Social Feed (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Independent Analytics (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : File Manager for Google Drive – Integrate Google Drive (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : MapGeo – Interactive Geo Maps (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Internal Link Juicer: SEO Auto Linker for WordPress (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Joli Table Of Contents (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Justified Gallery (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Logo Showcase – Responsive Logo Carousel, Logo Slider & Logo Grid (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Kikote – Location Picker at Checkout & Google Address AutoFill Plugin for WooCommerce (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Mapster WP Maps (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Menu Image, Icons made easy (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : WP Mobile Menu – The Mobile-Friendly Responsive Menu (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Music Player for Elementor – Audio Player & Podcast Player (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Ocean Extra (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Open User Map (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : PDF Poster – Display PDF Files with Custom Viewer (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Post List Designer – Category Post, Recent Post, Post List (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Post Slider and Post Carousel with Post Vertical Scrolling Widget – A Responsive Post Slider (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Post to Google My Business (Google Business Profile) (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Premmerce Product Filter for WooCommerce (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Primary Addon for Elementor (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Product Layouts for WooCommerce (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Radio Station by netmix® – Manage and play your Show Schedule in WordPress! (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Remove Add to Cart WooCommerce (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Restaurant & Cafe Addon for Elementor (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Restrict – membership, site, content and user access restrictions for WordPress (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Role Based Pricing for Woo by Meow Crew (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Security Ninja – WordPress Security & Firewall (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Send Users Email – Email Subscribers, Email Marketing Newsletter (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Share This Image (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : WP Shortcodes Plugin — Shortcodes Ultimate (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Mixed Media Gallery Blocks (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Smart phone field for Gravity Forms (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Carousel, Recent Post Slider and Banner Slider (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Spotlight Social Feeds – Block, Shortcode, and Widget (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : StreamWeasels Twitch Integration (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : TablePress – Tables in WordPress made easy (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Text To Speech TTS Accessibility (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : TreePress – Easy Family Trees & Ancestor Profiles (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : WordPress form builder plugin for contact forms, surveys and quizzes – Tripetto (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Ultimeter (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Unlimited Elements For Elementor (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : URL Shortify – Simple and Easy URL Shortener (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Checkout with Cash App on WooCommerce (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Payment Gateway for ACBA BANK (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Place Order Without Payment for WooCommerce (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Thank You Page for WooCommerce (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Easy Appointment Booking & Scheduling System – Webba Booking Calendar (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Display Eventbrite Events (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Widgets on Pages (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Secure Gateway for Authorize.net and WooCommerce by Pledged Plugins (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Disable Payment Methods based on cart conditions for WooCommerce (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Coupon Affiliates – Affiliate Plugin for WooCommerce (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : XT Floating Cart for WooCommerce (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Premmerce Permalink Manager for WooCommerce (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Pay For Post with WooCommerce (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : StoreCustomizer – A plugin to Customize all WooCommerce Pages (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : RevivePress – Keep your Old Content Evergreen (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : WP Books Gallery – Build Stunning Book Showcases & Libraries in Minutes (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : WP Coupons and Deals – Coupon Plugin For Affiliate Marketers (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : WP Data Access – App Builder for Tables, Forms, Charts, Maps & Dashboards (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : WP fail2ban – Advanced Security (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect, Security & SSL Scan (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : WP Meta and Date Remover (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : WP Notification Bell (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : WP Post Author – Author Box, Multiple Authors, Guest Authors & Custom Avatars (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Bulk Edit Posts and Products in Spreadsheet (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : AidWP – Donation & Payment Forms (Stripe Powered) (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : TopNewsWp – Display Tikcer News, RSS Feed Widget and Many More (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : WPBITS Addons For Elementor Page Builder (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : WPIDE – File Manager & Code Editor (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : Team Members Showcase (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : XT Quick View for WooCommerce (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : XT Variation Swatches for WooCommerce (Plugin)

CWE : CWE-79

CVE-2024-13362Medium 6.1

Component : YASR – Yet Another Star Rating Plugin for WordPress (Plugin)

CWE : CWE-79

CVE-2026-6817Medium 5.8

Component : Quiz Maker by AYS (Plugin)

CWE : CWE-79

The Quiz Maker by AYS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘rate_reason’ parameter in all versions up to, and including, 6.7.1.29 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-5306Medium 5.4

Component : Check & Log Email – Easy Email Testing & Mail logging (Plugin)

CWE : CWE-79

The Check & Log Email WordPress plugin before 2.0.13 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks when the email encoder setting is enabled

CVE-2026-6446Medium 5.4

Component : My Social Feeds – Social Feeds Embedder Plugin for WP (Plugin)

CWE : CWE-522

The My Social Feeds – Social Feeds Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 1.0.4 via the ‘ttp_get_accounts’ AJAX action. This is due to the complete absence of authorization checks (no capability verification) and nonce verification in the get_accounts() function, which returns the full contents of the ‘ttp_tiktok_accounts’ WordPress option. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive TikTok OAuth credentials, including access_token and refresh_token values, that belong to administrator-connected TikTok accounts, enabling them to impersonate the site owner when interacting with the TikTok API.

CVE-2026-4790Medium 5.4

Component : Premium Addons for Elementor – Powerful Elementor Templates & Widgets (Plugin)

CWE : CWE-79

The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘custom_svg’ parameter in versions up to, and including, 4.11.70 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-5077Medium 5.4

Component : Total (Theme)

CWE : CWE-79

The Total theme for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in versions up to, and including, 2.2.1 due to insufficient output escaping when rendering the_title() inside HTML attribute context in the home blog section template. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the malicious post to be published and displayed with a featured image in the Home Page blog section.

CVE-2026-4911Medium 5.3

Component : Booking Package (Plugin)

CWE : CWE-472

The Booking Package plugin for WordPress is vulnerable to Price Manipulation in versions up to, and including, 1.7.06 This is due to the intentForStripe() function passing user-controlled $_POST[‘amount’] directly to the Stripe PaymentIntent API without validation, and the commitStripe() function ignoring the server-calculated amount when confirming the payment. While the server correctly calculates the booking cost via getAmount() based on services, guests, taxes, and coupons, this calculated amount is never validated against or used to update the PaymentIntent because the critical code in CreditCard.php that would include the calculated amount in the PaymentIntent update is commented out. This makes it possible for unauthenticated attackers to book services at arbitrary prices (e.g., $0.01 instead of $500.00) by manipulating the amount parameter during PaymentIntent creation and completing the booking with the fraudulent payment.

CVE-2026-4019Medium 5.3

Component : Complianz – GDPR/CCPA Cookie Consent (Plugin)

CWE : CWE-862

The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to unauthorized data access in all versions up to, and including, 7.4.5 This is due to the REST API endpoint at /wp-json/complianz/v1/consent-area/{post_id}/{block_id} using __return_true as the permission_callback, allowing any unauthenticated user to access it. The cmplz_rest_consented_content() function retrieves a post by ID via get_post() and returns the consentedContent attribute of any complianz/consent-area block found in it, without checking if the post is published or if the user has permission to read it. This makes it possible for unauthenticated attackers to read the consent area block content from private, draft, or unpublished posts.

CVE-2026-6498Medium 5.3

Component : Five Star Restaurant Reservations – WordPress Booking Plugin (Plugin)

CWE : CWE-345

The Five Star Restaurant Reservations plugin for WordPress is vulnerable to a payment bypass via PHP type juggling in versions up to, and including, 2.7.16 This is due to the valid_payment() function using a PHP loose comparison (==) between the attacker-controlled payment_id POST parameter and the booking’s stripe_payment_intent_id property. When an unauthenticated attacker submits a request to the nopriv AJAX handler rtb_stripe_pmt_succeed before the Stripe payment intent has been created for a booking (i.e., before the JavaScript-triggered create_stripe_pmtIntnt() call has stored an intent ID in post meta), the stripe_payment_intent_id property on the booking object remains null. The comparison sanitize_text_field(”) == null evaluates to TRUE in PHP loose comparison, causing the payment verification check to pass with zero actual payment. This makes it possible for unauthenticated attackers to mark any existing payment_pending booking as paid without completing a Stripe payment by submitting an empty payment_id parameter.

CVE-2026-3143Medium 5.3

Component : Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid (Plugin)

CWE : CWE-862

The Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘wp_ajax_cli_cancel’ function in all versions up to, and including, 1.17.1. This makes it possible for unauthenticated attackers to cancel a pending rollback, potentially preventing a WordPress installation from automatically reverting a failed update.

CVE-2026-7638Medium 5.3

Component : App Builder – Create Native Android & iOS Apps On The Flight (Plugin)

CWE : CWE-639

The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 5.6.0. This is due to missing authorization validation in the `upload_avatar()` function, which accepts an attacker-controlled `user_id` parameter from the POST request body and uses it to update user meta without verifying that the authenticated requester owns or has permission to modify the target account. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the profile avatar of any arbitrary user on the site, including administrators, by supplying a target `user_id` in the request body to the `/wp-json/app-builder/v1/upload-avatar` endpoint.

CVE-2026-6449Medium 5.3

Component : Booking for Appointments and Events Calendar – Amelia (Plugin)

CWE : CWE-285

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Improper Authorization in all versions up to, and including, 2.1.2. This is due to a logical short-circuit flaw in authorization logic that causes token validation to be entirely skipped when a booking has a ‘waiting’ status. This makes it possible for unauthenticated attackers to approve any booking that is in ‘waiting’ status by sending a crafted request to the publicly-accessible admin-ajax endpoint.

CVE-2026-4024Medium 5.3

Component : Royal Addons for Elementor – Addons and Templates Kit for Elementor (Plugin)

CWE : CWE-862

The Royal Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `wpr_update_form_action_meta` AJAX action in all versions up to, and including, 1.7.1056. The handler is registered on both `wp_ajax` and `wp_ajax_nopriv` hooks, making it accessible to unauthenticated users. Although a nonce is verified, the nonce (`wpr-addons-js`) is publicly exposed in frontend JavaScript via `WprConfig.nonce` on any page that loads Royal Addons widgets, rendering the protection ineffective. The endpoint also lacks any capability or ownership checks and directly calls `update_post_meta()` with user-controlled input on a whitelisted set of form action meta keys. This makes it possible for unauthenticated attackers to modify form action configuration metadata (email, submissions, Mailchimp, and webhook settings) on any post, potentially leading to webhook/email action tampering and data exfiltration via modified webhook URLs.

CVE-2026-4650Medium 5.3

Component : FundPress – WordPress Donation Plugin (Plugin)

CWE : CWE-862

The FundPress – WordPress Donation Plugin for WordPress is vulnerable to authorization bypass in versions up to and including 2.0.8. This is due to missing authorization and nonce verification in the donate_action_status() AJAX handler, which is registered to be accessible to unauthenticated users via wp_ajax_nopriv. The function only validates that the schema parameter equals ‘donate-ajax’ and that the required POST parameters are present, but fails to verify user capabilities, nonce tokens, or donation ownership. This makes it possible for unauthenticated attackers to modify the status of any donation by providing its ID (which are sequential integers and easily enumerable), allowing them to mark donations as completed, pending, cancelled, or any arbitrary status, potentially triggering email notifications and related side effects.

CVE-2026-3504Medium 5.3

Component : Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy (Plugin)

CWE : CWE-200

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.1 via the ‘/dokan/v1/stores/{id}/reviews’ REST API endpoint. This is due to the ‘prepare_reviews_for_response’ method including reviewer email addresses, usernames, and user IDs in the API response. This makes it possible for unauthenticated attackers to extract email addresses, usernames, and user IDs of all customers who left reviews on any vendor’s store. The Pro version of the plugin must be installed and activated, with store reviews enabled, in order to exploit the vulnerability.

CVE-2026-6447Medium 4.4

Component : Call for Price for WooCommerce (Plugin)

CWE : CWE-79

The Call for Price for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

CVE-2026-6812Medium 4.4

Component : Ona (Theme)

CWE : CWE-918

The Ona theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.26 via the ona_activate_child_theme. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

CVE-2026-3140Medium 4.3

Component : Ultimate Dashboard – Custom WordPress Dashboard (Plugin)

CWE : CWE-352

The Ultimate Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.14. This is due to a flawed nonce validation conditional in the ‘handle_module_actions’ function. This makes it possible for unauthenticated attackers to toggle plugin modules on or off via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Vulnerabilities by CWE

CWE	Count
CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	154
CWE-862 Missing Authorization	6
CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	5
CWE-918 Server-Side Request Forgery (SSRF)	3
CWE-288 Authentication Bypass Using an Alternate Path or Channel	2
CWE-269 Improper Privilege Management	2
CWE-352 Cross-Site Request Forgery (CSRF)	2
CWE-94 Improper Control of Generation of Code (‘Code Injection’)	2
CWE-639 Authorization Bypass Through User-Controlled Key	2
CWE-285 Improper Authorization	2
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor	2
CWE-434 Unrestricted Upload of File with Dangerous Type	1
CWE-502 Deserialization of Untrusted Data	1
CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	1
CWE-522 Insufficiently Protected Credentials	1
CWE-472 External Control of Assumed-Immutable Web Parameter	1
CWE-345 Insufficient Verification of Data Authenticity	1

Weekly News

40,000+ Sites Exposed: Critical 9.8 CVSS Flaw Grants Total WordPress Account Takeover

Source : SecurityOnline

A critical vulnerability (CVE-2026-7567, CVSS 9.8) in the WordPress Temporary Login plugin allows unauthenticated attackers to bypass authentication via a parameter handling flaw and gain full administrative access to over 40,000 sites.

Source : BleepingComputer

The Quick Page/Post Redirect plugin, installed on more than 70,000 WordPress sites, had a backdoor added five years ago that allows injecting arbitrary code into users’ sites. […]

WordPress Student Clubs Build Momentum

Source : WordPress

WordPress Student Clubs are beginning to take shape as a new way to carry the momentum of WordPress Campus Connect beyond one-time workshops. What starts as an introduction to WordPress and open source is now continuing on campus through student-led groups that create space for learning, peer support, and early community participation. That shift matters […]

Find more statistics on WordPress vulnerabilities at https://seckhmet.com/en/stats.php

Seckhmet – Weekly WordPress Vulnerability Report (04/27/2026 to 05/04/2026)

Vulnerability Details

Vulnerabilities by CWE

Weekly News

Leave a Reply Cancel reply