Search criteria
88 vulnerabilities by smub
CVE-2026-7526 (GCVE-0-2026-7526)
Vulnerability from cvelistv5 – Published: 2026-05-28 07:43 – Updated: 2026-05-28 10:32
VLAI
Title
PDF Embedder <= 4.9.3 - Authenticated (Contributor+) Information Exposure via Block Editor Page
Summary
The PDF Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.3 via the enqueue_block_assets. This makes it possible for authenticated attackers, with contributor-level access and above, to extract configuration data. License key exposure occurs when the premium add-on is also installed and has saved a key; on Lite-only installations, the exposed data is limited to non-sensitive viewer configuration values such as width, height, toolbar settings, usage tracking, and plan.
Severity
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | PDF Embedder |
Affected:
0 , ≤ 4.9.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7526",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T10:25:00.865799Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T10:32:52.986Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PDF Embedder",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "4.9.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The PDF Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.3 via the enqueue_block_assets. This makes it possible for authenticated attackers, with contributor-level access and above, to extract configuration data. License key exposure occurs when the premium add-on is also installed and has saved a key; on Lite-only installations, the exposed data is limited to non-sensitive viewer configuration values such as width, height, toolbar settings, usage tracking, and plan."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T07:43:41.869Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e0f2516-0fa7-415e-868e-6bd259bc6546?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pdf-embedder/trunk/src/Plugin.php#L224"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pdf-embedder/tags/4.9.3/src/Plugin.php#L224"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pdf-embedder/trunk/src/Plugin.php#L204"
},
{
"url": "https://plugins.trac.wordpress.org/browser/pdf-embedder/tags/4.9.3/src/Plugin.php#L204"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3531901/pdf-embedder/trunk/src/Plugin.php?old=3429550\u0026old_path=pdf-embedder%2Ftrunk%2Fsrc%2FPlugin.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-30T17:41:16.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-27T18:49:03.000Z",
"value": "Disclosed"
}
],
"title": "PDF Embedder \u003c= 4.9.3 - Authenticated (Contributor+) Information Exposure via Block Editor Page"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-7526",
"datePublished": "2026-05-28T07:43:41.869Z",
"dateReserved": "2026-04-30T17:26:08.252Z",
"dateUpdated": "2026-05-28T10:32:52.986Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7533 (GCVE-0-2026-7533)
Vulnerability from cvelistv5 – Published: 2026-05-28 05:30 – Updated: 2026-05-28 10:36
VLAI
Title
Easy Digital Downloads <= 3.6.7 - Cross-Site Request Forgery to Payment Account Hijacking via 'square_tokens' Parameter
Summary
The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.7. This is due to missing nonce verification in the `handle_oauth_redirect()` function, which is registered on the `admin_init` hook and processes Square OAuth tokens from a user-supplied GET parameter without any CSRF token validation. This makes it possible for unauthenticated attackers to overwrite the store's Square payment gateway credentials by tricking a logged-in administrator into clicking a crafted link, potentially resulting in payment account hijacking.
Severity
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | Easy Digital Downloads – eCommerce Payments and Subscriptions made easy |
Affected:
0 , ≤ 3.6.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7533",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-28T10:28:04.823181Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T10:36:05.265Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "3.6.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "M Indra Purnama"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.7. This is due to missing nonce verification in the `handle_oauth_redirect()` function, which is registered on the `admin_init` hook and processes Square OAuth tokens from a user-supplied GET parameter without any CSRF token validation. This makes it possible for unauthenticated attackers to overwrite the store\u0027s Square payment gateway credentials by tricking a logged-in administrator into clicking a crafted link, potentially resulting in payment account hijacking."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T05:30:41.186Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e375f761-459c-4cad-823b-2a94ac901410?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/src/Gateways/Square/Connection.php#L58"
},
{
"url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/tags/3.6.5/src/Gateways/Square/Connection.php#L58"
},
{
"url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/src/Gateways/Square/Gateway.php#L114"
},
{
"url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/tags/3.6.5/src/Gateways/Square/Gateway.php#L114"
},
{
"url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/src/Gateways/Square/Connection.php#L47"
},
{
"url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/tags/3.6.5/src/Gateways/Square/Connection.php#L47"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3536197%40easy-digital-downloads\u0026old=3511193%40easy-digital-downloads\u0026sfp_email=\u0026sfph_mail=#file6607"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-30T18:16:35.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-27T17:18:24.000Z",
"value": "Disclosed"
}
],
"title": "Easy Digital Downloads \u003c= 3.6.7 - Cross-Site Request Forgery to Payment Account Hijacking via \u0027square_tokens\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-7533",
"datePublished": "2026-05-28T05:30:41.186Z",
"dateReserved": "2026-04-30T18:01:14.679Z",
"dateUpdated": "2026-05-28T10:36:05.265Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8832 (GCVE-0-2026-8832)
Vulnerability from cvelistv5 – Published: 2026-05-27 06:46 – Updated: 2026-05-27 10:30
VLAI
Title
WPCode <= 2.3.5 - Authenticated (Author+) Remote Code Execution via CPT Capability Bypass via XML-RPC wp.newPost
Summary
The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due to the 'wpcode' custom post type being registered without a custom capability_type or capability restrictions in the wpcode_register_post_type() function, allowing WordPress core to fall back to standard post capabilities for all creation paths including XML-RPC. This makes it possible for authenticated attackers, with author-level access and above, to create and publish executable PHP snippet posts via XML-RPC wp.newPost, which are then executed server-side via eval() in the run_eval() function when the snippet is rendered through the [wpcode] shortcode.
Severity
8.8 (High)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | WPCode – Insert Headers and Footers + Custom Code Snippets – WordPress Code Manager |
Affected:
0 , ≤ 2.3.5
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8832",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T10:20:22.252896Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T10:30:23.131Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WPCode \u2013 Insert Headers and Footers + Custom Code Snippets \u2013 WordPress Code Manager",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "2.3.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yongtae Jeon"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due to the \u0027wpcode\u0027 custom post type being registered without a custom capability_type or capability restrictions in the wpcode_register_post_type() function, allowing WordPress core to fall back to standard post capabilities for all creation paths including XML-RPC. This makes it possible for authenticated attackers, with author-level access and above, to create and publish executable PHP snippet posts via XML-RPC wp.newPost, which are then executed server-side via eval() in the run_eval() function when the snippet is rendered through the [wpcode] shortcode."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-27T06:46:16.247Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/75a2e8b1-d5e0-4f7b-a70a-f0aadf58c778?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/insert-headers-and-footers/tags/2.3.5/includes/post-type.php#L24"
},
{
"url": "https://plugins.trac.wordpress.org/browser/insert-headers-and-footers/tags/2.3.5/includes/shortcode.php#L26"
},
{
"url": "https://plugins.trac.wordpress.org/browser/insert-headers-and-footers/tags/2.3.5/includes/class-wpcode-snippet-execute.php#L415"
},
{
"url": "https://plugins.trac.wordpress.org/browser/insert-headers-and-footers/tags/2.3.5/includes/class-wpcode-snippet-execute.php#L374"
},
{
"url": "https://plugins.trac.wordpress.org/browser/insert-headers-and-footers/tags/2.3.5/includes/execute/class-wpcode-snippet-execute-php.php#L25"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3549060/insert-headers-and-footers/trunk/includes/post-type.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Finsert-headers-and-footers/tags/2.3.5\u0026new_path=%2Finsert-headers-and-footers/tags/2.3.6"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-18T14:09:28.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-26T17:48:25.000Z",
"value": "Disclosed"
}
],
"title": "WPCode \u003c= 2.3.5 - Authenticated (Author+) Remote Code Execution via CPT Capability Bypass via XML-RPC wp.newPost"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8832",
"datePublished": "2026-05-27T06:46:16.247Z",
"dateReserved": "2026-05-18T13:53:59.461Z",
"dateUpdated": "2026-05-27T10:30:23.131Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7636 (GCVE-0-2026-7636)
Vulnerability from cvelistv5 – Published: 2026-05-22 07:50 – Updated: 2026-05-22 13:46
VLAI
Title
Slider by Soliloquy <= 2.8.1 - Authenticated (Subscriber+) Information Disclosure via REST API Endpoint
Summary
The Slider by Soliloquy – Responsive Image Slider for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.1 via the map_meta_cap. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract draft slider metadata including unpublished media URLs, captions, and slider configuration authored by administrators or editors.
Severity
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | Slider by Soliloquy – Responsive Image Slider for WordPress |
Affected:
0 , ≤ 2.8.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7636",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T13:45:57.318117Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T13:46:24.435Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Slider by Soliloquy \u2013 Responsive Image Slider for WordPress",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "2.8.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kitch Global"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Slider by Soliloquy \u2013 Responsive Image Slider for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.1 via the map_meta_cap. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract draft slider metadata including unpublished media URLs, captions, and slider configuration authored by administrators or editors."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T07:50:25.970Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/54115a9a-dadd-4f18-a139-02ec89f0a571?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/soliloquy-lite/trunk/includes/global/posttype.php#L90"
},
{
"url": "https://plugins.trac.wordpress.org/browser/soliloquy-lite/trunk/includes/global/posttype.php#L177"
},
{
"url": "https://plugins.trac.wordpress.org/browser/soliloquy-lite/tags/2.8.1/includes/global/posttype.php#L177"
},
{
"url": "https://plugins.trac.wordpress.org/browser/soliloquy-lite/trunk/includes/global/posttype.php#L125"
},
{
"url": "https://plugins.trac.wordpress.org/browser/soliloquy-lite/tags/2.8.1/includes/global/posttype.php#L125"
},
{
"url": "https://plugins.trac.wordpress.org/browser/soliloquy-lite/tags/2.8.1/includes/global/posttype.php#L90"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3538404/soliloquy-lite/trunk/includes/global/posttype.php?old=3395148\u0026old_path=soliloquy-lite%2Ftrunk%2Fincludes%2Fglobal%2Fposttype.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-01T15:43:24.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-21T19:23:24.000Z",
"value": "Disclosed"
}
],
"title": "Slider by Soliloquy \u003c= 2.8.1 - Authenticated (Subscriber+) Information Disclosure via REST API Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-7636",
"datePublished": "2026-05-22T07:50:25.970Z",
"dateReserved": "2026-05-01T15:28:15.500Z",
"dateUpdated": "2026-05-22T13:46:24.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6566 (GCVE-0-2026-6566)
Vulnerability from cvelistv5 – Published: 2026-05-20 05:31 – Updated: 2026-05-20 15:54
VLAI
Title
Photo Gallery, Sliders, Proofing and Themes <= 4.2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Image Deletion via REST API
Summary
The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the permission callback for DELETE /imagely/v1/images/{id} only checks 'NextGEN Manage gallery' permissions and does not enforce gallery ownership or 'NextGEN Manage others gallery' permissions. This makes it possible for authenticated attackers, with Subscriber-level privileges and 'NextGEN Manage gallery' capability, to delete gallery images belonging to other users as well as their associated image files from disk when deleteImg is enabled (default).
Severity
4.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery |
Affected:
0 , ≤ 4.2.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6566",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T15:43:36.099126Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T15:54:05.752Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Photo Gallery, Sliders, Proofing and Themes \u2013 NextGEN Gallery",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "4.2.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bao Luu Gia Nguyen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Photo Gallery, Sliders, Proofing and Themes \u2013 NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the permission callback for DELETE /imagely/v1/images/{id} only checks \u0027NextGEN Manage gallery\u0027 permissions and does not enforce gallery ownership or \u0027NextGEN Manage others gallery\u0027 permissions. This makes it possible for authenticated attackers, with Subscriber-level privileges and \u0027NextGEN Manage gallery\u0027 capability, to delete gallery images belonging to other users as well as their associated image files from disk when deleteImg is enabled (default)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T05:31:10.536Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/439809ad-21ea-4a0b-b1fd-5de9f8f5ee7a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3533432/nextgen-gallery"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-18T20:42:58.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-19T17:01:55.000Z",
"value": "Disclosed"
}
],
"title": "Photo Gallery, Sliders, Proofing and Themes \u003c= 4.2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Image Deletion via REST API"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-6566",
"datePublished": "2026-05-20T05:31:10.536Z",
"dateReserved": "2026-04-18T17:51:56.808Z",
"dateUpdated": "2026-05-20T15:54:05.752Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5075 (GCVE-0-2026-5075)
Vulnerability from cvelistv5 – Published: 2026-05-20 03:28 – Updated: 2026-05-20 14:17
VLAI
Title
All in One SEO <= 4.9.7 - Authenticated (Contributor+) Sensitive Information Exposure via 'internalOptions' Localized Script Data
Summary
The All in One SEO plugin for WordPress is vulnerable to Sensitive Information Exposure via 'internalOptions' localized script data in versions up to, and including, 4.9.7 due to sensitive internal option data being passed to wp_localize_script() in post editor contexts without effective masking for low-privilege users. This makes it possible for authenticated attackers, with contributor-level access and above, to view configured API/OAuth tokens and license-related values from page source.
Severity
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic |
Affected:
0 , ≤ 4.9.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5075",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T14:16:48.492510Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T14:17:02.195Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings \u0026 Increase Traffic",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "4.9.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Riadh Bouchahoua"
}
],
"descriptions": [
{
"lang": "en",
"value": "The All in One SEO plugin for WordPress is vulnerable to Sensitive Information Exposure via \u0027internalOptions\u0027 localized script data in versions up to, and including, 4.9.7 due to sensitive internal option data being passed to wp_localize_script() in post editor contexts without effective masking for low-privilege users. This makes it possible for authenticated attackers, with contributor-level access and above, to view configured API/OAuth tokens and license-related values from page source."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T03:28:14.037Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0d8bc203-c17a-4b31-8f9e-695f9e638cda?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3532318/all-in-one-seo-pack"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-28T13:24:43.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-19T14:51:29.000Z",
"value": "Disclosed"
}
],
"title": "All in One SEO \u003c= 4.9.7 - Authenticated (Contributor+) Sensitive Information Exposure via \u0027internalOptions\u0027 Localized Script Data"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-5075",
"datePublished": "2026-05-20T03:28:14.037Z",
"dateReserved": "2026-03-28T13:09:05.383Z",
"dateUpdated": "2026-05-20T14:17:02.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5361 (GCVE-0-2026-5361)
Vulnerability from cvelistv5 – Published: 2026-05-14 03:27 – Updated: 2026-05-14 10:47
VLAI
Title
Envira Gallery <= 1.12.4 - Authenticated (Author+) Stored Cross-Site Scripting via 'arrows' Parameter
Summary
The Envira Gallery Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in versions up to and including 1.12.4. This is due to insufficient input sanitization in the update_gallery_data() function and improper output escaping in the gallery_init() function. The sanitize_config_values() function only sanitizes the justified_gallery_theme and justified_row_height parameters, but does not sanitize the arrows parameter. When the arrows value is output in the inline JavaScript configuration, it uses esc_attr() which is designed for HTML attribute contexts, not JavaScript contexts, allowing JavaScript expression injection. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More |
Affected:
0 , ≤ 1.12.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5361",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T10:39:14.280741Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T10:47:27.431Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Envira Gallery \u2013 Image Photo Gallery, Albums, Video Gallery, Slideshows \u0026 More",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "1.12.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
},
{
"lang": "en",
"type": "finder",
"value": "Itthidej Aramsri"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Envira Gallery Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in versions up to and including 1.12.4. This is due to insufficient input sanitization in the update_gallery_data() function and improper output escaping in the gallery_init() function. The sanitize_config_values() function only sanitizes the justified_gallery_theme and justified_row_height parameters, but does not sanitize the arrows parameter. When the arrows value is output in the inline JavaScript configuration, it uses esc_attr() which is designed for HTML attribute contexts, not JavaScript contexts, allowing JavaScript expression injection. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T03:27:15.137Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d2b1e973-f22d-4e69-b3b8-d6ea5df3f047?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/envira-gallery-lite/trunk/includes/global/shortcode.php#L1067"
},
{
"url": "https://plugins.trac.wordpress.org/browser/envira-gallery-lite/tags/1.12.4/includes/global/shortcode.php#L1067"
},
{
"url": "https://plugins.trac.wordpress.org/browser/envira-gallery-lite/trunk/includes/global/rest.php#L163"
},
{
"url": "https://plugins.trac.wordpress.org/browser/envira-gallery-lite/tags/1.12.4/includes/global/rest.php#L163"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3514026/envira-gallery-lite/trunk/includes/global/shortcode.php?old=3465371\u0026old_path=envira-gallery-lite%2Ftrunk%2Fincludes%2Fglobal%2Fshortcode.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-01T17:36:10.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-13T14:42:15.000Z",
"value": "Disclosed"
}
],
"title": "Envira Gallery \u003c= 1.12.4 - Authenticated (Author+) Stored Cross-Site Scripting via \u0027arrows\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-5361",
"datePublished": "2026-05-14T03:27:15.137Z",
"dateReserved": "2026-04-01T17:20:59.284Z",
"dateUpdated": "2026-05-14T10:47:27.431Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6177 (GCVE-0-2026-6177)
Vulnerability from cvelistv5 – Published: 2026-05-13 12:29 – Updated: 2026-05-13 19:31
VLAI
Title
Custom Twitter Feeds <= 2.5.4 - Unauthenticated Stored Cross-Site Scripting via Cached Tweet Text
Summary
The Custom Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.5.4. This is due to insufficient output escaping in the CTF_Display_Elements::get_post_text() function when rendering cached tweet text. The plugin's ctf_get_more_posts AJAX action is available to unauthenticated users and directly outputs cached tweet data through nl2br() without HTML escaping. When an attacker can get malicious content into cached tweet data (either by tweeting content that gets cached by the site's feed configuration, or through other vulnerabilities), the malicious HTML/JavaScript is executed when the unauthenticated endpoint is accessed. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the affected endpoint.
Severity
7.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
10 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | Custom Twitter Feeds – A Tweets Widget or X Feed Widget |
Affected:
0 , ≤ 2.5.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6177",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T19:23:25.801007Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T19:31:57.701Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Custom Twitter Feeds \u2013 A Tweets Widget or X Feed Widget",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "2.5.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "gidget smith"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Custom Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.5.4. This is due to insufficient output escaping in the CTF_Display_Elements::get_post_text() function when rendering cached tweet text. The plugin\u0027s ctf_get_more_posts AJAX action is available to unauthenticated users and directly outputs cached tweet data through nl2br() without HTML escaping. When an attacker can get malicious content into cached tweet data (either by tweeting content that gets cached by the site\u0027s feed configuration, or through other vulnerabilities), the malicious HTML/JavaScript is executed when the unauthenticated endpoint is accessed. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the affected endpoint."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T12:29:53.119Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e4b2178f-e4da-4bfb-9c27-8c1884499769?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/custom-twitter-feeds/tags/2.5.4/custom-twitter-feed.php#L447"
},
{
"url": "https://plugins.trac.wordpress.org/browser/custom-twitter-feeds/trunk/inc/CTF_Display_Elements.php#L505"
},
{
"url": "https://plugins.trac.wordpress.org/browser/custom-twitter-feeds/tags/2.5.4/inc/CTF_Display_Elements.php#L505"
},
{
"url": "https://plugins.trac.wordpress.org/browser/custom-twitter-feeds/trunk/custom-twitter-feed.php#L447"
},
{
"url": "https://plugins.trac.wordpress.org/browser/custom-twitter-feeds/trunk/inc/CTF_Display_Elements.php#L521"
},
{
"url": "https://plugins.trac.wordpress.org/browser/custom-twitter-feeds/tags/2.5.4/inc/CTF_Display_Elements.php#L521"
},
{
"url": "https://plugins.trac.wordpress.org/browser/custom-twitter-feeds/trunk/templates/item.php#L36"
},
{
"url": "https://plugins.trac.wordpress.org/browser/custom-twitter-feeds/tags/2.5.4/templates/item.php#L36"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3519584%40custom-twitter-feeds\u0026old=3481416%40custom-twitter-feeds"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-13T02:22:37.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-12T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Custom Twitter Feeds \u003c= 2.5.4 - Unauthenticated Stored Cross-Site Scripting via Cached Tweet Text"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-6177",
"datePublished": "2026-05-13T12:29:53.119Z",
"dateReserved": "2026-04-13T02:07:02.800Z",
"dateUpdated": "2026-05-13T19:31:57.701Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7619 (GCVE-0-2026-7619)
Vulnerability from cvelistv5 – Published: 2026-05-13 04:26 – Updated: 2026-05-13 10:22
VLAI
Title
Charitable <= 1.8.10.4 - Authenticated (Custom+) SQL Injection via 's' Search Parameter
Summary
The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 1.8.10.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with access to the donation management admin area (requiring the edit_others_donations capability) and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity
6.5 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More |
Affected:
0 , ≤ 1.8.10.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7619",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T10:08:28.056009Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T10:22:39.226Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations \u0026 More",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "1.8.10.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abi Wiranata"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations \u0026 More plugin for WordPress is vulnerable to generic SQL Injection via the \u0027s\u0027 parameter in all versions up to, and including, 1.8.10.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with access to the donation management admin area (requiring the edit_others_donations capability) and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T04:26:39.907Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/950bed9d-8698-4aa0-86a4-fac9e07bb42b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/charitable/trunk/includes/donations/class-charitable-donations.php#L89"
},
{
"url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.4/includes/donations/class-charitable-donations.php#L89"
},
{
"url": "https://plugins.trac.wordpress.org/browser/charitable/trunk/includes/admin/donations/class-charitable-donation-list-table.php#L837"
},
{
"url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.4/includes/admin/donations/class-charitable-donation-list-table.php#L837"
},
{
"url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.9.7/includes/donations/class-charitable-donations.php#L89"
},
{
"url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.9.7/includes/admin/donations/class-charitable-donation-list-table.php#L837"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3529172/charitable/trunk/includes/donations/class-charitable-donations.php?old=3209943\u0026old_path=charitable%2Ftrunk%2Fincludes%2Fdonations%2Fclass-charitable-donations.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-01T13:34:24.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-05-12T15:46:10.000Z",
"value": "Disclosed"
}
],
"title": "Charitable \u003c= 1.8.10.4 - Authenticated (Custom+) SQL Injection via \u0027s\u0027 Search Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-7619",
"datePublished": "2026-05-13T04:26:39.907Z",
"dateReserved": "2026-05-01T13:19:14.129Z",
"dateUpdated": "2026-05-13T10:22:39.226Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5488 (GCVE-0-2026-5488)
Vulnerability from cvelistv5 – Published: 2026-04-24 03:27 – Updated: 2026-04-24 18:17
VLAI
Title
ExactMetrics <= 9.1.2 - Authenticated (Subscriber+) Missing Authorization to Google Ads Access Token Retrieval via AJAX Action 'exactmetrics_ads_get_token'
Summary
The ExactMetrics – Google Analytics Dashboard for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 9.1.2. This is due to missing capability checks in the get_ads_access_token() and reset_experience() AJAX handlers. While the mi-admin-nonce is localized on all admin pages (including profile.php which subscribers can access), and while other similar AJAX endpoints in the same class properly check for the exactmetrics_save_settings capability, these two endpoints only verify the nonce. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve valid Google Ads access tokens and reset Google Ads integration settings.
Severity
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) |
Affected:
0 , ≤ 9.1.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5488",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T16:50:54.527245Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T18:17:35.257Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ExactMetrics \u2013 Google Analytics Dashboard for WordPress (Website Stats Plugin)",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "9.1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ExactMetrics \u2013 Google Analytics Dashboard for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 9.1.2. This is due to missing capability checks in the get_ads_access_token() and reset_experience() AJAX handlers. While the mi-admin-nonce is localized on all admin pages (including profile.php which subscribers can access), and while other similar AJAX endpoints in the same class properly check for the exactmetrics_save_settings capability, these two endpoints only verify the nonce. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve valid Google Ads access tokens and reset Google Ads integration settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T03:27:06.309Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6a4359e4-5843-4d2c-b288-5c35f819241a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/trunk/includes/ppc/google/class-exactmetrics-google-ads.php#L243"
},
{
"url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.0.3/includes/ppc/google/class-exactmetrics-google-ads.php#L243"
},
{
"url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/trunk/includes/ppc/google/class-exactmetrics-google-ads.php#L167"
},
{
"url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.0.3/includes/ppc/google/class-exactmetrics-google-ads.php#L167"
},
{
"url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/trunk/includes/admin/admin-assets.php#L196"
},
{
"url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.0.3/includes/admin/admin-assets.php#L196"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3513041%40google-analytics-dashboard-for-wp\u0026new=3513041%40google-analytics-dashboard-for-wp\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-03T14:47:10.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-23T14:48:15.000Z",
"value": "Disclosed"
}
],
"title": "ExactMetrics \u003c= 9.1.2 - Authenticated (Subscriber+) Missing Authorization to Google Ads Access Token Retrieval via AJAX Action \u0027exactmetrics_ads_get_token\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-5488",
"datePublished": "2026-04-24T03:27:06.309Z",
"dateReserved": "2026-04-03T14:31:57.183Z",
"dateUpdated": "2026-04-24T18:17:35.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5464 (GCVE-0-2026-5464)
Vulnerability from cvelistv5 – Published: 2026-04-23 08:28 – Updated: 2026-04-23 14:51
VLAI
Title
ExactMetrics <= 9.1.2 - Authenticated (Editor+) Arbitrary Plugin Installation/Activation via exactmetrics_connect_process
Summary
The ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the 'onboarding_key' transient to any user with the 'exactmetrics_view_dashboard' capability. This key is the sole authorization gate for the '/wp-json/exactmetrics/v1/onboarding/connect-url' REST endpoint, which returns a one-time hash (OTH) token. This OTH token is then the only credential checked by the 'exactmetrics_connect_process' AJAX endpoint — which has no capability check, no nonce verification, and accepts an arbitrary plugin ZIP URL via the file parameter for installation and activation. This makes it possible for authenticated attackers, with Editor-level access and above granted the report viewing permission, to install and activate arbitrary plugins from attacker-controlled URLs, leading to Remote Code Execution.
Severity
7.2 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) |
Affected:
0 , ≤ 9.1.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5464",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T14:50:46.837686Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T14:51:03.156Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ExactMetrics \u2013 Google Analytics Dashboard for WordPress (Website Stats Plugin)",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "9.1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen Ngoc Duc"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ExactMetrics \u2013 Google Analytics Dashboard for WordPress (Website Stats Plugin) plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the \u0027onboarding_key\u0027 transient to any user with the \u0027exactmetrics_view_dashboard\u0027 capability. This key is the sole authorization gate for the \u0027/wp-json/exactmetrics/v1/onboarding/connect-url\u0027 REST endpoint, which returns a one-time hash (OTH) token. This OTH token is then the only credential checked by the \u0027exactmetrics_connect_process\u0027 AJAX endpoint \u2014 which has no capability check, no nonce verification, and accepts an arbitrary plugin ZIP URL via the file parameter for installation and activation. This makes it possible for authenticated attackers, with Editor-level access and above granted the report viewing permission, to install and activate arbitrary plugins from attacker-controlled URLs, leading to Remote Code Execution."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T08:28:25.836Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/09127277-9e71-484d-b674-52af693c995b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.1.1/includes/connect.php#L27"
},
{
"url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.1.1/includes/connect.php#L219"
},
{
"url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.1.1/includes/admin/class-exactmetrics-onboarding.php#L109"
},
{
"url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.1.1/includes/admin/admin-assets.php#L932"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-03T06:10:01.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-22T19:44:42.000Z",
"value": "Disclosed"
}
],
"title": "ExactMetrics \u003c= 9.1.2 - Authenticated (Editor+) Arbitrary Plugin Installation/Activation via exactmetrics_connect_process"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-5464",
"datePublished": "2026-04-23T08:28:25.836Z",
"dateReserved": "2026-04-03T05:53:05.632Z",
"dateUpdated": "2026-04-23T14:51:03.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3177 (GCVE-0-2026-3177)
Vulnerability from cvelistv5 – Published: 2026-04-07 07:40 – Updated: 2026-04-08 17:18
VLAI
Title
Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More <= 1.8.9.7 - Insufficient Verification of Data Authenticity to Unauthenticated Donation Status Forgery via Stripe Webhook
Summary
The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 1.8.9.7. This is due to missing cryptographic verification of incoming Stripe webhook events. This makes it possible for unauthenticated attackers to forge payment_intent.succeeded webhook payloads and mark pending donations as completed without a real payment.
Severity
5.3 (Medium)
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More |
Affected:
0 , ≤ 1.8.9.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3177",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T13:19:16.985212Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T13:19:24.638Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations \u0026 More",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "1.8.9.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Andr\u00e9s Cruciani"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations \u0026 More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 1.8.9.7. This is due to missing cryptographic verification of incoming Stripe webhook events. This makes it possible for unauthenticated attackers to forge payment_intent.succeeded webhook payloads and mark pending donations as completed without a real payment."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345 Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:18:40.687Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bc3b2645-7b57-4884-99c5-e37dbd4a9600?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3485023/charitable"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-25T00:25:08.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-04-06T18:46:47.000Z",
"value": "Disclosed"
}
],
"title": "Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations \u0026 More \u003c= 1.8.9.7 - Insufficient Verification of Data Authenticity to Unauthenticated Donation Status Forgery via Stripe Webhook"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-3177",
"datePublished": "2026-04-07T07:40:13.519Z",
"dateReserved": "2026-02-25T00:09:57.727Z",
"dateUpdated": "2026-04-08T17:18:40.687Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1463 (GCVE-0-2026-1463)
Vulnerability from cvelistv5 – Published: 2026-03-18 16:26 – Updated: 2026-04-08 16:44
VLAI
Title
Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 4.0.4 - Authenticated (Author+) Local File Inclusion
Summary
The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.3 via the 'template' parameter in gallery shortcodes. This makes it possible for authenticated attackers, with Author-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Severity
8.8 (High)
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery |
Affected:
0 , ≤ 4.0.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1463",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-19T14:50:01.303952Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T14:50:17.401Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Photo Gallery, Sliders, Proofing and Themes \u2013 NextGEN Gallery",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "4.0.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
},
{
"lang": "en",
"type": "finder",
"value": "Itthidej Aramsri"
},
{
"lang": "en",
"type": "finder",
"value": "Waris Damkham"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Photo Gallery, Sliders, Proofing and Themes \u2013 NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.3 via the \u0027template\u0027 parameter in gallery shortcodes. This makes it possible for authenticated attackers, with Author-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:44:12.729Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d7bc556-cdaf-42a7-8801-ad2e4945a137?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/nextgen-gallery/tags/4.0.3/src/DisplayType/LegacyTemplateLocator.php#L140"
},
{
"url": "https://plugins.trac.wordpress.org/browser/nextgen-gallery/tags/4.0.3/src/DisplayType/Controller.php#L369"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3460327/nextgen-gallery/trunk/src/DisplayType/LegacyTemplateLocator.php?old=3423202\u0026old_path=nextgen-gallery%2Ftrunk%2Fsrc%2FDisplayType%2FLegacyTemplateLocator.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-27T07:02:22.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-17T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Photo Gallery, Sliders, Proofing and Themes \u2013 NextGEN Gallery \u003c= 4.0.4 - Authenticated (Author+) Local File Inclusion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1463",
"datePublished": "2026-03-18T16:26:26.755Z",
"dateReserved": "2026-01-27T06:46:59.960Z",
"dateUpdated": "2026-04-08T16:44:12.729Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1992 (GCVE-0-2026-1992)
Vulnerability from cvelistv5 – Published: 2026-03-11 09:25 – Updated: 2026-03-11 13:30
VLAI
Title
ExactMetrics 8.6.0 - 9.0.2 - Authenticated (Custom) Insecure Direct Object Reference to Arbitrary Plugin Installation
Summary
The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the `store_settings()` method in the `ExactMetrics_Onboarding` class accepting a user-supplied `triggered_by` parameter that is used instead of the current user's ID to check permissions. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to bypass the `install_plugins` capability check by specifying an administrator's user ID in the `triggered_by` parameter, allowing them to install arbitrary plugins and achieve Remote Code Execution. This vulnerability only affects sites on which administrator has given other user types the permission to view reports and can only be exploited by users of that type.
Severity
8.8 (High)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) |
Affected:
8.0.0 , ≤ 9.0.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1992",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-11T13:29:03.679877Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T13:30:00.851Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ExactMetrics \u2013 Google Analytics Dashboard for WordPress (Website Stats Plugin)",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "9.0.2",
"status": "affected",
"version": "8.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ali S\u00fcnb\u00fcl"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ExactMetrics \u2013 Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the `store_settings()` method in the `ExactMetrics_Onboarding` class accepting a user-supplied `triggered_by` parameter that is used instead of the current user\u0027s ID to check permissions. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to bypass the `install_plugins` capability check by specifying an administrator\u0027s user ID in the `triggered_by` parameter, allowing them to install arbitrary plugins and achieve Remote Code Execution. This vulnerability only affects sites on which administrator has given other user types the permission to view reports and can only be exploited by users of that type."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T09:25:43.399Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/79b6b896-df66-4c3d-a4d4-d3dbeb630134?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/trunk/includes/admin/class-exactmetrics-onboarding.php#L273"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3473805/google-analytics-dashboard-for-wp/trunk/includes/admin/class-exactmetrics-onboarding.php?old=3309894\u0026old_path=google-analytics-dashboard-for-wp%2Ftrunk%2Fincludes%2Fadmin%2Fclass-exactmetrics-onboarding.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-05T16:28:59.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-10T21:00:15.000Z",
"value": "Disclosed"
}
],
"title": "ExactMetrics 8.6.0 - 9.0.2 - Authenticated (Custom) Insecure Direct Object Reference to Arbitrary Plugin Installation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1992",
"datePublished": "2026-03-11T09:25:43.399Z",
"dateReserved": "2026-02-05T16:08:52.114Z",
"dateUpdated": "2026-03-11T13:30:00.851Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1993 (GCVE-0-2026-1993)
Vulnerability from cvelistv5 – Published: 2026-03-11 09:25 – Updated: 2026-03-11 13:28
VLAI
Title
ExactMetrics 7.1.0 - 9.0.2 - Authenticated (Custom) Improper Privilege Management to Role Privilege Escalation via Settings Update
Summary
The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the `update_settings()` function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to modify any plugin setting, including the `save_settings` option that controls which user roles have access to plugin functionality. The admin intended to delegate configuration access to a trusted user, not enable that user to delegate access to everyone. By setting `save_settings` to include `subscriber`, an attacker can grant plugin administrative access to all subscribers on the site.
Severity
8.8 (High)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | ExactMetrics – Google Analytics Dashboard for WordPress (Website Stats Plugin) |
Affected:
7.1.0 , ≤ 9.0.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1993",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-11T13:28:05.540107Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T13:28:36.760Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ExactMetrics \u2013 Google Analytics Dashboard for WordPress (Website Stats Plugin)",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "9.0.2",
"status": "affected",
"version": "7.1.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ali S\u00fcnb\u00fcl"
}
],
"descriptions": [
{
"lang": "en",
"value": "The ExactMetrics \u2013 Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the `update_settings()` function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to modify any plugin setting, including the `save_settings` option that controls which user roles have access to plugin functionality. The admin intended to delegate configuration access to a trusted user, not enable that user to delegate access to everyone. By setting `save_settings` to include `subscriber`, an attacker can grant plugin administrative access to all subscribers on the site."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T09:25:42.207Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1c1ce474-ecce-4d21-b174-cb54a2441b2b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/trunk/includes/admin/routes.php#L201"
},
{
"url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/7.15.3/includes/admin/routes.php#L201"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3473805/google-analytics-dashboard-for-wp/trunk/includes/capabilities.php?old=2897321\u0026old_path=google-analytics-dashboard-for-wp%2Ftrunk%2Fincludes%2Fcapabilities.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3473805/google-analytics-dashboard-for-wp/trunk/includes/admin/routes.php?old=3453934\u0026old_path=google-analytics-dashboard-for-wp%2Ftrunk%2Fincludes%2Fadmin%2Froutes.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-05T16:41:37.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-10T21:02:36.000Z",
"value": "Disclosed"
}
],
"title": "ExactMetrics 7.1.0 - 9.0.2 - Authenticated (Custom) Improper Privilege Management to Role Privilege Escalation via Settings Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1993",
"datePublished": "2026-03-11T09:25:42.207Z",
"dateReserved": "2026-02-05T16:26:24.468Z",
"dateUpdated": "2026-03-11T13:28:36.760Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1236 (GCVE-0-2026-1236)
Vulnerability from cvelistv5 – Published: 2026-03-04 08:23 – Updated: 2026-04-08 17:18
VLAI
Title
Envira Gallery for WordPress <= 1.12.3 - Authenticated (Author+) Stored Cross-Site Scripting via 'justified_gallery_theme' Parameter via REST API
Summary
The Envira Gallery for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'justified_gallery_theme' parameter in all versions up to, and including, 1.12.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More |
Affected:
0 , ≤ 1.12.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1236",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-04T21:27:45.608394Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T21:28:05.766Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Envira Gallery \u2013 Image Photo Gallery, Albums, Video Gallery, Slideshows \u0026 More",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "1.12.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
},
{
"lang": "en",
"type": "finder",
"value": "Itthidej Aramsri"
},
{
"lang": "en",
"type": "finder",
"value": "Waris Damkham"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Envira Gallery for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027justified_gallery_theme\u0027 parameter in all versions up to, and including, 1.12.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:18:43.927Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bc552d46-79ca-4540-8620-5a031238cd62?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/envira-gallery-lite/trunk/includes/global/shortcode.php#L302"
},
{
"url": "https://plugins.trac.wordpress.org/browser/envira-gallery-lite/tags/1.12.3/includes/global/shortcode.php#L302"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3465371%40envira-gallery-lite\u0026old=3444965%40envira-gallery-lite\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-20T16:56:31.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-03T20:19:00.000Z",
"value": "Disclosed"
}
],
"title": "Envira Gallery for WordPress \u003c= 1.12.3 - Authenticated (Author+) Stored Cross-Site Scripting via \u0027justified_gallery_theme\u0027 Parameter via REST API"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1236",
"datePublished": "2026-03-04T08:23:56.092Z",
"dateReserved": "2026-01-20T16:37:15.337Z",
"dateUpdated": "2026-04-08T17:18:43.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2471 (GCVE-0-2026-2471)
Vulnerability from cvelistv5 – Published: 2026-02-28 06:27 – Updated: 2026-04-08 16:36
VLAI
Title
WP Mail Logging <= 1.15.0 - Unauthenticated PHP Object Injection via Email Log Message Field
Summary
The WP Mail Logging plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.15.0 via deserialization of untrusted input from the email log message field. This is due to the `BaseModel` class constructor calling `maybe_unserialize()` on all properties retrieved from the database without validation. This makes it possible for unauthenticated attackers to inject a PHP Object by submitting a double-serialized payload through any public-facing form that sends email (e.g., Contact Form 7). When the email is logged and subsequently viewed by an administrator, the malicious payload is deserialized into an arbitrary PHP object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Severity
7.5 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | WP Mail Logging |
Affected:
0 , ≤ 1.15.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2471",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-02T19:40:13.816210Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-02T19:41:20.206Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Mail Logging",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "1.15.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Qu\u1ed1c Huy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Mail Logging plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.15.0 via deserialization of untrusted input from the email log message field. This is due to the `BaseModel` class constructor calling `maybe_unserialize()` on all properties retrieved from the database without validation. This makes it possible for unauthenticated attackers to inject a PHP Object by submitting a double-serialized payload through any public-facing form that sends email (e.g., Contact Form 7). When the email is logged and subsequently viewed by an administrator, the malicious payload is deserialized into an arbitrary PHP object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:36:08.455Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/10e4c52d-c82f-4393-9a56-5714b3a108d1?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-mail-logging/tags/1.15.0/lib/vendor/brandonwamboldt/wp-orm/src/BaseModel.php#L39"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-mail-logging/tags/1.15.0/src/WPML_Plugin.php#L553"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-mail-logging/tags/1.15.0/src/Renderer/WPML_MailRenderer_AJAX_Handler.php#L100"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3464813%40wp-mail-logging\u0026old=3358334%40wp-mail-logging\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-13T15:40:49.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-02-27T17:58:35.000Z",
"value": "Disclosed"
}
],
"title": "WP Mail Logging \u003c= 1.15.0 - Unauthenticated PHP Object Injection via Email Log Message Field"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2471",
"datePublished": "2026-02-28T06:27:42.492Z",
"dateReserved": "2026-02-13T15:25:20.955Z",
"dateUpdated": "2026-04-08T16:36:08.455Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14384 (GCVE-0-2025-14384)
Vulnerability from cvelistv5 – Published: 2026-01-16 04:44 – Updated: 2026-04-08 17:33
VLAI
Title
All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic <= 4.9.2 - Missing Authorization to Authenticated (Contributor+) AI Access Token and Credit Disclosure
Summary
The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/aioseo/v1/ai/credits` REST route in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disclose the global AI access token.
Severity
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic |
Affected:
0 , ≤ 4.9.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14384",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-16T14:10:14.263468Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-16T14:10:21.442Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings \u0026 Increase Traffic",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "4.9.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "NosleeP"
}
],
"descriptions": [
{
"lang": "en",
"value": "The All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings \u0026 Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/aioseo/v1/ai/credits` REST route in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disclose the global AI access token."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:33:09.679Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f47d53e1-42ac-425e-a6f2-901a6d26845d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3435276/all-in-one-seo-pack"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-09T19:56:13.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-15T16:24:16.000Z",
"value": "Disclosed"
}
],
"title": "All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings \u0026 Increase Traffic \u003c= 4.9.2 - Missing Authorization to Authenticated (Contributor+) AI Access Token and Credit Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14384",
"datePublished": "2026-01-16T04:44:36.103Z",
"dateReserved": "2025-12-09T19:40:21.846Z",
"dateUpdated": "2026-04-08T17:33:09.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14783 (GCVE-0-2025-14783)
Vulnerability from cvelistv5 – Published: 2025-12-31 06:24 – Updated: 2026-04-08 16:47
VLAI
Title
Easy Digital Downloads <= 3.6.2 - Unvalidated Redirect in Password Reset Flow via edd_redirect
Summary
The Easy Digital Downloads plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.6.2. This is due to insufficient validation on the redirect url supplied via the 'edd_redirect' parameter. This makes it possible for unauthenticated attackers to redirect users with the password reset email to potentially malicious sites if they can successfully trick them into performing an action.
Severity
4.3 (Medium)
CWE
- CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | Easy Digital Downloads – eCommerce Payments and Subscriptions made easy |
Affected:
0 , ≤ 3.6.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14783",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-31T16:25:43.153630Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-31T16:25:51.162Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "3.6.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Angus Girvan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.6.2. This is due to insufficient validation on the redirect url supplied via the \u0027edd_redirect\u0027 parameter. This makes it possible for unauthenticated attackers to redirect users with the password reset email to potentially malicious sites if they can successfully trick them into performing an action."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:47:21.110Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3c0fb43c-f576-412e-a144-4725356ed9a0?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/includes/users/lost-password.php#L187"
},
{
"url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/includes/blocks/views/forms/lost-password.php#L24"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3426524/easy-digital-downloads/trunk/includes/users/lost-password.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-16T13:48:22.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-30T17:50:22.000Z",
"value": "Disclosed"
}
],
"title": "Easy Digital Downloads \u003c= 3.6.2 - Unvalidated Redirect in Password Reset Flow via edd_redirect"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14783",
"datePublished": "2025-12-31T06:24:42.546Z",
"dateReserved": "2025-12-16T13:32:13.229Z",
"dateUpdated": "2026-04-08T16:47:21.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-13641 (GCVE-0-2025-13641)
Vulnerability from cvelistv5 – Published: 2025-12-18 09:21 – Updated: 2026-04-08 16:34
VLAI
Title
Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 3.59.12 - Authenticated (Contributor+) Local File Inclusion via 'template'
Summary
The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.59.12 via the 'template' shortcode parameter. This is due to insufficient path validation that allows absolute paths to be provided. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, bypassing web server restrictions like .htaccess. Successful exploitation could lead to information disclosure, code execution in the WordPress context, and potential remote code execution if combined with arbitrary file upload capabilities.
Severity
8.8 (High)
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery |
Affected:
0 , ≤ 3.59.12
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13641",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T14:19:16.564698Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T14:19:36.707Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Photo Gallery, Sliders, Proofing and Themes \u2013 NextGEN Gallery",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "3.59.12",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Photo Gallery, Sliders, Proofing and Themes \u2013 NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.59.12 via the \u0027template\u0027 shortcode parameter. This is due to insufficient path validation that allows absolute paths to be provided. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, bypassing web server restrictions like .htaccess. Successful exploitation could lead to information disclosure, code execution in the WordPress context, and potential remote code execution if combined with arbitrary file upload capabilities."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:34:34.861Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0a01e1c9-67f4-4cc1-b58b-9cc141889d66?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/nextgen-gallery/trunk/src/DisplayType/LegacyTemplateLocator.php#L152"
},
{
"url": "https://plugins.trac.wordpress.org/browser/nextgen-gallery/trunk/src/DisplayType/Controller.php#L369"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3415575/nextgen-gallery/trunk/src/DisplayType/LegacyTemplateLocator.php?old=3004370\u0026old_path=nextgen-gallery%2Ftrunk%2Fsrc%2FDisplayType%2FLegacyTemplateLocator.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-25T03:18:13.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-12-17T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Photo Gallery, Sliders, Proofing and Themes \u2013 NextGEN Gallery \u003c= 3.59.12 - Authenticated (Contributor+) Local File Inclusion via \u0027template\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13641",
"datePublished": "2025-12-18T09:21:29.377Z",
"dateReserved": "2025-11-25T02:50:31.614Z",
"dateUpdated": "2026-04-08T16:34:34.861Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12484 (GCVE-0-2025-12484)
Vulnerability from cvelistv5 – Published: 2025-11-19 07:46 – Updated: 2026-04-08 17:02
VLAI
Title
Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers <= 1.12.19 - Unauthenticated Stored Cross-Site Scripting
Summary
The Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple social media username parameters in all versions up to, and including, 1.12.19 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
7.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
10 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | Giveaways and Contests by RafflePress – Get More Website Traffic, Email Subscribers, and Social Followers |
Affected:
0 , ≤ 1.12.19
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12484",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T18:10:15.857557Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T18:15:43.641Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Giveaways and Contests by RafflePress \u2013 Get More Website Traffic, Email Subscribers, and Social Followers",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "1.12.19",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Naoya Takahashi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Giveaways and Contests by RafflePress \u2013 Get More Website Traffic, Email Subscribers, and Social Followers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple social media username parameters in all versions up to, and including, 1.12.19 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:02:46.970Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7cda6aad-36e1-45c7-af46-a7b90bb2d339?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L539"
},
{
"url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L543"
},
{
"url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L547"
},
{
"url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L551"
},
{
"url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L555"
},
{
"url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L559"
},
{
"url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/rafflepress.php#L563"
},
{
"url": "https://plugins.trac.wordpress.org/browser/rafflepress/tags/1.12.19/app/entry.php#L110"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3398188%40rafflepress\u0026old=3346436%40rafflepress\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-29T19:28:09.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-18T19:41:33.000Z",
"value": "Disclosed"
}
],
"title": "Giveaways and Contests by RafflePress \u2013 Get More Website Traffic, Email Subscribers, and Social Followers \u003c= 1.12.19 - Unauthenticated Stored Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12484",
"datePublished": "2025-11-19T07:46:07.439Z",
"dateReserved": "2025-10-29T19:11:25.942Z",
"dateUpdated": "2026-04-08T17:02:46.970Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12847 (GCVE-0-2025-12847)
Vulnerability from cvelistv5 – Published: 2025-11-15 05:45 – Updated: 2026-04-08 16:33
VLAI
Title
All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic <= 4.8.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Media Deletion
Summary
The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized arbitrary media attachment deletion due to a missing authorization check in all versions up to, and including, 4.8.9. This is due to the REST API endpoint `/wp-json/aioseo/v1/ai/image-generator` only verifying that users have the `edit_posts` capability (Contributors and above) without checking if they own or have permission to delete the specific media attachments. This makes it possible for authenticated attackers, with Contributor-level access and above, to permanently delete arbitrary media attachments by ID via the REST API, granted they can determine valid attachment IDs.
Severity
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic |
Affected:
0 , ≤ 4.8.9
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12847",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-17T18:42:37.154492Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-17T18:42:46.195Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings \u0026 Increase Traffic",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "4.8.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Angus Girvan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings \u0026 Increase Traffic plugin for WordPress is vulnerable to unauthorized arbitrary media attachment deletion due to a missing authorization check in all versions up to, and including, 4.8.9. This is due to the REST API endpoint `/wp-json/aioseo/v1/ai/image-generator` only verifying that users have the `edit_posts` capability (Contributors and above) without checking if they own or have permission to delete the specific media attachments. This makes it possible for authenticated attackers, with Contributor-level access and above, to permanently delete arbitrary media attachments by ID via the REST API, granted they can determine valid attachment IDs."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:33:27.132Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05abc09f-903b-45a9-8cde-1bf8fd5d7d44?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Api/Api.php#L192"
},
{
"url": "https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Api/Ai.php#L542"
},
{
"url": "https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Ai/Image.php#L192"
},
{
"url": "https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Utils/Access.php#L184"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3393820%40all-in-one-seo-pack\u0026old=3384131%40all-in-one-seo-pack\u0026sfp_email=\u0026sfph_mail=#file1387"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-06T21:20:07.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-14T16:58:45.000Z",
"value": "Disclosed"
}
],
"title": "All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings \u0026 Increase Traffic \u003c= 4.8.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Media Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12847",
"datePublished": "2025-11-15T05:45:32.963Z",
"dateReserved": "2025-11-06T21:04:39.818Z",
"dateUpdated": "2026-04-08T16:33:27.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12377 (GCVE-0-2025-12377)
Vulnerability from cvelistv5 – Published: 2025-11-13 11:29 – Updated: 2026-04-08 16:58
VLAI
Title
Gallery Plugin for WordPress – Envira Photo Gallery <= 1.12.0 - Missing Authorization to Authenticated (Author+) Multiple Gallery Actions
Summary
The Gallery Plugin for WordPress – Envira Photo Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.12.0. This makes it possible for authenticated attackers, with Author-level access and above, to perform multiple actions, such as removing images from arbitrary galleries. The vulnerability was partially patched in version 1.12.0.
Severity
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More |
Affected:
0 , ≤ 1.12.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12377",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-19T19:20:45.423977Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-19T19:21:15.000Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Envira Gallery \u2013 Image Photo Gallery, Albums, Video Gallery, Slideshows \u0026 More",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "1.12.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Gallery Plugin for WordPress \u2013 Envira Photo Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on several functions in all versions up to, and including, 1.12.0. This makes it possible for authenticated attackers, with Author-level access and above, to perform multiple actions, such as removing images from arbitrary galleries. The vulnerability was partially patched in version 1.12.0."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:58:41.809Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/69a0d985-cc85-45ba-889d-1ed30d06f9ce?source=cve"
},
{
"url": "https://drive.google.com/file/d/1AgsJeff1x4pQAFVGmoSwwU75iiH4-H_p/view?usp=sharing"
},
{
"url": "https://plugins.trac.wordpress.org/browser/envira-gallery-lite/trunk/includes/admin/ajax.php"
},
{
"url": "https://research.cleantalk.org/cve-2025-12377/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3387243/envira-gallery-lite/trunk/includes/admin/ajax.php?old=3133202\u0026old_path=envira-gallery-lite%2Ftrunk%2Fincludes%2Fadmin%2Fajax.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3394455%40envira-gallery-lite\u0026old=3387243%40envira-gallery-lite\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-28T00:28:47.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-12T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Gallery Plugin for WordPress \u2013 Envira Photo Gallery \u003c= 1.12.0 - Missing Authorization to Authenticated (Author+) Multiple Gallery Actions"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12377",
"datePublished": "2025-11-13T11:29:03.241Z",
"dateReserved": "2025-10-28T00:08:29.199Z",
"dateUpdated": "2026-04-08T16:58:41.809Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11448 (GCVE-0-2025-11448)
Vulnerability from cvelistv5 – Published: 2025-11-08 09:28 – Updated: 2026-04-08 17:06
VLAI
Title
Gallery Plugin for WordPress – Envira Photo Gallery <= 1.11.0 - Missing Authorization to Authenticated (Contributor+) Gallery Conversion
Summary
The Gallery Plugin for WordPress – Envira Photo Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/envira-convert/v1/bulk-convert' REST API endpoint in all versions up to, and including, 1.11.0. This makes it possible for authenticated attackers, with contributor-level access and above, to convert galleries to Envira galleries.
Severity
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More |
Affected:
0 , ≤ 1.11.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11448",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-10T14:07:09.934571Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T14:13:43.112Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Envira Gallery \u2013 Image Photo Gallery, Albums, Video Gallery, Slideshows \u0026 More",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "1.11.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucas Montes"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Gallery Plugin for WordPress \u2013 Envira Photo Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027/envira-convert/v1/bulk-convert\u0027 REST API endpoint in all versions up to, and including, 1.11.0. This makes it possible for authenticated attackers, with contributor-level access and above, to convert galleries to Envira galleries."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:06:41.375Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/900e6528-f350-4e1b-80a5-aa01248323a8?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3387243/envira-gallery-lite/trunk/includes/global/convert_gallery/Convert_Gallery_REST.php?old=3379688\u0026old_path=envira-gallery-lite%2Ftrunk%2Fincludes%2Fglobal%2Fconvert_gallery%2FConvert_Gallery_REST.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-07T16:46:51.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-07T20:58:55.000Z",
"value": "Disclosed"
}
],
"title": "Gallery Plugin for WordPress \u2013 Envira Photo Gallery \u003c= 1.11.0 - Missing Authorization to Authenticated (Contributor+) Gallery Conversion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11448",
"datePublished": "2025-11-08T09:28:11.104Z",
"dateReserved": "2025-10-07T16:31:27.084Z",
"dateUpdated": "2026-04-08T17:06:41.375Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12837 (GCVE-0-2025-12837)
Vulnerability from cvelistv5 – Published: 2025-11-08 09:28 – Updated: 2026-04-08 17:01
VLAI
Title
aThemes Addons for Elementor <= 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Call To Action Widget
Summary
The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Call To Action widget in versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping on user-supplied values. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | aThemes Addons for Elementor |
Affected:
0 , ≤ 1.1.5
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12837",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-10T14:07:13.119123Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T14:13:48.536Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "aThemes Addons for Elementor",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "1.1.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abu Hurayra"
}
],
"descriptions": [
{
"lang": "en",
"value": "The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Call To Action widget in versions up to, and including, 1.1.5 due to insufficient input sanitization and output escaping on user-supplied values. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:01:22.443Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/75a3a8ee-42c6-4963-bb48-6794b310b861?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/athemes-addons-for-elementor-lite/tags/1.1.5/inc/modules/widgets/call-to-action/class-call-to-action.php#L938"
},
{
"url": "https://wordpress.org/plugins/athemes-addons-for-elementor-lite/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3391638%40athemes-addons-for-elementor-lite\u0026old=3382628%40athemes-addons-for-elementor-lite\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-06T20:21:14.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-07T20:47:37.000Z",
"value": "Disclosed"
}
],
"title": "aThemes Addons for Elementor \u003c= 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Call To Action Widget"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12837",
"datePublished": "2025-11-08T09:28:10.706Z",
"dateReserved": "2025-11-06T20:06:06.183Z",
"dateUpdated": "2026-04-08T17:01:22.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11271 (GCVE-0-2025-11271)
Vulnerability from cvelistv5 – Published: 2025-11-06 04:36 – Updated: 2026-04-08 16:51
VLAI
Title
Easy Digital Download <= 3.5.2 - Insufficient Verification to Order Manipulation
Summary
The Easy Digital Downloads plugin for WordPress is vulnerable to Order Manipulation in all versions up to, and including, 3.5.2 due to an order verification bypass. The verification is unconditionally skipped when the POST body includes verification_override=1. Because this value is attacker-supplied, an unauthenticated actor can submit a forged IPN and have it treated as verified, even on production sites and with verification otherwise enabled. A valid PayPal transaction id is needed, restricting order manipulation to orders placed by the attacker. This, in turn, requires them to have a customer account.
Severity
5.3 (Medium)
CWE
- CWE-807 - Reliance on Untrusted Inputs in a Security Decision
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | Easy Digital Downloads – eCommerce Payments and Subscriptions made easy |
Affected:
0 , ≤ 3.5.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11271",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-06T15:50:26.199391Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-06T15:50:35.023Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "3.5.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jamie Davies"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads plugin for WordPress is vulnerable to Order Manipulation in all versions up to, and including, 3.5.2 due to an order verification bypass. The verification is unconditionally skipped when the POST body includes verification_override=1. Because this value is attacker-supplied, an unauthenticated actor can submit a forged IPN and have it treated as verified, even on production sites and with verification otherwise enabled. A valid PayPal transaction id is needed, restricting order manipulation to orders placed by the attacker. This, in turn, requires them to have a customer account."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-807",
"description": "CWE-807 Reliance on Untrusted Inputs in a Security Decision",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:51:15.440Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c63154e-9413-47ea-a740-441618266adf?source=cve"
},
{
"url": "https://github.com/awesomemotive/easy-digital-downloads/blob/main/includes/gateways/paypal/ipn.php"
},
{
"url": "https://github.com/awesomemotive/easy-digital-downloads/blob/main/src/Gateways/PayPal/IPN.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3382964%40easy-digital-downloads%2Ftrunk\u0026old=3364285%40easy-digital-downloads%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-03T22:10:42.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-05T16:27:52.000Z",
"value": "Disclosed"
}
],
"title": "Easy Digital Download \u003c= 3.5.2 - Insufficient Verification to Order Manipulation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11271",
"datePublished": "2025-11-06T04:36:22.463Z",
"dateReserved": "2025-10-03T21:53:31.464Z",
"dateUpdated": "2026-04-08T16:51:15.440Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-11893 (GCVE-0-2025-11893)
Vulnerability from cvelistv5 – Published: 2025-10-25 06:49 – Updated: 2026-04-08 16:49
VLAI
Title
Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More <= 1.8.8.4 - Authenticated (Subscriber+) SQL Injection
Summary
The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to SQL Injection via the donation_ids parameter in all versions up to, and including, 1.8.8.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation of the vulnerability requires a paid donation.
Severity
6.5 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More |
Affected:
0 , ≤ 1.8.8.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-11893",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-24T20:29:26.285980Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-24T20:29:31.343Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations \u0026 More",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "1.8.8.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafshanzani Suhada"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations \u0026 More plugin for WordPress is vulnerable to SQL Injection via the donation_ids parameter in all versions up to, and including, 1.8.8.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation of the vulnerability requires a paid donation."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:49:52.670Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/46b7820c-f36d-4c7d-b326-07259786fc6a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/charitable/trunk/includes/abstracts/abstract-class-charitable-query.php#L194"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3382719/charitable/trunk/includes/abstracts/abstract-class-charitable-query.php?contextall=1"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-16T20:27:50.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-10-24T17:36:30.000Z",
"value": "Disclosed"
}
],
"title": "Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations \u0026 More \u003c= 1.8.8.4 - Authenticated (Subscriber+) SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-11893",
"datePublished": "2025-10-25T06:49:21.583Z",
"dateReserved": "2025-10-16T20:12:20.027Z",
"dateUpdated": "2026-04-08T16:49:52.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10694 (GCVE-0-2025-10694)
Vulnerability from cvelistv5 – Published: 2025-10-25 05:31 – Updated: 2026-04-08 17:06
VLAI
Title
User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds <= 1.8.0 - Missing Authorization to Information Disclosure
Summary
The User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `maybe_load_onboarding_wizard` function in all versions up to, and including, 1.8.0. This makes it possible for unauthenticated attackers to access the onboarding wizard page and view configuration information including the administrator email address.
Severity
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | UserFeedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds |
Affected:
0 , ≤ 1.8.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10694",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-27T15:57:28.708214Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-27T15:57:39.705Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UserFeedback \u2013 Create Interactive Feedback Form, User Surveys, and Polls in Seconds",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "1.8.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen Ngoc Quang Bach"
}
],
"descriptions": [
{
"lang": "en",
"value": "The User Feedback \u2013 Create Interactive Feedback Form, User Surveys, and Polls in Seconds plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `maybe_load_onboarding_wizard` function in all versions up to, and including, 1.8.0. This makes it possible for unauthenticated attackers to access the onboarding wizard page and view configuration information including the administrator email address."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:06:42.896Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9026b417-4b35-4bec-9dc6-6797661dc7a8?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3378233/userfeedback-lite/trunk/includes/admin/class-userfeedback-onboarding-wizard.php?old=3354862\u0026old_path=userfeedback-lite%2Ftrunk%2Fincludes%2Fadmin%2Fclass-userfeedback-onboarding-wizard.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-11T00:00:00.000Z",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-09-18T15:57:46.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-10-24T17:09:00.000Z",
"value": "Disclosed"
}
],
"title": "User Feedback \u2013 Create Interactive Feedback Form, User Surveys, and Polls in Seconds \u003c= 1.8.0 - Missing Authorization to Information Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10694",
"datePublished": "2025-10-25T05:31:22.739Z",
"dateReserved": "2025-09-18T15:41:28.436Z",
"dateUpdated": "2026-04-08T17:06:42.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-8149 (GCVE-0-2025-8149)
Vulnerability from cvelistv5 – Published: 2025-09-06 03:22 – Updated: 2026-04-08 17:24
VLAI
Title
aThemes Addons for Elementor Lite <= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget
Summary
The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | aThemes Addons for Elementor |
Affected:
0 , ≤ 1.1.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8149",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-08T13:52:40.209495Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-08T14:05:08.133Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "aThemes Addons for Elementor",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "1.1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "D.Sim"
}
],
"descriptions": [
{
"lang": "en",
"value": "The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s Countdown widget in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:24:56.246Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d0ca1d32-d094-46a2-838a-000e8b531767?source=cve"
},
{
"url": "https://wordpress.org/plugins/athemes-addons-for-elementor-lite/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3350397%40athemes-addons-for-elementor-lite\u0026old=3336319%40athemes-addons-for-elementor-lite\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-07-29T06:39:25.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-09-05T15:01:44.000Z",
"value": "Disclosed"
}
],
"title": "aThemes Addons for Elementor Lite \u003c= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-8149",
"datePublished": "2025-09-06T03:22:37.670Z",
"dateReserved": "2025-07-24T21:46:15.546Z",
"dateUpdated": "2026-04-08T17:24:56.246Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-8102 (GCVE-0-2025-8102)
Vulnerability from cvelistv5 – Published: 2025-08-20 11:26 – Updated: 2026-04-08 16:57
VLAI
Title
Easy Digital Downloads <= 3.5.0 - Cross-Site Request Forgery to Plugin Deactivation via edd_sendwp_disconnect and edd_sendwp_remote_install Functions
Summary
The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.0. This is due to missing nonce validations in the edd_sendwp_disconnect() and edd_sendwp_remote_install() functions. This makes it possible for unauthenticated attackers to deactivate or download and activate the SendWP plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity
5.4 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | Easy Digital Downloads – eCommerce Payments and Subscriptions made easy |
Affected:
0 , ≤ 3.5.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8102",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T13:18:00.586044Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T13:18:10.325Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "3.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.0. This is due to missing nonce validations in the edd_sendwp_disconnect() and edd_sendwp_remote_install() functions. This makes it possible for unauthenticated attackers to deactivate or download and activate the SendWP plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:57:20.755Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/636c9d92-ee62-499d-8d73-33cd63bb5af8?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/tags/3.5.0/includes/deprecated-functions.php#L1678"
},
{
"url": "https://wordpress.org/plugins/easy-digital-downloads/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3346633/easy-digital-downloads/trunk/includes/deprecated-functions.php?old=3328623\u0026old_path=easy-digital-downloads%2Ftrunk%2Fincludes%2Fdeprecated-functions.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-07-29T06:39:26.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-08-19T23:05:32.000Z",
"value": "Disclosed"
}
],
"title": "Easy Digital Downloads \u003c= 3.5.0 - Cross-Site Request Forgery to Plugin Deactivation via edd_sendwp_disconnect and edd_sendwp_remote_install Functions"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-8102",
"datePublished": "2025-08-20T11:26:09.579Z",
"dateReserved": "2025-07-23T20:45:30.551Z",
"dateUpdated": "2026-04-08T16:57:20.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}