Search criteria
8586 vulnerabilities
CVE-2026-1165 (GCVE-0-2026-1165)
Vulnerability from cvelistv5 – Published: 2026-01-31 14:22 – Updated: 2026-01-31 14:22
VLAI?
Title
Popup Box <= 6.1.1 - Cross-Site Request Forgery to Popup Status Change
Summary
The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.1. This is due to a flawed nonce implementation in the 'publish_unpublish_popupbox' function that verifies a self-created nonce rather than one submitted in the request. This makes it possible for unauthenticated attackers to change the publish status of popups via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ays-pro | Popup Box – Create Countdown, Coupon, Video, Contact Form Popups |
Affected:
* , ≤ 6.1.1
(semver)
|
Credits
Bui Van Y
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Popup Box \u2013 Create Countdown, Coupon, Video, Contact Form Popups",
"vendor": "ays-pro",
"versions": [
{
"lessThanOrEqual": "6.1.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bui Van Y"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.1. This is due to a flawed nonce implementation in the \u0027publish_unpublish_popupbox\u0027 function that verifies a self-created nonce rather than one submitted in the request. This makes it possible for unauthenticated attackers to change the publish status of popups via a forged request, granted they can trick a site administrator into performing an action such as clicking a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T14:22:29.035Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/585a9eb4-f394-4cb2-9050-659171a994d9?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ays-popup-box/tags/6.1.0/admin/partials/ays-pb-admin-display.php#L22"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ays-popup-box/tags/6.1.0/includes/lists/class-ays-pb-list-table.php#L701"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3439514@ays-popup-box/tags/6.1.1/\u0026new=3444612@ays-popup-box/tags/6.1.2/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-19T01:31:18.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-30T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Popup Box \u003c= 6.1.1 - Cross-Site Request Forgery to Popup Status Change"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1165",
"datePublished": "2026-01-31T14:22:29.035Z",
"dateReserved": "2026-01-19T01:15:36.466Z",
"dateUpdated": "2026-01-31T14:22:29.035Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14554 (GCVE-0-2025-14554)
Vulnerability from cvelistv5 – Published: 2026-01-31 13:24 – Updated: 2026-01-31 13:24
VLAI?
Title
Sell BTC - Cryptocurrency Selling Calculator <= 1.5 - Unauthenticated Stored Cross-Site Scripting via 'orderform_data' AJAX Action
Summary
The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'orderform_data' AJAX action in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in order records that will execute whenever an administrator accesses the Orders page in the admin dashboard. The vulnerability was partially patched in version 1.5.
Severity ?
7.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| hayyatapps | Sell BTC – Cryptocurrency Selling Calculator |
Affected:
* , ≤ 1.5
(semver)
|
Credits
Sarawut Poolkhet
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Sell BTC \u2013 Cryptocurrency Selling Calculator",
"vendor": "hayyatapps",
"versions": [
{
"lessThanOrEqual": "1.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sarawut Poolkhet"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027orderform_data\u0027 AJAX action in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in order records that will execute whenever an administrator accesses the Orders page in the admin dashboard. The vulnerability was partially patched in version 1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T13:24:23.967Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/720be34d-3fe4-4395-a27b-d386f8612ba9?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sell-btc-by-hayyatapps/trunk/functions-admin.php#L39"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sell-btc-by-hayyatapps/trunk/functions/form_tab.php#L12"
},
{
"url": "https://plugins.trac.wordpress.org/browser/sell-btc-by-hayyatapps/trunk/Pages/orders.php#L30"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3433480/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3450361/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-03T11:17:11.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-30T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Sell BTC - Cryptocurrency Selling Calculator \u003c= 1.5 - Unauthenticated Stored Cross-Site Scripting via \u0027orderform_data\u0027 AJAX Action"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14554",
"datePublished": "2026-01-31T13:24:23.967Z",
"dateReserved": "2025-12-12T01:37:39.254Z",
"dateUpdated": "2026-01-31T13:24:23.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1251 (GCVE-0-2026-1251)
Vulnerability from cvelistv5 – Published: 2026-01-31 06:39 – Updated: 2026-01-31 06:39
VLAI?
Title
SupportCandy – Helpdesk & Customer Support Ticket System <= 3.4.4 - Authenticated (Subscriber+) Insecure Direct Object Reference
Summary
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the 'add_reply' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to steal file attachments uploaded by other users by specifying arbitrary attachment IDs in the 'description_attachments' parameter, re-associating those files to their own tickets and removing access from the original owners.
Severity ?
5.4 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| psmplugins | SupportCandy – Helpdesk & Customer Support Ticket System |
Affected:
* , ≤ 3.4.4
(semver)
|
Credits
Theklis Stefani
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SupportCandy \u2013 Helpdesk \u0026 Customer Support Ticket System",
"vendor": "psmplugins",
"versions": [
{
"lessThanOrEqual": "3.4.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Theklis Stefani"
}
],
"descriptions": [
{
"lang": "en",
"value": "The SupportCandy \u2013 Helpdesk \u0026 Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the \u0027add_reply\u0027 function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to steal file attachments uploaded by other users by specifying arbitrary attachment IDs in the \u0027description_attachments\u0027 parameter, re-associating those files to their own tickets and removing access from the original owners."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T06:39:23.182Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/89df3005-0967-474f-8a4e-3b23273dd1a2?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/supportcandy/trunk/includes/admin/tickets/class-wpsc-individual-ticket.php#L1603"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3448376/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-20T19:19:37.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-23T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "SupportCandy \u2013 Helpdesk \u0026 Customer Support Ticket System \u003c= 3.4.4 - Authenticated (Subscriber+) Insecure Direct Object Reference"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1251",
"datePublished": "2026-01-31T06:39:23.182Z",
"dateReserved": "2026-01-20T19:04:14.485Z",
"dateUpdated": "2026-01-31T06:39:23.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0683 (GCVE-0-2026-0683)
Vulnerability from cvelistv5 – Published: 2026-01-31 05:52 – Updated: 2026-01-31 05:52
VLAI?
Title
SupportCandy – Helpdesk & Customer Support Ticket System <= 3.4.4 - Authenticated (Subscriber+) SQL Injection via Number Field Filter
Summary
The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to SQL Injection via the Number-type custom field filter in all versions up to, and including, 3.4.4. This is due to insufficient escaping on the user-supplied operand value when using the equals operator and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above (customers), to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity ?
6.5 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| psmplugins | SupportCandy – Helpdesk & Customer Support Ticket System |
Affected:
* , ≤ 3.4.4
(semver)
|
Credits
Supakiad S.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SupportCandy \u2013 Helpdesk \u0026 Customer Support Ticket System",
"vendor": "psmplugins",
"versions": [
{
"lessThanOrEqual": "3.4.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Supakiad S."
}
],
"descriptions": [
{
"lang": "en",
"value": "The SupportCandy \u2013 Helpdesk \u0026 Customer Support Ticket System plugin for WordPress is vulnerable to SQL Injection via the Number-type custom field filter in all versions up to, and including, 3.4.4. This is due to insufficient escaping on the user-supplied operand value when using the equals operator and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above (customers), to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T05:52:46.922Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a7856d0f-bc7d-436c-968c-631fd6a686ab?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/admin/tickets/class-wpsc-ticket-list.php#L1265"
},
{
"url": "https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/admin/tickets/class-wpsc-ticket-list.php#L1288"
},
{
"url": "https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/custom-field-types/class-wpsc-cf-number.php#L371"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3448376/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-07T18:46:59.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-30T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "SupportCandy \u2013 Helpdesk \u0026 Customer Support Ticket System \u003c= 3.4.4 - Authenticated (Subscriber+) SQL Injection via Number Field Filter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0683",
"datePublished": "2026-01-31T05:52:46.922Z",
"dateReserved": "2026-01-07T18:31:17.181Z",
"dateUpdated": "2026-01-31T05:52:46.922Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15525 (GCVE-0-2025-15525)
Vulnerability from cvelistv5 – Published: 2026-01-31 04:35 – Updated: 2026-01-31 04:35
VLAI?
Title
Ajax Load More – Infinite Scroll, Lazy Load & Load More <= 7.8.1 - Incorrect Authorization to Unauthenticated Private/Draft Post Title and Excerpt Exposure
Summary
The Ajax Load More – Infinite Scroll, Load More, & Lazy Load plugin for WordPress is vulnerable to unauthorized access of data due to incorrect authorization on the parse_custom_args() function in all versions up to, and including, 7.8.1. This makes it possible for unauthenticated attackers to expose the titles and excerpts of private, draft, pending, scheduled, and trashed posts.
Severity ?
5.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| dcooney | Ajax Load More – Infinite Scroll, Load More, & Lazy Load |
Affected:
* , ≤ 7.8.1
(semver)
|
Credits
Angus Girvan
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Ajax Load More \u2013 Infinite Scroll, Load More, \u0026 Lazy Load",
"vendor": "dcooney",
"versions": [
{
"lessThanOrEqual": "7.8.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Angus Girvan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Ajax Load More \u2013 Infinite Scroll, Load More, \u0026 Lazy Load plugin for WordPress is vulnerable to unauthorized access of data due to incorrect authorization on the parse_custom_args() function in all versions up to, and including, 7.8.1. This makes it possible for unauthenticated attackers to expose the titles and excerpts of private, draft, pending, scheduled, and trashed posts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T04:35:15.222Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d01f4e67-a463-4973-97b1-41a64398686a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ajax-load-more/tags/7.8.1/core/classes/class-alm-queryargs.php#L500"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-31T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-01-30T16:20:53.000+00:00",
"value": "Disclosed"
}
],
"title": "Ajax Load More \u2013 Infinite Scroll, Lazy Load \u0026 Load More \u003c= 7.8.1 - Incorrect Authorization to Unauthenticated Private/Draft Post Title and Excerpt Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-15525",
"datePublished": "2026-01-31T04:35:15.222Z",
"dateReserved": "2026-01-15T10:30:43.321Z",
"dateUpdated": "2026-01-31T04:35:15.222Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1431 (GCVE-0-2026-1431)
Vulnerability from cvelistv5 – Published: 2026-01-31 04:35 – Updated: 2026-01-31 04:35
VLAI?
Title
Booking Calendar <= 10.14.13 - Missing Authorization to Unauthenticated Booking Details Exposure
Summary
The Booking Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function in all versions up to, and including, 10.14.13. This makes it possible for unauthenticated attackers to retrieve booking information including customer names, phones and emails.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpdevelop | Booking Calendar |
Affected:
* , ≤ 10.14.13
(semver)
|
Credits
M Indra Purnama
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Booking Calendar",
"vendor": "wpdevelop",
"versions": [
{
"lessThanOrEqual": "10.14.13",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "M Indra Purnama"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Booking Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function in all versions up to, and including, 10.14.13. This makes it possible for unauthenticated attackers to retrieve booking information including customer names, phones and emails."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T04:35:14.563Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0bd92f91-d9b1-4f6f-ac1a-477950ea2e80?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/booking/tags/10.14.13/core/lib/wpbc-ajax.php#L25"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-23T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-01-26T11:15:30.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-30T16:06:31.000+00:00",
"value": "Disclosed"
}
],
"title": "Booking Calendar \u003c= 10.14.13 - Missing Authorization to Unauthenticated Booking Details Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1431",
"datePublished": "2026-01-31T04:35:14.563Z",
"dateReserved": "2026-01-26T10:49:01.641Z",
"dateUpdated": "2026-01-31T04:35:14.563Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15510 (GCVE-0-2025-15510)
Vulnerability from cvelistv5 – Published: 2026-01-31 01:23 – Updated: 2026-01-31 01:23
VLAI?
Title
NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.8 - Missing Authorization to Unauthenticated Sensitive Information Exposure
Summary
The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5_Export_Forms class constructor in all versions up to, and including, 9.1.8. This makes it possible for unauthenticated attackers to export form configurations, that may include sensitive data, such as email addresses, PayPal API credentials, and third-party integration keys by enumerating the nex_forms_Id parameter.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| webaways | NEX-Forms – Ultimate Forms Plugin for WordPress |
Affected:
* , ≤ 9.1.8
(semver)
|
Credits
Deadbee
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NEX-Forms \u2013 Ultimate Forms Plugin for WordPress",
"vendor": "webaways",
"versions": [
{
"lessThanOrEqual": "9.1.8",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Deadbee"
}
],
"descriptions": [
{
"lang": "en",
"value": "The NEX-Forms \u2013 Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5_Export_Forms class constructor in all versions up to, and including, 9.1.8. This makes it possible for unauthenticated attackers to export form configurations, that may include sensitive data, such as email addresses, PayPal API credentials, and third-party integration keys by enumerating the nex_forms_Id parameter."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-31T01:23:02.888Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ddfa5a3d-fef2-4049-915c-51c3e28153bf?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.1.7/includes/classes/class.export.php#L11"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-16T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-01-12T09:33:22.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-30T12:12:07.000+00:00",
"value": "Disclosed"
}
],
"title": "NEX-Forms \u2013 Ultimate Forms Plugin for WordPress \u003c= 9.1.8 - Missing Authorization to Unauthenticated Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-15510",
"datePublished": "2026-01-31T01:23:02.888Z",
"dateReserved": "2026-01-12T09:18:03.372Z",
"dateUpdated": "2026-01-31T01:23:02.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1060 (GCVE-0-2026-1060)
Vulnerability from cvelistv5 – Published: 2026-01-28 14:25 – Updated: 2026-01-28 14:42
VLAI?
Title
WP Adminify <= 4.0.7.7 - Unauthenticated Sensitive Information Exposure via 'get-addons-list' REST API
Summary
The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the /wp-json/adminify/v1/get-addons-list REST API endpoint. The endpoint is registered with permission_callback set to __return_true, allowing unauthenticated attackers to retrieve the complete list of available addons, their installation status, version numbers, and download URLs.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| litonice13 | WP Adminify – White Label WordPress, Admin Menu Editor, Login Customizer |
Affected:
* , ≤ 4.0.7.7
(semver)
|
Credits
yiğit ibrahim sağlam
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1060",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T14:41:44.872345Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T14:42:12.226Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Adminify \u2013 White Label WordPress, Admin Menu Editor, Login Customizer",
"vendor": "litonice13",
"versions": [
{
"lessThanOrEqual": "4.0.7.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "yi\u011fit ibrahim sa\u011flam"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the /wp-json/adminify/v1/get-addons-list REST API endpoint. The endpoint is registered with permission_callback set to __return_true, allowing unauthenticated attackers to retrieve the complete list of available addons, their installation status, version numbers, and download URLs."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T14:25:11.551Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7ecb4f95-346e-49b3-859f-44f28a72f065?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/adminify/tags/4.0.6.1/Libs/Addons.php#L54"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3442928/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-16T19:20:40.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-27T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "WP Adminify \u003c= 4.0.7.7 - Unauthenticated Sensitive Information Exposure via \u0027get-addons-list\u0027 REST API"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1060",
"datePublished": "2026-01-28T14:25:11.551Z",
"dateReserved": "2026-01-16T19:04:24.186Z",
"dateUpdated": "2026-01-28T14:42:12.226Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14795 (GCVE-0-2025-14795)
Vulnerability from cvelistv5 – Published: 2026-01-28 13:26 – Updated: 2026-01-28 14:28
VLAI?
Title
Stop Spammers Classic <= 2026.1 - Cross-Site Request Forgery via Email Allowlist
Summary
The Stop Spammers Classic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2026.1. This is due to missing nonce validation in the ss_addtoallowlist class. This makes it possible for unauthenticated attackers to add arbitrary email addresses to the spam allowlist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The vulnerability was partially patched in version 2026.1.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| webguyio | Stop Spammers Classic |
Affected:
* , ≤ 2026.1
(semver)
|
Credits
Stephanie Walters
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14795",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T14:26:16.361442Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T14:28:44.994Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Stop Spammers Classic",
"vendor": "webguyio",
"versions": [
{
"lessThanOrEqual": "2026.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Stephanie Walters"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Stop Spammers Classic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2026.1. This is due to missing nonce validation in the ss_addtoallowlist class. This makes it possible for unauthenticated attackers to add arbitrary email addresses to the spam allowlist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The vulnerability was partially patched in version 2026.1."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T13:26:14.651Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5d6f38d7-a769-422d-ae3f-565cb1cc8a73?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/stop-spammer-registrations-plugin/tags/2025.4/classes/ss_addtoallowlist.php#L21"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3436357/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3440788/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-27T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Stop Spammers Classic \u003c= 2026.1 - Cross-Site Request Forgery via Email Allowlist"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14795",
"datePublished": "2026-01-28T13:26:14.651Z",
"dateReserved": "2025-12-16T18:04:36.930Z",
"dateUpdated": "2026-01-28T14:28:44.994Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14865 (GCVE-0-2025-14865)
Vulnerability from cvelistv5 – Published: 2026-01-28 12:28 – Updated: 2026-01-28 14:56
VLAI?
Title
Passster – Password Protect Pages and Content <= 4.2.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Summary
The Passster – Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'content_protector' shortcode in all versions up to, and including, 4.2.24. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 4.2.21.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpchill | Passster – Password Protect Pages and Content |
Affected:
* , ≤ 4.2.24
(semver)
|
Credits
Muhammad Yudha - DJ
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14865",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T14:56:16.570698Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T14:56:32.212Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Passster \u2013 Password Protect Pages and Content",
"vendor": "wpchill",
"versions": [
{
"lessThanOrEqual": "4.2.24",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Passster \u2013 Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027content_protector\u0027 shortcode in all versions up to, and including, 4.2.24. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 4.2.21."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T12:28:37.446Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ea939f5-8b56-44be-bd20-b69e9ded5970?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/content-protector/tags/4.2.20/inc/class-ps-public.php#L136"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3422595/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3439532/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-18T01:44:42.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-27T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Passster \u2013 Password Protect Pages and Content \u003c= 4.2.24 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14865",
"datePublished": "2026-01-28T12:28:37.446Z",
"dateReserved": "2025-12-18T01:29:23.705Z",
"dateUpdated": "2026-01-28T14:56:32.212Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1056 (GCVE-0-2026-1056)
Vulnerability from cvelistv5 – Published: 2026-01-28 12:28 – Updated: 2026-01-28 14:58
VLAI?
Title
Snow Monkey Forms <= 12.0.3 - Unauthenticated Arbitrary File Deletion via Path Traversal
Summary
The Snow Monkey Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'generate_user_dirpath' function in all versions up to, and including, 12.0.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Severity ?
9.8 (Critical)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| inc2734 | Snow Monkey Forms |
Affected:
* , ≤ 12.0.3
(semver)
|
Credits
Sarawut Poolkhet
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1056",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T14:57:38.289845Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T14:58:00.639Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Snow Monkey Forms",
"vendor": "inc2734",
"versions": [
{
"lessThanOrEqual": "12.0.3",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sarawut Poolkhet"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Snow Monkey Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the \u0027generate_user_dirpath\u0027 function in all versions up to, and including, 12.0.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T12:28:36.867Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/37a8642d-07f5-4b1b-8419-e30589089162?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/snow-monkey-forms/tags/12.0.3/snow-monkey-forms.php#L186"
},
{
"url": "https://plugins.trac.wordpress.org/browser/snow-monkey-forms/tags/12.0.3/App/Model/Directory.php#L58"
},
{
"url": "https://plugins.trac.wordpress.org/browser/snow-monkey-forms/tags/12.0.3/App/Rest/Route/View.php#L189"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3448278/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-16T17:43:16.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-27T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Snow Monkey Forms \u003c= 12.0.3 - Unauthenticated Arbitrary File Deletion via Path Traversal"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1056",
"datePublished": "2026-01-28T12:28:36.867Z",
"dateReserved": "2026-01-16T17:27:23.666Z",
"dateUpdated": "2026-01-28T14:58:00.639Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1398 (GCVE-0-2026-1398)
Vulnerability from cvelistv5 – Published: 2026-01-28 11:23 – Updated: 2026-01-28 15:50
VLAI?
Title
Change WP URL <= 1.0 - Cross-Site Request Forgery to Settings Update
Summary
The Change WP URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'change-wp-url' page. This makes it possible for unauthenticated attackers to change the WP Login URL via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| chrisnowak | Change WP URL |
Affected:
* , ≤ 1.0
(semver)
|
Credits
Muhammad Nur Ibnu Hubab
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1398",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T15:50:24.575988Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T15:50:37.635Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Change WP URL",
"vendor": "chrisnowak",
"versions": [
{
"lessThanOrEqual": "1.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Nur Ibnu Hubab"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Change WP URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the \u0027change-wp-url\u0027 page. This makes it possible for unauthenticated attackers to change the WP Login URL via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T11:23:42.461Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f5dead05-5960-4ccb-89c2-c8bb0cd9c9e9?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/change-wp-url/trunk/change-wp-url.php#L18"
},
{
"url": "https://plugins.trac.wordpress.org/browser/change-wp-url/tags/1.0/change-wp-url.php#L18"
},
{
"url": "https://plugins.trac.wordpress.org/browser/change-wp-url/trunk/change-wp-url.php#L85"
},
{
"url": "https://plugins.trac.wordpress.org/browser/change-wp-url/tags/1.0/change-wp-url.php#L85"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-27T21:48:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Change WP URL \u003c= 1.0 - Cross-Site Request Forgery to Settings Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1398",
"datePublished": "2026-01-28T11:23:42.461Z",
"dateReserved": "2026-01-23T21:32:03.372Z",
"dateUpdated": "2026-01-28T15:50:37.635Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1399 (GCVE-0-2026-1399)
Vulnerability from cvelistv5 – Published: 2026-01-28 11:23 – Updated: 2026-01-28 15:51
VLAI?
Title
WP Google Ad Manager Plugin <= 1.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Admin Settings
Summary
The WP Google Ad Manager Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity ?
4.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| miles99 | WP Google Ad Manager Plugin |
Affected:
* , ≤ 1.1.0
(semver)
|
Credits
Abdualrhman Muzamil
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1399",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T15:51:38.396016Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T15:51:55.729Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Google Ad Manager Plugin",
"vendor": "miles99",
"versions": [
{
"lessThanOrEqual": "1.1.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abdualrhman Muzamil"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Google Ad Manager Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T11:23:42.082Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f3185d82-a785-4165-8469-abc0be38f852?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-google-ad-manager-plugin/trunk/WP-Google-Ad-Manager.php#L194"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-google-ad-manager-plugin/tags/1.1.0/WP-Google-Ad-Manager.php#L194"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-27T21:47:39.000+00:00",
"value": "Disclosed"
}
],
"title": "WP Google Ad Manager Plugin \u003c= 1.1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Admin Settings"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1399",
"datePublished": "2026-01-28T11:23:42.082Z",
"dateReserved": "2026-01-23T21:34:55.715Z",
"dateUpdated": "2026-01-28T15:51:55.729Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1280 (GCVE-0-2026-1280)
Vulnerability from cvelistv5 – Published: 2026-01-28 11:23 – Updated: 2026-01-28 15:56
VLAI?
Title
Frontend File Manager Plugin <= 23.5 - Missing Authorization to Unauthenticated Arbitrary File Sharing via 'file_id' Parameter
Summary
The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the 'wpfm_send_file_in_email' AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only.
Severity ?
7.5 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nmedia | Frontend File Manager Plugin |
Affected:
* , ≤ 23.5
(semver)
|
Credits
Md. Moniruzzaman Prodhan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1280",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T15:55:41.777784Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T15:56:06.302Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Frontend File Manager Plugin",
"vendor": "nmedia",
"versions": [
{
"lessThanOrEqual": "23.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Md. Moniruzzaman Prodhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the \u0027wpfm_send_file_in_email\u0027 AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T11:23:41.307Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e739e7d3-756a-4c93-9ca7-f7b9f9657033?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/trunk/inc/callback-functions.php#L98"
},
{
"url": "https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.5/inc/callback-functions.php#L98"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-27T21:50:20.000+00:00",
"value": "Disclosed"
}
],
"title": "Frontend File Manager Plugin \u003c= 23.5 - Missing Authorization to Unauthenticated Arbitrary File Sharing via \u0027file_id\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1280",
"datePublished": "2026-01-28T11:23:41.307Z",
"dateReserved": "2026-01-20T22:17:51.761Z",
"dateUpdated": "2026-01-28T15:56:06.302Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14616 (GCVE-0-2025-14616)
Vulnerability from cvelistv5 – Published: 2026-01-28 11:23 – Updated: 2026-01-28 15:55
VLAI?
Title
Recooty <= 1.0.6 - Cross-Site Request Forgery to Settings Update
Summary
The Recooty – Job Widget (Old Dashboard) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recooty_save_maybe() function. This makes it possible for unauthenticated attackers to update the recooty_key option and inject malicious content into iframe src attributes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| recooty | Recooty – Job Widget (Old Dashboard) |
Affected:
1.0.1 , ≤ 1.0.6
(semver)
|
Credits
omer yeshayahu
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14616",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T15:54:56.585581Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T15:55:14.348Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Recooty \u2013 Job Widget (Old Dashboard)",
"vendor": "recooty",
"versions": [
{
"lessThanOrEqual": "1.0.6",
"status": "affected",
"version": "1.0.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "omer yeshayahu"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Recooty \u2013 Job Widget (Old Dashboard) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recooty_save_maybe() function. This makes it possible for unauthenticated attackers to update the recooty_key option and inject malicious content into iframe src attributes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T11:23:41.712Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eb14f084-6f36-4702-8a28-b62811739407?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/recooty/trunk/admin/init.php#L72"
},
{
"url": "https://plugins.trac.wordpress.org/browser/recooty/tags/1.0.4/admin/init.php#L72"
},
{
"url": "https://plugins.trac.wordpress.org/browser/recooty/trunk/init.php#L41"
},
{
"url": "https://plugins.trac.wordpress.org/browser/recooty/tags/1.0.4/init.php#L41"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-27T21:48:45.000+00:00",
"value": "Disclosed"
}
],
"title": "Recooty \u003c= 1.0.6 - Cross-Site Request Forgery to Settings Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14616",
"datePublished": "2026-01-28T11:23:41.712Z",
"dateReserved": "2025-12-12T20:49:05.255Z",
"dateUpdated": "2026-01-28T15:55:14.348Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14063 (GCVE-0-2025-14063)
Vulnerability from cvelistv5 – Published: 2026-01-28 11:23 – Updated: 2026-01-28 14:32
VLAI?
Title
SEO Links Interlinking <= 1.7.5 - Reflected Cross-Site Scripting via 'google_error' Parameter
Summary
The SEO Links Interlinking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'google_error' parameter in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| seomantis | SEO Links Interlinking |
Affected:
* , ≤ 1.7.5
(semver)
|
Credits
JohSka
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14063",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T14:32:29.617203Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T14:32:42.715Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SEO Links Interlinking",
"vendor": "seomantis",
"versions": [
{
"lessThanOrEqual": "1.7.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "JohSka"
}
],
"descriptions": [
{
"lang": "en",
"value": "The SEO Links Interlinking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u0027google_error\u0027 parameter in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T11:23:40.286Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d71143d6-d477-4a63-8f99-f4cc8a590536?source=cve"
},
{
"url": "https://wordpress.org/plugins/seo-links-interlinking/"
},
{
"url": "https://plugins.trac.wordpress.org/browser/seo-links-interlinking/trunk/scdata.php#L504"
},
{
"url": "https://plugins.trac.wordpress.org/browser/seo-links-interlinking/tags/1.7.5/scdata.php#L504"
},
{
"url": "https://plugins.trac.wordpress.org/browser/seo-links-interlinking/trunk/scdata.php#L512"
},
{
"url": "https://plugins.trac.wordpress.org/browser/seo-links-interlinking/tags/1.7.5/scdata.php#L512"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-27T21:46:45.000+00:00",
"value": "Disclosed"
}
],
"title": "SEO Links Interlinking \u003c= 1.7.5 - Reflected Cross-Site Scripting via \u0027google_error\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14063",
"datePublished": "2026-01-28T11:23:40.286Z",
"dateReserved": "2025-12-04T20:09:41.808Z",
"dateUpdated": "2026-01-28T14:32:42.715Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14283 (GCVE-0-2025-14283)
Vulnerability from cvelistv5 – Published: 2026-01-28 11:23 – Updated: 2026-01-28 14:31
VLAI?
Title
BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library <= 2.2.14 - Authenticated (Contributor+) Stored Cross-Site Scripting
Summary
The BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the BlockArt Counter in all versions up to, and including, 2.2.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpblockart | BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library |
Affected:
* , ≤ 2.2.14
(semver)
|
Credits
Craig Smith
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14283",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T14:31:01.261793Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T14:31:14.092Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "BlockArt Blocks \u2013 Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections \u0026 Template Library",
"vendor": "wpblockart",
"versions": [
{
"lessThanOrEqual": "2.2.14",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Craig Smith"
}
],
"descriptions": [
{
"lang": "en",
"value": "The BlockArt Blocks \u2013 Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections \u0026 Template Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the BlockArt Counter in all versions up to, and including, 2.2.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T11:23:40.744Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d9526a8b-fefe-4ca6-871f-1ead3f498679?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/blockart-blocks/trunk/dist/counter.js"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-27T21:31:36.000+00:00",
"value": "Disclosed"
}
],
"title": "BlockArt Blocks \u2013 Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections \u0026 Template Library \u003c= 2.2.14 - Authenticated (Contributor+) Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14283",
"datePublished": "2026-01-28T11:23:40.744Z",
"dateReserved": "2025-12-08T18:30:39.600Z",
"dateUpdated": "2026-01-28T14:31:14.092Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0844 (GCVE-0-2026-0844)
Vulnerability from cvelistv5 – Published: 2026-01-28 11:23 – Updated: 2026-01-28 14:33
VLAI?
Title
Simple User Registration <= 6.7 - Authenticated (Subscriber+) Privilege Escalation via profile_save_field
Summary
The Simple User Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 6.7 due to insufficient restriction on the 'profile_save_field' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the 'wp_capabilities' parameter during a profile update.
Severity ?
8.8 (High)
CWE
- CWE-284 - Improper Access Control
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nmedia | Simple User Registration |
Affected:
* , ≤ 6.7
(semver)
|
Credits
JohSka
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0844",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T14:33:25.446860Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T14:33:44.325Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Simple User Registration",
"vendor": "nmedia",
"versions": [
{
"lessThanOrEqual": "6.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "JohSka"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Simple User Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 6.7 due to insufficient restriction on the \u0027profile_save_field\u0027 function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the \u0027wp_capabilities\u0027 parameter during a profile update."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T11:23:39.860Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bb0e77e1-7e9f-4f7e-8953-c86ab0e5ae7a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-registration/tags/6.7/inc/classes/class.profile.php#L401"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-registration/tags/6.7/inc/classes/class.user.php#L305"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-27T21:50:50.000+00:00",
"value": "Disclosed"
}
],
"title": "Simple User Registration \u003c= 6.7 - Authenticated (Subscriber+) Privilege Escalation via profile_save_field"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0844",
"datePublished": "2026-01-28T11:23:39.860Z",
"dateReserved": "2026-01-10T14:13:05.549Z",
"dateUpdated": "2026-01-28T14:33:44.325Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1380 (GCVE-0-2026-1380)
Vulnerability from cvelistv5 – Published: 2026-01-28 11:23 – Updated: 2026-01-28 14:34
VLAI?
Title
Bitcoin Donate Button <= 1.0 - Cross-Site Request Forgery to Settings Update
Summary
The Bitcoin Donate Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to modify the plugin's settings, including donation addresses and display configurations, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| lxicon | Bitcoin Donate Button |
Affected:
* , ≤ 1.0
(semver)
|
Credits
Muhammad Nur Ibnu Hubab
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1380",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T14:34:39.824540Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T14:34:56.900Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Bitcoin Donate Button",
"vendor": "lxicon",
"versions": [
{
"lessThanOrEqual": "1.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Nur Ibnu Hubab"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Bitcoin Donate Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to modify the plugin\u0027s settings, including donation addresses and display configurations, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T11:23:39.083Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3c973dd9-cfa3-4f06-a25a-c2786e3dca4d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/bitcoin-donate-button/trunk/btcbutton.php#L1"
},
{
"url": "https://plugins.trac.wordpress.org/browser/bitcoin-donate-button/tags/1.0/btcbutton.php#L1"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-27T21:49:55.000+00:00",
"value": "Disclosed"
}
],
"title": "Bitcoin Donate Button \u003c= 1.0 - Cross-Site Request Forgery to Settings Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1380",
"datePublished": "2026-01-28T11:23:39.083Z",
"dateReserved": "2026-01-23T18:34:44.736Z",
"dateUpdated": "2026-01-28T14:34:56.900Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14386 (GCVE-0-2025-14386)
Vulnerability from cvelistv5 – Published: 2026-01-28 11:23 – Updated: 2026-01-28 14:34
VLAI?
Title
Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization 2.4.4 - 2.5.12 - Missing Authorization to Authenticated (Subscriber+) Authentication Bypass via Account Takeover
Summary
The Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the 'generate_sso_url' and 'validate_sso_token' functions in versions 2.4.4 to 2.5.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the 'nonce_token' authentication value to log in to the first Administrator's account.
Severity ?
8.8 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| shahrukhlinkgraph | Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization |
Affected:
2.4.4 , ≤ 2.5.12
(semver)
|
Credits
Kenneth Dunn
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14386",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T14:34:08.782457Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T14:34:19.372Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Search Atlas SEO \u2013 Premier SEO Plugin for One-Click WP Publishing \u0026 Integrated AI Optimization",
"vendor": "shahrukhlinkgraph",
"versions": [
{
"lessThanOrEqual": "2.5.12",
"status": "affected",
"version": "2.4.4",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kenneth Dunn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Search Atlas SEO \u2013 Premier SEO Plugin for One-Click WP Publishing \u0026 Integrated AI Optimization plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the \u0027generate_sso_url\u0027 and \u0027validate_sso_token\u0027 functions in versions 2.4.4 to 2.5.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the \u0027nonce_token\u0027 authentication value to log in to the first Administrator\u0027s account."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T11:23:39.459Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6f63d2c4-cbae-4177-8494-daca96449ecc?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/metasync/tags/2.5.12/admin/class-metasync-admin.php#L1042"
},
{
"url": "https://plugins.trac.wordpress.org/browser/metasync/tags/2.5.12/admin/class-metasync-admin.php#L851"
},
{
"url": "https://plugins.trac.wordpress.org/browser/metasync/tags/2.5.12/admin/class-metasync-admin.php#L1141"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-27T21:31:02.000+00:00",
"value": "Disclosed"
}
],
"title": "Search Atlas SEO \u2013 Premier SEO Plugin for One-Click WP Publishing \u0026 Integrated AI Optimization 2.4.4 - 2.5.12 - Missing Authorization to Authenticated (Subscriber+) Authentication Bypass via Account Takeover"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14386",
"datePublished": "2026-01-28T11:23:39.459Z",
"dateReserved": "2025-12-09T20:09:33.493Z",
"dateUpdated": "2026-01-28T14:34:19.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1391 (GCVE-0-2026-1391)
Vulnerability from cvelistv5 – Published: 2026-01-28 11:23 – Updated: 2026-01-28 14:37
VLAI?
Title
Vzaar Media Management <= 1.2 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
Summary
The Vzaar Media Management plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on the $_SERVER['PHP_SELF'] variable. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity ?
5.3 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| mamunreza | Vzaar Media Management |
Affected:
* , ≤ 1.2
(semver)
|
Credits
Abdulsamad Yusuf
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1391",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T14:37:18.528247Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T14:37:57.013Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Vzaar Media Management",
"vendor": "mamunreza",
"versions": [
{
"lessThanOrEqual": "1.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abdulsamad Yusuf"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Vzaar Media Management plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on the $_SERVER[\u0027PHP_SELF\u0027] variable. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T11:23:38.696Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/398a75b1-6470-44b3-aaea-d5e8b10db115?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/vzaar-media-management/trunk/admin/vzaar-media-upload.php#L103"
},
{
"url": "https://plugins.trac.wordpress.org/browser/vzaar-media-management/tags/1.2/admin/vzaar-media-upload.php#L103"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-27T21:49:36.000+00:00",
"value": "Disclosed"
}
],
"title": "Vzaar Media Management \u003c= 1.2 - Reflected Cross-Site Scripting via $_SERVER[\u0027PHP_SELF\u0027]"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1391",
"datePublished": "2026-01-28T11:23:38.696Z",
"dateReserved": "2026-01-23T20:54:04.542Z",
"dateUpdated": "2026-01-28T14:37:57.013Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15511 (GCVE-0-2025-15511)
Vulnerability from cvelistv5 – Published: 2026-01-28 11:23 – Updated: 2026-01-28 15:56
VLAI?
Title
Rupantorpay <= 2.0.0 - Missing Authorization to Unauthenticated Order Status Modification
Summary
The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to modify WooCommerce order statuses by sending crafted requests to the WooCommerce API endpoint.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| rupantorpay | Rupantorpay |
Affected:
* , ≤ 2.0.0
(semver)
|
Credits
Md. Moniruzzaman Prodhan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-15511",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T15:56:32.037029Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T15:56:42.370Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Rupantorpay",
"vendor": "rupantorpay",
"versions": [
{
"lessThanOrEqual": "2.0.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Md. Moniruzzaman Prodhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to modify WooCommerce order statuses by sending crafted requests to the WooCommerce API endpoint."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T11:23:38.266Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1b21bdfd-42ec-43fe-b581-04276b86c50b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/rupantorpay/tags/2.0.0/includes/class-wc-rupantorpay-gateway.php#L172"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-16T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-01-27T21:47:14.000+00:00",
"value": "Disclosed"
}
],
"title": "Rupantorpay \u003c= 2.0.0 - Missing Authorization to Unauthenticated Order Status Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-15511",
"datePublished": "2026-01-28T11:23:38.266Z",
"dateReserved": "2026-01-12T09:39:53.146Z",
"dateUpdated": "2026-01-28T15:56:42.370Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1377 (GCVE-0-2026-1377)
Vulnerability from cvelistv5 – Published: 2026-01-28 11:23 – Updated: 2026-01-28 14:38
VLAI?
Title
imwptip <= 1.1 - Cross-Site Request Forgery to Settings Update
Summary
The imwptip plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Credits
Muhammad Afnaan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1377",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T14:38:18.747259Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T14:38:35.221Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "imwptip",
"vendor": "hu_chao",
"versions": [
{
"lessThanOrEqual": "1.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Afnaan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The imwptip plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin\u0027s settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T11:23:37.683Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0fe987f0-6887-4ad1-a748-eb987bb574fa?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/imwptip/trunk/classes/imwptipadmin.php#L11"
},
{
"url": "https://plugins.trac.wordpress.org/browser/imwptip/tags/1.1/classes/imwptipadmin.php#L11"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-27T21:49:03.000+00:00",
"value": "Disclosed"
}
],
"title": "imwptip \u003c= 1.1 - Cross-Site Request Forgery to Settings Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1377",
"datePublished": "2026-01-28T11:23:37.683Z",
"dateReserved": "2026-01-23T18:27:44.043Z",
"dateUpdated": "2026-01-28T14:38:35.221Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1400 (GCVE-0-2026-1400)
Vulnerability from cvelistv5 – Published: 2026-01-28 08:26 – Updated: 2026-01-28 16:06
VLAI?
Title
AI Engine <= 3.3.2 - Authenticated (Editor+) Arbitrary File Upload via 'filename' Parameter in update_media_metadata Endpoint
Summary
The AI Engine – The Chatbot and AI Framework for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the `rest_helpers_update_media_metadata` function in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The attacker can upload a benign image file, then use the `update_media_metadata` endpoint to rename it to a PHP file, creating an executable PHP file in the uploads directory.
Severity ?
7.2 (High)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| tigroumeow | AI Engine – The Chatbot and AI Framework for WordPress |
Affected:
* , ≤ 3.3.2
(semver)
|
Credits
M Indra Purnama
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1400",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T16:06:48.366374Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T16:06:59.438Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "AI Engine \u2013 The Chatbot and AI Framework for WordPress",
"vendor": "tigroumeow",
"versions": [
{
"lessThanOrEqual": "3.3.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "M Indra Purnama"
}
],
"descriptions": [
{
"lang": "en",
"value": "The AI Engine \u2013 The Chatbot and AI Framework for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the `rest_helpers_update_media_metadata` function in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site\u0027s server which may make remote code execution possible. The attacker can upload a benign image file, then use the `update_media_metadata` endpoint to rename it to a PHP file, creating an executable PHP file in the uploads directory."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T08:26:56.110Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d5227269-4406-4fcf-af37-f1db0af857d6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ai-engine/tags/3.3.0/classes/rest.php#L1104"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ai-engine/tags/3.3.0/classes/rest.php#L1141"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3447500/ai-engine/trunk/classes/rest.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-23T21:59:21.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-27T19:28:10.000+00:00",
"value": "Disclosed"
}
],
"title": "AI Engine \u003c= 3.3.2 - Authenticated (Editor+) Arbitrary File Upload via \u0027filename\u0027 Parameter in update_media_metadata Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1400",
"datePublished": "2026-01-28T08:26:56.110Z",
"dateReserved": "2026-01-23T21:44:13.311Z",
"dateUpdated": "2026-01-28T16:06:59.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1053 (GCVE-0-2026-1053)
Vulnerability from cvelistv5 – Published: 2026-01-28 08:26 – Updated: 2026-01-28 16:09
VLAI?
Title
Ivory Search <= 5.5.13 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu_gcse' and 'nothing_found_text' Parameters
Summary
The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.5.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity ?
4.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| vinod-dalvi | Ivory Search – WordPress Search Plugin |
Affected:
* , ≤ 5.5.13
(semver)
|
Credits
JongHwan Shin
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1053",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T16:09:02.843440Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T16:09:19.903Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Ivory Search \u2013 WordPress Search Plugin",
"vendor": "vinod-dalvi",
"versions": [
{
"lessThanOrEqual": "5.5.13",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "JongHwan Shin"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Ivory Search \u2013 WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.5.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T08:26:55.731Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cdc5ef6a-32d8-4c4b-b459-d9b543b56898?source=cve"
},
{
"url": "https://plugins.svn.wordpress.org/add-search-to-menu/tags/5.5.13/public/class-is-public.php"
},
{
"url": "https://plugins.trac.wordpress.org/browser/add-search-to-menu/tags/5.5.13/public/class-is-public.php#L204"
},
{
"url": "https://plugins.trac.wordpress.org/browser/add-search-to-menu/tags/5.5.13/public/class-is-public.php#L249"
},
{
"url": "https://plugins.trac.wordpress.org/browser/add-search-to-menu/tags/5.5.13/public/partials/is-ajax-results.php#L148"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3444659%40add-search-to-menu\u0026new=3444659%40add-search-to-menu\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-19T11:25:07.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-27T19:35:51.000+00:00",
"value": "Disclosed"
}
],
"title": "Ivory Search \u003c= 5.5.13 - Authenticated (Administrator+) Stored Cross-Site Scripting via \u0027menu_gcse\u0027 and \u0027nothing_found_text\u0027 Parameters"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1053",
"datePublished": "2026-01-28T08:26:55.731Z",
"dateReserved": "2026-01-16T16:57:13.383Z",
"dateUpdated": "2026-01-28T16:09:19.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0702 (GCVE-0-2026-0702)
Vulnerability from cvelistv5 – Published: 2026-01-28 08:26 – Updated: 2026-01-28 16:10
VLAI?
Title
VidShop – Shoppable Videos for WooCommerce <= 1.1.4 - Unauthenticated Time-Based SQL Injection via 'fields'
Summary
The VidShop – Shoppable Videos for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the 'fields' parameter in all versions up to, and including, 1.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity ?
7.5 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpcreatix | VidShop – Shoppable Videos for WooCommerce |
Affected:
* , ≤ 1.1.4
(semver)
|
Credits
Athiwat Tiprasaharn
Itthidej Aramsri
Peerapat Samatathanyakorn
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0702",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T16:09:48.004488Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T16:10:33.513Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "VidShop \u2013 Shoppable Videos for WooCommerce",
"vendor": "wpcreatix",
"versions": [
{
"lessThanOrEqual": "1.1.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
},
{
"lang": "en",
"type": "finder",
"value": "Itthidej Aramsri"
},
{
"lang": "en",
"type": "finder",
"value": "Peerapat Samatathanyakorn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The VidShop \u2013 Shoppable Videos for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the \u0027fields\u0027 parameter in all versions up to, and including, 1.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T08:26:55.318Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a61d8d2a-742f-45f1-9146-f733b80ef195?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/vidshop-for-woocommerce/trunk/includes/rest-api/v1/class-videos-controller.php#L224"
},
{
"url": "https://plugins.trac.wordpress.org/browser/vidshop-for-woocommerce/trunk/includes/rest-api/v1/class-videos-controller.php#L297"
},
{
"url": "https://plugins.trac.wordpress.org/browser/vidshop-for-woocommerce/trunk/includes/utils/class-query-builder.php#L778"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3441106/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T17:27:55.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-27T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "VidShop \u2013 Shoppable Videos for WooCommerce \u003c= 1.1.4 - Unauthenticated Time-Based SQL Injection via \u0027fields\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0702",
"datePublished": "2026-01-28T08:26:55.318Z",
"dateReserved": "2026-01-07T23:31:05.534Z",
"dateUpdated": "2026-01-28T16:10:33.513Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1381 (GCVE-0-2026-1381)
Vulnerability from cvelistv5 – Published: 2026-01-28 08:26 – Updated: 2026-01-28 15:57
VLAI?
Title
Order Minimum/Maximum Amount Limits for WooCommerce <= 4.6.8 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via Hide Add to Cart Content Fields
Summary
The Order Minimum/Maximum Amount Limits for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity ?
4.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpcodefactory | Order Minimum/Maximum Amount Limits for WooCommerce |
Affected:
* , ≤ 4.6.8
(semver)
|
Credits
Daniel Basta
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1381",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T15:57:17.259472Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T15:57:25.795Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Order Minimum/Maximum Amount Limits for WooCommerce",
"vendor": "wpcodefactory",
"versions": [
{
"lessThanOrEqual": "4.6.8",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Daniel Basta"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Order Minimum/Maximum Amount Limits for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T08:26:54.692Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3f54f117-0dde-49f9-8014-7650bc1a00ac?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/order-minimum-amount-for-woocommerce/trunk/includes/settings/class-alg-wc-oma-settings-general.php"
},
{
"url": "https://plugins.trac.wordpress.org/browser/order-minimum-amount-for-woocommerce/trunk/includes/class-alg-wc-oma-core.php#L86"
},
{
"url": "https://plugins.trac.wordpress.org/browser/order-minimum-amount-for-woocommerce/tags/4.6.8/includes/class-alg-wc-oma-core.php#L86"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3447432%40order-minimum-amount-for-woocommerce\u0026new=3447432%40order-minimum-amount-for-woocommerce\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-23T19:00:34.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-27T19:38:12.000+00:00",
"value": "Disclosed"
}
],
"title": "Order Minimum/Maximum Amount Limits for WooCommerce \u003c= 4.6.8 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via Hide Add to Cart Content Fields"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1381",
"datePublished": "2026-01-28T08:26:54.692Z",
"dateReserved": "2026-01-23T18:45:26.540Z",
"dateUpdated": "2026-01-28T15:57:25.795Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1054 (GCVE-0-2026-1054)
Vulnerability from cvelistv5 – Published: 2026-01-28 07:27 – Updated: 2026-01-28 14:43
VLAI?
Title
RegistrationMagic <= 6.0.7.4 - Missing Authorization to Unauthenticated Arbitrary Settings Modification
Summary
The RegistrationMagic plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 6.0.7.4. This is due to missing nonce verification and capability checks on the rm_set_otp AJAX action handler. This makes it possible for unauthenticated attackers to modify arbitrary plugin settings, including reCAPTCHA keys, security settings, and frontend menu titles.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| metagauss | RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login |
Affected:
* , ≤ 6.0.7.4
(semver)
|
Credits
Md. Moniruzzaman Prodhan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1054",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T14:43:07.271146Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T14:43:48.192Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "RegistrationMagic \u2013 Custom Registration Forms, User Registration, Payment, and User Login",
"vendor": "metagauss",
"versions": [
{
"lessThanOrEqual": "6.0.7.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Md. Moniruzzaman Prodhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The RegistrationMagic plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 6.0.7.4. This is due to missing nonce verification and capability checks on the rm_set_otp AJAX action handler. This makes it possible for unauthenticated attackers to modify arbitrary plugin settings, including reCAPTCHA keys, security settings, and frontend menu titles."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T07:27:35.396Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/daf4d246-85f3-48b3-985f-982fea4772f1?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.6.9/admin/controllers/class_rm_options_controller.php#L209"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3444777/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-23T06:45:14.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-27T19:10:54.000+00:00",
"value": "Disclosed"
}
],
"title": "RegistrationMagic \u003c= 6.0.7.4 - Missing Authorization to Unauthenticated Arbitrary Settings Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1054",
"datePublished": "2026-01-28T07:27:35.396Z",
"dateReserved": "2026-01-16T17:03:05.877Z",
"dateUpdated": "2026-01-28T14:43:48.192Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1389 (GCVE-0-2026-1389)
Vulnerability from cvelistv5 – Published: 2026-01-28 07:27 – Updated: 2026-01-28 14:45
VLAI?
Title
Document Embedder <= 2.0.4 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Document Library Entry Deletion
Summary
The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the 'bplde_save_document_library', 'bplde_get_single', and 'bplde_delete_document_library' AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the 'id' parameter.
Severity ?
5.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bplugins | Document Embedder – Embed PDFs, Word, Excel, and Other Files |
Affected:
* , ≤ 2.0.4
(semver)
|
Credits
Itthidej Aramsri
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1389",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T14:45:32.505700Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T14:45:49.405Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Document Embedder \u2013 Embed PDFs, Word, Excel, and Other Files",
"vendor": "bplugins",
"versions": [
{
"lessThanOrEqual": "2.0.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Itthidej Aramsri"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Document Embedder \u2013 Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the \u0027bplde_save_document_library\u0027, \u0027bplde_get_single\u0027, and \u0027bplde_delete_document_library\u0027 AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the \u0027id\u0027 parameter."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T07:27:34.729Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/59d14f6c-6286-454c-8629-96a0c2de943c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L66"
},
{
"url": "https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L103"
},
{
"url": "https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L159"
},
{
"url": "https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.5/includes/DocumentLibrary/Init-DocumentLibrary.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-23T21:07:02.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-27T19:18:50.000+00:00",
"value": "Disclosed"
}
],
"title": "Document Embedder \u003c= 2.0.4 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Document Library Entry Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1389",
"datePublished": "2026-01-28T07:27:34.729Z",
"dateReserved": "2026-01-23T20:51:53.837Z",
"dateUpdated": "2026-01-28T14:45:49.405Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0832 (GCVE-0-2026-0832)
Vulnerability from cvelistv5 – Published: 2026-01-28 06:43 – Updated: 2026-01-28 14:48
VLAI?
Title
New User Approve <= 3.2.2 - Missing Authorization to Unauthenticated Arbitrary User Approval, Denial, and Information Disclosure
Summary
The New User Approve plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to approve or deny user accounts, retrieve sensitive user information including emails and roles, and force logout of privileged users.
Severity ?
7.3 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| saadiqbal | New User Approve |
Affected:
* , ≤ 3.2.2
(semver)
|
Credits
Deadbee
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0832",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T14:47:32.158492Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T14:48:01.546Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "New User Approve",
"vendor": "saadiqbal",
"versions": [
{
"lessThanOrEqual": "3.2.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Deadbee"
}
],
"descriptions": [
{
"lang": "en",
"value": "The New User Approve plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to approve or deny user accounts, retrieve sensitive user information including emails and roles, and force logout of privileged users."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T06:43:45.651Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f86a69ab-2fc5-4c84-872b-929dbec429cd?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/new-user-approve/trunk/includes/end-points/mobile-api.php#L60"
},
{
"url": "https://plugins.trac.wordpress.org/browser/new-user-approve/tags/3.2.1/includes/end-points/mobile-api.php#L60"
},
{
"url": "https://plugins.trac.wordpress.org/browser/new-user-approve/trunk/includes/end-points/mobile-api.php#L24"
},
{
"url": "https://plugins.trac.wordpress.org/browser/new-user-approve/tags/3.2.1/includes/end-points/mobile-api.php#L24"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3425140%40new-user-approve\u0026new=3425140%40new-user-approve\u0026sfp_email=\u0026sfph_mail="
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3442291%40new-user-approve\u0026new=3442291%40new-user-approve\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-09T21:37:04.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-27T17:49:02.000+00:00",
"value": "Disclosed"
}
],
"title": "New User Approve \u003c= 3.2.2 - Missing Authorization to Unauthenticated Arbitrary User Approval, Denial, and Information Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0832",
"datePublished": "2026-01-28T06:43:45.651Z",
"dateReserved": "2026-01-09T21:21:53.121Z",
"dateUpdated": "2026-01-28T14:48:01.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}