CVE Database

CVE-2026-0862

The Save as PDF Plugin by PDFCrowd plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘options’ parameter in all versions u…

6,1 Medium Gen 24, 2026

CVE-2026-0593

The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on…

5,3 Medium Gen 24, 2026

CVE-2025-6461

The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.…

4,3 Medium Gen 25, 2026

CVE-2025-13920

The WP Directory Kit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.9 via the wdk_pub…

5,3 Medium Gen 24, 2026

CVE-2026-0911

The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type…

7,5 High Gen 24, 2026

CVE-2025-13139

The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and includin…

4,3 Medium Gen 24, 2026

CVE-2025-13194

The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cr…

4,3 Medium Gen 24, 2026

CVE-2025-13205

The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cr…

4,3 Medium Gen 24, 2026

CVE-2025-14630

The AdminQuickbar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.3. This is due to missin…

4,3 Medium Gen 24, 2026

CVE-2025-14907

The Moderate Selected Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due t…

4,3 Medium Gen 24, 2026

CVE-2025-15516

The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_ca…

4,3 Medium Gen 24, 2026

CVE-2026-0633

The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in…

3,7 Low Gen 24, 2026

CVE-2026-0687

The Meta-box GalleryMeta plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mb_gallery…

4,3 Medium Gen 24, 2026

CVE-2026-0800

The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the …

7,2 High Gen 24, 2026

CVE-2026-1098

The CM CSS Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' shortcode attribute in all versions up to, and inc…

6,4 Medium Gen 24, 2026

CVE-2026-1127

The Timeline Event History plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `id` parameter in all versions up to, and inc…

6,1 Medium Gen 24, 2026

CVE-2026-1189

The LeadBI Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_id' parameter of the 'leadbi_form' sh…

6,4 Medium Gen 24, 2026

CVE-2026-1191

The JavaScript Notifier plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 1…

4,4 Medium Gen 24, 2026

CVE-2026-1208

The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This…

4,3 Medium Gen 24, 2026

CVE-2026-1266

The Postalicious plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.1 due…

4,4 Medium Gen 24, 2026

CVE-2026-1300

The Responsive Header plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple plugin settings parameters in all versions up to…

4,4 Medium Gen 24, 2026

CVE-2026-1302

The Meta-box GalleryMeta plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3…

4,4 Medium Gen 24, 2026

CVE-2025-12836

The VK Google Job Posting Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Job Description field in versions up to, …

6,4 Medium Gen 24, 2026

CVE-2025-13374

The Kalrav AI Agent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the kalrav_upload_file AJAX a…

9,8 Critical Gen 24, 2026

CVE-2025-13676

The JustClick registration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 0.1. This is du…

6,1 Medium Gen 24, 2026

CVE-2025-14609

The Wise Analytics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.9. This is due to missing ca…

5,3 Medium Gen 24, 2026

CVE-2025-14629

The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_fil…

5,3 Medium Gen 24, 2026

CVE-2025-14797

The Same Category Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget title placeholder functionality in all versi…

5,4 Medium Gen 24, 2026

CVE-2025-14843

The Wizit Gateway for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Order Cancellation in all versions up to, and inclu…

5,3 Medium Gen 24, 2026

CVE-2025-14903

The Simple Crypto Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2. This is due to…

4,3 Medium Gen 24, 2026

CVE-2025-14906

The WP Youtube Video Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due …

4,3 Medium Gen 24, 2026

CVE-2025-14941

The GZSEO plugin for WordPress is vulnerable to authorization bypass leading to Stored Cross-Site Scripting in all versions up to, and including, 2.0…

6,4 Medium Gen 24, 2026

CVE-2025-14985

The Alpha Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘alpha_block_css’ parameter in all versions up to, and inc…

6,4 Medium Gen 24, 2026

CVE-2026-0806

The WP-ClanWars plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.0.1 due to in…

4,9 Medium Gen 24, 2026

CVE-2026-0807

The Frontis Blocks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.1.6. This is due to insu…

7,2 High Gen 24, 2026

CVE-2026-1070

The Alex User Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0. This is due to miss…

4,3 Medium Gen 24, 2026

CVE-2026-1075

The ZT Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to improper …

4,3 Medium Gen 24, 2026

CVE-2026-1076

The Star Review Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to …

4,3 Medium Gen 24, 2026

CVE-2026-1081

The Set Bulk Post Categories plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due …

4,3 Medium Gen 24, 2026

CVE-2026-1084

The Cookie consent for developers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple settings fields in all versions up t…

4,4 Medium Gen 24, 2026

CVE-2026-1088

The Login Page Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to miss…

4,3 Medium Gen 24, 2026

CVE-2026-1095

The Canto Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fx' shortcode attribute in all versions up to, and …

6,4 Medium Gen 24, 2026

CVE-2026-1097

The ThemeRuby Multi Authors – Assign Multiple Writers to Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and…

6,4 Medium Gen 24, 2026

CVE-2026-1099

The Administrative Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'login' and 'logout' shortcode attributes in …

6,4 Medium Gen 24, 2026

CVE-2026-1103

The AIKTP plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the /aiktp/getToken REST API…

5,4 Medium Gen 24, 2026

CVE-2026-1257

The Administrative Shortcodes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.3.4 via the 'slug' a…

7,5 High Gen 24, 2026

CVE-2025-13952

A web page that contains unusual GPU shader code is loaded from the Internet into the GPU compiler process triggers a write use-after-free crash in t…

Gen 24, 2026

CVE-2026-24420

phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download…

6,5 Medium Gen 24, 2026

CVE-2026-24422

phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user informat…

5,3 Medium Gen 24, 2026

CVE-2026-24469

C++ HTTP Server is an HTTP/1.1 server built to handle client connections and serve HTTP requests. Versions 1.0 and below are vulnerable to Path Trave…

7,5 High Gen 24, 2026