Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    186 vulnerabilities by smub

    CVE-2026-12002 (GCVE-0-2026-12002)

    Vulnerability from nvd – Published: 2026-07-08 12:33 – Updated: 2026-07-08 13:03
    VLAI
    Title
    Smash Balloon Social Photo Feed – Easy Social Feeds Plugin <= 6.11.1 - Cross-Site Request Forgery to oEmbed Access Token Overwrite via 'sbi_access_token' Parameter
    Summary
    The Smash Balloon Social Photo Feed – Easy Social Feeds Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.11.1. This is due to missing or incorrect nonce validation on the maybe_connection_data function. This makes it possible for unauthenticated attackers to overwrite the site's Instagram and Facebook oEmbed access tokens via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Credits
    normaandersonfrank
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12002",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:02:53.626151Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:03:04.692Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Smash Balloon Social Photo Feed \u2013 Easy Social Feeds Plugin",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "6.11.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "normaandersonfrank"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Smash Balloon Social Photo Feed \u2013 Easy Social Feeds Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.11.1. This is due to missing or incorrect nonce validation on the maybe_connection_data function. This makes it possible for unauthenticated attackers to overwrite the site\u0027s Instagram and Facebook oEmbed access tokens via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T12:33:16.785Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/abe6366a-3729-474f-8920-b5ed2eeab906?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3575933/instagram-feed/trunk/admin/SBI_oEmbeds.php?old=3289310\u0026old_path=instagram-feed%2Ftrunk%2Fadmin%2FSBI_oEmbeds.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-06T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2026-06-11T17:14:54.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-07-08T00:00:58.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Smash Balloon Social Photo Feed \u2013 Easy Social Feeds Plugin \u003c= 6.11.1 - Cross-Site Request Forgery to oEmbed Access Token Overwrite via \u0027sbi_access_token\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-12002",
        "datePublished": "2026-07-08T12:33:16.785Z",
        "dateReserved": "2026-06-11T16:59:38.484Z",
        "dateUpdated": "2026-07-08T13:03:04.692Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12127 (GCVE-0-2026-12127)

    Vulnerability from nvd – Published: 2026-07-01 04:32 – Updated: 2026-07-01 10:42
    VLAI
    Title
    WPForms <= 1.10.2 - Improper Neutralization of CRLF Sequences to Unauthenticated Email Header Injection via Reply-To Display Name
    Summary
    The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 1.10.2 This is due to `get_reply_to_address()` processing the Reply-To display name through smart-tag expansion with context `'notification'` instead of `'notification-reply-to'`, which bypasses email-address validation while `wpforms_sanitize_textarea_field()` intentionally preserves CR/LF characters that are never stripped before the display name is concatenated into the raw `Reply-To:` mail header string. This makes it possible for unauthenticated attackers to inject arbitrary additional email headers — such as `Bcc:` — into outgoing notification emails, silently blind-copying all notification email copies to an attacker-controlled address. Exploitation requires that a form notification is configured to use a Paragraph Text (textarea) field as the Reply-To display name via a Smart Tag.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
    Assigner
    Credits
    Jack Pas (Dark.)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12127",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T10:31:09.519094Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T10:42:10.985Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WPForms \u2013 AI Form Builder for WordPress \u2013 Contact Forms, Payment Forms, Survey Form, Quiz \u0026 More",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "1.10.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jack Pas (Dark.)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WPForms \u2013 Easy Form Builder for WordPress \u2013 Contact Forms, Payment Forms, Surveys, \u0026 More plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) in all versions up to, and including, 1.10.2 This is due to `get_reply_to_address()` processing the Reply-To display name through smart-tag expansion with context `\u0027notification\u0027` instead of `\u0027notification-reply-to\u0027`, which bypasses email-address validation while `wpforms_sanitize_textarea_field()` intentionally preserves CR/LF characters that are never stripped before the display name is concatenated into the raw `Reply-To:` mail header string. This makes it possible for unauthenticated attackers to inject arbitrary additional email headers \u2014 such as `Bcc:` \u2014 into outgoing notification emails, silently blind-copying all notification email copies to an attacker-controlled address. Exploitation requires that a form notification is configured to use a Paragraph Text (textarea) field as the Reply-To display name via a Smart Tag."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-93",
                  "description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T04:32:27.607Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d5a51c22-c4ca-4897-ad7e-c5df00b07fe0?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.1.1/src/Emails/Mailer.php#L368"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.1.1/src/Emails/Notifications.php#L1098"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.1.1/src/Emails/Notifications.php#L1138"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.1.1/includes/fields/class-textarea.php#L326"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.2/src/Emails/Mailer.php#L368"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.2/src/Emails/Notifications.php#L1098"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.2/src/Emails/Notifications.php#L1138"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.2/includes/fields/class-textarea.php#L326"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3586095/wpforms-lite/trunk/src/Emails/Mailer.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fwpforms-lite/tags/1.10.2\u0026new_path=%2Fwpforms-lite/tags/1.10.2.1"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-12T15:48:56.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-30T16:02:50.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WPForms \u003c= 1.10.2 - Improper Neutralization of CRLF Sequences to Unauthenticated Email Header Injection via Reply-To Display Name"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-12127",
        "datePublished": "2026-07-01T04:32:27.607Z",
        "dateReserved": "2026-06-12T15:16:37.220Z",
        "dateUpdated": "2026-07-01T10:42:10.985Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8613 (GCVE-0-2026-8613)

    Vulnerability from nvd – Published: 2026-06-10 07:50 – Updated: 2026-06-10 14:42
    VLAI
    Title
    aThemes Addons for Elementor <= 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title_tag' Widget Setting
    Summary
    The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'title_tag' Widget Setting in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This affects the Posts Timeline widget as well as the Posts Carousel widget across its default, Banner, and Modern skins, all of which omit the whitelist validation that is correctly applied in the Posts List widget.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    smub aThemes Addons for Elementor Affected: 0 , ≤ 1.1.8 (semver)
    Create a notification for this product.
    Credits
    Romain Deperne
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8613",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-10T14:41:47.013406Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-10T14:42:03.318Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "aThemes Addons for Elementor",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "1.1.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Romain Deperne"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via \u0027title_tag\u0027 Widget Setting in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This affects the Posts Timeline widget as well as the Posts Carousel widget across its default, Banner, and Modern skins, all of which omit the whitelist validation that is correctly applied in the Posts List widget."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-10T07:50:56.223Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2e7aed9e-1b56-4ce6-b338-1d9ab80594c3?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/athemes-addons-for-elementor-lite/tags/1.1.8/inc/modules/widgets/posts-timeline/class-posts-timeline.php#L1351"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/athemes-addons-for-elementor-lite/tags/1.1.8/inc/modules/widgets/posts-carousel/class-posts-carousel.php#L1413"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/athemes-addons-for-elementor-lite/tags/1.1.8/inc/modules/widgets/posts-carousel/skins/class-posts-carousel-banner.php#L226"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/athemes-addons-for-elementor-lite/tags/1.1.8/inc/modules/widgets/posts-carousel/skins/class-posts-carousel-modern.php#L208"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/athemes-addons-for-elementor-lite/tags/1.1.8/inc/functions.php#L1375"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?old_path=/athemes-addons-for-elementor-lite/tags/1.1.8\u0026new_path=/athemes-addons-for-elementor-lite/tags/1.1.9"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/athemes-addons-for-elementor-lite/tags/1.1.9/inc/functions.php#L1374"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-14T16:50:23.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-09T18:49:29.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "aThemes Addons for Elementor \u003c= 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027title_tag\u0027 Widget Setting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-8613",
        "datePublished": "2026-06-10T07:50:56.223Z",
        "dateReserved": "2026-05-14T16:31:49.699Z",
        "dateUpdated": "2026-06-10T14:42:03.318Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7792 (GCVE-0-2026-7792)

    Vulnerability from nvd – Published: 2026-06-06 02:28 – Updated: 2026-06-06 11:43
    VLAI
    Title
    WPForms <= 1.10.0.4 - Unauthenticated Insufficient Verification of Data Authenticity via PayPal Commerce Webhook Endpoint
    Summary
    The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to and including 1.10.0.1. This is due to the PayPal Commerce webhook endpoint processing unauthenticated JSON webhook payloads without verifying that the request originated from PayPal using the required HMAC-SHA256 webhook signature, and only checking whether the supplied event_type is whitelisted before dispatching the attacker-controlled resource data to handlers that update payment records. This makes it possible for unauthenticated attackers who know a valid PayPal subscription_id to forge PayPal webhook events and modify subscription payment records, such as reactivating a cancelled or suspended subscription by setting its subscription_status to active.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    Credits
    Vijay
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7792",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-06T11:34:51.202546Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-06T11:43:17.479Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WPForms \u2013 Easy Form Builder for WordPress \u2013 Contact Forms, Payment Forms, Surveys, \u0026 More",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "1.10.0.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Vijay"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WPForms \u2013 Easy Form Builder for WordPress \u2013 Contact Forms, Payment Forms, Surveys, \u0026 More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to and including 1.10.0.1. This is due to the PayPal Commerce webhook endpoint processing unauthenticated JSON webhook payloads without verifying that the request originated from PayPal using the required HMAC-SHA256 webhook signature, and only checking whether the supplied event_type is whitelisted before dispatching the attacker-controlled resource data to handlers that update payment records. This makes it possible for unauthenticated attackers who know a valid PayPal subscription_id to forge PayPal webhook events and modify subscription payment records, such as reactivating a cancelled or suspended subscription by setting its subscription_status to active."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345 Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-06T02:28:37.577Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d5cf5fd2-58c7-42d0-948f-95764647630b?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/trunk/src/Integrations/PayPalCommerce/Api/WebhookRoute.php#L122"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/trunk/src/Integrations/PayPalCommerce/Api/WebhookRoute.php#L170"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.4/src/Integrations/PayPalCommerce/Api/WebhookRoute.php#L170"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.4/src/Integrations/PayPalCommerce/Api/WebhookRoute.php#L122"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/trunk/src/Integrations/PayPalCommerce/Api/Webhooks/BillingSubscriptionActivated.php#L38"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.4/src/Integrations/PayPalCommerce/Api/Webhooks/BillingSubscriptionActivated.php#L38"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/trunk/src/Integrations/PayPalCommerce/Api/Webhooks/BillingSubscriptionCancelled.php#L32"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.4/src/Integrations/PayPalCommerce/Api/Webhooks/BillingSubscriptionCancelled.php#L32"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.1/src/Integrations/PayPalCommerce/Api/WebhookRoute.php#L170"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.1/src/Integrations/PayPalCommerce/Api/WebhookRoute.php#L122"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.1/src/Integrations/PayPalCommerce/Api/Webhooks/BillingSubscriptionActivated.php#L38"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.1/src/Integrations/PayPalCommerce/Api/Webhooks/BillingSubscriptionCancelled.php#L32"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3532389/wpforms-lite/trunk/src/Integrations/PayPalCommerce/Api/WebhookRoute.php?old=3486451\u0026old_path=wpforms-lite%2Ftrunk%2Fsrc%2FIntegrations%2FPayPalCommerce%2FApi%2FWebhookRoute.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-04T19:14:46.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-05T14:01:26.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WPForms \u003c= 1.10.0.4 - Unauthenticated Insufficient Verification of Data Authenticity via PayPal Commerce Webhook Endpoint"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-7792",
        "datePublished": "2026-06-06T02:28:37.577Z",
        "dateReserved": "2026-05-04T18:59:37.133Z",
        "dateUpdated": "2026-06-06T11:43:17.479Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10038 (GCVE-0-2026-10038)

    Vulnerability from nvd – Published: 2026-06-05 23:28 – Updated: 2026-06-06 11:49
    VLAI
    Title
    Charitable <= 1.8.11.1 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Attachment Deletion via 'avatar' Parameter
    Summary
    The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insecure Direct Object Reference / Authorization Bypass leading to Arbitrary Attachment Deletion in versions up to, and including, 1.8.11.1 via the profile avatar update flow. This is due to the save_avatar() function in Charitable_Profile_Form calling wp_delete_attachment() on an attachment ID read from the user's 'avatar' meta without validating that the attachment is owned by the user, combined with Charitable_Data_Processor::process_picture() returning the raw posted value when no file is uploaded, allowing the 'avatar' user meta to be poisoned with any attacker-chosen attachment ID. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary attachments from the Media Library by performing a two-request chain (first poisoning the stored avatar meta value with a target attachment ID, then triggering deletion via a normal avatar upload).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Credits
    Khanh Nguyen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10038",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-06T11:39:04.354728Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-06T11:49:30.936Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations \u0026 More",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.11.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Khanh Nguyen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations \u0026 More plugin for WordPress is vulnerable to Insecure Direct Object Reference / Authorization Bypass leading to Arbitrary Attachment Deletion in versions up to, and including, 1.8.11.1 via the profile avatar update flow. This is due to the save_avatar() function in Charitable_Profile_Form calling wp_delete_attachment() on an attachment ID read from the user\u0027s \u0027avatar\u0027 meta without validating that the attachment is owned by the user, combined with Charitable_Data_Processor::process_picture() returning the raw posted value when no file is uploaded, allowing the \u0027avatar\u0027 user meta to be poisoned with any attacker-chosen attachment ID. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary attachments from the Media Library by performing a two-request chain (first poisoning the stored avatar meta value with a target attachment ID, then triggering deletion via a normal avatar upload)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T23:28:26.335Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/657bea00-9709-48b8-807a-c9a18b0aee1d?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10/includes/abstracts/abstract-class-charitable-form.php#L429"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10/includes/utilities/class-charitable-data-processor.php#L270"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10/includes/users/class-charitable-user.php#L986"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.5/includes/forms/class-charitable-profile-form.php#L728"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.5/includes/forms/class-charitable-profile-form.php#L724"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.5/includes/utilities/class-charitable-data-processor.php#L270"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.5/includes/users/class-charitable-user.php#L986"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.5/includes/abstracts/abstract-class-charitable-form.php#L429"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10/includes/forms/class-charitable-profile-form.php#L728"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10/includes/forms/class-charitable-profile-form.php#L724"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3557047/charitable/trunk/includes/forms/class-charitable-profile-form.php?old=3435951\u0026old_path=charitable%2Ftrunk%2Fincludes%2Fforms%2Fclass-charitable-profile-form.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-28T19:47:56.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-05T10:28:15.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Charitable \u003c= 1.8.11.1 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Attachment Deletion via \u0027avatar\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-10038",
        "datePublished": "2026-06-05T23:28:26.335Z",
        "dateReserved": "2026-05-28T19:32:46.255Z",
        "dateUpdated": "2026-06-06T11:49:30.936Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7526 (GCVE-0-2026-7526)

    Vulnerability from nvd – Published: 2026-05-28 07:43 – Updated: 2026-05-28 10:32
    VLAI
    Title
    PDF Embedder <= 4.9.3 - Authenticated (Contributor+) Information Exposure via Block Editor Page
    Summary
    The PDF Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.3 via the enqueue_block_assets. This makes it possible for authenticated attackers, with contributor-level access and above, to extract configuration data. License key exposure occurs when the premium add-on is also installed and has saved a key; on Lite-only installations, the exposed data is limited to non-sensitive viewer configuration values such as width, height, toolbar settings, usage tracking, and plan.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    smub PDF Embedder Affected: 0 , ≤ 4.9.3 (semver)
    Create a notification for this product.
    Credits
    Dmitrii Ignatyev
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7526",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-28T10:25:00.865799Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-28T10:32:52.986Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "PDF Embedder",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "4.9.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Dmitrii Ignatyev"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The PDF Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.3 via the enqueue_block_assets. This makes it possible for authenticated attackers, with contributor-level access and above, to extract configuration data. License key exposure occurs when the premium add-on is also installed and has saved a key; on Lite-only installations, the exposed data is limited to non-sensitive viewer configuration values such as width, height, toolbar settings, usage tracking, and plan."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-28T07:43:41.869Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e0f2516-0fa7-415e-868e-6bd259bc6546?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/pdf-embedder/trunk/src/Plugin.php#L224"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/pdf-embedder/tags/4.9.3/src/Plugin.php#L224"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/pdf-embedder/trunk/src/Plugin.php#L204"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/pdf-embedder/tags/4.9.3/src/Plugin.php#L204"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3531901/pdf-embedder/trunk/src/Plugin.php?old=3429550\u0026old_path=pdf-embedder%2Ftrunk%2Fsrc%2FPlugin.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-30T17:41:16.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-27T18:49:03.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "PDF Embedder \u003c= 4.9.3 - Authenticated (Contributor+) Information Exposure via Block Editor Page"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-7526",
        "datePublished": "2026-05-28T07:43:41.869Z",
        "dateReserved": "2026-04-30T17:26:08.252Z",
        "dateUpdated": "2026-05-28T10:32:52.986Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7533 (GCVE-0-2026-7533)

    Vulnerability from nvd – Published: 2026-05-28 05:30 – Updated: 2026-05-28 10:36
    VLAI
    Title
    Easy Digital Downloads <= 3.6.7 - Cross-Site Request Forgery to Payment Account Hijacking via 'square_tokens' Parameter
    Summary
    The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.7. This is due to missing nonce verification in the `handle_oauth_redirect()` function, which is registered on the `admin_init` hook and processes Square OAuth tokens from a user-supplied GET parameter without any CSRF token validation. This makes it possible for unauthenticated attackers to overwrite the store's Square payment gateway credentials by tricking a logged-in administrator into clicking a crafted link, potentially resulting in payment account hijacking.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Credits
    M Indra Purnama
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7533",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-28T10:28:04.823181Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-28T10:36:05.265Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "3.6.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "M Indra Purnama"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.7. This is due to missing nonce verification in the `handle_oauth_redirect()` function, which is registered on the `admin_init` hook and processes Square OAuth tokens from a user-supplied GET parameter without any CSRF token validation. This makes it possible for unauthenticated attackers to overwrite the store\u0027s Square payment gateway credentials by tricking a logged-in administrator into clicking a crafted link, potentially resulting in payment account hijacking."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-28T05:30:41.186Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e375f761-459c-4cad-823b-2a94ac901410?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/src/Gateways/Square/Connection.php#L58"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/tags/3.6.5/src/Gateways/Square/Connection.php#L58"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/src/Gateways/Square/Gateway.php#L114"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/tags/3.6.5/src/Gateways/Square/Gateway.php#L114"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/src/Gateways/Square/Connection.php#L47"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/tags/3.6.5/src/Gateways/Square/Connection.php#L47"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3536197%40easy-digital-downloads\u0026old=3511193%40easy-digital-downloads\u0026sfp_email=\u0026sfph_mail=#file6607"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-30T18:16:35.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-27T17:18:24.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Easy Digital Downloads \u003c= 3.6.7 - Cross-Site Request Forgery to Payment Account Hijacking via \u0027square_tokens\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-7533",
        "datePublished": "2026-05-28T05:30:41.186Z",
        "dateReserved": "2026-04-30T18:01:14.679Z",
        "dateUpdated": "2026-05-28T10:36:05.265Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8832 (GCVE-0-2026-8832)

    Vulnerability from nvd – Published: 2026-05-27 06:46 – Updated: 2026-05-27 10:30
    VLAI
    Title
    WPCode <= 2.3.5 - Authenticated (Author+) Remote Code Execution via CPT Capability Bypass via XML-RPC wp.newPost
    Summary
    The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due to the 'wpcode' custom post type being registered without a custom capability_type or capability restrictions in the wpcode_register_post_type() function, allowing WordPress core to fall back to standard post capabilities for all creation paths including XML-RPC. This makes it possible for authenticated attackers, with author-level access and above, to create and publish executable PHP snippet posts via XML-RPC wp.newPost, which are then executed server-side via eval() in the run_eval() function when the snippet is rendered through the [wpcode] shortcode.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Credits
    Yongtae Jeon
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8832",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-27T10:20:22.252896Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-27T10:30:23.131Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WPCode \u2013 Insert Headers and Footers + Custom Code Snippets \u2013 WordPress Code Manager",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "2.3.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Yongtae Jeon"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due to the \u0027wpcode\u0027 custom post type being registered without a custom capability_type or capability restrictions in the wpcode_register_post_type() function, allowing WordPress core to fall back to standard post capabilities for all creation paths including XML-RPC. This makes it possible for authenticated attackers, with author-level access and above, to create and publish executable PHP snippet posts via XML-RPC wp.newPost, which are then executed server-side via eval() in the run_eval() function when the snippet is rendered through the [wpcode] shortcode."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T06:46:16.247Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/75a2e8b1-d5e0-4f7b-a70a-f0aadf58c778?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/insert-headers-and-footers/tags/2.3.5/includes/post-type.php#L24"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/insert-headers-and-footers/tags/2.3.5/includes/shortcode.php#L26"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/insert-headers-and-footers/tags/2.3.5/includes/class-wpcode-snippet-execute.php#L415"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/insert-headers-and-footers/tags/2.3.5/includes/class-wpcode-snippet-execute.php#L374"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/insert-headers-and-footers/tags/2.3.5/includes/execute/class-wpcode-snippet-execute-php.php#L25"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3549060/insert-headers-and-footers/trunk/includes/post-type.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Finsert-headers-and-footers/tags/2.3.5\u0026new_path=%2Finsert-headers-and-footers/tags/2.3.6"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-18T14:09:28.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-26T17:48:25.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WPCode \u003c= 2.3.5 - Authenticated (Author+) Remote Code Execution via CPT Capability Bypass via XML-RPC wp.newPost"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-8832",
        "datePublished": "2026-05-27T06:46:16.247Z",
        "dateReserved": "2026-05-18T13:53:59.461Z",
        "dateUpdated": "2026-05-27T10:30:23.131Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7636 (GCVE-0-2026-7636)

    Vulnerability from nvd – Published: 2026-05-22 07:50 – Updated: 2026-05-22 13:46
    VLAI
    Title
    Slider by Soliloquy <= 2.8.1 - Authenticated (Subscriber+) Information Disclosure via REST API Endpoint
    Summary
    The Slider by Soliloquy – Responsive Image Slider for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.1 via the map_meta_cap. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract draft slider metadata including unpublished media URLs, captions, and slider configuration authored by administrators or editors.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Credits
    Kitch Global
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7636",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T13:45:57.318117Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-22T13:46:24.435Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Slider by Soliloquy \u2013 Responsive Image Slider for WordPress",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "2.8.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Kitch Global"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Slider by Soliloquy \u2013 Responsive Image Slider for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.1 via the map_meta_cap. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract draft slider metadata including unpublished media URLs, captions, and slider configuration authored by administrators or editors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T07:50:25.970Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/54115a9a-dadd-4f18-a139-02ec89f0a571?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/soliloquy-lite/trunk/includes/global/posttype.php#L90"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/soliloquy-lite/trunk/includes/global/posttype.php#L177"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/soliloquy-lite/tags/2.8.1/includes/global/posttype.php#L177"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/soliloquy-lite/trunk/includes/global/posttype.php#L125"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/soliloquy-lite/tags/2.8.1/includes/global/posttype.php#L125"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/soliloquy-lite/tags/2.8.1/includes/global/posttype.php#L90"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3538404/soliloquy-lite/trunk/includes/global/posttype.php?old=3395148\u0026old_path=soliloquy-lite%2Ftrunk%2Fincludes%2Fglobal%2Fposttype.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-01T15:43:24.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-21T19:23:24.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Slider by Soliloquy \u003c= 2.8.1 - Authenticated (Subscriber+) Information Disclosure via REST API Endpoint"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-7636",
        "datePublished": "2026-05-22T07:50:25.970Z",
        "dateReserved": "2026-05-01T15:28:15.500Z",
        "dateUpdated": "2026-05-22T13:46:24.435Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6566 (GCVE-0-2026-6566)

    Vulnerability from nvd – Published: 2026-05-20 05:31 – Updated: 2026-05-20 15:54
    VLAI
    Title
    Photo Gallery, Sliders, Proofing and Themes <= 4.2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Image Deletion via REST API
    Summary
    The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the permission callback for DELETE /imagely/v1/images/{id} only checks 'NextGEN Manage gallery' permissions and does not enforce gallery ownership or 'NextGEN Manage others gallery' permissions. This makes it possible for authenticated attackers, with Subscriber-level privileges and 'NextGEN Manage gallery' capability, to delete gallery images belonging to other users as well as their associated image files from disk when deleteImg is enabled (default).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    Bao Luu Gia Nguyen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6566",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-20T15:43:36.099126Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-20T15:54:05.752Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Photo Gallery, Sliders, Proofing and Themes \u2013 NextGEN Gallery",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "4.2.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Bao Luu Gia Nguyen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Photo Gallery, Sliders, Proofing and Themes \u2013 NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the permission callback for DELETE /imagely/v1/images/{id} only checks \u0027NextGEN Manage gallery\u0027 permissions and does not enforce gallery ownership or \u0027NextGEN Manage others gallery\u0027 permissions. This makes it possible for authenticated attackers, with Subscriber-level privileges and \u0027NextGEN Manage gallery\u0027 capability, to delete gallery images belonging to other users as well as their associated image files from disk when deleteImg is enabled (default)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-20T05:31:10.536Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/439809ad-21ea-4a0b-b1fd-5de9f8f5ee7a?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3533432/nextgen-gallery"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-18T20:42:58.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-19T17:01:55.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Photo Gallery, Sliders, Proofing and Themes \u003c= 4.2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Image Deletion via REST API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-6566",
        "datePublished": "2026-05-20T05:31:10.536Z",
        "dateReserved": "2026-04-18T17:51:56.808Z",
        "dateUpdated": "2026-05-20T15:54:05.752Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5075 (GCVE-0-2026-5075)

    Vulnerability from nvd – Published: 2026-05-20 03:28 – Updated: 2026-05-20 14:17
    VLAI
    Title
    All in One SEO <= 4.9.7 - Authenticated (Contributor+) Sensitive Information Exposure via 'internalOptions' Localized Script Data
    Summary
    The All in One SEO plugin for WordPress is vulnerable to Sensitive Information Exposure via 'internalOptions' localized script data in versions up to, and including, 4.9.7 due to sensitive internal option data being passed to wp_localize_script() in post editor contexts without effective masking for low-privilege users. This makes it possible for authenticated attackers, with contributor-level access and above, to view configured API/OAuth tokens and license-related values from page source.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Credits
    Riadh Bouchahoua
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5075",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-20T14:16:48.492510Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-20T14:17:02.195Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings \u0026 Increase Traffic",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "4.9.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Riadh Bouchahoua"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The All in One SEO plugin for WordPress is vulnerable to Sensitive Information Exposure via \u0027internalOptions\u0027 localized script data in versions up to, and including, 4.9.7 due to sensitive internal option data being passed to wp_localize_script() in post editor contexts without effective masking for low-privilege users. This makes it possible for authenticated attackers, with contributor-level access and above, to view configured API/OAuth tokens and license-related values from page source."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-20T03:28:14.037Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0d8bc203-c17a-4b31-8f9e-695f9e638cda?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3532318/all-in-one-seo-pack"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-28T13:24:43.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-19T14:51:29.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "All in One SEO \u003c= 4.9.7 - Authenticated (Contributor+) Sensitive Information Exposure via \u0027internalOptions\u0027 Localized Script Data"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-5075",
        "datePublished": "2026-05-20T03:28:14.037Z",
        "dateReserved": "2026-03-28T13:09:05.383Z",
        "dateUpdated": "2026-05-20T14:17:02.195Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5361 (GCVE-0-2026-5361)

    Vulnerability from nvd – Published: 2026-05-14 03:27 – Updated: 2026-05-14 10:47
    VLAI
    Title
    Envira Gallery <= 1.12.4 - Authenticated (Author+) Stored Cross-Site Scripting via 'arrows' Parameter
    Summary
    The Envira Gallery Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in versions up to and including 1.12.4. This is due to insufficient input sanitization in the update_gallery_data() function and improper output escaping in the gallery_init() function. The sanitize_config_values() function only sanitizes the justified_gallery_theme and justified_row_height parameters, but does not sanitize the arrows parameter. When the arrows value is output in the inline JavaScript configuration, it uses esc_attr() which is designed for HTML attribute contexts, not JavaScript contexts, allowing JavaScript expression injection. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Athiwat Tiprasaharn Itthidej Aramsri
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5361",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T10:39:14.280741Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T10:47:27.431Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Envira Gallery \u2013 Image Photo Gallery, Albums, Video Gallery, Slideshows \u0026 More",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "1.12.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Athiwat Tiprasaharn"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Itthidej Aramsri"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Envira Gallery Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in versions up to and including 1.12.4. This is due to insufficient input sanitization in the update_gallery_data() function and improper output escaping in the gallery_init() function. The sanitize_config_values() function only sanitizes the justified_gallery_theme and justified_row_height parameters, but does not sanitize the arrows parameter. When the arrows value is output in the inline JavaScript configuration, it uses esc_attr() which is designed for HTML attribute contexts, not JavaScript contexts, allowing JavaScript expression injection. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-14T03:27:15.137Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d2b1e973-f22d-4e69-b3b8-d6ea5df3f047?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/envira-gallery-lite/trunk/includes/global/shortcode.php#L1067"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/envira-gallery-lite/tags/1.12.4/includes/global/shortcode.php#L1067"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/envira-gallery-lite/trunk/includes/global/rest.php#L163"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/envira-gallery-lite/tags/1.12.4/includes/global/rest.php#L163"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3514026/envira-gallery-lite/trunk/includes/global/shortcode.php?old=3465371\u0026old_path=envira-gallery-lite%2Ftrunk%2Fincludes%2Fglobal%2Fshortcode.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-01T17:36:10.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-13T14:42:15.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Envira Gallery \u003c= 1.12.4 - Authenticated (Author+) Stored Cross-Site Scripting via \u0027arrows\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-5361",
        "datePublished": "2026-05-14T03:27:15.137Z",
        "dateReserved": "2026-04-01T17:20:59.284Z",
        "dateUpdated": "2026-05-14T10:47:27.431Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6177 (GCVE-0-2026-6177)

    Vulnerability from nvd – Published: 2026-05-13 12:29 – Updated: 2026-05-13 19:31
    VLAI
    Title
    Custom Twitter Feeds <= 2.5.4 - Unauthenticated Stored Cross-Site Scripting via Cached Tweet Text
    Summary
    The Custom Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.5.4. This is due to insufficient output escaping in the CTF_Display_Elements::get_post_text() function when rendering cached tweet text. The plugin's ctf_get_more_posts AJAX action is available to unauthenticated users and directly outputs cached tweet data through nl2br() without HTML escaping. When an attacker can get malicious content into cached tweet data (either by tweeting content that gets cached by the site's feed configuration, or through other vulnerabilities), the malicious HTML/JavaScript is executed when the unauthenticated endpoint is accessed. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the affected endpoint.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    gidget smith
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6177",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T19:23:25.801007Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T19:31:57.701Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Custom Twitter Feeds \u2013 A Tweets Widget or X Feed Widget",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "2.5.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "gidget smith"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Custom Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.5.4. This is due to insufficient output escaping in the CTF_Display_Elements::get_post_text() function when rendering cached tweet text. The plugin\u0027s ctf_get_more_posts AJAX action is available to unauthenticated users and directly outputs cached tweet data through nl2br() without HTML escaping. When an attacker can get malicious content into cached tweet data (either by tweeting content that gets cached by the site\u0027s feed configuration, or through other vulnerabilities), the malicious HTML/JavaScript is executed when the unauthenticated endpoint is accessed. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the affected endpoint."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-13T12:29:53.119Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e4b2178f-e4da-4bfb-9c27-8c1884499769?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/custom-twitter-feeds/tags/2.5.4/custom-twitter-feed.php#L447"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/custom-twitter-feeds/trunk/inc/CTF_Display_Elements.php#L505"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/custom-twitter-feeds/tags/2.5.4/inc/CTF_Display_Elements.php#L505"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/custom-twitter-feeds/trunk/custom-twitter-feed.php#L447"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/custom-twitter-feeds/trunk/inc/CTF_Display_Elements.php#L521"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/custom-twitter-feeds/tags/2.5.4/inc/CTF_Display_Elements.php#L521"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/custom-twitter-feeds/trunk/templates/item.php#L36"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/custom-twitter-feeds/tags/2.5.4/templates/item.php#L36"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3519584%40custom-twitter-feeds\u0026old=3481416%40custom-twitter-feeds"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-13T02:22:37.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-12T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Custom Twitter Feeds \u003c= 2.5.4 - Unauthenticated Stored Cross-Site Scripting via Cached Tweet Text"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-6177",
        "datePublished": "2026-05-13T12:29:53.119Z",
        "dateReserved": "2026-04-13T02:07:02.800Z",
        "dateUpdated": "2026-05-13T19:31:57.701Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7619 (GCVE-0-2026-7619)

    Vulnerability from nvd – Published: 2026-05-13 04:26 – Updated: 2026-05-13 10:22
    VLAI
    Title
    Charitable <= 1.8.10.4 - Authenticated (Custom+) SQL Injection via 's' Search Parameter
    Summary
    The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 1.8.10.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with access to the donation management admin area (requiring the edit_others_donations capability) and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Credits
    Abi Wiranata
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7619",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T10:08:28.056009Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T10:22:39.226Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations \u0026 More",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.10.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abi Wiranata"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations \u0026 More plugin for WordPress is vulnerable to generic SQL Injection via the \u0027s\u0027 parameter in all versions up to, and including, 1.8.10.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with access to the donation management admin area (requiring the edit_others_donations capability) and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-13T04:26:39.907Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/950bed9d-8698-4aa0-86a4-fac9e07bb42b?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/trunk/includes/donations/class-charitable-donations.php#L89"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.4/includes/donations/class-charitable-donations.php#L89"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/trunk/includes/admin/donations/class-charitable-donation-list-table.php#L837"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.4/includes/admin/donations/class-charitable-donation-list-table.php#L837"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.9.7/includes/donations/class-charitable-donations.php#L89"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.9.7/includes/admin/donations/class-charitable-donation-list-table.php#L837"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3529172/charitable/trunk/includes/donations/class-charitable-donations.php?old=3209943\u0026old_path=charitable%2Ftrunk%2Fincludes%2Fdonations%2Fclass-charitable-donations.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-01T13:34:24.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-12T15:46:10.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Charitable \u003c= 1.8.10.4 - Authenticated (Custom+) SQL Injection via \u0027s\u0027 Search Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-7619",
        "datePublished": "2026-05-13T04:26:39.907Z",
        "dateReserved": "2026-05-01T13:19:14.129Z",
        "dateUpdated": "2026-05-13T10:22:39.226Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5488 (GCVE-0-2026-5488)

    Vulnerability from nvd – Published: 2026-04-24 03:27 – Updated: 2026-04-24 18:17
    VLAI
    Title
    ExactMetrics <= 9.1.2 - Authenticated (Subscriber+) Missing Authorization to Google Ads Access Token Retrieval via AJAX Action 'exactmetrics_ads_get_token'
    Summary
    The ExactMetrics – Google Analytics Dashboard for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 9.1.2. This is due to missing capability checks in the get_ads_access_token() and reset_experience() AJAX handlers. While the mi-admin-nonce is localized on all admin pages (including profile.php which subscribers can access), and while other similar AJAX endpoints in the same class properly check for the exactmetrics_save_settings capability, these two endpoints only verify the nonce. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve valid Google Ads access tokens and reset Google Ads integration settings.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Dmitrii Ignatyev
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5488",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-24T16:50:54.527245Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-24T18:17:35.257Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "ExactMetrics \u2013 Google Analytics Dashboard for WordPress (Website Stats Plugin)",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "9.1.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Dmitrii Ignatyev"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The ExactMetrics \u2013 Google Analytics Dashboard for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 9.1.2. This is due to missing capability checks in the get_ads_access_token() and reset_experience() AJAX handlers. While the mi-admin-nonce is localized on all admin pages (including profile.php which subscribers can access), and while other similar AJAX endpoints in the same class properly check for the exactmetrics_save_settings capability, these two endpoints only verify the nonce. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve valid Google Ads access tokens and reset Google Ads integration settings."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T03:27:06.309Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6a4359e4-5843-4d2c-b288-5c35f819241a?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/trunk/includes/ppc/google/class-exactmetrics-google-ads.php#L243"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.0.3/includes/ppc/google/class-exactmetrics-google-ads.php#L243"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/trunk/includes/ppc/google/class-exactmetrics-google-ads.php#L167"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.0.3/includes/ppc/google/class-exactmetrics-google-ads.php#L167"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/trunk/includes/admin/admin-assets.php#L196"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.0.3/includes/admin/admin-assets.php#L196"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3513041%40google-analytics-dashboard-for-wp\u0026new=3513041%40google-analytics-dashboard-for-wp\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-03T14:47:10.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-23T14:48:15.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "ExactMetrics \u003c= 9.1.2 - Authenticated (Subscriber+) Missing Authorization to Google Ads Access Token Retrieval via AJAX Action \u0027exactmetrics_ads_get_token\u0027"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-5488",
        "datePublished": "2026-04-24T03:27:06.309Z",
        "dateReserved": "2026-04-03T14:31:57.183Z",
        "dateUpdated": "2026-04-24T18:17:35.257Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12002 (GCVE-0-2026-12002)

    Vulnerability from cvelistv5 – Published: 2026-07-08 12:33 – Updated: 2026-07-08 13:03
    VLAI
    Title
    Smash Balloon Social Photo Feed – Easy Social Feeds Plugin <= 6.11.1 - Cross-Site Request Forgery to oEmbed Access Token Overwrite via 'sbi_access_token' Parameter
    Summary
    The Smash Balloon Social Photo Feed – Easy Social Feeds Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.11.1. This is due to missing or incorrect nonce validation on the maybe_connection_data function. This makes it possible for unauthenticated attackers to overwrite the site's Instagram and Facebook oEmbed access tokens via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Credits
    normaandersonfrank
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12002",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-08T13:02:53.626151Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-08T13:03:04.692Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Smash Balloon Social Photo Feed \u2013 Easy Social Feeds Plugin",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "6.11.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "normaandersonfrank"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Smash Balloon Social Photo Feed \u2013 Easy Social Feeds Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.11.1. This is due to missing or incorrect nonce validation on the maybe_connection_data function. This makes it possible for unauthenticated attackers to overwrite the site\u0027s Instagram and Facebook oEmbed access tokens via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-08T12:33:16.785Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/abe6366a-3729-474f-8920-b5ed2eeab906?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3575933/instagram-feed/trunk/admin/SBI_oEmbeds.php?old=3289310\u0026old_path=instagram-feed%2Ftrunk%2Fadmin%2FSBI_oEmbeds.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-06T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2026-06-11T17:14:54.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-07-08T00:00:58.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Smash Balloon Social Photo Feed \u2013 Easy Social Feeds Plugin \u003c= 6.11.1 - Cross-Site Request Forgery to oEmbed Access Token Overwrite via \u0027sbi_access_token\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-12002",
        "datePublished": "2026-07-08T12:33:16.785Z",
        "dateReserved": "2026-06-11T16:59:38.484Z",
        "dateUpdated": "2026-07-08T13:03:04.692Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12127 (GCVE-0-2026-12127)

    Vulnerability from cvelistv5 – Published: 2026-07-01 04:32 – Updated: 2026-07-01 10:42
    VLAI
    Title
    WPForms <= 1.10.2 - Improper Neutralization of CRLF Sequences to Unauthenticated Email Header Injection via Reply-To Display Name
    Summary
    The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 1.10.2 This is due to `get_reply_to_address()` processing the Reply-To display name through smart-tag expansion with context `'notification'` instead of `'notification-reply-to'`, which bypasses email-address validation while `wpforms_sanitize_textarea_field()` intentionally preserves CR/LF characters that are never stripped before the display name is concatenated into the raw `Reply-To:` mail header string. This makes it possible for unauthenticated attackers to inject arbitrary additional email headers — such as `Bcc:` — into outgoing notification emails, silently blind-copying all notification email copies to an attacker-controlled address. Exploitation requires that a form notification is configured to use a Paragraph Text (textarea) field as the Reply-To display name via a Smart Tag.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
    Assigner
    Credits
    Jack Pas (Dark.)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12127",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T10:31:09.519094Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T10:42:10.985Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WPForms \u2013 AI Form Builder for WordPress \u2013 Contact Forms, Payment Forms, Survey Form, Quiz \u0026 More",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "1.10.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jack Pas (Dark.)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WPForms \u2013 Easy Form Builder for WordPress \u2013 Contact Forms, Payment Forms, Surveys, \u0026 More plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027) in all versions up to, and including, 1.10.2 This is due to `get_reply_to_address()` processing the Reply-To display name through smart-tag expansion with context `\u0027notification\u0027` instead of `\u0027notification-reply-to\u0027`, which bypasses email-address validation while `wpforms_sanitize_textarea_field()` intentionally preserves CR/LF characters that are never stripped before the display name is concatenated into the raw `Reply-To:` mail header string. This makes it possible for unauthenticated attackers to inject arbitrary additional email headers \u2014 such as `Bcc:` \u2014 into outgoing notification emails, silently blind-copying all notification email copies to an attacker-controlled address. Exploitation requires that a form notification is configured to use a Paragraph Text (textarea) field as the Reply-To display name via a Smart Tag."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-93",
                  "description": "CWE-93 Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T04:32:27.607Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d5a51c22-c4ca-4897-ad7e-c5df00b07fe0?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.1.1/src/Emails/Mailer.php#L368"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.1.1/src/Emails/Notifications.php#L1098"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.1.1/src/Emails/Notifications.php#L1138"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.1.1/includes/fields/class-textarea.php#L326"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.2/src/Emails/Mailer.php#L368"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.2/src/Emails/Notifications.php#L1098"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.2/src/Emails/Notifications.php#L1138"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.2/includes/fields/class-textarea.php#L326"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3586095/wpforms-lite/trunk/src/Emails/Mailer.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fwpforms-lite/tags/1.10.2\u0026new_path=%2Fwpforms-lite/tags/1.10.2.1"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-12T15:48:56.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-30T16:02:50.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WPForms \u003c= 1.10.2 - Improper Neutralization of CRLF Sequences to Unauthenticated Email Header Injection via Reply-To Display Name"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-12127",
        "datePublished": "2026-07-01T04:32:27.607Z",
        "dateReserved": "2026-06-12T15:16:37.220Z",
        "dateUpdated": "2026-07-01T10:42:10.985Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8613 (GCVE-0-2026-8613)

    Vulnerability from cvelistv5 – Published: 2026-06-10 07:50 – Updated: 2026-06-10 14:42
    VLAI
    Title
    aThemes Addons for Elementor <= 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title_tag' Widget Setting
    Summary
    The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'title_tag' Widget Setting in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This affects the Posts Timeline widget as well as the Posts Carousel widget across its default, Banner, and Modern skins, all of which omit the whitelist validation that is correctly applied in the Posts List widget.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    smub aThemes Addons for Elementor Affected: 0 , ≤ 1.1.8 (semver)
    Create a notification for this product.
    Credits
    Romain Deperne
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8613",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-10T14:41:47.013406Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-10T14:42:03.318Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "aThemes Addons for Elementor",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "1.1.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Romain Deperne"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The aThemes Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via \u0027title_tag\u0027 Widget Setting in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This affects the Posts Timeline widget as well as the Posts Carousel widget across its default, Banner, and Modern skins, all of which omit the whitelist validation that is correctly applied in the Posts List widget."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-10T07:50:56.223Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2e7aed9e-1b56-4ce6-b338-1d9ab80594c3?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/athemes-addons-for-elementor-lite/tags/1.1.8/inc/modules/widgets/posts-timeline/class-posts-timeline.php#L1351"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/athemes-addons-for-elementor-lite/tags/1.1.8/inc/modules/widgets/posts-carousel/class-posts-carousel.php#L1413"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/athemes-addons-for-elementor-lite/tags/1.1.8/inc/modules/widgets/posts-carousel/skins/class-posts-carousel-banner.php#L226"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/athemes-addons-for-elementor-lite/tags/1.1.8/inc/modules/widgets/posts-carousel/skins/class-posts-carousel-modern.php#L208"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/athemes-addons-for-elementor-lite/tags/1.1.8/inc/functions.php#L1375"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?old_path=/athemes-addons-for-elementor-lite/tags/1.1.8\u0026new_path=/athemes-addons-for-elementor-lite/tags/1.1.9"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/athemes-addons-for-elementor-lite/tags/1.1.9/inc/functions.php#L1374"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-14T16:50:23.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-09T18:49:29.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "aThemes Addons for Elementor \u003c= 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027title_tag\u0027 Widget Setting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-8613",
        "datePublished": "2026-06-10T07:50:56.223Z",
        "dateReserved": "2026-05-14T16:31:49.699Z",
        "dateUpdated": "2026-06-10T14:42:03.318Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7792 (GCVE-0-2026-7792)

    Vulnerability from cvelistv5 – Published: 2026-06-06 02:28 – Updated: 2026-06-06 11:43
    VLAI
    Title
    WPForms <= 1.10.0.4 - Unauthenticated Insufficient Verification of Data Authenticity via PayPal Commerce Webhook Endpoint
    Summary
    The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to and including 1.10.0.1. This is due to the PayPal Commerce webhook endpoint processing unauthenticated JSON webhook payloads without verifying that the request originated from PayPal using the required HMAC-SHA256 webhook signature, and only checking whether the supplied event_type is whitelisted before dispatching the attacker-controlled resource data to handlers that update payment records. This makes it possible for unauthenticated attackers who know a valid PayPal subscription_id to forge PayPal webhook events and modify subscription payment records, such as reactivating a cancelled or suspended subscription by setting its subscription_status to active.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    Credits
    Vijay
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7792",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-06T11:34:51.202546Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-06T11:43:17.479Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WPForms \u2013 Easy Form Builder for WordPress \u2013 Contact Forms, Payment Forms, Surveys, \u0026 More",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "1.10.0.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Vijay"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WPForms \u2013 Easy Form Builder for WordPress \u2013 Contact Forms, Payment Forms, Surveys, \u0026 More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to and including 1.10.0.1. This is due to the PayPal Commerce webhook endpoint processing unauthenticated JSON webhook payloads without verifying that the request originated from PayPal using the required HMAC-SHA256 webhook signature, and only checking whether the supplied event_type is whitelisted before dispatching the attacker-controlled resource data to handlers that update payment records. This makes it possible for unauthenticated attackers who know a valid PayPal subscription_id to forge PayPal webhook events and modify subscription payment records, such as reactivating a cancelled or suspended subscription by setting its subscription_status to active."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345 Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-06T02:28:37.577Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d5cf5fd2-58c7-42d0-948f-95764647630b?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/trunk/src/Integrations/PayPalCommerce/Api/WebhookRoute.php#L122"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/trunk/src/Integrations/PayPalCommerce/Api/WebhookRoute.php#L170"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.4/src/Integrations/PayPalCommerce/Api/WebhookRoute.php#L170"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.4/src/Integrations/PayPalCommerce/Api/WebhookRoute.php#L122"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/trunk/src/Integrations/PayPalCommerce/Api/Webhooks/BillingSubscriptionActivated.php#L38"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.4/src/Integrations/PayPalCommerce/Api/Webhooks/BillingSubscriptionActivated.php#L38"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/trunk/src/Integrations/PayPalCommerce/Api/Webhooks/BillingSubscriptionCancelled.php#L32"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.4/src/Integrations/PayPalCommerce/Api/Webhooks/BillingSubscriptionCancelled.php#L32"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.1/src/Integrations/PayPalCommerce/Api/WebhookRoute.php#L170"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.1/src/Integrations/PayPalCommerce/Api/WebhookRoute.php#L122"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.1/src/Integrations/PayPalCommerce/Api/Webhooks/BillingSubscriptionActivated.php#L38"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.1/src/Integrations/PayPalCommerce/Api/Webhooks/BillingSubscriptionCancelled.php#L32"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3532389/wpforms-lite/trunk/src/Integrations/PayPalCommerce/Api/WebhookRoute.php?old=3486451\u0026old_path=wpforms-lite%2Ftrunk%2Fsrc%2FIntegrations%2FPayPalCommerce%2FApi%2FWebhookRoute.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-04T19:14:46.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-05T14:01:26.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WPForms \u003c= 1.10.0.4 - Unauthenticated Insufficient Verification of Data Authenticity via PayPal Commerce Webhook Endpoint"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-7792",
        "datePublished": "2026-06-06T02:28:37.577Z",
        "dateReserved": "2026-05-04T18:59:37.133Z",
        "dateUpdated": "2026-06-06T11:43:17.479Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10038 (GCVE-0-2026-10038)

    Vulnerability from cvelistv5 – Published: 2026-06-05 23:28 – Updated: 2026-06-06 11:49
    VLAI
    Title
    Charitable <= 1.8.11.1 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Attachment Deletion via 'avatar' Parameter
    Summary
    The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insecure Direct Object Reference / Authorization Bypass leading to Arbitrary Attachment Deletion in versions up to, and including, 1.8.11.1 via the profile avatar update flow. This is due to the save_avatar() function in Charitable_Profile_Form calling wp_delete_attachment() on an attachment ID read from the user's 'avatar' meta without validating that the attachment is owned by the user, combined with Charitable_Data_Processor::process_picture() returning the raw posted value when no file is uploaded, allowing the 'avatar' user meta to be poisoned with any attacker-chosen attachment ID. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary attachments from the Media Library by performing a two-request chain (first poisoning the stored avatar meta value with a target attachment ID, then triggering deletion via a normal avatar upload).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Credits
    Khanh Nguyen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10038",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-06T11:39:04.354728Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-06T11:49:30.936Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations \u0026 More",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.11.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Khanh Nguyen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations \u0026 More plugin for WordPress is vulnerable to Insecure Direct Object Reference / Authorization Bypass leading to Arbitrary Attachment Deletion in versions up to, and including, 1.8.11.1 via the profile avatar update flow. This is due to the save_avatar() function in Charitable_Profile_Form calling wp_delete_attachment() on an attachment ID read from the user\u0027s \u0027avatar\u0027 meta without validating that the attachment is owned by the user, combined with Charitable_Data_Processor::process_picture() returning the raw posted value when no file is uploaded, allowing the \u0027avatar\u0027 user meta to be poisoned with any attacker-chosen attachment ID. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary attachments from the Media Library by performing a two-request chain (first poisoning the stored avatar meta value with a target attachment ID, then triggering deletion via a normal avatar upload)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T23:28:26.335Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/657bea00-9709-48b8-807a-c9a18b0aee1d?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10/includes/abstracts/abstract-class-charitable-form.php#L429"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10/includes/utilities/class-charitable-data-processor.php#L270"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10/includes/users/class-charitable-user.php#L986"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.5/includes/forms/class-charitable-profile-form.php#L728"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.5/includes/forms/class-charitable-profile-form.php#L724"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.5/includes/utilities/class-charitable-data-processor.php#L270"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.5/includes/users/class-charitable-user.php#L986"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.5/includes/abstracts/abstract-class-charitable-form.php#L429"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10/includes/forms/class-charitable-profile-form.php#L728"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10/includes/forms/class-charitable-profile-form.php#L724"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3557047/charitable/trunk/includes/forms/class-charitable-profile-form.php?old=3435951\u0026old_path=charitable%2Ftrunk%2Fincludes%2Fforms%2Fclass-charitable-profile-form.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-28T19:47:56.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-05T10:28:15.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Charitable \u003c= 1.8.11.1 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Attachment Deletion via \u0027avatar\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-10038",
        "datePublished": "2026-06-05T23:28:26.335Z",
        "dateReserved": "2026-05-28T19:32:46.255Z",
        "dateUpdated": "2026-06-06T11:49:30.936Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7526 (GCVE-0-2026-7526)

    Vulnerability from cvelistv5 – Published: 2026-05-28 07:43 – Updated: 2026-05-28 10:32
    VLAI
    Title
    PDF Embedder <= 4.9.3 - Authenticated (Contributor+) Information Exposure via Block Editor Page
    Summary
    The PDF Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.3 via the enqueue_block_assets. This makes it possible for authenticated attackers, with contributor-level access and above, to extract configuration data. License key exposure occurs when the premium add-on is also installed and has saved a key; on Lite-only installations, the exposed data is limited to non-sensitive viewer configuration values such as width, height, toolbar settings, usage tracking, and plan.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    smub PDF Embedder Affected: 0 , ≤ 4.9.3 (semver)
    Create a notification for this product.
    Credits
    Dmitrii Ignatyev
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7526",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-28T10:25:00.865799Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-28T10:32:52.986Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "PDF Embedder",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "4.9.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Dmitrii Ignatyev"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The PDF Embedder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.9.3 via the enqueue_block_assets. This makes it possible for authenticated attackers, with contributor-level access and above, to extract configuration data. License key exposure occurs when the premium add-on is also installed and has saved a key; on Lite-only installations, the exposed data is limited to non-sensitive viewer configuration values such as width, height, toolbar settings, usage tracking, and plan."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-28T07:43:41.869Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e0f2516-0fa7-415e-868e-6bd259bc6546?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/pdf-embedder/trunk/src/Plugin.php#L224"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/pdf-embedder/tags/4.9.3/src/Plugin.php#L224"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/pdf-embedder/trunk/src/Plugin.php#L204"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/pdf-embedder/tags/4.9.3/src/Plugin.php#L204"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3531901/pdf-embedder/trunk/src/Plugin.php?old=3429550\u0026old_path=pdf-embedder%2Ftrunk%2Fsrc%2FPlugin.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-30T17:41:16.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-27T18:49:03.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "PDF Embedder \u003c= 4.9.3 - Authenticated (Contributor+) Information Exposure via Block Editor Page"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-7526",
        "datePublished": "2026-05-28T07:43:41.869Z",
        "dateReserved": "2026-04-30T17:26:08.252Z",
        "dateUpdated": "2026-05-28T10:32:52.986Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7533 (GCVE-0-2026-7533)

    Vulnerability from cvelistv5 – Published: 2026-05-28 05:30 – Updated: 2026-05-28 10:36
    VLAI
    Title
    Easy Digital Downloads <= 3.6.7 - Cross-Site Request Forgery to Payment Account Hijacking via 'square_tokens' Parameter
    Summary
    The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.7. This is due to missing nonce verification in the `handle_oauth_redirect()` function, which is registered on the `admin_init` hook and processes Square OAuth tokens from a user-supplied GET parameter without any CSRF token validation. This makes it possible for unauthenticated attackers to overwrite the store's Square payment gateway credentials by tricking a logged-in administrator into clicking a crafted link, potentially resulting in payment account hijacking.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Credits
    M Indra Purnama
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7533",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-28T10:28:04.823181Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-28T10:36:05.265Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Easy Digital Downloads \u2013 eCommerce Payments and Subscriptions made easy",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "3.6.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "M Indra Purnama"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.7. This is due to missing nonce verification in the `handle_oauth_redirect()` function, which is registered on the `admin_init` hook and processes Square OAuth tokens from a user-supplied GET parameter without any CSRF token validation. This makes it possible for unauthenticated attackers to overwrite the store\u0027s Square payment gateway credentials by tricking a logged-in administrator into clicking a crafted link, potentially resulting in payment account hijacking."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-28T05:30:41.186Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e375f761-459c-4cad-823b-2a94ac901410?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/src/Gateways/Square/Connection.php#L58"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/tags/3.6.5/src/Gateways/Square/Connection.php#L58"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/src/Gateways/Square/Gateway.php#L114"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/tags/3.6.5/src/Gateways/Square/Gateway.php#L114"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/trunk/src/Gateways/Square/Connection.php#L47"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/easy-digital-downloads/tags/3.6.5/src/Gateways/Square/Connection.php#L47"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3536197%40easy-digital-downloads\u0026old=3511193%40easy-digital-downloads\u0026sfp_email=\u0026sfph_mail=#file6607"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-30T18:16:35.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-27T17:18:24.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Easy Digital Downloads \u003c= 3.6.7 - Cross-Site Request Forgery to Payment Account Hijacking via \u0027square_tokens\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-7533",
        "datePublished": "2026-05-28T05:30:41.186Z",
        "dateReserved": "2026-04-30T18:01:14.679Z",
        "dateUpdated": "2026-05-28T10:36:05.265Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8832 (GCVE-0-2026-8832)

    Vulnerability from cvelistv5 – Published: 2026-05-27 06:46 – Updated: 2026-05-27 10:30
    VLAI
    Title
    WPCode <= 2.3.5 - Authenticated (Author+) Remote Code Execution via CPT Capability Bypass via XML-RPC wp.newPost
    Summary
    The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due to the 'wpcode' custom post type being registered without a custom capability_type or capability restrictions in the wpcode_register_post_type() function, allowing WordPress core to fall back to standard post capabilities for all creation paths including XML-RPC. This makes it possible for authenticated attackers, with author-level access and above, to create and publish executable PHP snippet posts via XML-RPC wp.newPost, which are then executed server-side via eval() in the run_eval() function when the snippet is rendered through the [wpcode] shortcode.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Credits
    Yongtae Jeon
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8832",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-27T10:20:22.252896Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-27T10:30:23.131Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WPCode \u2013 Insert Headers and Footers + Custom Code Snippets \u2013 WordPress Code Manager",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "2.3.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Yongtae Jeon"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due to the \u0027wpcode\u0027 custom post type being registered without a custom capability_type or capability restrictions in the wpcode_register_post_type() function, allowing WordPress core to fall back to standard post capabilities for all creation paths including XML-RPC. This makes it possible for authenticated attackers, with author-level access and above, to create and publish executable PHP snippet posts via XML-RPC wp.newPost, which are then executed server-side via eval() in the run_eval() function when the snippet is rendered through the [wpcode] shortcode."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-27T06:46:16.247Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/75a2e8b1-d5e0-4f7b-a70a-f0aadf58c778?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/insert-headers-and-footers/tags/2.3.5/includes/post-type.php#L24"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/insert-headers-and-footers/tags/2.3.5/includes/shortcode.php#L26"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/insert-headers-and-footers/tags/2.3.5/includes/class-wpcode-snippet-execute.php#L415"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/insert-headers-and-footers/tags/2.3.5/includes/class-wpcode-snippet-execute.php#L374"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/insert-headers-and-footers/tags/2.3.5/includes/execute/class-wpcode-snippet-execute-php.php#L25"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3549060/insert-headers-and-footers/trunk/includes/post-type.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Finsert-headers-and-footers/tags/2.3.5\u0026new_path=%2Finsert-headers-and-footers/tags/2.3.6"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-18T14:09:28.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-26T17:48:25.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "WPCode \u003c= 2.3.5 - Authenticated (Author+) Remote Code Execution via CPT Capability Bypass via XML-RPC wp.newPost"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-8832",
        "datePublished": "2026-05-27T06:46:16.247Z",
        "dateReserved": "2026-05-18T13:53:59.461Z",
        "dateUpdated": "2026-05-27T10:30:23.131Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7636 (GCVE-0-2026-7636)

    Vulnerability from cvelistv5 – Published: 2026-05-22 07:50 – Updated: 2026-05-22 13:46
    VLAI
    Title
    Slider by Soliloquy <= 2.8.1 - Authenticated (Subscriber+) Information Disclosure via REST API Endpoint
    Summary
    The Slider by Soliloquy – Responsive Image Slider for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.1 via the map_meta_cap. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract draft slider metadata including unpublished media URLs, captions, and slider configuration authored by administrators or editors.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Credits
    Kitch Global
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7636",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-22T13:45:57.318117Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-22T13:46:24.435Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Slider by Soliloquy \u2013 Responsive Image Slider for WordPress",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "2.8.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Kitch Global"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Slider by Soliloquy \u2013 Responsive Image Slider for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.1 via the map_meta_cap. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract draft slider metadata including unpublished media URLs, captions, and slider configuration authored by administrators or editors."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-22T07:50:25.970Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/54115a9a-dadd-4f18-a139-02ec89f0a571?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/soliloquy-lite/trunk/includes/global/posttype.php#L90"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/soliloquy-lite/trunk/includes/global/posttype.php#L177"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/soliloquy-lite/tags/2.8.1/includes/global/posttype.php#L177"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/soliloquy-lite/trunk/includes/global/posttype.php#L125"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/soliloquy-lite/tags/2.8.1/includes/global/posttype.php#L125"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/soliloquy-lite/tags/2.8.1/includes/global/posttype.php#L90"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3538404/soliloquy-lite/trunk/includes/global/posttype.php?old=3395148\u0026old_path=soliloquy-lite%2Ftrunk%2Fincludes%2Fglobal%2Fposttype.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-01T15:43:24.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-21T19:23:24.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Slider by Soliloquy \u003c= 2.8.1 - Authenticated (Subscriber+) Information Disclosure via REST API Endpoint"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-7636",
        "datePublished": "2026-05-22T07:50:25.970Z",
        "dateReserved": "2026-05-01T15:28:15.500Z",
        "dateUpdated": "2026-05-22T13:46:24.435Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6566 (GCVE-0-2026-6566)

    Vulnerability from cvelistv5 – Published: 2026-05-20 05:31 – Updated: 2026-05-20 15:54
    VLAI
    Title
    Photo Gallery, Sliders, Proofing and Themes <= 4.2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Image Deletion via REST API
    Summary
    The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the permission callback for DELETE /imagely/v1/images/{id} only checks 'NextGEN Manage gallery' permissions and does not enforce gallery ownership or 'NextGEN Manage others gallery' permissions. This makes it possible for authenticated attackers, with Subscriber-level privileges and 'NextGEN Manage gallery' capability, to delete gallery images belonging to other users as well as their associated image files from disk when deleteImg is enabled (default).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    Bao Luu Gia Nguyen
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6566",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-20T15:43:36.099126Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-20T15:54:05.752Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Photo Gallery, Sliders, Proofing and Themes \u2013 NextGEN Gallery",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "4.2.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Bao Luu Gia Nguyen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Photo Gallery, Sliders, Proofing and Themes \u2013 NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the permission callback for DELETE /imagely/v1/images/{id} only checks \u0027NextGEN Manage gallery\u0027 permissions and does not enforce gallery ownership or \u0027NextGEN Manage others gallery\u0027 permissions. This makes it possible for authenticated attackers, with Subscriber-level privileges and \u0027NextGEN Manage gallery\u0027 capability, to delete gallery images belonging to other users as well as their associated image files from disk when deleteImg is enabled (default)."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-20T05:31:10.536Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/439809ad-21ea-4a0b-b1fd-5de9f8f5ee7a?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3533432/nextgen-gallery"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-18T20:42:58.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-19T17:01:55.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Photo Gallery, Sliders, Proofing and Themes \u003c= 4.2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Image Deletion via REST API"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-6566",
        "datePublished": "2026-05-20T05:31:10.536Z",
        "dateReserved": "2026-04-18T17:51:56.808Z",
        "dateUpdated": "2026-05-20T15:54:05.752Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5075 (GCVE-0-2026-5075)

    Vulnerability from cvelistv5 – Published: 2026-05-20 03:28 – Updated: 2026-05-20 14:17
    VLAI
    Title
    All in One SEO <= 4.9.7 - Authenticated (Contributor+) Sensitive Information Exposure via 'internalOptions' Localized Script Data
    Summary
    The All in One SEO plugin for WordPress is vulnerable to Sensitive Information Exposure via 'internalOptions' localized script data in versions up to, and including, 4.9.7 due to sensitive internal option data being passed to wp_localize_script() in post editor contexts without effective masking for low-privilege users. This makes it possible for authenticated attackers, with contributor-level access and above, to view configured API/OAuth tokens and license-related values from page source.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Credits
    Riadh Bouchahoua
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5075",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-20T14:16:48.492510Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-20T14:17:02.195Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings \u0026 Increase Traffic",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "4.9.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Riadh Bouchahoua"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The All in One SEO plugin for WordPress is vulnerable to Sensitive Information Exposure via \u0027internalOptions\u0027 localized script data in versions up to, and including, 4.9.7 due to sensitive internal option data being passed to wp_localize_script() in post editor contexts without effective masking for low-privilege users. This makes it possible for authenticated attackers, with contributor-level access and above, to view configured API/OAuth tokens and license-related values from page source."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-20T03:28:14.037Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0d8bc203-c17a-4b31-8f9e-695f9e638cda?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3532318/all-in-one-seo-pack"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-28T13:24:43.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-19T14:51:29.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "All in One SEO \u003c= 4.9.7 - Authenticated (Contributor+) Sensitive Information Exposure via \u0027internalOptions\u0027 Localized Script Data"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-5075",
        "datePublished": "2026-05-20T03:28:14.037Z",
        "dateReserved": "2026-03-28T13:09:05.383Z",
        "dateUpdated": "2026-05-20T14:17:02.195Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5361 (GCVE-0-2026-5361)

    Vulnerability from cvelistv5 – Published: 2026-05-14 03:27 – Updated: 2026-05-14 10:47
    VLAI
    Title
    Envira Gallery <= 1.12.4 - Authenticated (Author+) Stored Cross-Site Scripting via 'arrows' Parameter
    Summary
    The Envira Gallery Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in versions up to and including 1.12.4. This is due to insufficient input sanitization in the update_gallery_data() function and improper output escaping in the gallery_init() function. The sanitize_config_values() function only sanitizes the justified_gallery_theme and justified_row_height parameters, but does not sanitize the arrows parameter. When the arrows value is output in the inline JavaScript configuration, it uses esc_attr() which is designed for HTML attribute contexts, not JavaScript contexts, allowing JavaScript expression injection. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Athiwat Tiprasaharn Itthidej Aramsri
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5361",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T10:39:14.280741Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T10:47:27.431Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Envira Gallery \u2013 Image Photo Gallery, Albums, Video Gallery, Slideshows \u0026 More",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "1.12.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Athiwat Tiprasaharn"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Itthidej Aramsri"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Envira Gallery Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in versions up to and including 1.12.4. This is due to insufficient input sanitization in the update_gallery_data() function and improper output escaping in the gallery_init() function. The sanitize_config_values() function only sanitizes the justified_gallery_theme and justified_row_height parameters, but does not sanitize the arrows parameter. When the arrows value is output in the inline JavaScript configuration, it uses esc_attr() which is designed for HTML attribute contexts, not JavaScript contexts, allowing JavaScript expression injection. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-14T03:27:15.137Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d2b1e973-f22d-4e69-b3b8-d6ea5df3f047?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/envira-gallery-lite/trunk/includes/global/shortcode.php#L1067"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/envira-gallery-lite/tags/1.12.4/includes/global/shortcode.php#L1067"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/envira-gallery-lite/trunk/includes/global/rest.php#L163"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/envira-gallery-lite/tags/1.12.4/includes/global/rest.php#L163"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3514026/envira-gallery-lite/trunk/includes/global/shortcode.php?old=3465371\u0026old_path=envira-gallery-lite%2Ftrunk%2Fincludes%2Fglobal%2Fshortcode.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-01T17:36:10.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-13T14:42:15.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Envira Gallery \u003c= 1.12.4 - Authenticated (Author+) Stored Cross-Site Scripting via \u0027arrows\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-5361",
        "datePublished": "2026-05-14T03:27:15.137Z",
        "dateReserved": "2026-04-01T17:20:59.284Z",
        "dateUpdated": "2026-05-14T10:47:27.431Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6177 (GCVE-0-2026-6177)

    Vulnerability from cvelistv5 – Published: 2026-05-13 12:29 – Updated: 2026-05-13 19:31
    VLAI
    Title
    Custom Twitter Feeds <= 2.5.4 - Unauthenticated Stored Cross-Site Scripting via Cached Tweet Text
    Summary
    The Custom Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.5.4. This is due to insufficient output escaping in the CTF_Display_Elements::get_post_text() function when rendering cached tweet text. The plugin's ctf_get_more_posts AJAX action is available to unauthenticated users and directly outputs cached tweet data through nl2br() without HTML escaping. When an attacker can get malicious content into cached tweet data (either by tweeting content that gets cached by the site's feed configuration, or through other vulnerabilities), the malicious HTML/JavaScript is executed when the unauthenticated endpoint is accessed. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the affected endpoint.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    gidget smith
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6177",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T19:23:25.801007Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T19:31:57.701Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Custom Twitter Feeds \u2013 A Tweets Widget or X Feed Widget",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "2.5.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "gidget smith"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Custom Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.5.4. This is due to insufficient output escaping in the CTF_Display_Elements::get_post_text() function when rendering cached tweet text. The plugin\u0027s ctf_get_more_posts AJAX action is available to unauthenticated users and directly outputs cached tweet data through nl2br() without HTML escaping. When an attacker can get malicious content into cached tweet data (either by tweeting content that gets cached by the site\u0027s feed configuration, or through other vulnerabilities), the malicious HTML/JavaScript is executed when the unauthenticated endpoint is accessed. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the affected endpoint."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-13T12:29:53.119Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e4b2178f-e4da-4bfb-9c27-8c1884499769?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/custom-twitter-feeds/tags/2.5.4/custom-twitter-feed.php#L447"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/custom-twitter-feeds/trunk/inc/CTF_Display_Elements.php#L505"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/custom-twitter-feeds/tags/2.5.4/inc/CTF_Display_Elements.php#L505"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/custom-twitter-feeds/trunk/custom-twitter-feed.php#L447"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/custom-twitter-feeds/trunk/inc/CTF_Display_Elements.php#L521"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/custom-twitter-feeds/tags/2.5.4/inc/CTF_Display_Elements.php#L521"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/custom-twitter-feeds/trunk/templates/item.php#L36"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/custom-twitter-feeds/tags/2.5.4/templates/item.php#L36"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3519584%40custom-twitter-feeds\u0026old=3481416%40custom-twitter-feeds"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-13T02:22:37.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-12T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Custom Twitter Feeds \u003c= 2.5.4 - Unauthenticated Stored Cross-Site Scripting via Cached Tweet Text"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-6177",
        "datePublished": "2026-05-13T12:29:53.119Z",
        "dateReserved": "2026-04-13T02:07:02.800Z",
        "dateUpdated": "2026-05-13T19:31:57.701Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7619 (GCVE-0-2026-7619)

    Vulnerability from cvelistv5 – Published: 2026-05-13 04:26 – Updated: 2026-05-13 10:22
    VLAI
    Title
    Charitable <= 1.8.10.4 - Authenticated (Custom+) SQL Injection via 's' Search Parameter
    Summary
    The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 1.8.10.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with access to the donation management admin area (requiring the edit_others_donations capability) and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Credits
    Abi Wiranata
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7619",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-13T10:08:28.056009Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-13T10:22:39.226Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations \u0026 More",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "1.8.10.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Abi Wiranata"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations \u0026 More plugin for WordPress is vulnerable to generic SQL Injection via the \u0027s\u0027 parameter in all versions up to, and including, 1.8.10.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with access to the donation management admin area (requiring the edit_others_donations capability) and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-13T04:26:39.907Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/950bed9d-8698-4aa0-86a4-fac9e07bb42b?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/trunk/includes/donations/class-charitable-donations.php#L89"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.4/includes/donations/class-charitable-donations.php#L89"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/trunk/includes/admin/donations/class-charitable-donation-list-table.php#L837"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.4/includes/admin/donations/class-charitable-donation-list-table.php#L837"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.9.7/includes/donations/class-charitable-donations.php#L89"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.9.7/includes/admin/donations/class-charitable-donation-list-table.php#L837"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3529172/charitable/trunk/includes/donations/class-charitable-donations.php?old=3209943\u0026old_path=charitable%2Ftrunk%2Fincludes%2Fdonations%2Fclass-charitable-donations.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-01T13:34:24.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-12T15:46:10.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "Charitable \u003c= 1.8.10.4 - Authenticated (Custom+) SQL Injection via \u0027s\u0027 Search Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-7619",
        "datePublished": "2026-05-13T04:26:39.907Z",
        "dateReserved": "2026-05-01T13:19:14.129Z",
        "dateUpdated": "2026-05-13T10:22:39.226Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5488 (GCVE-0-2026-5488)

    Vulnerability from cvelistv5 – Published: 2026-04-24 03:27 – Updated: 2026-04-24 18:17
    VLAI
    Title
    ExactMetrics <= 9.1.2 - Authenticated (Subscriber+) Missing Authorization to Google Ads Access Token Retrieval via AJAX Action 'exactmetrics_ads_get_token'
    Summary
    The ExactMetrics – Google Analytics Dashboard for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 9.1.2. This is due to missing capability checks in the get_ads_access_token() and reset_experience() AJAX handlers. While the mi-admin-nonce is localized on all admin pages (including profile.php which subscribers can access), and while other similar AJAX endpoints in the same class properly check for the exactmetrics_save_settings capability, these two endpoints only verify the nonce. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve valid Google Ads access tokens and reset Google Ads integration settings.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Dmitrii Ignatyev
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5488",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-24T16:50:54.527245Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-24T18:17:35.257Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "ExactMetrics \u2013 Google Analytics Dashboard for WordPress (Website Stats Plugin)",
              "vendor": "smub",
              "versions": [
                {
                  "lessThanOrEqual": "9.1.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Dmitrii Ignatyev"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The ExactMetrics \u2013 Google Analytics Dashboard for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 9.1.2. This is due to missing capability checks in the get_ads_access_token() and reset_experience() AJAX handlers. While the mi-admin-nonce is localized on all admin pages (including profile.php which subscribers can access), and while other similar AJAX endpoints in the same class properly check for the exactmetrics_save_settings capability, these two endpoints only verify the nonce. This makes it possible for authenticated attackers, with subscriber-level access and above, to retrieve valid Google Ads access tokens and reset Google Ads integration settings."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-24T03:27:06.309Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6a4359e4-5843-4d2c-b288-5c35f819241a?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/trunk/includes/ppc/google/class-exactmetrics-google-ads.php#L243"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.0.3/includes/ppc/google/class-exactmetrics-google-ads.php#L243"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/trunk/includes/ppc/google/class-exactmetrics-google-ads.php#L167"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.0.3/includes/ppc/google/class-exactmetrics-google-ads.php#L167"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/trunk/includes/admin/admin-assets.php#L196"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/google-analytics-dashboard-for-wp/tags/9.0.3/includes/admin/admin-assets.php#L196"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3513041%40google-analytics-dashboard-for-wp\u0026new=3513041%40google-analytics-dashboard-for-wp\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-03T14:47:10.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-23T14:48:15.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "ExactMetrics \u003c= 9.1.2 - Authenticated (Subscriber+) Missing Authorization to Google Ads Access Token Retrieval via AJAX Action \u0027exactmetrics_ads_get_token\u0027"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-5488",
        "datePublished": "2026-04-24T03:27:06.309Z",
        "dateReserved": "2026-04-03T14:31:57.183Z",
        "dateUpdated": "2026-04-24T18:17:35.257Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }