
CVE-2026-3844 (GCVE-0-2026-3844)

Vulnerability from cvelistv5 – Published: 2026-04-23 02:25 – Updated: 2026-04-23 02:25
Title
Breeze Cache <= 2.4.4 - Unauthenticated Arbitrary File Upload via fetch_gravatar_from_remote
Summary
The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetch_gravatar_from_remote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability can only be exploited if "Host Files Locally - Gravatars" is enabled, which is disabled by default.
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
Wordfence
Impacted products
Vendor: cloudways
Product: Breeze Cache
Versions: affected from 0 up to and including 2.4.4 (semver)
Credits
Hung Nguyen

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Breeze Cache",
          "vendor": "cloudways",
          "versions": [
            {
              "lessThanOrEqual": "2.4.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Hung Nguyen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the \u0027fetch_gravatar_from_remote\u0027 function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site\u0027s server which may make remote code execution possible. The vulnerability can only be exploited if \"Host Files Locally - Gravatars\" is enabled, which is disabled by default."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-23T02:25:21.927Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e342b1c0-6e7f-4e2c-8a52-018df12c12a0?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/breeze/tags/2.4.1/inc/class-breeze-cache-cronjobs.php#L119"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/breeze/tags/2.4.1/inc/class-breeze-cache-cronjobs.php#L89"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3511463/breeze"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-22T13:59:41.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Breeze Cache \u003c= 2.4.4 - Unauthenticated Arbitrary File Upload via fetch_gravatar_from_remote"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-3844",
    "datePublished": "2026-04-23T02:25:21.927Z",
    "dateReserved": "2026-03-09T18:35:58.751Z",
    "dateUpdated": "2026-04-23T02:25:21.927Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2951 (GCVE-0-2026-2951)

Vulnerability from cvelistv5 – Published: 2026-04-23 02:25 – Updated: 2026-04-23 02:25
Title
Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor <= 3.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gutentor Block HTML
Summary
The Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Wordfence
Credits
Muhammad Yudha - DJ

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor",
          "vendor": "gutentor",
          "versions": [
            {
              "lessThanOrEqual": "3.5.5",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Yudha - DJ"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-23T02:25:21.258Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d7c639b8-35f5-4eaf-a663-1adab3ba2a16?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3495930/gutentor"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-22T13:44:42.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor \u003c= 3.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gutentor Block HTML"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-2951",
    "datePublished": "2026-04-23T02:25:21.258Z",
    "dateReserved": "2026-02-21T20:23:25.224Z",
    "dateUpdated": "2026-04-23T02:25:21.258Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1923 (GCVE-0-2026-1923)

Vulnerability from cvelistv5 – Published: 2026-04-23 01:24 – Updated: 2026-04-23 01:24
Title
Social Rocket – Social Sharing Plugin <= 1.3.4.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via id
Summary
The Social Rocket – Social Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.3.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Wordfence
Impacted products
Credits
Tarcísio Luchesi De Almeida Silva

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Social Rocket \u2013 Social Sharing Plugin",
          "vendor": "socialrocket",
          "versions": [
            {
              "lessThanOrEqual": "1.3.4.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Tarc\u00edsio Luchesi De Almeida Silva"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Social Rocket \u2013 Social Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018id\u2019 parameter in all versions up to, and including, 1.3.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-23T01:24:32.284Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d92fc04e-201e-4fc3-bbf0-4f2f3de3ee95?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3467694/social-rocket"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-22T12:47:30.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Social Rocket \u2013 Social Sharing Plugin \u003c= 1.3.4.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via id"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1923",
    "datePublished": "2026-04-23T01:24:32.284Z",
    "dateReserved": "2026-02-04T18:52:24.771Z",
    "dateUpdated": "2026-04-23T01:24:32.284Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1913 (GCVE-0-2026-1913)

Vulnerability from cvelistv5 – Published: 2026-04-22 09:27 – Updated: 2026-04-22 09:27
Title
Gallagher Website Design <= 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'prefix' Shortcode Attribute
Summary
The Gallagher Website Design plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's login_link shortcode in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on the 'prefix' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Wordfence
Impacted products
Vendor: gallagherwebsitedesign
Product: Gallagher Website Design
Versions: affected from 0 up to and including 2.6.4 (semver)
Credits
Djaidja Moundjid

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Gallagher Website Design",
          "vendor": "gallagherwebsitedesign",
          "versions": [
            {
              "lessThanOrEqual": "2.6.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Djaidja Moundjid"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Gallagher Website Design plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s login_link shortcode in all versions up to, and including, 2.6.4 due to insufficient input sanitization and output escaping on the \u0027prefix\u0027 attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T09:27:20.844Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d8d013ae-a512-454a-bcfc-8725a6928fee?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/gallagher-website-design/trunk/gallagher-website-design.php#L203"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/gallagher-website-design/tags/2.6.4/gallagher-website-design.php#L203"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3454227%40gallagher-website-design\u0026new=3454227%40gallagher-website-design\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T20:36:56.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Gallagher Website Design \u003c= 2.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027prefix\u0027 Shortcode Attribute"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1913",
    "datePublished": "2026-04-22T09:27:20.844Z",
    "dateReserved": "2026-02-04T15:37:47.705Z",
    "dateUpdated": "2026-04-22T09:27:20.844Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1395 (GCVE-0-2026-1395)

Vulnerability from cvelistv5 – Published: 2026-04-22 09:27 – Updated: 2026-04-22 12:05
Title
Gutentools <= 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Slider Block Attributes
Summary
The Gutentools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Slider block's block_id attribute in all versions up to, and including, 1.1.3. This is due to insufficient input sanitization and output escaping combined with a custom unescaping routine that reintroduces dangerous characters. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Wordfence
Impacted products
Vendor: gutentools
Product: Gutentools
Versions: affected from 0 up to and including 1.1.3 (semver)
Credits
Athiwat Tiprasaharn
Itthidej Aramsri

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1395",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T12:05:30.070860Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T12:05:44.174Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Gutentools",
          "vendor": "gutentools",
          "versions": [
            {
              "lessThanOrEqual": "1.1.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Athiwat Tiprasaharn"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Itthidej Aramsri"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Gutentools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Slider block\u0027s block_id attribute in all versions up to, and including, 1.1.3. This is due to insufficient input sanitization and output escaping combined with a custom unescaping routine that reintroduces dangerous characters. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T09:27:20.476Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b2683b4e-b993-4c84-b7cc-a2cb511b4097?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/gutentools/trunk/core/blocks/post-slider.php#L232"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/gutentools/tags/1.1.3/core/blocks/post-slider.php#L232"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/gutentools/trunk/core/gutentools_block.php#L123"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3476597/gutentools/trunk/core/blocks/post-slider.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T20:38:53.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Gutentools \u003c= 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Slider Block Attributes"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1395",
    "datePublished": "2026-04-22T09:27:20.476Z",
    "dateReserved": "2026-01-23T21:14:51.848Z",
    "dateUpdated": "2026-04-22T12:05:44.174Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1930 (GCVE-0-2026-1930)

Vulnerability from cvelistv5 – Published: 2026-04-22 09:27 – Updated: 2026-04-22 13:45
Title
Emailchef <= 3.5.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Deletion
Summary
The Emailchef plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the page_options_ajax_disconnect() function in all versions up to, and including, 3.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's settings via the 'emailchef_disconnect' AJAX action.
CWE
  • CWE-862 - Missing Authorization
Assigner
Wordfence
Impacted products
Vendor: hanicker
Product: Emailchef
Versions: affected from 0 up to and including 3.5.1 (semver)
Credits
Abhirup Konwar

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1930",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T13:45:36.239460Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T13:45:47.683Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Emailchef",
          "vendor": "hanicker",
          "versions": [
            {
              "lessThanOrEqual": "3.5.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Abhirup Konwar"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Emailchef plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the page_options_ajax_disconnect() function in all versions up to, and including, 3.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin\u0027s settings via the \u0027emailchef_disconnect\u0027 AJAX action."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T09:27:19.900Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3ae02595-17f0-472d-bc4f-6169cce7a583?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/emailchef/trunk/admin/class-emailchef-admin.php#L121"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/emailchef/tags/3.5.1/admin/class-emailchef-admin.php#L121"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/emailchef/trunk/admin/class-emailchef-admin.php#L200"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/emailchef/tags/3.5.1/admin/class-emailchef-admin.php#L200"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3474353%40emailchef\u0026new=3474353%40emailchef\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T20:35:30.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Emailchef \u003c= 3.5.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Deletion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1930",
    "datePublished": "2026-04-22T09:27:19.900Z",
    "dateReserved": "2026-02-04T20:54:31.865Z",
    "dateUpdated": "2026-04-22T13:45:47.683Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4353 (GCVE-0-2026-4353)

Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 14:21
Title
CI HUB Connector <= 1.2.106 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute
Summary
The CI HUB Connector plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the `cihub_metadata` shortcode in all versions up to, and including, 1.2.106 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Wordfence
Impacted products
Vendor: cihubconnector
Product: CI HUB Connector
Versions: affected from 0 up to and including 1.2.106 (semver)
Credits
Djaidja Moundjid

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4353",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T14:21:19.744444Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T14:21:53.608Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "CI HUB Connector",
          "vendor": "cihubconnector",
          "versions": [
            {
              "lessThanOrEqual": "1.2.106",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Djaidja Moundjid"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The CI HUB Connector plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027id\u0027 attribute of the `cihub_metadata` shortcode in all versions up to, and including, 1.2.106 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T07:45:43.152Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f4b36468-319a-4de3-9112-bd4a3cf7d637?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ci-hub-connector/tags/1.2.106/ci-hub-wordpress-connector.php#L645"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ci-hub-connector/trunk/ci-hub-wordpress-connector.php#L645"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T19:07:58.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "CI HUB Connector \u003c= 1.2.106 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027id\u0027 Shortcode Attribute"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4353",
    "datePublished": "2026-04-22T07:45:43.152Z",
    "dateReserved": "2026-03-17T17:53:47.917Z",
    "dateUpdated": "2026-04-22T14:21:53.608Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4138 (GCVE-0-2026-4138)

Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 14:17
Title
DX Unanswered Comments <= 1.7 - Cross-Site Request Forgery via Settings Update
Summary
The DX Unanswered Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation on the plugin's settings form in the dxuc-unanswered-comments-admin-page.php file. This makes it possible for unauthenticated attackers to modify plugin settings (dxuc_authors_list and dxuc_comment_count) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Impacted products
Vendor Product Version
nofearinc DX Unanswered Comments Affected: 0 , ≤ 1.7 (semver)
Credits
Muhammad Afnaan

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4138",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T14:16:35.654510Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T14:17:42.821Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "DX Unanswered Comments",
          "vendor": "nofearinc",
          "versions": [
            {
              "lessThanOrEqual": "1.7",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Afnaan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The DX Unanswered Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation on the plugin\u0027s settings form in the dxuc-unanswered-comments-admin-page.php file. This makes it possible for unauthenticated attackers to modify plugin settings (dxuc_authors_list and dxuc_comment_count) via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T07:45:42.794Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e44dbd0e-d6a7-438b-b1bf-a6628734fec4?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/trunk/dxuc-unanswered-comments-admin-page.php#L13"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/tags/1.7/dxuc-unanswered-comments-admin-page.php#L13"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/trunk/dxuc-unanswered-comments-admin-page.php#L21"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/tags/1.7/dxuc-unanswered-comments-admin-page.php#L21"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/trunk/dxuc-unanswered-comments-admin-page.php#L25"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/tags/1.7/dxuc-unanswered-comments-admin-page.php#L25"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/trunk/dxuc-unanswered-comments-admin-page.php#L40"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/dx-unanswered-comments/tags/1.7/dxuc-unanswered-comments-admin-page.php#L40"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T19:05:53.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "DX Unanswered Comments \u003c= 1.7 - Cross-Site Request Forgery via Settings Update"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4138",
    "datePublished": "2026-04-22T07:45:42.794Z",
    "dateReserved": "2026-03-13T15:27:34.203Z",
    "dateUpdated": "2026-04-22T14:17:42.821Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6294 (GCVE-0-2026-6294)

Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 12:07
Title
Google PageRank Display <= 1.4 - Cross-Site Request Forgery to Settings Update via Settings Page
Summary
The Google PageRank Display plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.4. This is due to missing nonce validation in the gpdisplay_option() function, which handles the plugin settings page. The settings form does not include a wp_nonce_field(), and the form handler does not call check_admin_referer() or wp_verify_nonce() before processing the POST request. This makes it possible for unauthenticated attackers to trick a logged-in administrator into submitting a crafted request that changes the plugin's settings (stored via update_option()), such as the display style used to render the PageRank badge.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Impacted products
Vendor Product Version
byybora Google PageRank Display Affected: 0 , ≤ 1.4 (semver)
Credits
Muhammad Nur Ibnu Hubab

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6294",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T12:07:13.630785Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T12:07:22.564Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Google PageRank Display",
          "vendor": "byybora",
          "versions": [
            {
              "lessThanOrEqual": "1.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Nur Ibnu Hubab"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Google PageRank Display plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.4. This is due to missing nonce validation in the gpdisplay_option() function, which handles the plugin settings page. The settings form does not include a wp_nonce_field(), and the form handler does not call check_admin_referer() or wp_verify_nonce() before processing the POST request. This makes it possible for unauthenticated attackers to trick a logged-in administrator into submitting a crafted request that changes the plugin\u0027s settings (stored via update_option()), such as the display style used to render the PageRank badge."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T07:45:42.426Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e39ebe27-7780-48b6-8dca-7da7a78fce69?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/google-pagerank-display/trunk/gpdisplay.php#L32"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/google-pagerank-display/tags/1.4/gpdisplay.php#L32"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/google-pagerank-display/trunk/gpdisplay.php#L56"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/google-pagerank-display/tags/1.4/gpdisplay.php#L56"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T19:02:33.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Google PageRank Display \u003c= 1.4 - Cross-Site Request Forgery to Settings Update via Settings Page"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-6294",
    "datePublished": "2026-04-22T07:45:42.426Z",
    "dateReserved": "2026-04-14T18:03:33.157Z",
    "dateUpdated": "2026-04-22T12:07:22.564Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6236 (GCVE-0-2026-6236)

Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 13:51
Title
Posts map <= 0.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Shortcode Attribute
Summary
The Posts map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' shortcode attribute in all versions up to, and including, 0.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
lucdecri Posts map Affected: 0 , ≤ 0.1.3 (semver)
Credits
nail majdeddine

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6236",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T13:51:03.183146Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T13:51:37.615Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Posts map",
          "vendor": "lucdecri",
          "versions": [
            {
              "lessThanOrEqual": "0.1.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "nail majdeddine"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Posts map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027name\u0027 shortcode attribute in all versions up to, and including, 0.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T07:45:42.052Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e02c5817-7a54-4958-a076-71e5e7729cda?source=cve"
        },
        {
          "url": "https://wordpress.org/plugins/posts-map/"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/posts-map/tags/0.1.3/posts-map.php#L33"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/posts-map/tags/0.1.3/posts-map.php#L78"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T19:03:41.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Posts map \u003c= 0.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027name\u0027 Shortcode Attribute"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-6236",
    "datePublished": "2026-04-22T07:45:42.052Z",
    "dateReserved": "2026-04-13T16:12:39.669Z",
    "dateUpdated": "2026-04-22T13:51:37.615Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4117 (GCVE-0-2026-4117)

Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 12:10
Title
CalJ <= 1.5 - Authenticated (Subscriber+) Arbitrary Settings Modification via 'save-obtained-key' Action
Summary
The CalJ plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5. This is due to a missing capability check in the CalJSettingsPage class constructor, which processes the 'save-obtained-key' operation directly from POST data without verifying that the requesting user has the 'manage_options' capability, and without any nonce verification. The plugin bootstrap file (calj.php) instantiates CalJSettingsPage whenever is_admin() returns true, which is the case for any authenticated user making requests to wp-admin URLs (including admin-ajax.php). This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin's API key setting and clear the Shabbat cache, effectively taking control of the plugin's API integration.
CWE
  • CWE-862 - Missing Authorization
Assigner
Impacted products
Vendor Product Version
calj CalJ Shabbat Times Affected: 0 , ≤ 1.5 (semver)
Credits
Nabil Irawan

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4117",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T12:09:58.174649Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T12:10:09.794Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "CalJ Shabbat Times",
          "vendor": "calj",
          "versions": [
            {
              "lessThanOrEqual": "1.5",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nabil Irawan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The CalJ plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5. This is due to a missing capability check in the CalJSettingsPage class constructor, which processes the \u0027save-obtained-key\u0027 operation directly from POST data without verifying that the requesting user has the \u0027manage_options\u0027 capability, and without any nonce verification. The plugin bootstrap file (calj.php) instantiates CalJSettingsPage whenever is_admin() returns true, which is the case for any authenticated user making requests to wp-admin URLs (including admin-ajax.php). This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the plugin\u0027s API key setting and clear the Shabbat cache, effectively taking control of the plugin\u0027s API integration."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T07:45:41.691Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d1c7df8e-2f82-4474-88ef-8c8ddaeb4656?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/calj/trunk/CalJSettingsPage.php#L30"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/calj/tags/1.5/CalJSettingsPage.php#L30"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/calj/trunk/CalJSettingsPage.php#L25"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/calj/tags/1.5/CalJSettingsPage.php#L25"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/calj/trunk/calj.php#L17"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/calj/tags/1.5/calj.php#L17"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T19:08:40.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "CalJ \u003c= 1.5 - Authenticated (Subscriber+) Arbitrary Settings Modification via \u0027save-obtained-key\u0027 Action"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4117",
    "datePublished": "2026-04-22T07:45:41.691Z",
    "dateReserved": "2026-03-13T13:19:56.963Z",
    "dateUpdated": "2026-04-22T12:10:09.794Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4119 (GCVE-0-2026-4119)

Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 18:32
Title
Create DB Tables <= 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Database Table Creation/Deletion via admin-post.php
Summary
The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers admin_post action hooks for creating tables (admin_post_add_table) and deleting tables (admin_post_delete_db_table) without implementing any capability checks via current_user_can() or nonce verification via wp_verify_nonce()/check_admin_referer(). The admin_post hook only requires the user to be logged in, meaning any authenticated user including Subscribers can access these endpoints. The cdbt_delete_db_table() function takes a user-supplied table name from $_POST['db_table'] and executes a DROP TABLE SQL query, allowing any authenticated attacker to delete any database table including critical WordPress core tables such as wp_users or wp_options. The cdbt_create_new_table() function similarly allows creating arbitrary tables. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary database tables and delete any existing database table, potentially destroying the entire WordPress installation.
CWE
  • CWE-862 - Missing Authorization
Assigner
Impacted products
Vendor Product Version
jppreus Create DB Tables Affected: 0 , ≤ 1.2.1 (semver)
Credits
Youcef Hamdani

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4119",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T18:31:57.438067Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T18:32:06.632Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Create DB Tables",
          "vendor": "jppreus",
          "versions": [
            {
              "lessThanOrEqual": "1.2.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Youcef Hamdani"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Create DB Tables plugin for WordPress is vulnerable to authorization bypass in all versions up to and including 1.2.1. The plugin registers admin_post action hooks for creating tables (admin_post_add_table) and deleting tables (admin_post_delete_db_table) without implementing any capability checks via current_user_can() or nonce verification via wp_verify_nonce()/check_admin_referer(). The admin_post hook only requires the user to be logged in, meaning any authenticated user including Subscribers can access these endpoints. The cdbt_delete_db_table() function takes a user-supplied table name from $_POST[\u0027db_table\u0027] and executes a DROP TABLE SQL query, allowing any authenticated attacker to delete any database table including critical WordPress core tables such as wp_users or wp_options. The cdbt_create_new_table() function similarly allows creating arbitrary tables. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary database tables and delete any existing database table, potentially destroying the entire WordPress installation."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T07:45:41.323Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d1a3bc4b-cc17-4728-b242-13841b5f7660?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L376"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L376"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-new-table.php#L69"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-new-table.php#L69"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L370"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L370"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-new-table.php#L14"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-new-table.php#L14"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L405"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L405"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/create-db-tables/trunk/create-db-tables.php#L408"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/create-db-tables/tags/1.2.1/create-db-tables.php#L408"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T19:08:50.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Create DB Tables \u003c= 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Database Table Creation/Deletion via admin-post.php"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4119",
    "datePublished": "2026-04-22T07:45:41.323Z",
    "dateReserved": "2026-03-13T13:27:41.833Z",
    "dateUpdated": "2026-04-22T18:32:06.632Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4132 (GCVE-0-2026-4132)

Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 18:19
Title
HTTP Headers <= 1.19.2 - Authenticated (Administrator+) External Control of File Name or Path to RCE via 'hh_htpasswd_path' and 'hh_www_authenticate_user' Parameters
Summary
The HTTP Headers plugin for WordPress is vulnerable to External Control of File Name or Path leading to Remote Code Execution in all versions up to and including 1.19.2. This is due to insufficient validation of the file path stored in the 'hh_htpasswd_path' option and lack of sanitization on the 'hh_www_authenticate_user' option value. The plugin allows administrators to set an arbitrary file path for the htpasswd file location and does not validate that the path has a safe file extension (e.g., restricting to .htpasswd). Additionally, the username field used for HTTP Basic Authentication is written directly into the file without sanitization. The apache_auth_credentials() function constructs the file content using the unsanitized username via sprintf('%s:{SHA}%s', $user, ...), and update_auth_credentials() writes this content to the attacker-controlled path via file_put_contents(). This makes it possible for authenticated attackers, with Administrator-level access and above, to write arbitrary content (including PHP code) to arbitrary file paths on the server, effectively achieving Remote Code Execution.
CWE
  • CWE-73 - External Control of File Name or Path
Assigner
Impacted products
Vendor Product Version
zinoui HTTP Headers Affected: 0 , ≤ 1.19.2 (semver)
Credits
Chiao-Lin Yu

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4132",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T18:18:43.623560Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T18:19:04.073Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "HTTP Headers",
          "vendor": "zinoui",
          "versions": [
            {
              "lessThanOrEqual": "1.19.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Chiao-Lin Yu"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The HTTP Headers plugin for WordPress is vulnerable to External Control of File Name or Path leading to Remote Code Execution in all versions up to and including 1.19.2. This is due to insufficient validation of the file path stored in the \u0027hh_htpasswd_path\u0027 option and lack of sanitization on the \u0027hh_www_authenticate_user\u0027 option value. The plugin allows administrators to set an arbitrary file path for the htpasswd file location and does not validate that the path has a safe file extension (e.g., restricting to .htpasswd). Additionally, the username field used for HTTP Basic Authentication is written directly into the file without sanitization. The apache_auth_credentials() function constructs the file content using the unsanitized username via sprintf(\u0027%s:{SHA}%s\u0027, $user, ...), and update_auth_credentials() writes this content to the attacker-controlled path via file_put_contents(). This makes it possible for authenticated attackers, with Administrator-level access and above, to write arbitrary content (including PHP code) to arbitrary file paths on the server, effectively achieving Remote Code Execution."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-73",
              "description": "CWE-73 External Control of File Name or Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T07:45:40.959Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ce010c6f-16bd-4178-a621-31ba6378946a?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L1403"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L1403"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L1298"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L1298"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L1296"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L1296"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L97"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L97"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L671"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L671"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L722"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L722"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T19:13:19.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "HTTP Headers \u003c= 1.19.2 - Authenticated (Administrator+) External Control of File Name or Path to RCE via \u0027hh_htpasswd_path\u0027 and \u0027hh_www_authenticate_user\u0027 Parameters"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4132",
    "datePublished": "2026-04-22T07:45:40.959Z",
    "dateReserved": "2026-03-13T14:17:17.140Z",
    "dateUpdated": "2026-04-22T18:19:04.073Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2719 (GCVE-0-2026-2719)

Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 07:45
Title
Private WP suite <= 0.4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Exceptions' Setting
Summary
The Private WP suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Exceptions' setting in all versions up to, and including, 0.4.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
fpoller Private WP suite Affected: 0 , ≤ 0.4.1 (semver)
Credits
Muhammad Nur Ibnu Hubab

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Private WP suite",
          "vendor": "fpoller",
          "versions": [
            {
              "lessThanOrEqual": "0.4.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Nur Ibnu Hubab"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Private WP suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027Exceptions\u0027 setting in all versions up to, and including, 0.4.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T07:45:40.547Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/af88a631-c4ec-47ec-ad9b-1ef38ea1be09?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/private-wp-suite/trunk/private-wp-suite.php#L153"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/private-wp-suite/tags/0.4.1/private-wp-suite.php#L153"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T19:15:55.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Private WP suite \u003c= 0.4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via \u0027Exceptions\u0027 Setting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-2719",
    "datePublished": "2026-04-22T07:45:40.547Z",
    "dateReserved": "2026-02-18T21:11:15.769Z",
    "dateUpdated": "2026-04-22T07:45:40.547Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4121 (GCVE-0-2026-4121)

Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 07:45
Title
Kcaptcha <= 1.0.1 - Cross-Site Request Forgery to Settings Update
Summary
The Kcaptcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.1. This is due to missing nonce validation in the plugin's settings page handler (admin/setting.php). The settings form does not include a wp_nonce_field() and the form processing code does not call wp_verify_nonce() or check_admin_referer() before saving settings to the database via $wpdb->update(). This makes it possible for unauthenticated attackers to modify the plugin's CAPTCHA settings (enabling or disabling CAPTCHA on login, registration, lost password, and comment forms) via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Impacted products
Vendor Product Version
ksolves Kcaptcha Affected: 0 , ≤ 1.0.1 (semver)
Credits
Muhammad Afnaan

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Kcaptcha",
          "vendor": "ksolves",
          "versions": [
            {
              "lessThanOrEqual": "1.0.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Afnaan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Kcaptcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.1. This is due to missing nonce validation in the plugin\u0027s settings page handler (admin/setting.php). The settings form does not include a wp_nonce_field() and the form processing code does not call wp_verify_nonce() or check_admin_referer() before saving settings to the database via $wpdb-\u003eupdate(). This makes it possible for unauthenticated attackers to modify the plugin\u0027s CAPTCHA settings (enabling or disabling CAPTCHA on login, registration, lost password, and comment forms) via a forged request, granted they can trick a site administrator into performing an action such as clicking a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T07:45:40.047Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a6c1c73b-76e3-4cb9-ad53-9d5d4e7519c9?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/kcaptcha/trunk/admin/setting.php#L12"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/kcaptcha/tags/1.0.1/admin/setting.php#L12"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/kcaptcha/trunk/admin/setting.php#L30"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/kcaptcha/tags/1.0.1/admin/setting.php#L30"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/kcaptcha/trunk/admin/setting.php#L47"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/kcaptcha/tags/1.0.1/admin/setting.php#L47"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T19:07:38.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Kcaptcha \u003c= 1.0.1 - Cross-Site Request Forgery to Settings Update"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4121",
    "datePublished": "2026-04-22T07:45:40.047Z",
    "dateReserved": "2026-03-13T13:31:45.845Z",
    "dateUpdated": "2026-04-22T07:45:40.047Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-5748 (GCVE-0-2026-5748)

Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 15:31
Title
Text Snippets <= 0.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'w' Shortcode Attribute
Summary
The Text Snippets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `ts` shortcode in all versions up to, and including, 0.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
snedled Text Snippets Affected: 0 , ≤ 0.0.1 (semver)
Credits
nail majdeddine

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-5748",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T15:26:29.296127Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T15:31:23.711Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Text Snippets",
          "vendor": "snedled",
          "versions": [
            {
              "lessThanOrEqual": "0.0.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "nail majdeddine"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Text Snippets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s `ts` shortcode in all versions up to, and including, 0.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T07:45:39.662Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8cc7a0f3-6a58-4e42-9341-aecf55d2ccb1?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/text-snippet/tags/0.0.1/text-snippet.php#L78"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/text-snippet/trunk/text-snippet.php#L78"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T19:02:47.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Text Snippets \u003c= 0.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027w\u0027 Shortcode Attribute"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-5748",
    "datePublished": "2026-04-22T07:45:39.662Z",
    "dateReserved": "2026-04-07T15:09:42.695Z",
    "dateUpdated": "2026-04-22T15:31:23.711Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4074 (GCVE-0-2026-4074)

Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 15:31
Title
Quran Live Multilanguage <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Summary
The Quran Live Multilanguage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cheikh' and 'lang' shortcode attributes in all versions up to, and including, 1.0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The quran_live_render() function of quran-live.php receives shortcode attributes and passes them directly through shortcode_atts() and extract() without any sanitization. These values are then passed to Render_Quran_Live::render_verse_quran_live() where they are echoed directly into inline <script> blocks using PHP short tags (<?=$cheikh;?> and <?=$lang;?>) at lines 191, 216, 217, 245, and 246 of Class_QuranLive.php. Since the output occurs inside a JavaScript context within <script> tags, an attacker can break out of the JavaScript string and inject arbitrary script code. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
karim42 Quran Live Multilanguage Affected: 0 , ≤ 1.0.3 (semver)
Credits
Gilang Asra Bilhadi

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4074",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T15:26:15.634329Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T15:31:29.305Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Quran Live Multilanguage",
          "vendor": "karim42",
          "versions": [
            {
              "lessThanOrEqual": "1.0.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Gilang Asra Bilhadi"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Quran Live Multilanguage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027cheikh\u0027 and \u0027lang\u0027 shortcode attributes in all versions up to, and including, 1.0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The quran_live_render() function of quran-live.php receives shortcode attributes and passes them directly through shortcode_atts() and extract() without any sanitization. These values are then passed to Render_Quran_Live::render_verse_quran_live() where they are echoed directly into inline \u003cscript\u003e blocks using PHP short tags (\u003c?=$cheikh;?\u003e and \u003c?=$lang;?\u003e) at lines 191, 216, 217, 245, and 246 of Class_QuranLive.php. Since the output occurs inside a JavaScript context within \u003cscript\u003e tags, an attacker can break out of the JavaScript string and inject arbitrary script code. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T07:45:39.289Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/883484dd-d48d-46f9-ae96-223626c50039?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/quran-live/trunk/inc/Class_QuranLive.php#L191"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/inc/Class_QuranLive.php#L191"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/quran-live/trunk/inc/Class_QuranLive.php#L217"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/inc/Class_QuranLive.php#L217"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/quran-live/trunk/inc/Class_QuranLive.php#L246"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/inc/Class_QuranLive.php#L246"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/quran-live/trunk/inc/Class_QuranLive.php#L216"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/inc/Class_QuranLive.php#L216"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/quran-live/trunk/inc/Class_QuranLive.php#L245"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/inc/Class_QuranLive.php#L245"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/quran-live/trunk/quran-live.php#L110"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/quran-live/tags/1.0.3/quran-live.php#L110"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T19:06:14.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Quran Live Multilanguage \u003c= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4074",
    "datePublished": "2026-04-22T07:45:39.289Z",
    "dateReserved": "2026-03-12T19:52:43.714Z",
    "dateUpdated": "2026-04-22T15:31:29.305Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4085 (GCVE-0-2026-4085)

Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 18:30
Title
Easy Social Photos Gallery <= 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wrapper_class' Shortcode Attribute
Summary
The Easy Social Photos Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper_class' shortcode attribute of the 'my-instagram-feed' shortcode in all versions up to, and including, 3.1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. Specifically, the plugin uses sanitize_text_field() instead of esc_attr() when outputting the 'wrapper_class' attribute inside a double-quoted HTML class attribute. Since sanitize_text_field() does not encode double quotes, an attacker can break out of the class attribute and inject arbitrary HTML event handlers. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
maltathemes Easy Social Photos Gallery – MIF Affected: 0 , ≤ 3.1.2 (semver)
Credits
Muhammad Yudha - DJ

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4085",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T18:30:21.731097Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T18:30:36.223Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Easy Social Photos Gallery \u2013 MIF",
          "vendor": "maltathemes",
          "versions": [
            {
              "lessThanOrEqual": "3.1.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Yudha - DJ"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Easy Social Photos Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027wrapper_class\u0027 shortcode attribute of the \u0027my-instagram-feed\u0027 shortcode in all versions up to, and including, 3.1.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. Specifically, the plugin uses sanitize_text_field() instead of esc_attr() when outputting the \u0027wrapper_class\u0027 attribute inside a double-quoted HTML class attribute. Since sanitize_text_field() does not encode double quotes, an attacker can break out of the class attribute and inject arbitrary HTML event handlers. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T07:45:38.938Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8640724c-0bd4-4684-9fd1-027f2af64e67?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/my-instagram-feed/tags/3.1.2/frontend/class-my-instagram-feed-frontend.php#L53"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/my-instagram-feed/trunk/frontend/views/feed.php#L102"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/my-instagram-feed/tags/3.1.2/frontend/views/feed.php#L102"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/my-instagram-feed/trunk/frontend/class-my-instagram-feed-frontend.php#L53"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T19:06:46.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Easy Social Photos Gallery \u003c= 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027wrapper_class\u0027 Shortcode Attribute"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4085",
    "datePublished": "2026-04-22T07:45:38.938Z",
    "dateReserved": "2026-03-12T20:51:56.076Z",
    "dateUpdated": "2026-04-22T18:30:36.223Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6246 (GCVE-0-2026-6246)

Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 15:31
Title
Simple Random Posts Shortcode <= 0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'container_right_width' Shortcode Attribute
Summary
The Simple Random Posts Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'container_right_width' attribute of the 'simple_random_posts' shortcode in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
mkerstner Simple Random Posts Shortcode Affected: 0 , ≤ 0.3 (semver)
Credits
nail majdeddine

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-6246",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T15:25:55.370240Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T15:31:34.902Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Simple Random Posts Shortcode",
          "vendor": "mkerstner",
          "versions": [
            {
              "lessThanOrEqual": "0.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "nail majdeddine"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Simple Random Posts Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027container_right_width\u0027 attribute of the \u0027simple_random_posts\u0027 shortcode in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T07:45:38.582Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7d61e6ea-4975-452a-8f9c-1c6d428372ac?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/simple-random-posts-shortcode/tags/0.3/simple-random-posts-shortcode.php#L54"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/simple-random-posts-shortcode/trunk/simple-random-posts-shortcode.php#L54"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T19:02:04.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Simple Random Posts Shortcode \u003c= 0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027container_right_width\u0027 Shortcode Attribute"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-6246",
    "datePublished": "2026-04-22T07:45:38.582Z",
    "dateReserved": "2026-04-13T17:44:25.829Z",
    "dateUpdated": "2026-04-22T15:31:34.902Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4142 (GCVE-0-2026-4142)

Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 12:55
Title
Sentence To SEO (keywords, description and tags) <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Permanent keywords' Field
Summary
The Sentence To SEO (keywords, description and tags) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Permanent keywords' field in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin reads user input via filter_input_array(INPUT_POST) which applies no HTML sanitization (FILTER_DEFAULT), stores it unsanitized to the WordPress options table via update_option(), and then outputs the stored value directly into a textarea element without any escaping using PHP short echo tags (<?= ?>). An attacker can break out of the textarea element using a closing </textarea> tag and inject arbitrary HTML/JavaScript. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the plugin's settings page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Credits
Muhammad Nur Ibnu Hubab

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4142",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T12:55:48.354776Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T12:55:54.212Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Sentence To SEO (keywords, description and tags)",
          "vendor": "eazyserver",
          "versions": [
            {
              "lessThanOrEqual": "1.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Nur Ibnu Hubab"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Sentence To SEO (keywords, description and tags) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027Permanent keywords\u0027 field in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin reads user input via filter_input_array(INPUT_POST) which applies no HTML sanitization (FILTER_DEFAULT), stores it unsanitized to the WordPress options table via update_option(), and then outputs the stored value directly into a textarea element without any escaping using PHP short echo tags (\u003c?= ?\u003e). An attacker can break out of the textarea element using a closing \u003c/textarea\u003e tag and inject arbitrary HTML/JavaScript. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the plugin\u0027s settings page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T07:45:38.230Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7d11b2db-d097-433f-923c-f49ef2951c0e?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L81"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L81"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L50"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L50"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L262"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L262"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L87"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L87"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/trunk/index.php#L75"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/sentence-to-seo/tags/1.0/index.php#L75"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T19:05:43.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Sentence To SEO (keywords, description and tags) \u003c= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via \u0027Permanent keywords\u0027 Field"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4142",
    "datePublished": "2026-04-22T07:45:38.230Z",
    "dateReserved": "2026-03-13T15:37:12.112Z",
    "dateUpdated": "2026-04-22T12:55:54.212Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-6235 (GCVE-0-2026-6235)

Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 07:45
Title
Sendmachine for WordPress <= 1.0.20 - Unauthenticated SMTP Hijack to Privilege Escalation via manage_admin_requests
Summary
The Sendmachine for WordPress plugin for WordPress is vulnerable to authorization bypass via the 'manage_admin_requests' function in all versions up to, and including, 1.0.20. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the plugin's SMTP configuration, which can be leveraged to intercept all outbound emails from the site (including password reset emails).
CWE
Assigner
Impacted products
Vendor Product Version
sendmachine Sendmachine for WordPress Affected: 0 , ≤ 1.0.20 (semver)
Credits
Nabil Irawan

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Sendmachine for WordPress",
          "vendor": "sendmachine",
          "versions": [
            {
              "lessThanOrEqual": "1.0.20",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nabil Irawan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Sendmachine for WordPress plugin for WordPress is vulnerable to authorization bypass via the \u0027manage_admin_requests\u0027 function in all versions up to, and including, 1.0.20. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the plugin\u0027s SMTP configuration, which can be leveraged to intercept all outbound emails from the site (including password reset emails)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T07:45:37.881Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7889e071-84a8-46ec-abe5-5c98980ce275?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/sendmachine/tags/1.0.20/sendmachine_wp_admin.php#L183"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/sendmachine/tags/1.0.20/sendmachine_wp_admin.php#L174"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/sendmachine/tags/1.0.20/includes/sendmachine_email_manager.php#L39"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-10T00:00:00.000Z",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2026-04-21T19:01:50.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Sendmachine for WordPress \u003c= 1.0.20 - Unauthenticated SMTP Hijack to Privilege Escalation via manage_admin_requests"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-6235",
    "datePublished": "2026-04-22T07:45:37.881Z",
    "dateReserved": "2026-04-13T16:12:01.215Z",
    "dateUpdated": "2026-04-22T07:45:37.881Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4090 (GCVE-0-2026-4090)

Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 15:59
Title
Inquiry cart <= 3.4.2 - Cross-Site Request Forgery via Settings Form
Summary
The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.2. This is due to missing nonce verification in the rd_ic_settings_page function when processing settings form submissions. This makes it possible for unauthenticated attackers to update the plugin's settings, including injecting malicious scripts that will be stored and executed in the admin area, via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Impacted products
Vendor Product Version
ravster Inquiry cart Affected: 0 , ≤ 3.4.2 (semver)
Credits
Muhammad Nur Ibnu Hubab

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4090",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T15:53:03.311078Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T15:59:46.866Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Inquiry cart",
          "vendor": "ravster",
          "versions": [
            {
              "lessThanOrEqual": "3.4.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Nur Ibnu Hubab"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.2. This is due to missing nonce verification in the rd_ic_settings_page function when processing settings form submissions. This makes it possible for unauthenticated attackers to update the plugin\u0027s settings, including injecting malicious scripts that will be stored and executed in the admin area, via a forged request granted they can trick an administrator into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T07:45:37.529Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/772e9b2b-b2d5-4950-804b-d0914004710c?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L46"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L46"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L6"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L6"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L21"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L21"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L47"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L47"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L48"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L48"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/settings-page.php#L49"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/settings-page.php#L49"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/inquiry-cart-shortcode.php#L32"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/inquiry-cart-shortcode.php#L32"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/inquiry-cart/trunk/includes/inquiry-cart-shortcode.php#L34"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/inquiry-cart/tags/0.0.0.0/includes/inquiry-cart-shortcode.php#L34"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T19:08:19.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Inquiry cart \u003c= 3.4.2 - Cross-Site Request Forgery via Settings Form"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4090",
    "datePublished": "2026-04-22T07:45:37.529Z",
    "dateReserved": "2026-03-12T21:14:19.934Z",
    "dateUpdated": "2026-04-22T15:59:46.866Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2717 (GCVE-0-2026-2717)

Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 18:29
Title
HTTP Headers <= 1.19.2 - Authenticated (Administrator+) CRLF Injection via Custom Header Values
Summary
The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and including, 1.19.2. This is due to insufficient sanitization of custom header name and value fields before writing them to the Apache .htaccess file via `insert_with_markers()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary newline characters and additional Apache directives into the .htaccess configuration file via the 'Custom Headers' settings, leading to Apache configuration parse errors and potential site-wide denial of service.
CWE
  • CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Assigner
Impacted products
Vendor Product Version
zinoui HTTP Headers Affected: 0 , ≤ 1.19.2 (semver)
Credits
Kai Aizen

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2717",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T18:29:07.769656Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T18:29:28.392Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "HTTP Headers",
          "vendor": "zinoui",
          "versions": [
            {
              "lessThanOrEqual": "1.19.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Kai Aizen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and including, 1.19.2. This is due to insufficient sanitization of custom header name and value fields before writing them to the Apache .htaccess file via `insert_with_markers()`. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary newline characters and additional Apache directives into the .htaccess configuration file via the \u0027Custom Headers\u0027 settings, leading to Apache configuration parse errors and potential site-wide denial of service."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T07:45:37.169Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7716e77f-e899-4046-9421-86fc0c36c245?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L1098"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L1098"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/http-headers/tags/1.19.2/http-headers.php#L745"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/http-headers/trunk/http-headers.php#L745"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T19:13:17.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "HTTP Headers \u003c= 1.19.2 - Authenticated (Administrator+) CRLF Injection via Custom Header Values"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-2717",
    "datePublished": "2026-04-22T07:45:37.169Z",
    "dateReserved": "2026-02-18T21:00:50.620Z",
    "dateUpdated": "2026-04-22T18:29:28.392Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4118 (GCVE-0-2026-4118)

Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 12:58
Title
Call To Action Plugin <= 3.1.3 - Cross-Site Request Forgery via Settings Update
Summary
The Call To Action Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.3. This is due to missing nonce validation in the cbox_options_page() function which handles saving, creating, and deleting plugin settings. The form rendered on the settings page does not include a wp_nonce_field(), and the save handler does not call wp_verify_nonce() or check_admin_referer() before processing settings updates via $wpdb->update(). This makes it possible for unauthenticated attackers to modify plugin settings such as call-to-action box title, content, link URL, image URL, colors, and other configuration options via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Impacted products
Vendor Product Version
tmarek Call To Action Plugin Affected: 0 , ≤ 3.1.3 (semver)
Credits
Muhammad Afnaan

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4118",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T12:58:33.401890Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T12:58:39.479Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Call To Action Plugin",
          "vendor": "tmarek",
          "versions": [
            {
              "lessThanOrEqual": "3.1.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Afnaan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Call To Action Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.3. This is due to missing nonce validation in the cbox_options_page() function which handles saving, creating, and deleting plugin settings. The form rendered on the settings page does not include a wp_nonce_field(), and the save handler does not call wp_verify_nonce() or check_admin_referer() before processing settings updates via $wpdb-\u003eupdate(). This makes it possible for unauthenticated attackers to modify plugin settings such as call-to-action box title, content, link URL, image URL, colors, and other configuration options via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T07:45:36.813Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6d15f5de-9ec9-466d-aafe-6304356ccb39?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/call-to-action-plugin/trunk/call-to-action-plugin.php#L55"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/call-to-action-plugin/tags/3.1.3/call-to-action-plugin.php#L55"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/call-to-action-plugin/trunk/call-to-action-plugin.php#L41"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/call-to-action-plugin/tags/3.1.3/call-to-action-plugin.php#L41"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/call-to-action-plugin/trunk/call-to-action-plugin.php#L69"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/call-to-action-plugin/tags/3.1.3/call-to-action-plugin.php#L69"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/call-to-action-plugin/trunk/call-to-action-plugin.php#L76"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/call-to-action-plugin/tags/3.1.3/call-to-action-plugin.php#L76"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T19:07:28.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Call To Action Plugin \u003c= 3.1.3 - Cross-Site Request Forgery via Settings Update"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4118",
    "datePublished": "2026-04-22T07:45:36.813Z",
    "dateReserved": "2026-03-13T13:21:19.956Z",
    "dateUpdated": "2026-04-22T12:58:39.479Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4139 (GCVE-0-2026-4139)

Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 15:31
Title
mCatFilter <= 0.5.2 - Cross-Site Request Forgery via compute_post() Function
Summary
The mCatFilter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.5.2. This is due to the complete absence of nonce verification and capability checks in the compute_post() function, which processes settings updates. The compute_post() function is called in the plugin constructor on every page load via the plugins_loaded hook, and it directly processes $_POST data to modify plugin settings via update_option() without any CSRF token validation. This makes it possible for unauthenticated attackers to modify all plugin settings, including category exclusion rules, feed exclusion flags, and tag page exclusion flags, via a forged POST request, granted they can trick a site administrator into performing an action such as clicking a link.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Impacted products
Vendor Product Version
chsxf mCatFilter Affected: 0 , ≤ 0.5.2 (semver)
Credits
Muhammad Afnaan

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4139",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T15:25:46.505397Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T15:31:40.591Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "mCatFilter",
          "vendor": "chsxf",
          "versions": [
            {
              "lessThanOrEqual": "0.5.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Afnaan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The mCatFilter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.5.2. This is due to the complete absence of nonce verification and capability checks in the compute_post() function, which processes settings updates. The compute_post() function is called in the plugin constructor on every page load via the plugins_loaded hook, and it directly processes $_POST data to modify plugin settings via update_option() without any CSRF token validation. This makes it possible for unauthenticated attackers to modify all plugin settings, including category exclusion rules, feed exclusion flags, and tag page exclusion flags, via a forged POST request, granted they can trick a site administrator into performing an action such as clicking a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T07:45:36.467Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/622ee6c8-7739-44ae-b88f-63a93c0a9b20?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mcatfilter/trunk/mcatfilter.php#L339"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mcatfilter/tags/0.5.2/mcatfilter.php#L339"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mcatfilter/trunk/mcatfilter.php#L320"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mcatfilter/tags/0.5.2/mcatfilter.php#L320"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mcatfilter/trunk/mcatfilter.php#L138"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mcatfilter/tags/0.5.2/mcatfilter.php#L138"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T19:06:04.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "mCatFilter \u003c= 0.5.2 - Cross-Site Request Forgery via compute_post() Function"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4139",
    "datePublished": "2026-04-22T07:45:36.467Z",
    "dateReserved": "2026-03-13T15:29:31.027Z",
    "dateUpdated": "2026-04-22T15:31:40.591Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4125 (GCVE-0-2026-4125)

Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 14:13
Title
WPMK Block <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Summary
The WPMK Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to and including 1.0.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the wpmk_block_shortcode() function, the 'class' attribute is extracted from user-controllable shortcode attributes and directly concatenated into an HTML div element's class attribute without any escaping (e.g., esc_attr()). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
wpmkorg WPMK Block Affected: 0 , ≤ 1.0.1 (semver)
Credits
zakaria

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4125",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T14:08:12.740201Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T14:13:03.230Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WPMK Block",
          "vendor": "wpmkorg",
          "versions": [
            {
              "lessThanOrEqual": "1.0.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "zakaria"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The WPMK Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027class\u0027 shortcode attribute in all versions up to and including 1.0.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the wpmk_block_shortcode() function, the \u0027class\u0027 attribute is extracted from user-controllable shortcode attributes and directly concatenated into an HTML div element\u0027s class attribute without any escaping (e.g., esc_attr()). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T07:45:36.110Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e397c7a-2aef-4c23-a224-e324ea4bb4b1?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wpmk-block/trunk/classes/wpmk-block-class.php#L97"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wpmk-block/tags/1.0.1/classes/wpmk-block-class.php#L97"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wpmk-block/trunk/classes/wpmk-block-class.php#L82"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wpmk-block/tags/1.0.1/classes/wpmk-block-class.php#L82"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T19:05:22.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "WPMK Block \u003c= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4125",
    "datePublished": "2026-04-22T07:45:36.110Z",
    "dateReserved": "2026-03-13T13:47:13.693Z",
    "dateUpdated": "2026-04-22T14:13:03.230Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4128 (GCVE-0-2026-4128)

Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 12:11
Title
TP Restore Categories And Taxonomies <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Taxonomy Deletion via 'tpmcattt_delete_term' AJAX Action
Summary
The TP Restore Categories And Taxonomies plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. The delete_term() function, which handles the 'tpmcattt_delete_term' AJAX action, does not perform any capability check (e.g., current_user_can()) to verify the user has sufficient permissions. While it does verify a nonce via check_ajax_referer(), this nonce is generated for all authenticated users via the admin_enqueue_scripts hook and exposed on any wp-admin page (including profile.php, which subscribers can access). This makes it possible for authenticated attackers, with Subscriber-level access and above, to permanently delete taxonomy term records from the plugin's trash/backup tables by sending a crafted AJAX request with a valid nonce and an arbitrary term_id.
CWE
Assigner
Impacted products
Vendor Product Version
tplugins TP Restore Categories And Taxonomies Affected: 0 , ≤ 1.0.1 (semver)
Credits
Nabil Irawan

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4128",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T12:11:20.647147Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T12:11:34.991Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "TP Restore Categories And Taxonomies",
          "vendor": "tplugins",
          "versions": [
            {
              "lessThanOrEqual": "1.0.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nabil Irawan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The TP Restore Categories And Taxonomies plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. The delete_term() function, which handles the \u0027tpmcattt_delete_term\u0027 AJAX action, does not perform any capability check (e.g., current_user_can()) to verify the user has sufficient permissions. While it does verify a nonce via check_ajax_referer(), this nonce is generated for all authenticated users via the admin_enqueue_scripts hook and exposed on any wp-admin page (including profile.php, which subscribers can access). This makes it possible for authenticated attackers, with Subscriber-level access and above, to permanently delete taxonomy term records from the plugin\u0027s trash/backup tables by sending a crafted AJAX request with a valid nonce and an arbitrary term_id."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T07:45:35.777Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/53a0749f-86e9-4f62-9de2-a6759c78ba2f?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tp-restore-categories-and-taxonomies/trunk/admin/class-tp-move-categories-and-taxonomies-to-trash-admin.php#L474"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tp-restore-categories-and-taxonomies/tags/1.0.1/admin/class-tp-move-categories-and-taxonomies-to-trash-admin.php#L474"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tp-restore-categories-and-taxonomies/trunk/includes/class-tp-move-categories-and-taxonomies-to-trash.php#L169"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/tp-restore-categories-and-taxonomies/tags/1.0.1/includes/class-tp-move-categories-and-taxonomies-to-trash.php#L169"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T19:08:29.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "TP Restore Categories And Taxonomies \u003c= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Taxonomy Deletion via \u0027tpmcattt_delete_term\u0027 AJAX Action"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4128",
    "datePublished": "2026-04-22T07:45:35.777Z",
    "dateReserved": "2026-03-13T14:11:25.304Z",
    "dateUpdated": "2026-04-22T12:11:34.991Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-5767 (GCVE-0-2026-5767)

Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 12:13
Title
SlideShowPro SC <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'album' Shortcode Attribute
Summary
The SlideShowPro SC plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `slideShowProSC` shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
luetkemj SlideShowPro SC Affected: 0 , ≤ 1.0.2 (semver)
Credits
nail majdeddine

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-5767",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T12:12:48.844309Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T12:13:14.851Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "SlideShowPro SC",
          "vendor": "luetkemj",
          "versions": [
            {
              "lessThanOrEqual": "1.0.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "nail majdeddine"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The SlideShowPro SC plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s `slideShowProSC` shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T07:45:35.415Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/51467cef-9624-4dd9-a368-d3b5fac7bb3d?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/slideshowpro-shortcode/tags/1.0.2/slideshowpro_sc.php#L287"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/slideshowpro-shortcode/trunk/slideshowpro_sc.php#L287"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T19:02:18.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "SlideShowPro SC \u003c= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027album\u0027 Shortcode Attribute"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-5767",
    "datePublished": "2026-04-22T07:45:35.415Z",
    "dateReserved": "2026-04-07T20:03:01.665Z",
    "dateUpdated": "2026-04-22T12:13:14.851Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-4089 (GCVE-0-2026-4089)

Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 14:05
Title
Twittee Text Tweet <= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute
Summary
The Twittee Text Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in all versions up to and including 1.0.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The ttt_twittee_tweeter() function uses extract() to pull shortcode attributes into local variables and then directly concatenates them into HTML output without any escaping. Specifically, the $id parameter is inserted into an HTML id attribute context without esc_attr(), allowing an attacker to break out of the attribute and inject arbitrary HTML event handlers. Additionally, the $tweet, $content, $balloon, and $theme attributes are similarly injected into inline JavaScript without escaping (lines 87, 93, 101, 117). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
johnnie2u Twittee Text Tweet Affected: 0 , ≤ 1.0.8 (semver)
Credits
zakaria

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-4089",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T14:04:45.797152Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T14:05:17.972Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Twittee Text Tweet",
          "vendor": "johnnie2u",
          "versions": [
            {
              "lessThanOrEqual": "1.0.8",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "zakaria"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Twittee Text Tweet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027id\u0027 shortcode attribute in all versions up to and including 1.0.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The ttt_twittee_tweeter() function uses extract() to pull shortcode attributes into local variables and then directly concatenates them into HTML output without any escaping. Specifically, the $id parameter is inserted into an HTML id attribute context without esc_attr(), allowing an attacker to break out of the attribute and inject arbitrary HTML event handlers. Additionally, the $tweet, $content, $balloon, and $theme attributes are similarly injected into inline JavaScript without escaping (lines 87, 93, 101, 117). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T07:45:35.056Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4d678e97-f466-4640-83ee-a3a24550e8d8?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/twittee-text-tweet/trunk/ttt-twittee-text-tweet.php#L87"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/twittee-text-tweet/tags/1.0.8/ttt-twittee-text-tweet.php#L87"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/twittee-text-tweet/trunk/ttt-twittee-text-tweet.php#L55"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/twittee-text-tweet/tags/1.0.8/ttt-twittee-text-tweet.php#L55"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T19:07:17.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Twittee Text Tweet \u003c= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027id\u0027 Shortcode Attribute"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-4089",
    "datePublished": "2026-04-22T07:45:35.056Z",
    "dateReserved": "2026-03-12T21:03:18.626Z",
    "dateUpdated": "2026-04-22T14:05:17.972Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3362 (GCVE-0-2026-3362)

Vulnerability from cvelistv5 – Published: 2026-04-22 07:45 – Updated: 2026-04-22 13:48
Title
Short Comment Filter <= 2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Minimum Count' Setting
Summary
The Short Comment Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Minimum Count' settings field in all versions up to and including 2.2. This is due to insufficient input sanitization (no sanitize callback on register_setting) and missing output escaping (no esc_attr() on the echoed value in the input's value attribute). The option value is stored via update_option() and rendered unescaped in an HTML attribute context. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in the settings page that will execute whenever a user accesses that page. This is particularly impactful in WordPress multisite installations or when DISALLOW_UNFILTERED_HTML is set, where administrators are not granted the unfiltered_html capability.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner: Wordfence
Impacted products
Vendor: itsananderson
Product: Short Comment Filter
Version: Affected: 0, ≤ 2.2 (semver)
Credits
Muhammad Nur Ibnu Hubab

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-3362",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-22T13:48:14.443181Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-22T13:48:36.565Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Short Comment Filter",
          "vendor": "itsananderson",
          "versions": [
            {
              "lessThanOrEqual": "2.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Nur Ibnu Hubab"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Short Comment Filter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027Minimum Count\u0027 settings field in all versions up to and including 2.2. This is due to insufficient input sanitization (no sanitize callback on register_setting) and missing output escaping (no esc_attr() on the echoed value in the input\u0027s value attribute). The option value is stored via update_option() and rendered unescaped in an HTML attribute context. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in the settings page that will execute whenever a user accesses that page. This is particularly impactful in WordPress multisite installations or when DISALLOW_UNFILTERED_HTML is set, where administrators are not granted the unfiltered_html capability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-22T07:45:34.704Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ba46475-bf54-49a8-9b0e-fae3fb4e1df9?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/short-comment-filter/trunk/views/settings.php#L25"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/short-comment-filter/tags/2.2/views/settings.php#L25"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/short-comment-filter/trunk/classes/short-comment-filter-settings.php#L61"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/short-comment-filter/tags/2.2/classes/short-comment-filter-settings.php#L61"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/short-comment-filter/trunk/classes/short-comment-filter-settings.php#L54"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/short-comment-filter/tags/2.2/classes/short-comment-filter-settings.php#L54"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/short-comment-filter/trunk/classes/short-comment-filter-settings.php#L21"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/short-comment-filter/tags/2.2/classes/short-comment-filter-settings.php#L21"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-04-21T19:16:14.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Short Comment Filter \u003c= 2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via \u0027Minimum Count\u0027 Setting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-3362",
    "datePublished": "2026-04-22T07:45:34.704Z",
    "dateReserved": "2026-02-27T19:52:23.019Z",
    "dateUpdated": "2026-04-22T13:48:36.565Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}