10044 vulnerabilities
CVE-2026-5513 (GCVE-0-2026-5513)
Vulnerability from cvelistv5 – Published: 2026-06-13 11:25 – Updated: 2026-06-13 11:25
Title
Online Scheduling and Appointment Booking System – Bookly <= 27.2 - Unauthenticated Stored Cross-Site Scripting via 'bookly-customer-full-name' Cookie
Summary
The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bookly-customer-full-name' cookie in versions up to, and including, 27.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the 'Remember personal information in cookies' setting to be enabled (disabled by default).
Severity
7.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| ladela | Online Scheduling and Appointment Booking System – Bookly | Affected: 0 , ≤ 27.2 (semver) |
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Online Scheduling and Appointment Booking System \u2013 Bookly",
"vendor": "ladela",
"versions": [
{
"lessThanOrEqual": "27.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Naoya Takahashi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Online Scheduling and Appointment Booking System \u2013 Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027bookly-customer-full-name\u0027 cookie in versions up to, and including, 27.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires \u0027Remember personal information in cookies\u0027 setting to be enabled (disabled by default)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T11:25:24.786Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b8ab6dfa-3764-470f-aa49-1964f42d93de?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3504922/bookly-responsive-appointment-booking-tool"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-03T19:56:57.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-12T22:03:33.000Z",
"value": "Disclosed"
}
],
"title": "Online Scheduling and Appointment Booking System \u2013 Bookly \u003c= 27.2 - Unauthenticated Stored Cross-Site Scripting via \u0027bookly-customer-full-name\u0027 Cookie"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-5513",
"datePublished": "2026-06-13T11:25:24.786Z",
"dateReserved": "2026-04-03T19:39:40.223Z",
"dateUpdated": "2026-06-13T11:25:24.786Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1291 (GCVE-0-2026-1291)
Vulnerability from cvelistv5 – Published: 2026-06-13 08:29 – Updated: 2026-06-13 08:29
Title
Meow Gallery <= 5.4.4 - Missing Authorization to Authenticated (Author+) Shortcode creation
Summary
The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4. This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own.
Severity
4.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| tigroumeow | Meow Gallery | Affected: 0 , ≤ 5.4.4 (semver) |
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Meow Gallery",
"vendor": "tigroumeow",
"versions": [
{
"lessThanOrEqual": "5.4.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Chawabhon Netisingha"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T08:29:40.890Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3386ea07-9c61-4b54-a451-1178ca6325cb?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/meow-gallery/trunk/classes/rest.php"
},
{
"url": "https://wordpress.org/plugins/meow-gallery/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3469543/meow-gallery"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3469543/meow-gallery/trunk/classes/rest.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fmeow-gallery/tags/5.4.4\u0026new_path=%2Fmeow-gallery/tags/5.4.5"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-21T16:34:45.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-12T19:54:13.000Z",
"value": "Disclosed"
}
],
"title": "Meow Gallery \u003c= 5.4.4 - Missing Authorization to Authenticated (Author+) Shortcode creation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1291",
"datePublished": "2026-06-13T08:29:40.890Z",
"dateReserved": "2026-01-21T16:18:13.278Z",
"dateUpdated": "2026-06-13T08:29:40.890Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9629 (GCVE-0-2026-9629)
Vulnerability from cvelistv5 – Published: 2026-06-13 07:51 – Updated: 2026-06-13 07:51
Title
Canvas <= 2.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'tag' Block Attribute
Summary
The Canvas plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' parameter in all versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| codesupplyco | Canvas | Affected: 0 , ≤ 2.5.2 (semver) |
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Canvas",
"vendor": "codesupplyco",
"versions": [
{
"lessThanOrEqual": "2.5.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Canvas plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027tag\u0027 parameter in all versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T07:51:22.473Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f93d70e4-01c5-44e8-b7d5-0837bee53b8d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/canvas/tags/2.5.2/components/basic-elements/block-section-heading/render.php#L32"
},
{
"url": "https://plugins.trac.wordpress.org/browser/canvas/tags/2.5.2/components/basic-elements/block-section-heading/render.php#L13"
},
{
"url": "https://plugins.trac.wordpress.org/browser/canvas/tags/2.5.2/gutenberg/custom-blocks/index.php#L798"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3553553/canvas/trunk/components/basic-elements/block-section-heading/render.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fcanvas/tags/2.5.2\u0026new_path=%2Fcanvas/tags/2.5.3"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-12T19:04:54.000Z",
"value": "Disclosed"
}
],
"title": "Canvas \u003c= 2.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027tag\u0027 Block Attribute"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9629",
"datePublished": "2026-06-13T07:51:22.473Z",
"dateReserved": "2026-05-26T17:33:23.661Z",
"dateUpdated": "2026-06-13T07:51:22.473Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2470 (GCVE-0-2026-2470)
Vulnerability from cvelistv5 – Published: 2026-06-13 07:51 – Updated: 2026-06-13 07:51
Title
Pagelayer <= 2.0.9 - Incorrect Authorization to Authenticated (Contributor+) Mail Relay Configuration via 'contacts'
Summary
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.9. This is due to the pagelayer_save_content AJAX handler allowing users with basic post-edit capability to persist pagelayer_contact_templates metadata on posts they can edit (including pending posts), while the unauthenticated pagelayer_contact_submit endpoint later consumes that metadata by user-controlled post/form identifiers without enforcing a privileged or published-context boundary. This makes it possible for authenticated attackers, with Contributor-level access and above, to configure arbitrary contact-form mail templates that are usable through unauthenticated form submission via the contacts parameter. In typical deployments this template feature is configured via Pagelayer Pro UI; however, the vulnerable backend trust path is still present. This issue may be chained with CVE-2026-2442 to increase exploitability and attacker control over outbound email behavior.
Severity
4.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| softaculous | Page Builder: Pagelayer – Drag and Drop website builder | Affected: 0 , ≤ 2.0.9 (semver) |
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Page Builder: Pagelayer \u2013 Drag and Drop website builder",
"vendor": "softaculous",
"versions": [
{
"lessThanOrEqual": "2.0.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Page Builder: Pagelayer \u2013 Drag and Drop website builder plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.9. This is due to the pagelayer_save_content AJAX handler allowing users with basic post-edit capability to persist pagelayer_contact_templates metadata on posts they can edit (including pending posts), while the unauthenticated pagelayer_contact_submit endpoint later consumes that metadata by user-controlled post/form identifiers without enforcing a privileged or published-context boundary. This makes it possible for authenticated attackers, with Contributor-level access and above, to configure arbitrary contact-form mail templates that are usable through unauthenticated form submission via the contacts parameter. In typical deployments this template feature is configured via Pagelayer Pro UI; however, the vulnerable backend trust path is still present. This issue may be chained with CVE-2026-2442 to increase exploitability and attacker control over outbound email behavior."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T07:51:22.099Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ef926bc7-b50f-40ac-9ace-7e01b26f34e1?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3506022/pagelayer"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-13T16:31:59.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-12T19:20:35.000Z",
"value": "Disclosed"
}
],
"title": "Pagelayer \u003c= 2.0.9 - Incorrect Authorization to Authenticated (Contributor+) Mail Relay Configuration via \u0027contacts\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2470",
"datePublished": "2026-06-13T07:51:22.099Z",
"dateReserved": "2026-02-13T14:37:26.487Z",
"dateUpdated": "2026-06-13T07:51:22.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3297 (GCVE-0-2026-3297)
Vulnerability from cvelistv5 – Published: 2026-06-13 07:51 – Updated: 2026-06-13 07:51
Title
Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Anchor Block
Summary
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Anchor block in versions up to, and including, 2.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| softaculous | Page Builder: Pagelayer – Drag and Drop website builder | Affected: 0 , ≤ 2.0.9 (semver) |
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Page Builder: Pagelayer \u2013 Drag and Drop website builder",
"vendor": "softaculous",
"versions": [
{
"lessThanOrEqual": "2.0.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
},
{
"lang": "en",
"type": "finder",
"value": "Itthidej Aramsri"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Page Builder: Pagelayer \u2013 Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Anchor block in versions up to, and including, 2.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T07:51:21.555Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9dc23817-f5fe-420a-8204-8440935f0bd7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3506022/pagelayer"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-26T20:26:30.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-12T19:06:17.000Z",
"value": "Disclosed"
}
],
"title": "Page Builder: Pagelayer \u2013 Drag and Drop website builder \u003c= 2.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Anchor Block"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-3297",
"datePublished": "2026-06-13T07:51:21.555Z",
"dateReserved": "2026-02-26T20:10:52.812Z",
"dateUpdated": "2026-06-13T07:51:21.555Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9134 (GCVE-0-2026-9134)
Vulnerability from cvelistv5 – Published: 2026-06-13 06:47 – Updated: 2026-06-13 06:47
Title
Photo Gallery by FooGallery : Responsive Image Gallery, Masonry Gallery & Carousel <= 3.1.31 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'custom_attribute_key' Shortcode Parameter
Summary
The FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attribute_key' shortcode parameter in versions up to, and including, 3.1.31. This is due to an incomplete JavaScript event handler blacklist in the foogallery_sanitize_javascript() function, which blocks only a subset of HTML event attributes (onmouseover, onmouseout, onpointerenter, onclick, onload, onchange, onerror) while permitting others such as 'onmouseenter', combined with the failure to escape the attribute key when building the gallery container HTML in foogallery_build_container_attributes_safe(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| fooplugins | Photo Gallery by FooGallery : Responsive Image Gallery, Masonry Gallery & Carousel | Affected: 0 , ≤ 3.1.31 (semver) |
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Photo Gallery by FooGallery : Responsive Image Gallery, Masonry Gallery \u0026 Carousel",
"vendor": "fooplugins",
"versions": [
{
"lessThanOrEqual": "3.1.31",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027custom_attribute_key\u0027 shortcode parameter in versions up to, and including, 3.1.31 This is due to an incomplete JavaScript event handler blacklist in the foogallery_sanitize_javascript() function, which blocks only a subset of HTML event attributes (onmouseover, onmouseout, onpointerenter, onclick, onload, onchange, onerror) while permitting others such as \u0027onmouseenter\u0027, combined with the failure to escape the attribute key when building the gallery container HTML in foogallery_build_container_attributes_safe(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T06:47:59.690Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dd9650e6-7c3c-4510-9749-a3503924855f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/foogallery/trunk/includes/functions.php#L480"
},
{
"url": "https://plugins.trac.wordpress.org/browser/foogallery/trunk/includes/class-gallery-advanced-settings.php#L148"
},
{
"url": "https://plugins.trac.wordpress.org/browser/foogallery/trunk/includes/functions.php#L1516"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3542524/foogallery/tags/3.1.32/includes/functions.php?old=3535930\u0026old_path=foogallery%2Ftags%2F3.1.31%2Fincludes%2Ffunctions.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-20T18:46:29.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-12T18:03:23.000Z",
"value": "Disclosed"
}
],
"title": "Photo Gallery by FooGallery : Responsive Image Gallery, Masonry Gallery \u0026 Carousel \u003c= 3.1.31 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027custom_attribute_key\u0027 Shortcode Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9134",
"datePublished": "2026-06-13T06:47:59.690Z",
"dateReserved": "2026-05-20T18:31:17.531Z",
"dateUpdated": "2026-06-13T06:47:59.690Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9109 (GCVE-0-2026-9109)
Vulnerability from cvelistv5 – Published: 2026-06-13 05:32 – Updated: 2026-06-13 05:32
Title
GPTranslate <= 2.31 - Unauthenticated Stored Cross-Site Scripting via REST API Translation Storage
Summary
The GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API Translation Storage in all versions up to, and including, 2.31 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The deterministically derived API key (sha256 of the site URL) is printed in the HTML source of every page via the JavaScript variable gptApiKey, meaning any unauthenticated visitor can retrieve the key and submit malicious translation payloads to the /wp-json/gptranslate/v1/request endpoint without any additional precondition.
Severity
7.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
12 references
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| john-dagelmore | GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites | Affected: 0 , ≤ 2.31 (semver) |
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "GPTranslate \u2013 Multilingual AI Translation for WordPress: Automatically Translate Websites",
"vendor": "john-dagelmore",
"versions": [
{
"lessThanOrEqual": "2.31",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hardeep"
},
{
"lang": "en",
"type": "finder",
"value": "Chris"
}
],
"descriptions": [
{
"lang": "en",
"value": "The GPTranslate \u2013 Multilingual AI Translation for WordPress: Automatically Translate Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API Translation Storage in all versions up to, and including, 2.31 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The deterministically derived API key (sha256 of the site URL) is printed in the HTML source of every page via the JavaScript variable gptApiKey, meaning any unauthenticated visitor can retrieve the key and submit malicious translation payloads to the /wp-json/gptranslate/v1/request endpoint without any additional precondition."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T05:32:37.292Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1c93b564-5428-4b0e-bbe8-f1e1e68940ac?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gptranslate/tags/2.31/assets/js/admin.js#L1"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gptranslate/tags/2.31/gptranslate.php#L3654"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gptranslate/tags/2.31/gptranslate.php#L3578"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gptranslate/tags/2.31/gptranslate.php#L1134"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gptranslate/tags/2.27.5/assets/js/admin.js#L1"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gptranslate/tags/2.27.5/gptranslate.php#L3654"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gptranslate/tags/2.27.5/gptranslate.php#L3578"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gptranslate/tags/2.27.5/gptranslate.php#L1134"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gptranslate/tags/2.32/assets/js/admin.js#L1"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gptranslate/tags/2.32/gptranslate.php#L3574"
},
{
"url": "https://plugins.trac.wordpress.org/browser/gptranslate/tags/2.32/gptranslate.php#L1104"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-12T17:00:41.000Z",
"value": "Disclosed"
}
],
"title": "GPTranslate \u003c= 2.31 - Unauthenticated Stored Cross-Site Scripting via REST API Translation Storage"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9109",
"datePublished": "2026-06-13T05:32:37.292Z",
"dateReserved": "2026-05-20T17:27:45.605Z",
"dateUpdated": "2026-06-13T05:32:37.292Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9848 (GCVE-0-2026-9848)
Vulnerability from cvelistv5 – Published: 2026-06-13 02:29 – Updated: 2026-06-13 02:29
Title
WP Ticket <= 6.0.4 - Unauthenticated SQL Injection via WordPress Search 's' Parameter
Summary
The WP Ticket plugin for WordPress is vulnerable to SQL Injection via the WordPress search query parameter (`s`) in versions up to, and including, 6.0.4. The plugin hooks WordPress's `posts_request` filter with `wp_ticket_com_posts_request()`, which calls `emd_author_search_results()` when the current request is an unauthenticated front-end search. That function reads `$query->query_vars['s']` — already wp_unslash()'d by `WP_Query::parse_query()`, so wp_magic_quotes protection has been stripped — and concatenates the raw value into a SQL `LIKE` clause inside a UNION sub-SELECT appended to the main query, with no `$wpdb->prepare()` or escaping. This makes it possible for unauthenticated attackers to append additional SQL queries into already-existing queries that can be used to extract sensitive information from the database.
Severity
7.5 (High)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
7 references
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| emarket-design | Customer Support Ticket System & Helpdesk | Affected: 0 , ≤ 6.0.4 (semver) |
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Customer Support Ticket System \u0026 Helpdesk",
"vendor": "emarket-design",
"versions": [
{
"lessThanOrEqual": "6.0.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "she11f"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Ticket plugin for WordPress is vulnerable to SQL Injection via the WordPress search query parameter (`s`) in versions up to, and including, 6.0.4 The plugin hooks WordPress\u0027s `posts_request` filter with `wp_ticket_com_posts_request()`, which calls `emd_author_search_results()` when the current request is an unauthenticated front-end search. That function reads `$query-\u003equery_vars[\u0027s\u0027]` \u2014 already wp_unslash()\u0027d by `WP_Query::parse_query()`, so wp_magic_quotes protection has been stripped \u2014 and concatenates the raw value into a SQL `LIKE` clause inside a UNION sub-SELECT appended to the main query, with no `$wpdb-\u003eprepare()` or escaping. This makes it possible for unauthenticated attackers to append additional SQL queries into already-existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T02:29:03.120Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/98f16e3a-4ef3-43f9-86b2-2cf8e26f9c80?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ticket/tags/6.0.4/includes/common-functions.php#L174"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ticket/tags/6.0.4/includes/common-functions.php#L164"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ticket/tags/6.0.4/includes/query-filters.php#L57"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-ticket/tags/6.0.4/includes/filter-functions.php#L22"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3565099/wp-ticket/trunk/includes/common-functions.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fwp-ticket/tags/6.0.4\u0026new_path=%2Fwp-ticket/tags/6.0.5"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-28T14:31:42.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-12T14:23:52.000Z",
"value": "Disclosed"
}
],
"title": "WP Ticket \u003c= 6.0.4 - Unauthenticated SQL Injection via WordPress Search \u0027s\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9848",
"datePublished": "2026-06-13T02:29:03.120Z",
"dateReserved": "2026-05-28T14:16:28.104Z",
"dateUpdated": "2026-06-13T02:29:03.120Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-12089 (GCVE-0-2026-12089)
Vulnerability from cvelistv5 – Published: 2026-06-13 02:29 – Updated: 2026-06-13 02:29
VLAI
Title
WS Optimize – All-in-One Speed Booster & Cache Tools <= 3.3.19 - Authenticated (Editor+) Arbitrary File Read
Summary
The LWS Optimize – All-in-One Speed Booster & Cache Tools plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 3.3.19. This is due to the combine_current_css() function trusting <link rel="stylesheet" href="..."> values harvested from page HTML and converting same-site URLs to absolute filesystem paths before reading them with file_get_contents()/Minify\CSS::add(), without enforcing that the resolved path stay within ABSPATH or have a .css extension. This makes it possible for authenticated attackers, with Editor-level access and above, to read arbitrary files.
Severity
4.9 (Medium)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| aurelienlws | LWS Optimize – All-in-One Speed Booster & Cache Tools | Affected: 0 , ≤ 3.3.19 (semver) | |
Credits
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LWS Optimize \u2013 All-in-One Speed Booster \u0026 Cache Tools",
"vendor": "aurelienlws",
"versions": [
{
"lessThanOrEqual": "3.3.19",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Omar Elshopky"
}
],
"descriptions": [
{
"lang": "en",
"value": "The LWS Optimize \u2013 All-in-One Speed Booster \u0026 Cache Tools plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 3.3.19. This is due to the combine_current_css() function trusting \u003clink rel=\"stylesheet\" href=\"...\"\u003e values harvested from page HTML and converting same-site URLs to absolute filesystem paths before reading them with file_get_contents()/Minify\\CSS::add(), without enforcing that the resolved path stay within ABSPATH or have a .css extension. This makes it possible for authenticated attackers, with Editor-level access and above, to read arbitrary files."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T02:29:02.487Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5cb80db2-753c-40fa-aee4-7d8c1749d037?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/lws-optimize/tags/3.3.19/Classes/Front/LwsOptimizeCSSManager.php#L289"
},
{
"url": "https://plugins.trac.wordpress.org/browser/lws-optimize/tags/3.3.19/Classes/Front/LwsOptimizeCSSManager.php#L61"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-12T14:06:04.000Z",
"value": "Disclosed"
}
],
"title": "WS Optimize \u2013 All-in-One Speed Booster \u0026 Cache Tools \u003c= 3.3.19 - Authenticated (Editor+) Arbitrary File Read"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-12089",
"datePublished": "2026-06-13T02:29:02.487Z",
"dateReserved": "2026-06-12T13:57:55.876Z",
"dateUpdated": "2026-06-13T02:29:02.487Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9125 (GCVE-0-2026-9125)
Vulnerability from cvelistv5 – Published: 2026-06-12 01:28 – Updated: 2026-06-13 02:48
VLAI
Title
The Ultimate Video Player For WordPress <= 4.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'link_url' Shortcode Attribute
Summary
The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link_url' parameter of the [presto_player_overlay] shortcode in versions up to, and including, 4.2.0. This is due to insufficient input sanitization and output escaping in the getOverlays() function, which copies the link_url shortcode attribute directly into the overlay configuration without scheme validation, allowing javascript: URIs to survive and be rendered as the href of a clickable anchor element by the presto-dynamic-overlay-ui web component. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
10 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| 2winfactor | Presto Player | Affected: 0 , ≤ 4.2.0 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9125",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-13T02:48:39.198721Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-13T02:48:52.871Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Presto Player",
"vendor": "2winfactor",
"versions": [
{
"lessThanOrEqual": "4.2.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Presto Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027link_url\u0027 parameter of the [presto_player_overlay] shortcode in versions up to, and including, 4.2.0 This is due to insufficient input sanitization and output escaping in the getOverlays() function, which copies the link_url shortcode attribute directly into the overlay configuration without scheme validation, allowing javascript: URIs to survive and be rendered as the href of a clickable anchor element by the presto-dynamic-overlay-ui web component. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-12T01:28:02.071Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c87e7f50-f14a-4751-abcb-3a5bdd214889?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/presto-player/tags/4.1.4/inc/Services/Shortcodes.php#L464"
},
{
"url": "https://plugins.trac.wordpress.org/browser/presto-player/tags/4.1.4/inc/Services/Shortcodes.php#L513"
},
{
"url": "https://plugins.trac.wordpress.org/browser/presto-player/tags/4.1.4/templates/video.php#L16"
},
{
"url": "https://plugins.trac.wordpress.org/browser/presto-player/tags/4.1.4/dist/components/collection/components/core/features/presto-dynamic-overlays/component/presto-dynamic-overlays.js#L1"
},
{
"url": "https://plugins.trac.wordpress.org/browser/presto-player/tags/4.1.1/inc/Services/Shortcodes.php#L464"
},
{
"url": "https://plugins.trac.wordpress.org/browser/presto-player/tags/4.1.1/inc/Services/Shortcodes.php#L513"
},
{
"url": "https://plugins.trac.wordpress.org/browser/presto-player/tags/4.1.1/templates/video.php#L16"
},
{
"url": "https://plugins.trac.wordpress.org/browser/presto-player/tags/4.1.1/dist/components/collection/components/core/features/presto-dynamic-overlays/component/presto-dynamic-overlays.js#L1"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3553268/presto-player/trunk/inc/Services/Shortcodes.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-20T17:56:26.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-11T12:49:42.000Z",
"value": "Disclosed"
}
],
"title": "The Ultimate Video Player For WordPress \u003c= 4.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027link_url\u0027 Shortcode Attribute"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9125",
"datePublished": "2026-06-12T01:28:02.071Z",
"dateReserved": "2026-05-20T17:39:30.319Z",
"dateUpdated": "2026-06-13T02:48:52.871Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10795 (GCVE-0-2026-10795)
Vulnerability from cvelistv5 – Published: 2026-06-11 05:34 – Updated: 2026-06-11 14:37
VLAI
Title
UpdraftPlus: WP Backup & Migration Plugin <= 1.26.4 - Unauthenticated Authentication Bypass via UpdraftCentral udrpc
Summary
The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function. This is due to insufficient validation of the remote communications message format, where signature verification can be bypassed and unchecked decryption return values collapse to a predictable all-zero encryption key. This makes it possible for unauthenticated attackers to forge arbitrary RPC commands and run them as the connected administrator, such as uploading and activating a malicious plugin, which ultimately leads to remote code execution.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| davidanderson | UpdraftPlus: WP Backup & Migration Plugin | Affected: 0 , ≤ 1.26.4 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10795",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-11T14:37:25.695215Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T14:37:38.538Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UpdraftPlus: WP Backup \u0026 Migration Plugin",
"vendor": "davidanderson",
"versions": [
{
"lessThanOrEqual": "1.26.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "XU WEI TING"
}
],
"descriptions": [
{
"lang": "en",
"value": "The UpdraftPlus: WP Backup \u0026 Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function. This is due to insufficient validation of the remote communications message format, where signature verification can be bypassed and unchecked decryption return values collapse to a predictable all-zero encryption key. This makes it possible for unauthenticated attackers to forge arbitrary RPC commands and run them as the connected administrator, such as uploading and activating a malicious plugin, which ultimately leads to remote code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347 Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T05:34:20.360Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e901c2a0-2477-4b9a-8483-6002419e0a2f?source=cve"
},
{
"url": "https://plugins.svn.wordpress.org/updraftplus/tags/1.26.4/vendor/team-updraft/common-libs/src/updraft-rpc/class-udrpc2.php"
},
{
"url": "https://plugins.svn.wordpress.org/updraftplus/tags/1.26.4/vendor/team-updraft/common-libs/src/updraft-rpc/class-udrpc.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3561938/updraftplus/trunk/vendor/team-updraft/common-libs/src/updraft-rpc/class-udrpc2.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-03T21:23:51.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-10T16:41:29.000Z",
"value": "Disclosed"
}
],
"title": "UpdraftPlus: WP Backup \u0026 Migration Plugin \u003c= 1.26.4 - Unauthenticated Authentication Bypass via UpdraftCentral udrpc"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-10795",
"datePublished": "2026-06-11T05:34:20.360Z",
"dateReserved": "2026-06-03T21:07:44.434Z",
"dateUpdated": "2026-06-11T14:37:38.538Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2827 (GCVE-0-2026-2827)
Vulnerability from cvelistv5 – Published: 2026-06-11 01:27 – Updated: 2026-06-11 15:57
VLAI
Title
Open User Map PRO <= 1.4.31 - Unauthenticated Stored Cross-Site Scripting via 'oum_location_notification'
Summary
The Open User Map PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'oum_location_notification' parameter in versions up to, and including, 1.4.31 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
4.7 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| 100plugins | Open User Map PRO | Affected: 0 , ≤ 1.4.31 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2827",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-11T15:57:19.559646Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T15:57:32.012Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Open User Map PRO",
"vendor": "100plugins",
"versions": [
{
"lessThanOrEqual": "1.4.31",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Hunter Jensen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Open User Map PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027oum_location_notification\u0027 parameter in versions up to, and including, 1.4.31 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-11T01:27:56.479Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9963e0f8-600c-4b1f-935d-4ac1f967698f?source=cve"
},
{
"url": "https://www.open-user-map.com/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-23T17:20:20.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-10T13:18:50.000Z",
"value": "Disclosed"
}
],
"title": "Open User Map PRO \u003c= 1.4.31 - Unauthenticated Stored Cross-Site Scripting via \u0027oum_location_notification\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2827",
"datePublished": "2026-06-11T01:27:56.479Z",
"dateReserved": "2026-02-19T18:28:52.104Z",
"dateUpdated": "2026-06-11T15:57:32.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3018 (GCVE-0-2026-3018)
Vulnerability from cvelistv5 – Published: 2026-06-10 08:28 – Updated: 2026-06-10 12:46
VLAI
Title
Newsletters <= 4.13 - Unauthenticated SQL Injection via wpmlsubscriber_id Parameter
Summary
The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpmlsubscriber_id’ parameter in all versions up to, and including, 4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| contrid | Newsletters | Affected: 0 , ≤ 4.13 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3018",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T12:46:25.228045Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T12:46:38.254Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Newsletters",
"vendor": "contrid",
"versions": [
{
"lessThanOrEqual": "4.13",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the \u2018wpmlsubscriber_id\u2019 parameter in all versions up to, and including, 4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T08:28:20.635Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8e2672b5-64a2-4b30-b0be-2a9303d46ac1?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/newsletters-lite/tags/4.11/wp-mailinglist-plugin.php#L6040"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3566485/newsletters-lite"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-25T17:15:41.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-09T20:03:28.000Z",
"value": "Disclosed"
}
],
"title": "Newsletters \u003c= 4.13 - Unauthenticated SQL Injection via wpmlsubscriber_id Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-3018",
"datePublished": "2026-06-10T08:28:20.635Z",
"dateReserved": "2026-02-23T11:03:25.560Z",
"dateUpdated": "2026-06-10T12:46:38.254Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-6254 (GCVE-0-2025-6254)
Vulnerability from cvelistv5 – Published: 2026-06-10 08:28 – Updated: 2026-06-10 14:38
VLAI
Title
Doctreat Core <= 1.6.8 - Unauthenticated Privilege Escalation
Summary
The Doctreat Core plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.6.8. This is due to the doctreat_process_registration() function not properly restricting the roles that a user can register with. This makes it possible for unauthenticated attackers to register as an administrator user.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| AmentoTech | Doctreat Core | Affected: 0 , ≤ 1.6.8 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-6254",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T14:38:45.492186Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T14:38:53.494Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Doctreat Core",
"vendor": "AmentoTech",
"versions": [
{
"lessThanOrEqual": "1.6.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Friderika Baranyai"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Doctreat Core plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.6.8. This is due to the doctreat_process_registration() function not properly restricting the roles that a user can register with. This makes it possible for unauthenticated attackers to register as an administrator user."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T08:28:20.052Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5fa37909-932c-4879-bbf0-8b44cc995cc0?source=cve"
},
{
"url": "https://themeforest.net/item/doctreat-doctors-directory-wordpress-theme/24867777"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-29T20:49:45.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-09T20:15:24.000Z",
"value": "Disclosed"
}
],
"title": "Doctreat Core \u003c= 1.6.8 - Unauthenticated Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-6254",
"datePublished": "2026-06-10T08:28:20.052Z",
"dateReserved": "2025-06-18T19:57:18.427Z",
"dateUpdated": "2026-06-10T14:38:53.494Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8613 (GCVE-0-2026-8613)
Vulnerability from cvelistv5 – Published: 2026-06-10 07:50 – Updated: 2026-06-10 14:42
VLAI
Title
aThemes Addons for Elementor <= 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title_tag' Widget Setting
Summary
The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'title_tag' Widget Setting in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This affects the Posts Timeline widget as well as the Posts Carousel widget across its default, Banner, and Modern skins, all of which omit the whitelist validation that is correctly applied in the Posts List widget.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | aThemes Addons for Elementor | Affected: 0 , ≤ 1.1.8 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8613",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T14:41:47.013406Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T14:42:03.318Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "aThemes Addons for Elementor",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "1.1.8",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Romain Deperne"
}
],
"descriptions": [
{
"lang": "en",
"value": "The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via \u0027title_tag\u0027 Widget Setting in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This affects the Posts Timeline widget as well as the Posts Carousel widget across its default, Banner, and Modern skins, all of which omit the whitelist validation that is correctly applied in the Posts List widget."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T07:50:56.223Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2e7aed9e-1b56-4ce6-b338-1d9ab80594c3?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/athemes-addons-for-elementor-lite/tags/1.1.8/inc/modules/widgets/posts-timeline/class-posts-timeline.php#L1351"
},
{
"url": "https://plugins.trac.wordpress.org/browser/athemes-addons-for-elementor-lite/tags/1.1.8/inc/modules/widgets/posts-carousel/class-posts-carousel.php#L1413"
},
{
"url": "https://plugins.trac.wordpress.org/browser/athemes-addons-for-elementor-lite/tags/1.1.8/inc/modules/widgets/posts-carousel/skins/class-posts-carousel-banner.php#L226"
},
{
"url": "https://plugins.trac.wordpress.org/browser/athemes-addons-for-elementor-lite/tags/1.1.8/inc/modules/widgets/posts-carousel/skins/class-posts-carousel-modern.php#L208"
},
{
"url": "https://plugins.trac.wordpress.org/browser/athemes-addons-for-elementor-lite/tags/1.1.8/inc/functions.php#L1375"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/athemes-addons-for-elementor-lite/tags/1.1.8\u0026new_path=/athemes-addons-for-elementor-lite/tags/1.1.9"
},
{
"url": "https://plugins.trac.wordpress.org/browser/athemes-addons-for-elementor-lite/tags/1.1.9/inc/functions.php#L1374"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-14T16:50:23.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-09T18:49:29.000Z",
"value": "Disclosed"
}
],
"title": "aThemes Addons for Elementor \u003c= 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027title_tag\u0027 Widget Setting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8613",
"datePublished": "2026-06-10T07:50:56.223Z",
"dateReserved": "2026-05-14T16:31:49.699Z",
"dateUpdated": "2026-06-10T14:42:03.318Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8853 (GCVE-0-2026-8853)
Vulnerability from cvelistv5 – Published: 2026-06-10 07:50 – Updated: 2026-06-10 12:56
VLAI
Title
MW WP Form <= 5.1.3 - Authenticated (Editor+) Stored Cross-Site Scripting via 'memo' Parameter
Summary
The MW WP Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'memo' parameter in all versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Because the memo value is stored via update_post_meta() rather than wp_insert_post(), WordPress's built-in kses and unfiltered_html protections do not apply, allowing attackers to break out of the textarea element via injected closing tags regardless of role-based content filtering.
Severity
4.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| websoudan | MW WP Form | Affected: 0 , ≤ 5.1.3 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8853",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T12:56:06.379101Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T12:56:19.273Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MW WP Form",
"vendor": "websoudan",
"versions": [
{
"lessThanOrEqual": "5.1.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "S\u00e9rgio Charruadas"
}
],
"descriptions": [
{
"lang": "en",
"value": "The MW WP Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027memo\u0027 parameter in all versions up to, and including, 5.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Because the memo value is stored via update_post_meta() rather than wp_insert_post(), WordPress\u0027s built-in kses and unfiltered_html protections do not apply, allowing attackers to break out of the textarea element via injected closing tags regardless of role-based content filtering."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T07:50:55.322Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2a6dfdec-c1c6-4300-ab0a-9fd1c550d09f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.1.3/templates/contact-data/detail.php#L77"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.1.3/classes/controllers/class.contact-data.php#L134"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.1.0/templates/contact-data/detail.php#L77"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.1.0/classes/controllers/class.contact-data.php#L134"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=mw-wp-form/tags/5.1.3\u0026new_path=mw-wp-form/tags/5.1.4"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-18T16:30:11.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-09T18:48:34.000Z",
"value": "Disclosed"
}
],
"title": "MW WP Form \u003c= 5.1.3 - Authenticated (Editor+) Stored Cross-Site Scripting via \u0027memo\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8853",
"datePublished": "2026-06-10T07:50:55.322Z",
"dateReserved": "2026-05-18T16:14:39.011Z",
"dateUpdated": "2026-06-10T12:56:19.273Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9019 (GCVE-0-2026-9019)
Vulnerability from cvelistv5 – Published: 2026-06-10 06:48 – Updated: 2026-06-10 16:32
Title
Easy Image Collage <= 1.13.6 - Authenticated (Author+) Stored Cross-Site Scripting via 'grid[properties][borderColor]' and 'grid[images][N][attachment_url]' Parameters
Summary
The Easy Image Collage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'grid[properties][borderColor]' and 'grid[images][N][attachment_url]' Parameters in all versions up to, and including, 1.13.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Because the data is stored via update_post_meta() rather than wp_insert_post() post content, WordPress's unfiltered_html restriction does not apply, meaning Authors cannot be blocked from this attack path by capability controls alone.
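Both this record and the MW WP Form record above turn on the same WordPress detail: wp_insert_post() runs post_content through kses (and honours the unfiltered_html capability), but update_post_meta() does not, so a value saved as post meta reaches the template exactly as the author typed it. The example below is added here and is not code from either plugin; the render_* functions and the payload strings are hypothetical, and the esc_*/sanitize_hex_color stand-ins only exist so the file runs outside WordPress (inside WordPress the real functions are used). It shows the textarea breakout the MW WP Form summary describes, the attribute-context injection the Easy Image Collage summary describes, and the context-specific escaping that closes both regardless of the saving user's role.

```php
<?php
// Added example, not MW WP Form or Easy Image Collage code.
// Stand-ins so the file runs outside WordPress; each mirrors the real
// function's behaviour closely enough for this demonstration.
if (!function_exists('esc_textarea')) {
    function esc_textarea(string $t): string { return htmlspecialchars($t, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $t): string { return htmlspecialchars($t, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_url')) {
    // Real esc_url() does more (scheme allow-list, entity normalisation); this
    // stand-in keeps only http(s) URLs and encodes the result for an attribute.
    function esc_url(string $u): string {
        $u = trim($u);
        return preg_match('#\Ahttps?://#i', $u) ? esc_attr($u) : '';
    }
}
if (!function_exists('sanitize_hex_color')) {
    function sanitize_hex_color(string $c): string {
        return preg_match('/\A#(?:[0-9a-fA-F]{3}){1,2}\z/', $c) ? $c : '';
    }
}

// Constructed attacker input (hypothetical payloads of the kind both advisories describe).
$memo      = 'harmless note</textarea><img src=x onerror=alert(document.domain)>';
$color     = '#fff" onmouseover="alert(document.domain)';
$image_url = 'x" onerror="alert(document.domain)';

// Vulnerable rendering: meta values echoed raw. Because they came from post meta,
// neither kses nor the unfiltered_html capability ever saw them.
function render_vulnerable(string $memo, string $color, string $url): string {
    return "<textarea name=\"memo\">{$memo}</textarea>\n"
         . "<div style=\"border-color:{$color}\"><img src=\"{$url}\"></div>\n";
}

// Hardened rendering: escape (or validate) for the exact output context.
function render_hardened(string $memo, string $color, string $url): string {
    $color = sanitize_hex_color($color);   // CSS values are validated, not escaped
    return '<textarea name="memo">' . esc_textarea($memo) . "</textarea>\n"
         . '<div style="border-color:' . esc_attr($color) . '">'
         . '<img src="' . esc_url($url) . "\"></div>\n";
}

echo "--- vulnerable ---\n", render_vulnerable($memo, $color, $image_url);
echo "--- hardened ---\n",   render_hardened($memo, $color, $image_url);
```

Output escaping is the fix that holds regardless of who saved the value. As defence in depth, the meta key can also be registered with register_meta() and a sanitize_callback (for instance sanitize_textarea_field() for the memo, sanitize_hex_color() for the colour, esc_url_raw() for the URL) so that update_post_meta() filters on the way in as well; that does not replace escaping on output, because other code paths may write the same key.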
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| brechtvds | Easy Image Collage | Affected: 0 , ≤ 1.13.6 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9019",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T16:27:32.888371Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T16:32:03.865Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easy Image Collage",
"vendor": "brechtvds",
"versions": [
{
"lessThanOrEqual": "1.13.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "younghun lee"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Image Collage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via \u0027grid[properties][borderColor]\u0027 and \u0027grid[images][N][attachment_url]\u0027 Parameters in all versions up to, and including, 1.13.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Because the data is stored via update_post_meta() rather than wp_insert_post() post content, WordPress\u0027s unfiltered_html restriction does not apply, meaning Authors cannot be blocked from this attack path by capability controls alone."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T06:48:28.873Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4feaad82-f94e-49f5-8e8b-67ba220b1c71?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/easy-image-collage/tags/1.13.6/helpers/shortcode.php#L42"
},
{
"url": "https://plugins.trac.wordpress.org/browser/easy-image-collage/tags/1.13.6/helpers/layouts.php#L261"
},
{
"url": "https://plugins.trac.wordpress.org/browser/easy-image-collage/tags/1.13.6/helpers/models/grid.php#L39"
},
{
"url": "https://plugins.trac.wordpress.org/browser/easy-image-collage/tags/1.13.6/helpers/ajax.php#L16"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=easy-image-collage/tags/1.13.6\u0026new_path=easy-image-collage/tags/2.0.0"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-19T15:11:34.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-09T18:47:44.000Z",
"value": "Disclosed"
}
],
"title": "Easy Image Collage \u003c= 1.13.6 - Authenticated (Author+) Stored Cross-Site Scripting via \u0027grid[properties][borderColor]\u0027 and \u0027grid[images][N][attachment_url]\u0027 Parameters"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9019",
"datePublished": "2026-06-10T06:48:28.873Z",
"dateReserved": "2026-05-19T14:53:59.845Z",
"dateUpdated": "2026-06-10T16:32:03.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-8444 (GCVE-0-2025-8444)
Vulnerability from cvelistv5 – Published: 2026-06-10 04:31 – Updated: 2026-06-10 12:47
Title
Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates <= 2.6.7 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Multiple Parameters
Summary
The Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the multiple parameters in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wealcoder | Animation Addons for Elementor – GSAP Motion Elementor Addons & Website Templates | Affected: 0 , ≤ 2.6.7 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8444",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-10T12:47:06.466072Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T12:47:18.216Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Animation Addons for Elementor \u2013 GSAP Motion Elementor Addons \u0026 Website Templates",
"vendor": "wealcoder",
"versions": [
{
"lessThanOrEqual": "2.6.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "D.Sim"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Animation Addons for Elementor \u2013 GSAP Powered Elementor Addons \u0026 Website Templates plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the multiple parameters in all versions up to, and including, 2.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T04:31:00.888Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9d1cb486-f461-4a06-ae9a-39669109b2c0?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/animation-addons-for-elementor/trunk/assets/js/wcf-addons.min.js"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-12T19:55:44.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-09T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Animation Addons for Elementor \u2013 GSAP Powered Elementor Addons \u0026 Website Templates \u003c= 2.6.7 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via Multiple Parameters"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-8444",
"datePublished": "2026-06-10T04:31:00.888Z",
"dateReserved": "2025-07-31T19:16:21.041Z",
"dateUpdated": "2026-06-10T12:47:18.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4058 (GCVE-0-2026-4058)
Vulnerability from cvelistv5 – Published: 2026-06-09 09:28 – Updated: 2026-06-09 14:09
Title
User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.2 - Missing Authorization to Authenticated (Subscriber+) Subscription Pack Cancellation
Summary
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the user_subscription_cancel() function in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel any user's subscription pack, including administrators.
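The summary names the missing control precisely: a capability check on user_subscription_cancel(). The example below is added here and is not WP User Frontend code; the handler names, the nonce action string and the rule that only the pack's owner or a user with manage_options may cancel it are hypothetical choices for illustration. The get_current_user_id(), current_user_can(), wp_verify_nonce() and absint() stand-ins exist only so the file runs outside WordPress. It contrasts a handler that trusts whatever user_id the request names with one that binds the target to the authenticated actor.

```php
<?php
// Added example, not WP User Frontend code.
// Stand-ins so the file runs outside WordPress; a tiny fake "session"
// represents the logged-in user (a Subscriber, id 7).
$FAKE_USER = ['id' => 7, 'caps' => ['read' => true]];
if (!function_exists('get_current_user_id')) {
    function get_current_user_id(): int { global $FAKE_USER; return $FAKE_USER['id']; }
}
if (!function_exists('current_user_can')) {
    function current_user_can(string $cap): bool { global $FAKE_USER; return !empty($FAKE_USER['caps'][$cap]); }
}
if (!function_exists('wp_verify_nonce')) {
    function wp_verify_nonce(string $nonce, string $action) {
        return hash_equals("nonce-for-{$action}", $nonce) ? 1 : false;
    }
}
if (!function_exists('absint')) {
    function absint($v): int { return abs((int) $v); }
}

// What the handler ultimately does; recorded in memory instead of a database.
$CANCELLED = [];
function cancel_pack_for_user(int $user_id): void { global $CANCELLED; $CANCELLED[] = $user_id; }

// Vulnerable shape: any logged-in user can name any user_id.
function vulnerable_user_subscription_cancel(array $request): string {
    cancel_pack_for_user(absint($request['user_id'] ?? 0));
    return 'cancelled';
}

// Hardened shape: CSRF token first, then authorization that ties target to actor.
function hardened_user_subscription_cancel(array $request): string {
    if (!wp_verify_nonce($request['_wpnonce'] ?? '', 'demo_cancel_subscription')) {
        return 'error: bad nonce';
    }
    $target = absint($request['user_id'] ?? 0);
    $actor  = get_current_user_id();
    if ($target === 0) {
        return 'error: no user';
    }
    // A user may cancel only their own pack; staff with manage_options may cancel anyone's.
    if ($target !== $actor && !current_user_can('manage_options')) {
        return 'error: forbidden';
    }
    cancel_pack_for_user($target);
    return 'cancelled';
}

// Constructed request: user 7 tries to cancel the administrator's (user 1) pack
// with a valid nonce, which is the situation the advisory describes.
$request = ['user_id' => 1, '_wpnonce' => 'nonce-for-demo_cancel_subscription'];
echo 'vulnerable handler: ', vulnerable_user_subscription_cancel($request), "\n";
echo 'hardened handler:   ', hardened_user_subscription_cancel($request), "\n";
echo 'packs cancelled:    ', implode(',', $CANCELLED), "\n";
```

A nonce alone would not have prevented this: the attacker is a legitimate logged-in user sending their own requests, so CSRF protection passes. The authorization step (ownership or an explicit elevated capability) is the missing control, and it must be evaluated against the target of the action, not merely against "is the caller logged in".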
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wedevs | User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration | Affected: 0 , ≤ 4.3.2 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4058",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T14:09:20.531777Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T14:09:41.250Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership \u0026 User Registration",
"vendor": "wedevs",
"versions": [
{
"lessThanOrEqual": "4.3.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Supakiad S."
}
],
"descriptions": [
{
"lang": "en",
"value": "The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership \u0026 User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the user_subscription_cancel() function in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cancel any user\u0027s subscription pack, including administrators."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T09:28:31.713Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ffdf34bb-a887-444c-8a76-12901fed6662?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3528244/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-24T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-03-12T17:20:07.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-08T20:48:06.000Z",
"value": "Disclosed"
}
],
"title": "User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership \u0026 User Registration \u003c= 4.3.2 - Missing Authorization to Authenticated (Subscriber+) Subscription Pack Cancellation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-4058",
"datePublished": "2026-06-09T09:28:31.713Z",
"dateReserved": "2026-03-12T17:04:07.068Z",
"dateUpdated": "2026-06-09T14:09:41.250Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8365 (GCVE-0-2026-8365)
Vulnerability from cvelistv5 – Published: 2026-06-09 08:29 – Updated: 2026-06-09 12:56
Title
Blocksy <= 2.1.41 - Authenticated (Contributor+) PHP Object Injection via Deserialization of Untrusted Data via 'blocksy_meta' REST API Field
Summary
The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksy_meta' REST API field and the V200 database migration in versions up to and including 2.1.35. This is due to insufficient input sanitization in the blocksy_sanitize_post_meta_options() function, which only blocks values containing '<' or '>' and does not prevent serialized PHP object strings from being stored in post meta, combined with the SearchReplacer::run_recursively() function unconditionally deserializing all string values via @unserialize() during migration without restricting allowed classes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a serialized Blocksy\RaiiPattern object into post meta that, when the V200 migration runs on an upgraded site, is deserialized and triggers RaiiPattern::__destruct(), which executes arbitrary PHP callables via call_user_func().
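One caveat when triaging this record: the description text says "up to and including 2.1.35" while the title and the affected-version data say ≤ 2.1.41, and the references cover both the 2.1.35 and 2.1.41 tags, so treat 2.1.41 as the upper bound until the record is corrected. The example below is added here and is not Blocksy code; it uses a hypothetical gadget class (DemoRaii) rather than the theme's own, and the sanitizer and migration functions are illustrative names. It reproduces the two halves of the bug class the summary describes, a sanitizer that only refuses angle brackets and an unserialize() call with no class restriction, beside the two corresponding fixes.

```php
<?php
// Added example, not Blocksy code. Hypothetical gadget: any class whose
// destructor reaches call_user_func() with attacker-controlled members.
class DemoRaii {
    public $callback;
    public $arg;
    public function __destruct() {
        if (is_callable($this->callback)) {
            call_user_func($this->callback, $this->arg);   // attacker picks both
        }
    }
}

// Constructed attacker-controlled meta value: a serialized DemoRaii whose
// destructor calls a harmless function here; in an attack it is any callable.
$msg       = "[gadget] DemoRaii::__destruct() reached call_user_func()\n";
$malicious = sprintf(
    'O:8:"DemoRaii":2:{s:8:"callback";s:6:"printf";s:3:"arg";s:%d:"%s";}',
    strlen($msg), $msg
);

// (1) The sanitizer pattern the advisory describes: only '<' and '>' are refused.
function weak_sanitize(string $v): ?string {
    return (strpbrk($v, '<>') === false) ? $v : null;
}

// Stand-in for WordPress's is_serialized() (the real one checks the format more strictly).
if (!function_exists('is_serialized')) {
    function is_serialized($data): bool {
        return is_string($data) && (bool) preg_match('/\A(?:[aOsibdC]:|N;)/', $data);
    }
}

// Hardened sanitizer: serialized payloads never reach storage.
function strict_sanitize(string $v): ?string {
    if (strpbrk($v, '<>') !== false || is_serialized($v)) {
        return null;
    }
    return $v;
}

// (2) The migration-style consumer: "if it unserializes, use the result".
function migrate_value_vulnerable(string $v) {
    $r = @unserialize($v);                                   // any class may be instantiated
    return $r === false ? $v : $r;
}

function migrate_value_hardened(string $v) {
    $r = @unserialize($v, ['allowed_classes' => false]);     // objects become __PHP_Incomplete_Class
    return $r === false ? $v : $r;
}

echo 'weak sanitizer stores payload:   ', var_export(weak_sanitize($malicious) !== null, true), "\n";
echo 'strict sanitizer stores payload: ', var_export(strict_sanitize($malicious) !== null, true), "\n";

$h = migrate_value_hardened($malicious);
echo 'hardened consumer produced: ', get_class($h), "\n";
unset($h);                                                    // no destructor to run

$v = migrate_value_vulnerable($malicious);
unset($v);                                                    // DemoRaii::__destruct() fires here
```

Two notes on the hardened side. First, allowed_classes => false stops the gadget but still hands attacker-controlled bytes to the unserialize parser; where the stored format is under the developer's control, JSON is the safer representation and unserialize() of untrusted data should be avoided outright. Second, rejecting serialized strings at the sanitizer is what actually closes the REST API write path for a Contributor; the deserialization fix alone still leaves arbitrary serialized data in post meta for any later consumer that forgets the option.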
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
13 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| creativethemeshq | Blocksy | Affected: 0 , ≤ 2.1.41 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8365",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T12:55:53.628058Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T12:56:15.813Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Blocksy",
"vendor": "creativethemeshq",
"versions": [
{
"lessThanOrEqual": "2.1.41",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qu\u1ed1c Huy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the \u0027blocksy_meta\u0027 REST API field and the V200 database migration in versions up to and including 2.1.35. This is due to insufficient input sanitization in the blocksy_sanitize_post_meta_options() function, which only blocks values containing \u0027\u003c\u0027 or \u0027\u003e\u0027 and does not prevent serialized PHP object strings from being stored in post meta, combined with the SearchReplacer::run_recursively() function unconditionally deserializing all string values via @unserialize() during migration without restricting allowed classes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a serialized Blocksy\\RaiiPattern object into post meta that, when the V200 migration runs on an upgraded site, is deserialized and triggers RaiiPattern::__destruct(), which executes arbitrary PHP callables via call_user_func()."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T08:29:40.638Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fd216743-ce8d-4632-9fd1-d63502c2dfcd?source=cve"
},
{
"url": "https://themes.trac.wordpress.org/browser/blocksy/trunk/inc/classes/db-versioning/utils/db-search-replacer.php#L98"
},
{
"url": "https://themes.trac.wordpress.org/browser/blocksy/2.1.41/inc/classes/db-versioning/utils/db-search-replacer.php#L98"
},
{
"url": "https://themes.trac.wordpress.org/browser/blocksy/trunk/admin/helpers/meta-boxes.php#L104"
},
{
"url": "https://themes.trac.wordpress.org/browser/blocksy/2.1.41/admin/helpers/meta-boxes.php#L104"
},
{
"url": "https://themes.trac.wordpress.org/browser/blocksy/trunk/admin/helpers/validator.php#L75"
},
{
"url": "https://themes.trac.wordpress.org/browser/blocksy/2.1.41/admin/helpers/validator.php#L75"
},
{
"url": "https://themes.trac.wordpress.org/browser/blocksy/trunk/inc/classes/raii.php#L12"
},
{
"url": "https://themes.trac.wordpress.org/browser/blocksy/2.1.41/inc/classes/raii.php#L12"
},
{
"url": "https://themes.trac.wordpress.org/browser/blocksy/2.1.35/inc/classes/db-versioning/utils/db-search-replacer.php#L98"
},
{
"url": "https://themes.trac.wordpress.org/browser/blocksy/2.1.35/admin/helpers/meta-boxes.php#L104"
},
{
"url": "https://themes.trac.wordpress.org/browser/blocksy/2.1.35/admin/helpers/validator.php#L75"
},
{
"url": "https://themes.trac.wordpress.org/browser/blocksy/2.1.35/inc/classes/raii.php#L12"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-12T06:30:57.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-08T20:11:29.000Z",
"value": "Disclosed"
}
],
"title": "Blocksy \u003c= 2.1.41 - Authenticated (Contributor+) PHP Object Injection via Deserialization of Untrusted Data via \u0027blocksy_meta\u0027 REST API Field"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8365",
"datePublished": "2026-06-09T08:29:40.638Z",
"dateReserved": "2026-05-11T19:25:24.123Z",
"dateUpdated": "2026-06-09T12:56:15.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8677 (GCVE-0-2026-8677)
Vulnerability from cvelistv5 – Published: 2026-06-09 08:29 – Updated: 2026-06-09 15:13
Title
Prime Elementor Addons <= 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget HTML Tag Settings
Summary
The Prime Elementor Addons – Lightweight Elementor Widgets for Faster Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Widget HTML Tag Settings in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The exploit succeeds even for users without the unfiltered_html capability because the payload (e.g., 'img src=x onerror=alert(document.domain)') contains no HTML angle brackets and therefore passes through Elementor's wp_kses_post() filter unchanged at save time.
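This record and the aThemes Addons record above (CVE-2026-8613, 'title_tag' widget setting) share one root cause: a widget setting is used as the HTML tag name, and a filter that removes tags cannot help when the attacker never types a tag. The example below is added here and is not code from Prime Elementor Addons, aThemes Addons or Elementor; the render_title_* and validate_html_tag() names are hypothetical, and the wp_kses_post()/esc_html() stand-ins exist only so the file runs outside WordPress. It shows the quoted payload passing the save-time filter untouched and the fixed-set validation that makes the setting safe wherever it is rendered.

```php
<?php
// Added example, not plugin or Elementor code.
if (!function_exists('wp_kses_post')) {
    // Stand-in: the real filter strips disallowed tags and attributes; on a string
    // with no '<' at all it returns the input unchanged, which is the point here.
    function wp_kses_post(string $s): string { return strpos($s, '<') === false ? $s : strip_tags($s); }
}
if (!function_exists('esc_html')) {
    function esc_html(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
}

// Constructed payload of the kind the advisory quotes: no angle brackets anywhere.
$title_tag = 'img src=x onerror=alert(document.domain)';
$saved_tag = wp_kses_post($title_tag);        // unchanged: nothing for kses to strip

// Vulnerable render: the template supplies the brackets, the setting supplies
// the tag name and, with it, any attributes the attacker appended.
function render_title_vulnerable(string $tag, string $text): string {
    return sprintf('<%1$s class="widget-title">%2$s</%1$s>', $tag, esc_html($text));
}

// Hardened render: the tag must be one of a fixed set; anything else falls back.
// Lower-casing and trimming first so "H2 " is accepted as "h2".
function validate_html_tag(string $tag, string $fallback = 'div'): string {
    static $allowed = [
        'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'div', 'span',
        'article', 'section', 'header', 'footer', 'main', 'aside', 'nav',
    ];
    $tag = strtolower(trim($tag));
    return in_array($tag, $allowed, true) ? $tag : $fallback;
}

function render_title_hardened(string $tag, string $text): string {
    $tag = validate_html_tag($tag, 'h2');
    return sprintf('<%1$s class="widget-title">%2$s</%1$s>', $tag, esc_html($text));
}

echo 'vulnerable: ', render_title_vulnerable($saved_tag, 'Hello'), "\n";
echo 'hardened:   ', render_title_hardened($saved_tag, 'Hello'), "\n";
```

An allow-list is the right tool for a tag-name position; escaping functions do not apply, since there is no quoting context to escape into, and WordPress's tag_escape() only strips characters rather than deciding whether the result is an acceptable element. Elementor core exposes Utils::validate_html_tag() for this purpose, so addon widgets that accept an HTML tag setting should route it through that (or an equivalent allow-list) before rendering, not rely on the setting's save-time sanitization.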
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
16 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wpmessiah | Prime Elementor Addons – Lightweight Elementor Widgets for Faster Pages | Affected: 0 , ≤ 1.3.3 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8677",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T15:02:21.740076Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T15:13:07.255Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Prime Elementor Addons \u2013 Lightweight Elementor Widgets for Faster Pages",
"vendor": "wpmessiah",
"versions": [
{
"lessThanOrEqual": "1.3.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Romain Deperne"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Prime Elementor Addons \u2013 Lightweight Elementor Widgets for Faster Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Widget HTML Tag Settings in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The exploit succeeds even for users without the unfiltered_html capability because the payload (e.g., \u0027img src=x onerror=alert(document.domain)\u0027) contains no HTML angle brackets and therefore passes through Elementor\u0027s wp_kses_post() filter unchanged at save time."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T08:29:39.999Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/95136083-58d7-4ee4-b894-6910c3992d20?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.3.2/includes/Widgets/InfoBox.php#L1645"
},
{
"url": "https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.3.2/includes/Widgets/InfoBox.php#L1623"
},
{
"url": "https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.3.2/includes/Widgets/Counter.php#L1079"
},
{
"url": "https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.3.2/includes/Widgets/CallToAction.php#L1631"
},
{
"url": "https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.3.2/includes/Widgets/TeamMember.php#L2638"
},
{
"url": "https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.3.2/includes/Traits/PostGridRenderer.php#L164"
},
{
"url": "https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.3.2/includes/Widgets/AdvancedAccordion.php#L1396"
},
{
"url": "https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.2.0/includes/Widgets/InfoBox.php#L1645"
},
{
"url": "https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.2.0/includes/Widgets/InfoBox.php#L1623"
},
{
"url": "https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.2.0/includes/Widgets/Counter.php#L1079"
},
{
"url": "https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.2.0/includes/Widgets/CallToAction.php#L1631"
},
{
"url": "https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.2.0/includes/Widgets/TeamMember.php#L2638"
},
{
"url": "https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.2.0/includes/Traits/PostGridRenderer.php#L164"
},
{
"url": "https://plugins.trac.wordpress.org/browser/unlimited-elementor-inner-sections-by-boomdevs/tags/1.2.0/includes/Widgets/AdvancedAccordion.php#L1396"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=unlimited-elementor-inner-sections-by-boomdevs/tags/1.3.3\u0026new_path=unlimited-elementor-inner-sections-by-boomdevs/tags/1.3.4"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-01T04:21:28.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-08T19:49:58.000Z",
"value": "Disclosed"
}
],
"title": "Prime Elementor Addons \u003c= 1.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget HTML Tag Settings"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8677",
"datePublished": "2026-06-09T08:29:39.999Z",
"dateReserved": "2026-05-15T13:20:51.029Z",
"dateUpdated": "2026-06-09T15:13:07.255Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8599 (GCVE-0-2026-8599)
Vulnerability from cvelistv5 – Published: 2026-06-09 07:49 – Updated: 2026-06-09 19:05
Title
MailerPress <= 2.0.4 - Authenticated (Author+) Stored Cross-Site Scripting via Campaign HTML Content Field
Summary
The MailerPress – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Campaign HTML Content Field in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The public-facing campaign preview endpoint (/mp-email/{id}-slug/) is not affected by this vulnerability, as it applies a Content-Security-Policy header blocking all inline scripts; exploitation is limited to the admin dashboard preview.
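The summary records an unusual split: the same stored HTML is harmless on the public preview route because a Content-Security-Policy header forbids inline script there, and exploitable in the admin-dashboard preview where no such header applies. The example below is added here and is not MailerPress code; the policy directives, the sandboxed-iframe approach for the admin side and the helper names are illustrative choices, not the vendor's fix (the page does not show it). It renders a constructed campaign template two ways: as a standalone response under a strict policy, and, for a preview that must live inside wp-admin (where a blanket CSP would break the dashboard's own inline scripts), inside an origin-less sandboxed frame via srcdoc.

```php
<?php
// Added example, not MailerPress code.
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
}

// Constructed author-supplied campaign HTML containing script in two forms.
$campaign_html = '<h1>Newsletter</h1><img src=x onerror="alert(document.domain)">'
               . '<script>alert(document.cookie)</script>';

// (1) Standalone preview endpoint: no script from any origin, no inline handlers,
//     no framing, no form posts; inline styles stay because email HTML needs them.
function preview_csp_header(): string {
    $policy = [
        "default-src 'none'",
        "img-src https: data:",
        "style-src 'unsafe-inline'",
        "frame-ancestors 'none'",
        "form-action 'none'",
        "base-uri 'none'",
    ];
    return 'Content-Security-Policy: ' . implode('; ', $policy);
}

// Called from the route handler before any output.
function send_standalone_preview(string $html): void {
    if (!headers_sent()) {
        header(preview_csp_header());
        header('X-Content-Type-Options: nosniff');
        header('Content-Type: text/html; charset=utf-8');
    }
    echo $html;   // the policy, not escaping, is what neutralises the script here
}

// (2) Admin-side preview: isolate the HTML in a sandboxed, origin-less frame.
//     No 'allow-scripts' and no 'allow-same-origin', so the content can neither
//     run script nor read the dashboard's cookies or DOM. srcdoc is an attribute,
//     so the HTML is attribute-escaped and the browser decodes it back.
function admin_preview_iframe(string $html): string {
    return '<iframe sandbox="" referrerpolicy="no-referrer" '
         . 'style="width:100%;height:600px;border:0" '
         . 'srcdoc="' . esc_attr($html) . '"></iframe>';
}

echo preview_csp_header(), "\n\n";
echo admin_preview_iframe($campaign_html), "\n";
```

Neither mechanism is a substitute for the actual fix, which is sanitizing or escaping the stored HTML for the context it is shown in; CSP and sandboxing are the layers that turned this finding from "any viewer of the public preview" into "admin preview only", which is exactly the reduced scope the advisory reports. When reviewing similar plugins, check that every place the stored HTML is rendered gets one of these layers, not only the public route.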
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
11 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mailerpress | MailerPress – Email Marketing, Newsletter, Email Automation & WooCommerce Emails | Affected: 0 , ≤ 2.0.4 (semver) | |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8599",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T19:05:22.171041Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T19:05:56.169Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MailerPress \u2013 Email Marketing, Newsletter, Email Automation \u0026 WooCommerce Emails",
"vendor": "mailerpress",
"versions": [
{
"lessThanOrEqual": "2.0.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Faizan Shaik"
}
],
"descriptions": [
{
"lang": "en",
"value": "The MailerPress \u2013 Email Marketing, Newsletter, Email Automation \u0026 WooCommerce Emails plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Campaign HTML Content Field in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The public-facing campaign preview endpoint (/mp-email/{id}-slug/) is not affected by this vulnerability, as it applies a Content-Security-Policy header blocking all inline scripts; exploitation is limited to the admin dashboard preview."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T07:49:57.903Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c52cadb2-703f-4aad-85f2-aec1dd4befdc?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mailerpress/tags/2.0.3/src/Api/Campaigns.php#L2128"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mailerpress/tags/2.0.3/src/Api/Campaigns.php#L2100"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mailerpress/tags/2.0.3/src/Api/Campaigns.php#L2137"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mailerpress/tags/2.0.3/src/Actions/Shortcodes/CampaignEmail.php#L161"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mailerpress/trunk/src/Api/Campaigns.php#L2128"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mailerpress/trunk/src/Api/Campaigns.php#L2100"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mailerpress/trunk/src/Api/Campaigns.php#L2137"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mailerpress/trunk/src/Actions/Shortcodes/CampaignEmail.php#L161"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mailerpress/tags/2.0.5/src/Api/Campaigns.php#L4713"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mailerpress/tags/2.0.5/src/Api/Campaigns.php#L2229"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-14T16:37:12.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-08T19:47:21.000Z",
"value": "Disclosed"
}
],
"title": "MailerPress \u003c= 2.0.4 - Authenticated (Author+) Stored Cross-Site Scripting via Campaign HTML Content Field"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8599",
"datePublished": "2026-06-09T07:49:57.903Z",
"dateReserved": "2026-05-14T14:57:19.613Z",
"dateUpdated": "2026-06-09T19:05:56.169Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7542 (GCVE-0-2026-7542)
Vulnerability from cvelistv5 – Published: 2026-06-09 07:49 – Updated: 2026-06-09 16:03
Title
Slider Revolution <= 7.0.10 - Authenticated (Subscriber+) Sensitive Information Disclosure
Summary
The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions up to and including 7.0.10. This is due to three compounding design flaws: (1) the plugin leaks a valid backend AJAX nonce (revslider_actions) to all authenticated users including Subscribers via the admin_footer hook; (2) the wordpress.create.image_from_url action is explicitly allowlisted in the $user_allowed array, bypassing the administrator-only access control; (3) the create_wordpress_image_from_url() function accepts an attacker-controlled url parameter that is passed to import_media(), where path_or_url_exists() explicitly accepts local filesystem paths (file_exists() && is_readable()) with no restriction to remote HTTP/HTTPS URLs, and @copy() physically copies those files into the publicly accessible /wp-content/uploads/revslider/ai/ directory. The MIME type check trusts the attacker-supplied content_type parameter to derive the destination extension without verifying actual file content, and the source extension blacklist does not block many sensitive types (.sql, .log, .json, .bak, .xml, .csv, .conf, .yml, .yaml, .pem, .key, .crt, .txt, .db, etc.). This makes it possible for authenticated attackers with Subscriber-level access and above to read the contents of server files with non-blacklisted extensions by having them copied to a publicly accessible URL.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Revolution Slider | Slider Revolution | Affected: 0, ≤ 7.0.10 (semver) | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7542",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T16:03:34.179689Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T16:03:46.657Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Slider Revolution",
"vendor": "Revolution Slider",
"versions": [
{
"lessThanOrEqual": "7.0.10",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Luc Huynh from Noventiq RedTeam"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions up to and including 7.0.10. This is due to three compounding design flaws: (1) the plugin leaks a valid backend AJAX nonce (revslider_actions) to all authenticated users including Subscribers via the admin_footer hook; (2) the wordpress.create.image_from_url action is explicitly allowlisted in the $user_allowed array, bypassing the administrator-only access control; (3) the create_wordpress_image_from_url() function accepts an attacker-controlled url parameter that is passed to import_media(), where path_or_url_exists() explicitly accepts local filesystem paths (file_exists() \u0026\u0026 is_readable()) with no restriction to remote HTTP/HTTPS URLs, and @copy() physically copies those files into the publicly accessible /wp-content/uploads/revslider/ai/ directory. The MIME type check trusts the attacker-supplied content_type parameter to derive the destination extension without verifying actual file content, and the source extension blacklist does not block many sensitive types (.sql, .log, .json, .bak, .xml, .csv, .conf, .yml, .yaml, .pem, .key, .crt, .txt, .db, etc.). This makes it possible for authenticated attackers with Subscriber-level access and above to read the contents of server files with non-blacklisted extensions by having them copied to a publicly accessible URL."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T07:49:57.401Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4f57cac9-5610-454b-affb-86384ea00881?source=cve"
},
{
"url": "https://www.sliderrevolution.com/changelog/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-30T19:04:51.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-08T19:07:40.000Z",
"value": "Disclosed"
}
],
"title": "Slider Revolution \u003c= 7.0.10 - Authenticated (Subscriber+) Sensitive Information Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-7542",
"datePublished": "2026-06-09T07:49:57.401Z",
"dateReserved": "2026-04-30T18:43:22.295Z",
"dateUpdated": "2026-06-09T16:03:46.657Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11616 (GCVE-0-2026-11616)
Vulnerability from cvelistv5 – Published: 2026-06-09 07:49 – Updated: 2026-06-09 13:32
Title
Events Calendar for GeoDirectory <= 2.3.28 - Authenticated (Subscriber+) Privilege Escalation
Summary
The Events Calendar for GeoDirectory plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 2.3.28. This is due to the ajax_ayi_action() handler only applying strip_tags(esc_sql()) — with no allow-list — to the attacker-controlled $_POST['type'] and $_POST['postid'] values before forwarding them to update_ayi_data(), which calls update_user_meta($current_user->ID, $rsvp_args['type'], $posts). By passing type=wp_capabilities and postid=administrator, an attacker writes ['subscriber'=>true,'administrator'=>'administrator'] into their own wp_capabilities user meta; WP_User::get_role_caps() then treats the 'administrator' array key as an active role on the next request. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to Administrator.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-269 - Improper Privilege Management
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| stiofansisland | Events Calendar for GeoDirectory | Affected: 0, ≤ 2.3.28 (semver) | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11616",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T13:32:11.162009Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T13:32:19.796Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Events Calendar for GeoDirectory",
"vendor": "stiofansisland",
"versions": [
{
"lessThanOrEqual": "2.3.28",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen Hung"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Events Calendar for GeoDirectory plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 2.3.28. This is due to the ajax_ayi_action() handler only applying strip_tags(esc_sql()) \u2014 with no allow-list \u2014 to the attacker-controlled $_POST[\u0027type\u0027] and $_POST[\u0027postid\u0027] values before forwarding them to update_ayi_data(), which calls update_user_meta($current_user-\u003eID, $rsvp_args[\u0027type\u0027], $posts). By passing type=wp_capabilities and postid=administrator, an attacker writes [\u0027subscriber\u0027=\u003etrue,\u0027administrator\u0027=\u003e\u0027administrator\u0027] into their own wp_capabilities user meta; WP_User::get_role_caps() then treats the \u0027administrator\u0027 array key as an active role on the next request. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to Administrator."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T07:49:56.778Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/11ba187b-1fe4-4077-ad9d-a07660133e91?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/events-for-geodirectory/tags/2.3.28/includes/class-geodir-event-ayi.php#L357"
},
{
"url": "https://plugins.trac.wordpress.org/browser/events-for-geodirectory/tags/2.3.28/includes/class-geodir-event-ayi.php#L154"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3533585%40events-for-geodirectory\u0026new=3533585%40events-for-geodirectory\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-08T19:17:22.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-08T19:02:22.000Z",
"value": "Disclosed"
}
],
"title": "Events Calendar for GeoDirectory \u003c= 2.3.28 - Authenticated (Subscriber+) Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-11616",
"datePublished": "2026-06-09T07:49:56.778Z",
"dateReserved": "2026-06-08T19:02:08.537Z",
"dateUpdated": "2026-06-09T13:32:19.796Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8895 (GCVE-0-2026-8895)
Vulnerability from cvelistv5 – Published: 2026-06-09 03:41 – Updated: 2026-06-09 16:02
Title
kk blog card <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Summary
The kk blog card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'blog-card' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on the shortcode's 'href' and 'type' attributes, which are concatenated directly into HTML attribute contexts in the shortcode callback registered in kk-blog-card-shortcode.php. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| kenz60 | kk blog card | Affected: 0, ≤ 1.3 (semver) | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8895",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T16:02:33.811582Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T16:02:46.631Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "kk blog card",
"vendor": "kenz60",
"versions": [
{
"lessThanOrEqual": "1.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ"
}
],
"descriptions": [
{
"lang": "en",
"value": "The kk blog card plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027blog-card\u0027 shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on the shortcode\u0027s \u0027href\u0027 and \u0027type\u0027 attributes, which are concatenated directly into HTML attribute contexts in the shortcode callback registered in kk-blog-card-shortcode.php. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T03:41:24.370Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f6ccddd4-89fe-4786-917b-944185b4510b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kk-blog-card/tags/1.3/kk-blog-card-shortcode.php#L8"
},
{
"url": "https://plugins.trac.wordpress.org/browser/kk-blog-card/tags/1.3/kk-blog-card-shortcode.php#L4"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-08T15:07:46.000Z",
"value": "Disclosed"
}
],
"title": "kk blog card \u003c= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8895",
"datePublished": "2026-06-09T03:41:24.370Z",
"dateReserved": "2026-05-18T21:01:25.804Z",
"dateUpdated": "2026-06-09T16:02:46.631Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11603 (GCVE-0-2026-11603)
Vulnerability from cvelistv5 – Published: 2026-06-09 03:41 – Updated: 2026-06-09 15:19
Title
Product Filter Widget for Elementor <= 1.0.6 - Reflected Cross-Site Scripting via 'args[filterFormArray]' Parameter
Summary
The Product Filter Widget for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via 'args[filterFormArray]' Parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The endpoint is registered via wp_ajax_nopriv_ with no nonce verification or capability check, and exploitation is delivered via a CSRF-style form auto-submission to the admin-ajax.php endpoint, requiring the attacker to trick a victim into visiting an attacker-controlled page.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| brthumar1959 | Product Filter Widget for Elementor | Affected: 0, ≤ 1.0.6 (semver) | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11603",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T15:13:53.269536Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T15:19:33.016Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Product Filter Widget for Elementor",
"vendor": "brthumar1959",
"versions": [
{
"lessThanOrEqual": "1.0.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "JongWook Gong"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Product Filter Widget for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via \u0027args[filterFormArray]\u0027 Parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The endpoint is registered via wp_ajax_nopriv_ with no nonce verification or capability check, and exploitation is delivered via a CSRF-style form auto-submission to the admin-ajax.php endpoint, requiring the attacker to trick a victim into visiting an attacker-controlled page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T03:41:23.979Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e25ef117-72c4-4696-9248-5caa937b47e9?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/product-filter-widget-for-elementor/trunk/inc/controller/Eszpf_Ajax_Handler.php#L117"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-08T15:13:18.000Z",
"value": "Disclosed"
}
],
"title": "Product Filter Widget for Elementor \u003c= 1.0.6 - Reflected Cross-Site Scripting via \u0027args[filterFormArray]\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-11603",
"datePublished": "2026-06-09T03:41:23.979Z",
"dateReserved": "2026-06-08T15:12:34.507Z",
"dateUpdated": "2026-06-09T15:19:33.016Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8904 (GCVE-0-2026-8904)
Vulnerability from cvelistv5 – Published: 2026-06-09 03:41 – Updated: 2026-06-09 19:07
Title
FastPicker, an order picker and order management system (oms) for WooCommerce on steroids <= 1.0.2 - Cross-Site Request Forgery via Settings Save
Summary
The FastPicker, an order picker and order management system (oms) for WooCommerce on steroids plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the settingsPage function. This makes it possible for unauthenticated attackers to modify the plugin's settings, including toggling the webhook integration and changing the FastPicker and KDZ API URLs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| yuluma | FastPicker, an order picker and order management system (oms) for WooCommerce on steroids | Affected: 0, ≤ 1.0.2 (semver) | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8904",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T19:07:06.531523Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T19:07:16.667Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FastPicker, an order picker and order management system (oms) for WooCommerce on steroids",
"vendor": "yuluma",
"versions": [
{
"lessThanOrEqual": "1.0.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Afnaan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The FastPicker, an order picker and order management system (oms) for WooCommerce on steroids plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the settingsPage function. This makes it possible for unauthenticated attackers to modify the plugin\u0027s settings, including toggling the webhook integration and changing the FastPicker and KDZ API URLs via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T03:41:23.635Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d1e3a7d8-d303-4638-8dc9-c62302cfa5fb?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/fastpicker/trunk/src/WooOrderpicker/Admin.php#L29"
},
{
"url": "https://plugins.trac.wordpress.org/browser/fastpicker/trunk/src/Views/Settings.php#L32"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-08T15:05:35.000Z",
"value": "Disclosed"
}
],
"title": "FastPicker, an order picker and order management system (oms) for WooCommerce on steroids \u003c= 1.0.2 - Cross-Site Request Forgery via Settings Save"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8904",
"datePublished": "2026-06-09T03:41:23.635Z",
"dateReserved": "2026-05-18T21:19:04.590Z",
"dateUpdated": "2026-06-09T19:07:16.667Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10553 (GCVE-0-2026-10553)
Vulnerability from cvelistv5 – Published: 2026-06-09 03:41 – Updated: 2026-06-09 19:10
Title
jQuery Hover Footnotes <= 1.4 - Cross-Site Request Forgery to Plugin Settings Update
Summary
The jQuery Hover Footnotes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the jqFootnotes_options_subpanel function. This makes it possible for unauthenticated attackers to update the plugin's settings with arbitrary values that, because option values such as jqfoot_anchor_open, jqfoot_anchor_close, and jqfoot_title are echoed unescaped into frontend page content, can be chained into persistent Cross-Site Scripting affecting all site visitors via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation of the CSRF vulnerability can be chained into stored Cross-Site Scripting, as the overwritten option values are persisted via update_option() without sanitization and rendered unescaped on the frontend.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| weaverlancegmailcom | jQuery Hover Footnotes | Affected: 0, ≤ 1.4 (semver) | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10553",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T19:09:42.861325Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T19:10:34.333Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "jQuery Hover Footnotes",
"vendor": "weaverlancegmailcom",
"versions": [
{
"lessThanOrEqual": "1.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "nishida azuka"
}
],
"descriptions": [
{
"lang": "en",
"value": "The jQuery Hover Footnotes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the jqFootnotes_options_subpanel function. This makes it possible for unauthenticated attackers to update the plugin\u0027s settings with arbitrary values that, because option values such as jqfoot_anchor_open, jqfoot_anchor_close, and jqfoot_title are echoed unescaped into frontend page content, can be chained into persistent Cross-Site Scripting affecting all site visitors via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Successful exploitation of the CSRF vulnerability can be chained into stored Cross-Site Scripting, as the overwritten option values are persisted via update_option() without sanitization and rendered unescaped on the frontend."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T03:41:23.259Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c174887b-e24d-4100-97da-8e0923ebafe5?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/jquery-hover-footnotes/trunk/jqFootnotes.php#L57"
},
{
"url": "https://plugins.trac.wordpress.org/browser/jquery-hover-footnotes/trunk/jqFootnotes.php#L56"
},
{
"url": "https://plugins.trac.wordpress.org/browser/jquery-hover-footnotes/trunk/jqFootnotes.php#L159"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-08T15:07:36.000Z",
"value": "Disclosed"
}
],
"title": "jQuery Hover Footnotes \u003c= 1.4 - Cross-Site Request Forgery to Plugin Settings Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-10553",
"datePublished": "2026-06-09T03:41:23.259Z",
"dateReserved": "2026-06-01T13:54:24.821Z",
"dateUpdated": "2026-06-09T19:10:34.333Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8910 (GCVE-0-2026-8910)
Vulnerability from cvelistv5 – Published: 2026-06-09 03:41 – Updated: 2026-06-09 14:10
Title
WP Emoticon Rating <= 1.0.1 - Cross-Site Request Forgery to Reflected Cross-Site Scripting via 'emo_settings' Parameter
Summary
The WP Emoticon Rating plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| rahulbhangale | WP Emoticon Rating | Affected: 0 , ≤ 1.0.1 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8910",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T14:10:25.167199Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T14:10:48.801Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Emoticon Rating",
"vendor": "rahulbhangale",
"versions": [
{
"lessThanOrEqual": "1.0.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Nur Ibnu Hubab"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Emoticon Rating plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T03:41:22.889Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b2a0b560-3f5a-4d09-9cc1-e22b2a19dfe6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-emoticon-rating/trunk/admin/wp-emo-admin.php#L101"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-emoticon-rating/trunk/admin/wp-emo-admin.php#L76"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-emoticon-rating/trunk/admin/wp-emo-admin.php#L18"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-emoticon-rating/trunk/admin/wp-emo-admin.php#L107"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-emoticon-rating/trunk/admin/wp-emo-admin.php#L130"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-emoticon-rating/trunk/admin/wp-emo-admin.php#L136"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-08T15:06:05.000Z",
"value": "Disclosed"
}
],
"title": "WP Emoticon Rating \u003c= 1.0.1 - Cross-Site Request Forgery to Reflected Cross-Site Scripting via \u0027emo_settings\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8910",
"datePublished": "2026-06-09T03:41:22.889Z",
"dateReserved": "2026-05-18T21:50:49.407Z",
"dateUpdated": "2026-06-09T14:10:48.801Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10738 (GCVE-0-2026-10738)
Vulnerability from cvelistv5 – Published: 2026-06-09 03:41 – Updated: 2026-06-09 15:13
Title
jQuery Hover Footnotes <= 1.4 - Authenticated (Author+) Stored Cross-Site Scripting via Footnote Qualifier ('{{...}}' Syntax)
Summary
The jQuery Hover Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Footnote Qualifier ('{{...}}' Syntax) in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The attribute-breakout payload (e.g., a double-quote followed by an event handler) contains no angle brackets and therefore bypasses WordPress core's wp_kses_post() filtering, which only strips disallowed HTML tags rather than sanitizing attribute contexts.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Impacted products
1 product
| Vendor | Product | Version |
|---|---|---|
| weaverlancegmailcom | jQuery Hover Footnotes | Affected: 0 , ≤ 1.4 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10738",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T15:01:58.347087Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T15:13:13.489Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "jQuery Hover Footnotes",
"vendor": "weaverlancegmailcom",
"versions": [
{
"lessThanOrEqual": "1.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "nishida azuka"
}
],
"descriptions": [
{
"lang": "en",
"value": "The jQuery Hover Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Footnote Qualifier (\u0027{{...}}\u0027 Syntax) in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The attribute-breakout payload (e.g., a double-quote followed by an event handler) contains no angle brackets and therefore bypasses WordPress core\u0027s wp_kses_post() filtering, which only strips disallowed HTML tags rather than sanitizing attribute contexts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T03:41:22.446Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b02bdf2a-1d99-4cc3-8f75-822ff0792e44?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/jquery-hover-footnotes/trunk/jqFootnotes.php#L246"
},
{
"url": "https://plugins.trac.wordpress.org/browser/jquery-hover-footnotes/trunk/jqFootnotes.php#L235"
},
{
"url": "https://plugins.trac.wordpress.org/browser/jquery-hover-footnotes/trunk/jqFootnotes.php#L213"
},
{
"url": "https://plugins.trac.wordpress.org/browser/jquery-hover-footnotes/trunk/jqFootnotes.php#L222"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-08T15:07:26.000Z",
"value": "Disclosed"
}
],
"title": "jQuery Hover Footnotes \u003c= 1.4 - Authenticated (Author+) Stored Cross-Site Scripting via Footnote Qualifier (\u0027{{...}}\u0027 Syntax)"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-10738",
"datePublished": "2026-06-09T03:41:22.446Z",
"dateReserved": "2026-06-03T13:04:14.546Z",
"dateUpdated": "2026-06-09T15:13:13.489Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}