Search criteria
9996 vulnerabilities
CVE-2026-9829 (GCVE-0-2026-9829)
Vulnerability from cvelistv5 – Published: 2026-06-06 04:28 – Updated: 2026-06-06 11:41
VLAI
Title
Photo Gallery by 10Web <= 1.8.41 - Authenticated (Contributor+) SQL Injection via 'compact_album_order_by' Shortcode Parameter
Summary
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based SQL Injection via 'compact_album_order_by' Shortcode Parameter in all versions up to, and including, 1.8.41 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The malicious payload is stored via the 'shortcode_bwg' AJAX handler — accessible to Contributor-level users and exploitable without a valid nonce by omitting the 'page' parameter — and is subsequently triggered by the unauthenticated 'bwg_frontend_data' AJAX handler, meaning successful exploitation requires only that an attacker has Contributor-level access to save the shortcode.
Severity
6.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
12 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| 10web | Photo Gallery by 10Web – Mobile-Friendly Image Gallery |
Affected:
0 , ≤ 1.8.41
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9829",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:33:25.351553Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:41:25.517Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Photo Gallery by 10Web \u2013 Mobile-Friendly Image Gallery",
"vendor": "10web",
"versions": [
{
"lessThanOrEqual": "1.8.41",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonah Burgess"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Photo Gallery by 10Web \u2013 Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based SQL Injection via \u0027compact_album_order_by\u0027 Shortcode Parameter in all versions up to, and including, 1.8.41 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The malicious payload is stored via the \u0027shortcode_bwg\u0027 AJAX handler \u2014 accessible to Contributor-level users and exploitable without a valid nonce by omitting the \u0027page\u0027 parameter \u2014 and is subsequently triggered by the unauthenticated \u0027bwg_frontend_data\u0027 AJAX handler, meaning successful exploitation requires only that an attacker has Contributor-level access to save the shortcode."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T04:28:20.367Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cae7dabd-ce43-43e3-9f67-b2de55bd720b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.40/frontend/models/model.php#L113"
},
{
"url": "https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.41/frontend/models/model.php#L113"
},
{
"url": "https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.41/frontend/models/model.php#L162"
},
{
"url": "https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.41/admin/controllers/Shortcode.php#L59"
},
{
"url": "https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.41/framework/WDWLibrary.php#L2281"
},
{
"url": "https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.41/photo-gallery.php#L717"
},
{
"url": "https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.40/frontend/models/model.php#L162"
},
{
"url": "https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.40/admin/controllers/Shortcode.php#L59"
},
{
"url": "https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.40/framework/WDWLibrary.php#L2281"
},
{
"url": "https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.40/photo-gallery.php#L717"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3553847"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-28T15:13:10.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T15:34:43.000Z",
"value": "Disclosed"
}
],
"title": "Photo Gallery by 10Web \u003c= 1.8.41 - Authenticated (Contributor+) SQL Injection via \u0027compact_album_order_by\u0027 Shortcode Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9829",
"datePublished": "2026-06-06T04:28:20.367Z",
"dateReserved": "2026-05-28T12:02:27.528Z",
"dateUpdated": "2026-06-06T11:41:25.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9851 (GCVE-0-2026-9851)
Vulnerability from cvelistv5 – Published: 2026-06-06 04:28 – Updated: 2026-06-06 11:41
VLAI
Title
Booking Package <= 1.7.16 - Authenticated (Editor+) Privilege Escalation via Account Takeover to updateUser AJAX Action
Summary
The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the 'updateUser' branch of the package_app_action AJAX endpoint, where the handler only validates a nonce and the dispatcher invokes Schedule::updateUser() with the $administrator argument hard-coded to 1, bypassing the only owner-restriction check inside that function and allowing the target user to be determined solely by attacker-supplied input passed directly to wp_update_user(). This makes it possible for authenticated attackers, with Editor-level access and above, to change the email address and password of any account, including Administrator accounts, resulting in a full site takeover.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| masaakitanaka | Booking Package |
Affected:
0 , ≤ 1.7.16
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9851",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:33:35.308170Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:41:39.564Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Booking Package",
"vendor": "masaakitanaka",
"versions": [
{
"lessThanOrEqual": "1.7.16",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Md. Moniruzzaman Prodhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Booking Package plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in versions up to, and including, 1.7.16. This is due to a missing capability check on the \u0027updateUser\u0027 branch of the package_app_action AJAX endpoint, where the handler only validates a nonce and the dispatcher invokes Schedule::updateUser() with the $administrator argument hard-coded to 1, bypassing the only owner-restriction check inside that function and allowing the target user to be determined solely by attacker-supplied input passed directly to wp_update_user(). This makes it possible for authenticated attackers, with Editor-level access and above, to change the email address and password of any account, including Administrator accounts, resulting in a full site takeover."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T04:28:19.979Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/795c1fd6-137b-4414-8d6b-30053bfb5924?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.13/lib/Schedule.php#L868"
},
{
"url": "https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.13/index.php#L4477"
},
{
"url": "https://plugins.trac.wordpress.org/browser/booking-package/tags/1.7.13/index.php#L4416"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3558752%40booking-package\u0026new=3558752%40booking-package\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-28T17:30:14.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T15:42:19.000Z",
"value": "Disclosed"
}
],
"title": "Booking Package \u003c= 1.7.16 - Authenticated (Editor+) Privilege Escalation via Account Takeover to updateUser AJAX Action"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9851",
"datePublished": "2026-06-06T04:28:19.979Z",
"dateReserved": "2026-05-28T14:49:39.596Z",
"dateUpdated": "2026-06-06T11:41:39.564Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9016 (GCVE-0-2026-9016)
Vulnerability from cvelistv5 – Published: 2026-06-06 04:28 – Updated: 2026-06-06 11:41
VLAI
Title
Debug Log Manager <= 2.5.0 - Unauthenticated Improper Output Neutralization for Logs via log_js_errors AJAX Action
Summary
The Debug Log Manager – Conveniently Monitor and Inspect Errors plugin for WordPress is vulnerable to Improper Output Neutralization for Logs in all versions up to, and including, 2.5.0. This is due to the `log_js_errors()` AJAX handler being registered for unauthenticated users via `wp_ajax_nopriv_log_js_errors` and gated only by a nonce that is publicly disclosed in every front-end page's HTML through `wp_localize_script()` whenever JavaScript error logging is enabled, providing no real authorization barrier. This makes it possible for unauthenticated attackers to inject arbitrary forged entries into the site's WordPress debug log by supplying attacker-controlled values for the `message`, `script`, `lineNo`, `columnNo`, and `pageUrl` fields — enabling spoofing of error and incident records, obscuring malicious activity within fabricated log noise, and misleading administrators who rely on the log for triage. This vulnerability is only exploitable when the plugin's JavaScript error logging feature is enabled, as the requisite nonce is only published into the page HTML under that condition.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-117 - Improper Output Neutralization for Logs
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| qriouslad | Debug Log Manager – Conveniently Monitor and Inspect Errors |
Affected:
0 , ≤ 2.5.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9016",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:33:44.814740Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:41:53.158Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Debug Log Manager \u2013 Conveniently Monitor and Inspect Errors",
"vendor": "qriouslad",
"versions": [
{
"lessThanOrEqual": "2.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Endang Alfarisi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Debug Log Manager \u2013 Conveniently Monitor and Inspect Errors plugin for WordPress is vulnerable to Improper Output Neutralization for Logs in all versions up to, and including, 2.5.0. This is due to the `log_js_errors()` AJAX handler being registered for unauthenticated users via `wp_ajax_nopriv_log_js_errors` and gated only by a nonce that is publicly disclosed in every front-end page\u0027s HTML through `wp_localize_script()` whenever JavaScript error logging is enabled, providing no real authorization barrier. This makes it possible for unauthenticated attackers to inject arbitrary forged entries into the site\u0027s WordPress debug log by supplying attacker-controlled values for the `message`, `script`, `lineNo`, `columnNo`, and `pageUrl` fields \u2014 enabling spoofing of error and incident records, obscuring malicious activity within fabricated log noise, and misleading administrators who rely on the log for triage. This vulnerability is only exploitable when the plugin\u0027s JavaScript error logging feature is enabled, as the requisite nonce is only published into the page HTML under that condition."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-117",
"description": "CWE-117 Improper Output Neutralization for Logs",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T04:28:19.220Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/25abca87-1be2-427e-ab01-377d52917052?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/debug-log-manager/tags/2.4.3/classes/class-debug-log.php#L1961"
},
{
"url": "https://plugins.trac.wordpress.org/browser/debug-log-manager/tags/2.4.3/classes/class-debug-log.php#L1947"
},
{
"url": "https://plugins.trac.wordpress.org/browser/debug-log-manager/tags/2.4.3/bootstrap.php#L123"
},
{
"url": "https://plugins.trac.wordpress.org/browser/debug-log-manager/tags/2.4.3/bootstrap.php#L556"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3543321%40debug-log-manager\u0026new=3543321%40debug-log-manager\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-05T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Debug Log Manager \u003c= 2.5.0 - Unauthenticated Improper Output Neutralization for Logs via log_js_errors AJAX Action"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9016",
"datePublished": "2026-06-06T04:28:19.220Z",
"dateReserved": "2026-05-19T14:30:12.804Z",
"dateUpdated": "2026-06-06T11:41:53.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9594 (GCVE-0-2026-9594)
Vulnerability from cvelistv5 – Published: 2026-06-06 03:28 – Updated: 2026-06-06 11:42
VLAI
Title
WP Maps <= 4.9.4 - Authenticated (Admin+) Stored Cross-Site Scripting via 'location_messages' Parameter
Summary
The WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'location_messages' parameter in all versions up to, and including, 4.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the attacker to hold the custom wpgmp_manage_location capability, which is granted to administrators by default but can be assigned to lower-privileged roles via the plugin's Permissions screen.
Severity
4.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
6 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| flippercode | WP Maps – Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory & Filters |
Affected:
0 , ≤ 4.9.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9594",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:33:53.074446Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:42:08.069Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Maps \u2013 Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory \u0026 Filters",
"vendor": "flippercode",
"versions": [
{
"lessThanOrEqual": "4.9.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yousef Alraddadi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Maps \u2013 Google Maps,OpenStreetMap,Mapbox,Store Locator,Listing,Directory \u0026 Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027location_messages\u0027 parameter in all versions up to, and including, 4.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the attacker to hold the custom wpgmp_manage_location capability, which is granted to administrators by default but can be assigned to lower-privileged roles via the plugin\u0027s Permissions screen."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T03:28:25.853Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d082c6e6-a18a-44e2-9478-7189f9777198?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/trunk/modules/shortcode/views/put-wpgmp.php#L632"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/trunk/modules/location/model.location.php#L299"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/tags/4.9.2/modules/shortcode/views/put-wpgmp.php#L632"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-google-map-plugin/tags/4.9.2/modules/location/model.location.php#L299"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3550683%40wp-google-map-plugin\u0026new=3550683%40wp-google-map-plugin\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-26T14:48:13.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T15:28:12.000Z",
"value": "Disclosed"
}
],
"title": "WP Maps \u003c= 4.9.4 - Authenticated (Admin+) Stored Cross-Site Scripting via \u0027location_messages\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9594",
"datePublished": "2026-06-06T03:28:25.853Z",
"dateReserved": "2026-05-26T14:33:03.586Z",
"dateUpdated": "2026-06-06T11:42:08.069Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8611 (GCVE-0-2026-8611)
Vulnerability from cvelistv5 – Published: 2026-06-06 03:28 – Updated: 2026-06-06 11:42
VLAI
Title
Klamra Paycal for Aspaclaria <= 1.1.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Information Exposure via 'invoice_id' Parameter
Summary
The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the 'invoice_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to download arbitrary customer invoices by enumerating sequential post IDs, exposing sensitive billing PII including full name, email address, phone number, order total, line items, and customer notes belonging to other customers.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| klamra22 | Klamra Paycal for Aspaclaria |
Affected:
0 , ≤ 1.1.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8611",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:33:58.894533Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:42:22.209Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Klamra Paycal for Aspaclaria",
"vendor": "klamra22",
"versions": [
{
"lessThanOrEqual": "1.1.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "KEVIN LEE"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the \u0027invoice_id\u0027 parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to download arbitrary customer invoices by enumerating sequential post IDs, exposing sensitive billing PII including full name, email address, phone number, order total, line items, and customer notes belonging to other customers."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T03:28:25.476Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b07dc6ff-f88d-4c5a-8cd5-7c20f1755ece?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.1.1/includes/Modules/Invoices/Legacy/includes/pdf/download.php#L4"
},
{
"url": "https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.1.1/includes/Modules/Invoices/Legacy/includes/pdf/download.php#L7"
},
{
"url": "https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.1.1/includes/Modules/Invoices/Legacy/includes/render.php#L72"
},
{
"url": "https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.0.2/includes/Modules/Invoices/Legacy/includes/pdf/download.php#L4"
},
{
"url": "https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.0.2/includes/Modules/Invoices/Legacy/includes/pdf/download.php#L7"
},
{
"url": "https://plugins.trac.wordpress.org/browser/klamra-paycal-for-aspaclaria/tags/1.0.2/includes/Modules/Invoices/Legacy/includes/render.php#L72"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3555026%40klamra-paycal-for-aspaclaria\u0026new=3555026%40klamra-paycal-for-aspaclaria\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-30T18:14:50.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T14:28:53.000Z",
"value": "Disclosed"
}
],
"title": "Klamra Paycal for Aspaclaria \u003c= 1.1.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Information Exposure via \u0027invoice_id\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8611",
"datePublished": "2026-06-06T03:28:25.476Z",
"dateReserved": "2026-05-14T16:04:08.456Z",
"dateUpdated": "2026-06-06T11:42:22.209Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8839 (GCVE-0-2026-8839)
Vulnerability from cvelistv5 – Published: 2026-06-06 03:28 – Updated: 2026-06-06 11:42
VLAI
Title
MapPress Maps for WordPress <= 2.96.6 - Unauthenticated Insecure Direct Object Reference via REST API Endpoints
Summary
The MapPress Maps for WordPress plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.96.6. This is due to missing ownership verification in the REST API routes registered via `Mappress_Api::rest_api_init()`, where the GET `/wp-json/mapp/v1/maps/{mapid}` endpoint uses `'permission_callback' => '__return_true'` and the write endpoints (POST update, DELETE, PATCH mutate, POST clone, POST empty_trash) only check the generic `edit_posts` capability without confirming that the requester owns the targeted map — a gap that is not compensated at the model layer, as `Mappress_Map::get()`, `save()`, `delete()`, `mutate()`, and `empty_trash()` all operate on any caller-supplied map ID without an ownership check. This makes it possible for unauthenticated attackers to read sensitive map data — including POI titles, addresses, coordinates, and body content — for any map on the site by enumerating map IDs, and for authenticated attackers with Contributor-level access and above to modify, delete, trash/restore, or clone any map regardless of its author.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
24 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| chrisvrichardson | MapPress Maps for WordPress |
Affected:
0 , ≤ 2.96.6
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8839",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:34:08.719037Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:42:35.794Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MapPress Maps for WordPress",
"vendor": "chrisvrichardson",
"versions": [
{
"lessThanOrEqual": "2.96.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kitch Global"
}
],
"descriptions": [
{
"lang": "en",
"value": "The MapPress Maps for WordPress plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 2.96.6. This is due to missing ownership verification in the REST API routes registered via `Mappress_Api::rest_api_init()`, where the GET `/wp-json/mapp/v1/maps/{mapid}` endpoint uses `\u0027permission_callback\u0027 =\u003e \u0027__return_true\u0027` and the write endpoints (POST update, DELETE, PATCH mutate, POST clone, POST empty_trash) only check the generic `edit_posts` capability without confirming that the requester owns the targeted map \u2014 a gap that is not compensated at the model layer, as `Mappress_Map::get()`, `save()`, `delete()`, `mutate()`, and `empty_trash()` all operate on any caller-supplied map ID without an ownership check. This makes it possible for unauthenticated attackers to read sensitive map data \u2014 including POI titles, addresses, coordinates, and body content \u2014 for any map on the site by enumerating map IDs, and for authenticated attackers with Contributor-level access and above to modify, delete, trash/restore, or clone any map regardless of its author."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T03:28:25.116Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9f402aa7-24d6-448b-a1d3-5ee7c90b39bc?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L328"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L328"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L90"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L268"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L39"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L253"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L50"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_api.php#L75"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_map.php#L239"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_map.php#L493"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_map.php#L379"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.96.6/mappress_map.php#L550"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L90"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L268"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L39"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L253"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L50"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_api.php#L75"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_map.php#L239"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_map.php#L493"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_map.php#L379"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mappress-google-maps-for-wordpress/tags/2.95.10/mappress_map.php#L550"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/mappress-google-maps-for-wordpress/tags/2.96.6\u0026new_path=/mappress-google-maps-for-wordpress/tags/2.97.1"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-19T04:58:32.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T14:37:12.000Z",
"value": "Disclosed"
}
],
"title": "MapPress Maps for WordPress \u003c= 2.96.6 - Unauthenticated Insecure Direct Object Reference via REST API Endpoints"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8839",
"datePublished": "2026-06-06T03:28:25.116Z",
"dateReserved": "2026-05-18T15:18:31.311Z",
"dateUpdated": "2026-06-06T11:42:35.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7624 (GCVE-0-2026-7624)
Vulnerability from cvelistv5 – Published: 2026-06-06 03:28 – Updated: 2026-06-06 11:42
VLAI
Title
SEO Plugin by Squirrly SEO <= 12.4.16 - Missing Authorization to Authenticated (Contributor+) Privileged Cloud API Operations
Summary
The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 12.4.16. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to invoke privileged state-changing Squirrly cloud API operations, such as revoking the site's Google Search Console and Google Analytics integrations via `api/gsc/revoke` and `api/ga/revoke`, that are otherwise restricted to administrator-level users holding the `sq_manage_settings` capability.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
14 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| cifi | SEO Plugin by Squirrly SEO |
Affected:
0 , ≤ 12.4.16
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7624",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:34:30.959710Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:42:49.770Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SEO Plugin by Squirrly SEO",
"vendor": "cifi",
"versions": [
{
"lessThanOrEqual": "12.4.16",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abi Wiranata"
}
],
"descriptions": [
{
"lang": "en",
"value": "The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 12.4.16. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to invoke privileged state-changing Squirrly cloud API operations, such as revoking the site\u0027s Google Search Console and Google Analytics integrations via `api/gsc/revoke` and `api/ga/revoke`, that are otherwise restricted to administrator-level users holding the `sq_manage_settings` capability."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T03:28:24.543Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/32701ae6-004c-41e2-bdf0-d78c6c2b3e97?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/squirrly-seo/trunk/controllers/Post.php#L683"
},
{
"url": "https://plugins.trac.wordpress.org/browser/squirrly-seo/tags/12.4.16/controllers/Post.php#L683"
},
{
"url": "https://plugins.trac.wordpress.org/browser/squirrly-seo/trunk/controllers/Post.php#L680"
},
{
"url": "https://plugins.trac.wordpress.org/browser/squirrly-seo/tags/12.4.16/controllers/Post.php#L680"
},
{
"url": "https://plugins.trac.wordpress.org/browser/squirrly-seo/trunk/classes/RemoteController.php#L573"
},
{
"url": "https://plugins.trac.wordpress.org/browser/squirrly-seo/tags/12.4.16/classes/RemoteController.php#L573"
},
{
"url": "https://plugins.trac.wordpress.org/browser/squirrly-seo/trunk/classes/RemoteController.php#L51"
},
{
"url": "https://plugins.trac.wordpress.org/browser/squirrly-seo/tags/12.4.16/classes/RemoteController.php#L51"
},
{
"url": "https://plugins.trac.wordpress.org/browser/squirrly-seo/tags/12.4.15/controllers/Post.php#L683"
},
{
"url": "https://plugins.trac.wordpress.org/browser/squirrly-seo/tags/12.4.15/controllers/Post.php#L680"
},
{
"url": "https://plugins.trac.wordpress.org/browser/squirrly-seo/tags/12.4.15/classes/RemoteController.php#L573"
},
{
"url": "https://plugins.trac.wordpress.org/browser/squirrly-seo/tags/12.4.15/classes/RemoteController.php#L51"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3558846%40squirrly-seo\u0026new=3558846%40squirrly-seo\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-01T14:07:44.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T14:31:03.000Z",
"value": "Disclosed"
}
],
"title": "SEO Plugin by Squirrly SEO \u003c= 12.4.16 - Missing Authorization to Authenticated (Contributor+) Privileged Cloud API Operations"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-7624",
"datePublished": "2026-06-06T03:28:24.543Z",
"dateReserved": "2026-05-01T13:52:21.178Z",
"dateUpdated": "2026-06-06T11:42:49.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8978 (GCVE-0-2026-8978)
Vulnerability from cvelistv5 – Published: 2026-06-06 02:28 – Updated: 2026-06-06 11:43
VLAI
Title
OptinCraft <= 1.2.0 - Authenticated (Administrator+) SQL Injection via 'order_by' Parameter
Summary
The OptinCraft – Drag & Drop Optins & Popup Builder for WordPress plugin for WordPress is vulnerable to generic SQL Injection via the 'order_by' parameter in all versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity
4.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| crafium | OptinCraft – Drag & Drop Optins & Popup Builder for WordPress |
Affected:
0 , ≤ 1.2.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8978",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:34:36.818547Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:43:03.296Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "OptinCraft \u2013 Drag \u0026 Drop Optins \u0026 Popup Builder for WordPress",
"vendor": "crafium",
"versions": [
{
"lessThanOrEqual": "1.2.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yousef Alraddadi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The OptinCraft \u2013 Drag \u0026 Drop Optins \u0026 Popup Builder for WordPress plugin for WordPress is vulnerable to generic SQL Injection via the \u0027order_by\u0027 parameter in all versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T02:28:37.988Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f28a95b0-0f7d-43c4-acf9-13c561245f4b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/optincraft/tags/1.0.2/vendor/vendor-src/wpmvc/database/src/Query/Compilers/Compiler.php#L286"
},
{
"url": "https://plugins.trac.wordpress.org/browser/optincraft/tags/1.0.2/app/Repositories/CampaignRepository.php#L55"
},
{
"url": "https://plugins.trac.wordpress.org/browser/optincraft/tags/1.0.2/app/Http/Controllers/Admin/CampaignController.php#L37"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3554161%40optincraft\u0026new=3554161%40optincraft\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-20T20:38:10.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T13:57:33.000Z",
"value": "Disclosed"
}
],
"title": "OptinCraft \u003c= 1.2.0 - Authenticated (Administrator+) SQL Injection via \u0027order_by\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8978",
"datePublished": "2026-06-06T02:28:37.988Z",
"dateReserved": "2026-05-19T13:07:33.729Z",
"dateUpdated": "2026-06-06T11:43:03.296Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7792 (GCVE-0-2026-7792)
Vulnerability from cvelistv5 – Published: 2026-06-06 02:28 – Updated: 2026-06-06 11:43
VLAI
Title
WPForms <= 1.10.0.4 - Unauthenticated Insufficient Verification of Data Authenticity via PayPal Commerce Webhook Endpoint
Summary
The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to and including 1.10.0.1. This is due to the PayPal Commerce webhook endpoint processing unauthenticated JSON webhook payloads without verifying that the request originated from PayPal using the required HMAC-SHA256 webhook signature, and only checking whether the supplied event_type is whitelisted before dispatching the attacker-controlled resource data to handlers that update payment records. This makes it possible for unauthenticated attackers who know a valid PayPal subscription_id to forge PayPal webhook events and modify subscription payment records, such as reactivating a cancelled or suspended subscription by setting its subscription_status to active.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
14 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More |
Affected:
0 , ≤ 1.10.0.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7792",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:34:51.202546Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:43:17.479Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WPForms \u2013 Easy Form Builder for WordPress \u2013 Contact Forms, Payment Forms, Surveys, \u0026 More",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "1.10.0.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Vijay"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WPForms \u2013 Easy Form Builder for WordPress \u2013 Contact Forms, Payment Forms, Surveys, \u0026 More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to and including 1.10.0.1. This is due to the PayPal Commerce webhook endpoint processing unauthenticated JSON webhook payloads without verifying that the request originated from PayPal using the required HMAC-SHA256 webhook signature, and only checking whether the supplied event_type is whitelisted before dispatching the attacker-controlled resource data to handlers that update payment records. This makes it possible for unauthenticated attackers who know a valid PayPal subscription_id to forge PayPal webhook events and modify subscription payment records, such as reactivating a cancelled or suspended subscription by setting its subscription_status to active."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345 Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T02:28:37.577Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d5cf5fd2-58c7-42d0-948f-95764647630b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/trunk/src/Integrations/PayPalCommerce/Api/WebhookRoute.php#L122"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/trunk/src/Integrations/PayPalCommerce/Api/WebhookRoute.php#L170"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.4/src/Integrations/PayPalCommerce/Api/WebhookRoute.php#L170"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.4/src/Integrations/PayPalCommerce/Api/WebhookRoute.php#L122"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/trunk/src/Integrations/PayPalCommerce/Api/Webhooks/BillingSubscriptionActivated.php#L38"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.4/src/Integrations/PayPalCommerce/Api/Webhooks/BillingSubscriptionActivated.php#L38"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/trunk/src/Integrations/PayPalCommerce/Api/Webhooks/BillingSubscriptionCancelled.php#L32"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.4/src/Integrations/PayPalCommerce/Api/Webhooks/BillingSubscriptionCancelled.php#L32"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.1/src/Integrations/PayPalCommerce/Api/WebhookRoute.php#L170"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.1/src/Integrations/PayPalCommerce/Api/WebhookRoute.php#L122"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.1/src/Integrations/PayPalCommerce/Api/Webhooks/BillingSubscriptionActivated.php#L38"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.10.0.1/src/Integrations/PayPalCommerce/Api/Webhooks/BillingSubscriptionCancelled.php#L32"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3532389/wpforms-lite/trunk/src/Integrations/PayPalCommerce/Api/WebhookRoute.php?old=3486451\u0026old_path=wpforms-lite%2Ftrunk%2Fsrc%2FIntegrations%2FPayPalCommerce%2FApi%2FWebhookRoute.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-04T19:14:46.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T14:01:26.000Z",
"value": "Disclosed"
}
],
"title": "WPForms \u003c= 1.10.0.4 - Unauthenticated Insufficient Verification of Data Authenticity via PayPal Commerce Webhook Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-7792",
"datePublished": "2026-06-06T02:28:37.577Z",
"dateReserved": "2026-05-04T18:59:37.133Z",
"dateUpdated": "2026-06-06T11:43:17.479Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-2500 (GCVE-0-2026-2500)
Vulnerability from cvelistv5 – Published: 2026-06-06 02:28 – Updated: 2026-06-06 11:43
VLAI
Title
Quick Playground <= 1.3.4 - Authenticated (Administrator+) Arbitrary File Read via 'filename' Parameter
Summary
The Quick Playground plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.4. This is due to the `qckply_data()` function passing the user-supplied `filename` POST parameter directly to `file_get_contents()` without any validation, sanitization, or path restriction. This makes it possible for authenticated attackers, with Administrator-level access and above, to read arbitrary files on the server, such as `wp-config.php` or `/etc/passwd`, which can contain sensitive information. Note: This vulnerability is only exploitable when the site has been synced with WordPress Playground (the `is_qckply_clone` option is set) or when running on `playground.wordpress.net`.
Severity
4.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| davidfcarr | Quick Playground |
Affected:
0 , ≤ 1.3.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-2500",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:34:43.075799Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:43:31.617Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Quick Playground",
"vendor": "davidfcarr",
"versions": [
{
"lessThanOrEqual": "1.3.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Pablo Santiago"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Quick Playground plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.4. This is due to the `qckply_data()` function passing the user-supplied `filename` POST parameter directly to `file_get_contents()` without any validation, sanitization, or path restriction. This makes it possible for authenticated attackers, with Administrator-level access and above, to read arbitrary files on the server, such as `wp-config.php` or `/etc/passwd`, which can contain sensitive information. Note: This vulnerability is only exploitable when the site has been synced with WordPress Playground (the `is_qckply_clone` option is set) or when running on `playground.wordpress.net`."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T02:28:37.200Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a920d8c0-fb6b-40dc-ae61-ac004b0dfccd?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quick-playground/trunk/client-qckply_data.php#L10"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quick-playground/tags/1.2/client-qckply_data.php#L10"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3558027%40quick-playground\u0026new=3558027%40quick-playground\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-13T22:03:05.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T14:22:06.000Z",
"value": "Disclosed"
}
],
"title": "Quick Playground \u003c= 1.3.4 - Authenticated (Administrator+) Arbitrary File Read via \u0027filename\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-2500",
"datePublished": "2026-06-06T02:28:37.200Z",
"dateReserved": "2026-02-13T21:47:55.634Z",
"dateUpdated": "2026-06-06T11:43:31.617Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8502 (GCVE-0-2026-8502)
Vulnerability from cvelistv5 – Published: 2026-06-06 02:28 – Updated: 2026-06-06 11:47
VLAI
Title
LearnPress <= 4.3.6 - Unauthenticated Sensitive Information Exposure via 'c_status' and 'return_type' Parameters
Summary
The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.6 via the 'return_type' parameter. This makes it possible for unauthenticated attackers to extract sensitive data including the plaintext post_password of password-protected courses and the full post_content, post_author, and post_name of unpublished draft, private, and pending courses via the unrestricted SELECT * fallback query. Exploitation requires supplying both c_status=all (to bypass the publish-only post_status WHERE clause) and return_type=json (to prevent the safe DISTINCT(ID) AS ID field override) in a single unauthenticated request to the /wp-json/lp/v1/courses/archive-course endpoint.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
14 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| thimpress | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses |
Affected:
0 , ≤ 4.3.6
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8502",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:38:08.814834Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:47:26.858Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LearnPress \u2013 WordPress LMS Plugin for Create and Sell Online Courses",
"vendor": "thimpress",
"versions": [
{
"lessThanOrEqual": "4.3.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jamshed Yergashvoyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The LearnPress \u2013 WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.6 via the \u0027return_type\u0027 parameter. This makes it possible for unauthenticated attackers to extract sensitive data including the plaintext post_password of password-protected courses and the full post_content, post_author, and post_name of unpublished draft, private, and pending courses via the unrestricted SELECT * fallback query. Exploitation requires supplying both c_status=all (to bypass the publish-only post_status WHERE clause) and return_type=json (to prevent the safe DISTINCT(ID) AS ID field override) in a single unauthenticated request to the /wp-json/lp/v1/courses/archive-course endpoint."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T02:28:36.811Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a32a6ea3-4473-4075-b660-9bba083ae0bf?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.6/inc/Models/Courses.php#L200"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.6/inc/Models/Courses.php#L126"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.6/inc/rest-api/v1/frontend/class-lp-rest-courses-controller.php#L196"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.6/inc/rest-api/v1/frontend/class-lp-rest-courses-controller.php#L68"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.6/inc/Databases/class-lp-course-db.php#L472"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.6/inc/Databases/class-lp-db.php#L610"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.8/inc/Models/Courses.php#L200"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.8/inc/Models/Courses.php#L126"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.8/inc/rest-api/v1/frontend/class-lp-rest-courses-controller.php#L196"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.8/inc/rest-api/v1/frontend/class-lp-rest-courses-controller.php#L68"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.8/inc/Databases/class-lp-course-db.php#L472"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.8/inc/Databases/class-lp-db.php#L610"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3545523%40learnpress\u0026new=3545523%40learnpress\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-13T21:14:44.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T14:23:22.000Z",
"value": "Disclosed"
}
],
"title": "LearnPress \u003c= 4.3.6 - Unauthenticated Sensitive Information Exposure via \u0027c_status\u0027 and \u0027return_type\u0027 Parameters"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8502",
"datePublished": "2026-06-06T02:28:36.811Z",
"dateReserved": "2026-05-13T20:58:03.070Z",
"dateUpdated": "2026-06-06T11:47:26.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7796 (GCVE-0-2026-7796)
Vulnerability from cvelistv5 – Published: 2026-06-06 02:28 – Updated: 2026-06-06 11:47
VLAI
Title
EmbedPress <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block 'url' Attribute
Summary
The EmbedPress – PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the block 'url' attribute in all versions up to, and including, 4.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
11 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wpdevteam | EmbedPress – PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more |
Affected:
0 , ≤ 4.5.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7796",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:38:26.227503Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:47:40.895Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "EmbedPress \u2013 PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds \u0026 more",
"vendor": "wpdevteam",
"versions": [
{
"lessThanOrEqual": "4.5.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jangwoo Choi"
}
],
"descriptions": [
{
"lang": "en",
"value": "The EmbedPress \u2013 PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds \u0026 more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the block \u0027url\u0027 attribute in all versions up to, and including, 4.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T02:28:36.449Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a0b5b6bc-5f4f-4cf8-987e-b20e8354d863?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/embedpress/trunk/EmbedPress/Gutenberg/EmbedPressBlockRenderer.php#L1181"
},
{
"url": "https://plugins.trac.wordpress.org/browser/embedpress/tags/4.5.1/EmbedPress/Gutenberg/EmbedPressBlockRenderer.php#L1181"
},
{
"url": "https://plugins.trac.wordpress.org/browser/embedpress/trunk/EmbedPress/Gutenberg/EmbedPressBlockRenderer.php#L133"
},
{
"url": "https://plugins.trac.wordpress.org/browser/embedpress/tags/4.5.1/EmbedPress/Gutenberg/EmbedPressBlockRenderer.php#L133"
},
{
"url": "https://plugins.trac.wordpress.org/browser/embedpress/trunk/EmbedPress/Includes/Classes/Helper.php#L1659"
},
{
"url": "https://plugins.trac.wordpress.org/browser/embedpress/tags/4.5.1/EmbedPress/Includes/Classes/Helper.php#L1659"
},
{
"url": "https://plugins.trac.wordpress.org/browser/embedpress/tags/4.4.11/EmbedPress/Gutenberg/EmbedPressBlockRenderer.php#L1181"
},
{
"url": "https://plugins.trac.wordpress.org/browser/embedpress/tags/4.4.11/EmbedPress/Gutenberg/EmbedPressBlockRenderer.php#L133"
},
{
"url": "https://plugins.trac.wordpress.org/browser/embedpress/tags/4.4.11/EmbedPress/Includes/Classes/Helper.php#L1659"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3546981%40embedpress\u0026new=3546981%40embedpress\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-04T19:23:19.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T14:17:32.000Z",
"value": "Disclosed"
}
],
"title": "EmbedPress \u003c= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block \u0027url\u0027 Attribute"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-7796",
"datePublished": "2026-06-06T02:28:36.449Z",
"dateReserved": "2026-05-04T19:08:09.496Z",
"dateUpdated": "2026-06-06T11:47:40.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7665 (GCVE-0-2026-7665)
Vulnerability from cvelistv5 – Published: 2026-06-06 02:28 – Updated: 2026-06-06 11:47
VLAI
Title
Essential Addons for Elementor <= 6.6.4 - Missing Authorization to Unauthenticated Information Exposure via 'load_more' AJAX Handler
Summary
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.6.4 via the ajax_load_more function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
14 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wpdevteam | Essential Addons for Elementor – Popular Elementor Templates & Widgets |
Affected:
0 , ≤ 6.6.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7665",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:38:20.678625Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:47:54.832Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Essential Addons for Elementor \u2013 Popular Elementor Templates \u0026 Widgets",
"vendor": "wpdevteam",
"versions": [
{
"lessThanOrEqual": "6.6.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Anirudh Makkar"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Essential Addons for Elementor \u2013 Popular Elementor Templates \u0026 Widgets plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.6.4 via the ajax_load_more function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T02:28:36.091Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/861ece65-bee7-4124-b1a8-de9fb0c1cbc7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L292"
},
{
"url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.6.3/includes/Traits/Ajax_Handler.php#L292"
},
{
"url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L1601"
},
{
"url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.6.3/includes/Traits/Ajax_Handler.php#L1601"
},
{
"url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L106"
},
{
"url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.6.3/includes/Traits/Ajax_Handler.php#L106"
},
{
"url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/includes/Traits/Ajax_Handler.php#L197"
},
{
"url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.6.3/includes/Traits/Ajax_Handler.php#L197"
},
{
"url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.5.13/includes/Traits/Ajax_Handler.php#L292"
},
{
"url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.5.13/includes/Traits/Ajax_Handler.php#L1601"
},
{
"url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.5.13/includes/Traits/Ajax_Handler.php#L106"
},
{
"url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/tags/6.5.13/includes/Traits/Ajax_Handler.php#L197"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3541534%40essential-addons-for-elementor-lite\u0026new=3541534%40essential-addons-for-elementor-lite\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-01T20:05:03.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T14:25:47.000Z",
"value": "Disclosed"
}
],
"title": "Essential Addons for Elementor \u003c= 6.6.4 - Missing Authorization to Unauthenticated Information Exposure via \u0027load_more\u0027 AJAX Handler"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-7665",
"datePublished": "2026-06-06T02:28:36.091Z",
"dateReserved": "2026-05-01T19:49:55.131Z",
"dateUpdated": "2026-06-06T11:47:54.832Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7795 (GCVE-0-2026-7795)
Vulnerability from cvelistv5 – Published: 2026-06-06 02:28 – Updated: 2026-06-06 11:48
VLAI
Title
Click to Chat <= 4.39 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'num' Shortcode Parameter
Summary
The Click to Chat – WA Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [chat] shortcode 'num' parameter in all versions up to, and including, 4.38. This is due to insufficient escaping when embedding user-supplied shortcode attribute values inside JavaScript string literals that are then placed in HTML event-handler attributes. The CCW_Shortcode::shortcode() function applies esc_attr() to the 'num' parameter (line 157), which converts single quotes to the HTML entity '. This entity-encoded value is then interpolated directly into a JavaScript window.open() call string delimited by single quotes (line 194/221), and that complete string is placed verbatim into an HTML onclick attribute in the style template files (e.g., sc-style-1.php line 6). Because browsers HTML-decode event attribute values before executing the embedded JavaScript, the ' entities are decoded back to literal single quotes at runtime, allowing the injected payload to break out of the JavaScript string context and execute arbitrary code. This makes it possible for authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages that will execute whenever a user clicks the WhatsApp chat button rendered by the [chat] shortcode.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
11 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| holithemes | Click to Chat – HoliThemes |
Affected:
0 , ≤ 4.39
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7795",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:38:34.115122Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:48:08.795Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Click to Chat \u2013 HoliThemes",
"vendor": "holithemes",
"versions": [
{
"lessThanOrEqual": "4.39",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Vijay"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Click to Chat \u2013 WA Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [chat] shortcode \u0027num\u0027 parameter in all versions up to, and including, 4.38. This is due to insufficient escaping when embedding user-supplied shortcode attribute values inside JavaScript string literals that are then placed in HTML event-handler attributes. The CCW_Shortcode::shortcode() function applies esc_attr() to the \u0027num\u0027 parameter (line 157), which converts single quotes to the HTML entity \u0026#039;. This entity-encoded value is then interpolated directly into a JavaScript window.open() call string delimited by single quotes (line 194/221), and that complete string is placed verbatim into an HTML onclick attribute in the style template files (e.g., sc-style-1.php line 6). Because browsers HTML-decode event attribute values before executing the embedded JavaScript, the \u0026#039; entities are decoded back to literal single quotes at runtime, allowing the injected payload to break out of the JavaScript string context and execute arbitrary code. This makes it possible for authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages that will execute whenever a user clicks the WhatsApp chat button rendered by the [chat] shortcode."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T02:28:35.712Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60440b26-1c0b-4fd0-a74a-ff5900d0e9b8?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/trunk/prev/inc/class-ccw-shortcode.php#L157"
},
{
"url": "https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/trunk/prev/inc/commons/styles-list-sc/sc-style-1.php#L6"
},
{
"url": "https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/4.39/prev/inc/commons/styles-list-sc/sc-style-1.php#L6"
},
{
"url": "https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/4.39/prev/inc/class-ccw-shortcode.php#L157"
},
{
"url": "https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/trunk/prev/inc/class-ccw-shortcode.php#L221"
},
{
"url": "https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/4.39/prev/inc/class-ccw-shortcode.php#L221"
},
{
"url": "https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/4.38/prev/inc/commons/styles-list-sc/sc-style-1.php#L6"
},
{
"url": "https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/4.38/prev/inc/class-ccw-shortcode.php#L157"
},
{
"url": "https://plugins.trac.wordpress.org/browser/click-to-chat-for-whatsapp/tags/4.38/prev/inc/class-ccw-shortcode.php#L221"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3557482%40click-to-chat-for-whatsapp\u0026new=3557482%40click-to-chat-for-whatsapp\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-26T05:43:30.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T13:37:20.000Z",
"value": "Disclosed"
}
],
"title": "Click to Chat \u003c= 4.39 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027num\u0027 Shortcode Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-7795",
"datePublished": "2026-06-06T02:28:35.712Z",
"dateReserved": "2026-05-04T19:03:00.750Z",
"dateUpdated": "2026-06-06T11:48:08.795Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7537 (GCVE-0-2026-7537)
Vulnerability from cvelistv5 – Published: 2026-06-06 02:28 – Updated: 2026-06-06 11:48
VLAI
Title
MDJM Event Management <= 1.7.8.3 - Authenticated (Administrator+) Arbitrary File Upload via 'mdjm_email_upload_file' Parameter
Summary
The MDJM Event Management plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7.8.3 via the mdjm_send_comm_email function. This is due to no file type, extension, or MIME type validation being performed on uploaded files. This makes it possible for authenticated attackers, with administrator-level access and above, to upload files that may be executable, which makes remote code execution possible.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
10 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mdjm | MDJM Event Management |
Affected:
0 , ≤ 1.7.8.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7537",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:38:48.506554Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:48:22.401Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "MDJM Event Management",
"vendor": "mdjm",
"versions": [
{
"lessThanOrEqual": "1.7.8.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ryan Kozak"
}
],
"descriptions": [
{
"lang": "en",
"value": "The MDJM Event Management plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7.8.3 via the mdjm_send_comm_email function. This is due to no file type, extension, or MIME type validation being performed on uploaded files. This makes it possible for authenticated attackers, with administrator-level access and above, to upload files that may be executable, which makes remote code execution possible."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T02:28:35.320Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/42f37a41-deff-4b17-94d8-4e0fd1ce22c2?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mobile-dj-manager/trunk/includes/admin/communications/comms-functions.php#L248"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mobile-dj-manager/tags/1.7.8.3/includes/admin/communications/comms-functions.php#L248"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mobile-dj-manager/trunk/includes/admin/communications/comms-functions.php#L241"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mobile-dj-manager/tags/1.7.8.3/includes/admin/communications/comms-functions.php#L241"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mobile-dj-manager/tags/1.7.8.2/includes/admin/communications/comms-functions.php#L248"
},
{
"url": "https://plugins.trac.wordpress.org/browser/mobile-dj-manager/tags/1.7.8.2/includes/admin/communications/comms-functions.php#L241"
},
{
"url": "https://github.com/d0n601/CVE-2026-7537"
},
{
"url": "https://ryankozak.com/posts/cve-2026-7537/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3528037%40mobile-dj-manager\u0026new=3528037%40mobile-dj-manager\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-30T18:35:45.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T14:20:11.000Z",
"value": "Disclosed"
}
],
"title": "MDJM Event Management \u003c= 1.7.8.3 - Authenticated (Administrator+) Arbitrary File Upload via \u0027mdjm_email_upload_file\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-7537",
"datePublished": "2026-06-06T02:28:35.320Z",
"dateReserved": "2026-04-30T18:20:36.475Z",
"dateUpdated": "2026-06-06T11:48:22.401Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7566 (GCVE-0-2026-7566)
Vulnerability from cvelistv5 – Published: 2026-06-06 02:28 – Updated: 2026-06-06 11:48
VLAI
Title
LearnPress – Backup & Migration Tool <= 4.1.4 - Authenticated (Administrator+) PHP Object Injection via WXR XML File Upload
Summary
The LearnPress – Backup & Migration Tool plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.4 via deserialization of untrusted input . This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Severity
6.6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| thimpress | LearnPress – Backup & Migration Tool |
Affected:
0 , ≤ 4.1.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7566",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:38:41.491325Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:48:35.895Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LearnPress \u2013 Backup \u0026 Migration Tool",
"vendor": "thimpress",
"versions": [
{
"lessThanOrEqual": "4.1.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Wannes Verwimp"
}
],
"descriptions": [
{
"lang": "en",
"value": "The LearnPress \u2013 Backup \u0026 Migration Tool plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.4 via deserialization of untrusted input . This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T02:28:34.958Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2f796373-7116-4fd3-9d53-5f520e6e1a0c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress-import-export/trunk/inc/admin/providers/learnpress/class-lp-import-learnpress.php#L581"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress-import-export/tags/4.1.4/inc/admin/providers/learnpress/class-lp-import-learnpress.php#L581"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress-import-export/trunk/inc/parsers.php#L871"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress-import-export/tags/4.1.4/inc/parsers.php#L871"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress-import-export/tags/4.1.1/inc/admin/providers/learnpress/class-lp-import-learnpress.php#L581"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress-import-export/tags/4.1.1/inc/parsers.php#L871"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress-import-export/tags/4.1.5/inc/functions.php#L384"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-30T20:44:36.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T13:35:10.000Z",
"value": "Disclosed"
}
],
"title": "LearnPress \u2013 Backup \u0026 Migration Tool \u003c= 4.1.4 - Authenticated (Administrator+) PHP Object Injection via WXR XML File Upload"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-7566",
"datePublished": "2026-06-06T02:28:34.958Z",
"dateReserved": "2026-04-30T20:29:27.858Z",
"dateUpdated": "2026-06-06T11:48:35.895Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7565 (GCVE-0-2026-7565)
Vulnerability from cvelistv5 – Published: 2026-06-06 02:28 – Updated: 2026-06-06 11:43
VLAI
Title
LearnPress <= 4.1.4 - Authenticated (Administrator+) Path Traversal to Arbitrary File Read via 'import-user-file' Parameter
Summary
The LearnPress – Backup & Migration Tool plugin for WordPress is vulnerable to Arbitrary File Read via Directory Traversal in all versions up to, and including, 4.1.4 via the 'import-user-file' parameter parameter. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Severity
4.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| thimpress | LearnPress – Backup & Migration Tool |
Affected:
0 , ≤ 4.1.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7565",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:35:00.387175Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:43:45.670Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LearnPress \u2013 Backup \u0026 Migration Tool",
"vendor": "thimpress",
"versions": [
{
"lessThanOrEqual": "4.1.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Wannes Verwimp"
}
],
"descriptions": [
{
"lang": "en",
"value": "The LearnPress \u2013 Backup \u0026 Migration Tool plugin for WordPress is vulnerable to Arbitrary File Read via Directory Traversal in all versions up to, and including, 4.1.4 via the \u0027import-user-file\u0027 parameter parameter. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T02:28:34.591Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f6d0ba7-f9e8-493b-9e6d-62f1c662e21e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress-import-export/trunk/inc/admin/providers/learnpress/class-lp-import-user-data.php#L150"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress-import-export/tags/4.1.4/inc/admin/providers/learnpress/class-lp-import-user-data.php#L150"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress-import-export/trunk/inc/admin/providers/learnpress/class-lp-import-user-data.php#L190"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress-import-export/tags/4.1.4/inc/admin/providers/learnpress/class-lp-import-user-data.php#L190"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress-import-export/tags/4.1.1/inc/admin/providers/learnpress/class-lp-import-user-data.php#L150"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress-import-export/tags/4.1.1/inc/admin/providers/learnpress/class-lp-import-user-data.php#L190"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3546889%40learnpress-import-export\u0026new=3546889%40learnpress-import-export\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-30T20:40:20.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T14:19:01.000Z",
"value": "Disclosed"
}
],
"title": "LearnPress \u003c= 4.1.4 - Authenticated (Administrator+) Path Traversal to Arbitrary File Read via \u0027import-user-file\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-7565",
"datePublished": "2026-06-06T02:28:34.591Z",
"dateReserved": "2026-04-30T20:25:12.316Z",
"dateUpdated": "2026-06-06T11:43:45.670Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9280 (GCVE-0-2026-9280)
Vulnerability from cvelistv5 – Published: 2026-06-06 02:28 – Updated: 2026-06-06 11:43
VLAI
Title
Ad Inserter <= 2.8.15 - Reflected Cross-Site Scripting via URL Parameters in iframe Mode
Summary
The Ad Inserter – Ad Manager & AdSense Ads plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL Parameters in iframe Mode in all versions up to, and including, 2.8.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Exploitation requires that iframe mode (AI_OPTION_IFRAME) is enabled on at least one ad block displayed on the targeted page, which is a non-default but supported configuration commonly used for AdSense and JavaScript-based ads.
Severity
6.1 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| spacetime | Ad Inserter – Ad Manager & AdSense Ads |
Affected:
0 , ≤ 2.8.15
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9280",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:35:14.751217Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:43:59.185Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Ad Inserter \u2013 Ad Manager \u0026 AdSense Ads",
"vendor": "spacetime",
"versions": [
{
"lessThanOrEqual": "2.8.15",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "darkestmode"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Ad Inserter \u2013 Ad Manager \u0026 AdSense Ads plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via URL Parameters in iframe Mode in all versions up to, and including, 2.8.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. Exploitation requires that iframe mode (AI_OPTION_IFRAME) is enabled on at least one ad block displayed on the targeted page, which is a non-default but supported configuration commonly used for AdSense and JavaScript-based ads."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T02:28:34.218Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0d40c05d-dc30-47b1-aea5-cd2b72d4c4c0?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.15/class.php#L3470"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.15/class.php#L3462"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.15/class.php#L3460"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.11/class.php#L3470"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.11/class.php#L3462"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ad-inserter/tags/2.8.11/class.php#L3460"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3552607%40ad-inserter\u0026new=3552607%40ad-inserter\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-22T16:17:29.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T14:15:21.000Z",
"value": "Disclosed"
}
],
"title": "Ad Inserter \u003c= 2.8.15 - Reflected Cross-Site Scripting via URL Parameters in iframe Mode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9280",
"datePublished": "2026-06-06T02:28:34.218Z",
"dateReserved": "2026-05-22T13:58:30.376Z",
"dateUpdated": "2026-06-06T11:43:59.185Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9197 (GCVE-0-2026-9197)
Vulnerability from cvelistv5 – Published: 2026-06-06 02:28 – Updated: 2026-06-06 11:44
VLAI
Title
Smart Slider 3 <= 3.5.1.36 - Authenticated (Administrator+) Path Traversal to Arbitrary File Read via 'src'/'srcset' Attribute in HTML Export
Summary
The Smart Slider 3 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.5.1.36 via the replaceHTMLImage function. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Severity
4.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nextendweb | Smart Slider 3 |
Affected:
0 , ≤ 3.5.1.36
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9197",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:35:08.578603Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:44:12.835Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Smart Slider 3",
"vendor": "nextendweb",
"versions": [
{
"lessThanOrEqual": "3.5.1.36",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen Khanh Hao"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Smart Slider 3 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.5.1.36 via the replaceHTMLImage function. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T02:28:33.849Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/059c2d6d-1296-4463-96ae-a95ba7dad70a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/smart-slider-3/trunk/Nextend/SmartSlider3/BackupSlider/ExportSlider.php#L404"
},
{
"url": "https://plugins.trac.wordpress.org/browser/smart-slider-3/trunk/Nextend/SmartSlider3/BackupSlider/ExportSlider.php#L312"
},
{
"url": "https://plugins.trac.wordpress.org/browser/smart-slider-3/trunk/Nextend/SmartSlider3/Application/Admin/Slider/ControllerSlider.php#L261"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3552076%40smart-slider-3\u0026new=3552076%40smart-slider-3\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-21T15:53:14.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T14:27:21.000Z",
"value": "Disclosed"
}
],
"title": "Smart Slider 3 \u003c= 3.5.1.36 - Authenticated (Administrator+) Path Traversal to Arbitrary File Read via \u0027src\u0027/\u0027srcset\u0027 Attribute in HTML Export"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9197",
"datePublished": "2026-06-06T02:28:33.849Z",
"dateReserved": "2026-05-21T15:38:05.824Z",
"dateUpdated": "2026-06-06T11:44:12.835Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8991 (GCVE-0-2026-8991)
Vulnerability from cvelistv5 – Published: 2026-06-06 02:28 – Updated: 2026-06-06 11:44
VLAI
Title
Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.9.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'drag_n_drop_text' and 'drag_n_drop_browse_text' Settings
Summary
The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'drag_n_drop_text' and 'drag_n_drop_browse_text' Settings in all versions up to, and including, 1.3.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity
4.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| glenwpcoder | Drag and Drop Multiple File Upload for Contact Form 7 |
Affected:
0 , ≤ 1.3.9.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8991",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:35:25.176454Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:44:26.256Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Drag and Drop Multiple File Upload for Contact Form 7",
"vendor": "glenwpcoder",
"versions": [
{
"lessThanOrEqual": "1.3.9.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bao Luu Gia Nguyen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via \u0027drag_n_drop_text\u0027 and \u0027drag_n_drop_browse_text\u0027 Settings in all versions up to, and including, 1.3.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T02:28:33.270Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/01d9b7c1-8f34-4c87-af68-a5e6c698b2d8?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.7/assets/js/codedropz-uploader-min.js#L15"
},
{
"url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.7/inc/dnd-upload-cf7.php#L1445"
},
{
"url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.7/inc/dnd-upload-cf7.php#L587"
},
{
"url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.6/assets/js/codedropz-uploader-min.js#L15"
},
{
"url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.6/inc/dnd-upload-cf7.php#L1445"
},
{
"url": "https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/tags/1.3.9.6/inc/dnd-upload-cf7.php#L587"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3508522%40drag-and-drop-multiple-file-upload-contact-form-7\u0026new=3508522%40drag-and-drop-multiple-file-upload-contact-form-7\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-19T13:38:30.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T14:16:21.000Z",
"value": "Disclosed"
}
],
"title": "Drag and Drop Multiple File Upload for Contact Form 7 \u003c= 1.3.9.7 - Authenticated (Administrator+) Stored Cross-Site Scripting via \u0027drag_n_drop_text\u0027 and \u0027drag_n_drop_browse_text\u0027 Settings"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8991",
"datePublished": "2026-06-06T02:28:33.270Z",
"dateReserved": "2026-05-19T13:22:08.086Z",
"dateUpdated": "2026-06-06T11:44:26.256Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8438 (GCVE-0-2026-8438)
Vulnerability from cvelistv5 – Published: 2026-06-06 01:26 – Updated: 2026-06-06 11:44
VLAI
Title
All-In-One Security (AIOS) <= 5.4.7 - Unauthenticated Stored Cross-Site Scripting via REST API Request Path
Summary
The All-In-One Security (AIOS) – Security and Firewall plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.4.7. This is due to insufficient input sanitization in the get_rest_route() function and missing output escaping in the column_default() method of the debug log list table. When the 'Disable REST API for non-logged in users' feature (aiowps_disallow_unauthorized_rest_requests) is enabled alongside debug logging (aiowps_enable_debug), an unauthenticated attacker can embed arbitrary HTML or JavaScript in the REST request path. The path is retrieved via urldecode($_SERVER['REQUEST_URI']), which decodes URL-encoded payloads into literal HTML characters. This decoded, unsanitized value is concatenated directly into a debug log message and stored in the database. When an administrator navigates to the AIOS Dashboard Debug Logs page, the column_default() method returns the raw database value without escaping, and the parent list table echoes it directly, causing JavaScript execution in the administrator's browser session. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the debug log page, enabling nonce theft, privileged AJAX/REST actions, and potential full site compromise.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
10 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| davidanderson | All-In-One Security (AIOS) – Security and Firewall |
Affected:
0 , ≤ 5.4.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8438",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:35:33.670566Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:44:40.204Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "All-In-One Security (AIOS) \u2013 Security and Firewall",
"vendor": "davidanderson",
"versions": [
{
"lessThanOrEqual": "5.4.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The All-In-One Security (AIOS) \u2013 Security and Firewall plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.4.7. This is due to insufficient input sanitization in the get_rest_route() function and missing output escaping in the column_default() method of the debug log list table. When the \u0027Disable REST API for non-logged in users\u0027 feature (aiowps_disallow_unauthorized_rest_requests) is enabled alongside debug logging (aiowps_enable_debug), an unauthenticated attacker can embed arbitrary HTML or JavaScript in the REST request path. The path is retrieved via urldecode($_SERVER[\u0027REQUEST_URI\u0027]), which decodes URL-encoded payloads into literal HTML characters. This decoded, unsanitized value is concatenated directly into a debug log message and stored in the database. When an administrator navigates to the AIOS Dashboard Debug Logs page, the column_default() method returns the raw database value without escaping, and the parent list table echoes it directly, causing JavaScript execution in the administrator\u0027s browser session. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the debug log page, enabling nonce theft, privileged AJAX/REST actions, and potential full site compromise."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T01:26:10.529Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d2b7ed73-a654-40ef-8d80-6171393da8e7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/all-in-one-wp-security-and-firewall/trunk/admin/wp-security-list-debug.php#L43"
},
{
"url": "https://plugins.trac.wordpress.org/browser/all-in-one-wp-security-and-firewall/tags/5.4.6/admin/wp-security-list-debug.php#L43"
},
{
"url": "https://plugins.trac.wordpress.org/browser/all-in-one-wp-security-and-firewall/trunk/classes/wp-security-utility.php#L1547"
},
{
"url": "https://plugins.trac.wordpress.org/browser/all-in-one-wp-security-and-firewall/tags/5.4.6/classes/wp-security-utility.php#L1547"
},
{
"url": "https://plugins.trac.wordpress.org/browser/all-in-one-wp-security-and-firewall/trunk/classes/wp-security-general-init-tasks.php#L887"
},
{
"url": "https://plugins.trac.wordpress.org/browser/all-in-one-wp-security-and-firewall/tags/5.4.6/classes/wp-security-general-init-tasks.php#L887"
},
{
"url": "https://plugins.trac.wordpress.org/browser/all-in-one-wp-security-and-firewall/trunk/classes/wp-security-debug-logger.php#L81"
},
{
"url": "https://plugins.trac.wordpress.org/browser/all-in-one-wp-security-and-firewall/tags/5.4.6/classes/wp-security-debug-logger.php#L81"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3558989/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-12T19:06:11.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T11:51:22.000Z",
"value": "Disclosed"
}
],
"title": "All-In-One Security (AIOS) \u003c= 5.4.7 - Unauthenticated Stored Cross-Site Scripting via REST API Request Path"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8438",
"datePublished": "2026-06-06T01:26:10.529Z",
"dateReserved": "2026-05-12T18:50:59.037Z",
"dateUpdated": "2026-06-06T11:44:40.204Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8901 (GCVE-0-2026-8901)
Vulnerability from cvelistv5 – Published: 2026-06-06 01:26 – Updated: 2026-06-06 11:44
VLAI
Title
Integration for Freshsales <= 1.0.15 - Unauthenticated Stored Cross-Site Scripting via Form Submission Data
Summary
The Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Form Submission Data in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload only executes when a CRM API call fails for the submitted form and an administrator subsequently views the error log details modal in the WordPress admin panel.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
10 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| plugcrux | Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More |
Affected:
0 , ≤ 1.0.15
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8901",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:35:39.311226Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:44:54.182Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Integration for Freshsales \u2013 Contact Form 7, WPForms, Elementor, Gravity Forms and More",
"vendor": "plugcrux",
"versions": [
{
"lessThanOrEqual": "1.0.15",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Phattharaphon Saenboonsiri"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Integration for Freshsales \u2013 Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Form Submission Data in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload only executes when a CRM API call fails for the submitted form and an administrator subsequently views the error log details modal in the WordPress admin panel."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T01:26:10.181Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4c8cf71-e9b0-4241-b975-f52aeb823318?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.15/assets/js/error-log.js#L84"
},
{
"url": "https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.15/src/forms/submit-action.php#L555"
},
{
"url": "https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.15/src/db/fw-error-log.php#L75"
},
{
"url": "https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.15/src/product/fw-errorlog-action.php#L178"
},
{
"url": "https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.14/assets/js/error-log.js#L84"
},
{
"url": "https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.14/src/forms/submit-action.php#L555"
},
{
"url": "https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.14/src/db/fw-error-log.php#L75"
},
{
"url": "https://plugins.trac.wordpress.org/browser/crm-integration-freshworks-any-form/tags/1.0.14/src/product/fw-errorlog-action.php#L178"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3552999%40crm-integration-freshworks-any-form\u0026new=3552999%40crm-integration-freshworks-any-form\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-05T12:22:17.000Z",
"value": "Disclosed"
}
],
"title": "Integration for Freshsales \u003c= 1.0.15 - Unauthenticated Stored Cross-Site Scripting via Form Submission Data"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8901",
"datePublished": "2026-06-06T01:26:10.181Z",
"dateReserved": "2026-05-18T21:14:42.318Z",
"dateUpdated": "2026-06-06T11:44:54.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9281 (GCVE-0-2026-9281)
Vulnerability from cvelistv5 – Published: 2026-06-06 01:26 – Updated: 2026-06-06 11:45
VLAI
Title
Master Addons For Elementor <= 3.1.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'jtlma_custom_js' Page Setting (Custom JS Extension)
Summary
The Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'jtlma_custom_js' Page Setting (Custom JS Extension) in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The unfiltered_html capability check is only enforced during Elementor control registration (UI rendering) and not during the save process, enabling Author-level users to inject the jtlma_custom_js setting directly via a crafted POST request to admin-ajax.php?action=elementor_ajax, bypassing the UI-level restriction entirely.
Severity
6.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| litonice13 | Master Addons For Elementor – Widgets, Extensions, Theme Builder, Popup Builder & Template Kits |
Affected:
0 , ≤ 3.1.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9281",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:35:43.472795Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:45:08.166Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Master Addons For Elementor \u2013 Widgets, Extensions, Theme Builder, Popup Builder \u0026 Template Kits",
"vendor": "litonice13",
"versions": [
{
"lessThanOrEqual": "3.1.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Chairat Toraya"
},
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
},
{
"lang": "en",
"type": "finder",
"value": "Itthidej Aramsri"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Master Addons For Elementor \u2013 Widgets, Extensions, Theme Builder, Popup Builder \u0026 Template Kits plugin for WordPress is vulnerable to Stored Cross-Site Scripting via \u0027jtlma_custom_js\u0027 Page Setting (Custom JS Extension) in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The unfiltered_html capability check is only enforced during Elementor control registration (UI rendering) and not during the save process, enabling Author-level users to inject the jtlma_custom_js setting directly via a crafted POST request to admin-ajax.php?action=elementor_ajax, bypassing the UI-level restriction entirely."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T01:26:09.654Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5b8e052a-6e60-4455-96c9-b2a3e86773da?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/master-addons/tags/3.1.0/inc/modules/utilities/custom-js/custom-js.php#L214"
},
{
"url": "https://plugins.trac.wordpress.org/browser/master-addons/tags/3.1.0/inc/modules/utilities/custom-js/custom-js.php#L206"
},
{
"url": "https://plugins.trac.wordpress.org/browser/master-addons/tags/3.1.0/inc/modules/utilities/custom-js/custom-js.php#L80"
},
{
"url": "https://plugins.trac.wordpress.org/browser/master-addons/tags/3.0.2/inc/modules/utilities/custom-js/custom-js.php#L214"
},
{
"url": "https://plugins.trac.wordpress.org/browser/master-addons/tags/3.0.2/inc/modules/utilities/custom-js/custom-js.php#L206"
},
{
"url": "https://plugins.trac.wordpress.org/browser/master-addons/tags/3.0.2/inc/modules/utilities/custom-js/custom-js.php#L80"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3556818%40master-addons\u0026new=3556818%40master-addons\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-26T15:13:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T12:04:46.000Z",
"value": "Disclosed"
}
],
"title": "Master Addons For Elementor \u003c= 3.1.0 - Authenticated (Author+) Stored Cross-Site Scripting via \u0027jtlma_custom_js\u0027 Page Setting (Custom JS Extension)"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9281",
"datePublished": "2026-06-06T01:26:09.654Z",
"dateReserved": "2026-05-22T13:59:58.353Z",
"dateUpdated": "2026-06-06T11:45:08.166Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9008 (GCVE-0-2026-9008)
Vulnerability from cvelistv5 – Published: 2026-06-06 01:26 – Updated: 2026-06-06 11:45
VLAI
Title
Page-list <= 6.2 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Disclosure via Shortcode Attributes
Summary
The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.2. This is due to the pagelist_unqprfx_ext_shortcode() function (the [pagelist_ext] / [pagelistext] shortcode) accepting attacker-controlled post_status, post_type, and show_meta_key attributes and passing them directly into get_pages() and get_post_meta() with no capability check verifying that the rendering user is permitted to read the matched objects. When the current post has no child pages, the shortcode re-issues the query with child_of => 0, broadening it to every page on the site matching the supplied status/type. This makes it possible for authenticated attackers, with contributor-level access and above, to disclose the titles, body content/excerpts, and arbitrary post meta of unrelated private and draft pages by inserting the shortcode into a contributor-authored draft and previewing it.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
6 references
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9008",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:35:50.446577Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:45:22.259Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Page-list",
"vendor": "webvitaly",
"versions": [
{
"lessThanOrEqual": "6.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "darkestmode"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.2. This is due to the pagelist_unqprfx_ext_shortcode() function (the [pagelist_ext] / [pagelistext] shortcode) accepting attacker-controlled post_status, post_type, and show_meta_key attributes and passing them directly into get_pages() and get_post_meta() with no capability check verifying that the rendering user is permitted to read the matched objects. When the current post has no child pages, the shortcode re-issues the query with child_of =\u003e 0, broadening it to every page on the site matching the supplied status/type. This makes it possible for authenticated attackers, with contributor-level access and above, to disclose the titles, body content/excerpts, and arbitrary post meta of unrelated private and draft pages by inserting the shortcode into a contributor-authored draft and previewing it."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T01:26:08.984Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/22defe19-28ac-43b3-814d-5a2038380adb?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/page-list/tags/5.9/page-list.php#L301"
},
{
"url": "https://plugins.trac.wordpress.org/browser/page-list/tags/5.9/page-list.php#L303"
},
{
"url": "https://plugins.trac.wordpress.org/browser/page-list/tags/5.9/page-list.php#L383"
},
{
"url": "https://plugins.trac.wordpress.org/browser/page-list/tags/5.9/page-list.php#L188"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3552931%40page-list\u0026new=3552931%40page-list\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-26T04:04:13.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T12:41:56.000Z",
"value": "Disclosed"
}
],
"title": "Page-list \u003c= 6.2 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Disclosure via Shortcode Attributes"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9008",
"datePublished": "2026-06-06T01:26:08.984Z",
"dateReserved": "2026-05-19T14:06:40.464Z",
"dateUpdated": "2026-06-06T11:45:22.259Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8976 (GCVE-0-2026-8976)
Vulnerability from cvelistv5 – Published: 2026-06-05 23:28 – Updated: 2026-06-06 11:45
VLAI
Title
RSS Aggregator by Feedzy <= 5.1.7 - Missing Authorization to Authenticated (Contributor+) Import Job Creation, Execution, Purge, Log Clearing, and Information Disclosure via Multiple AJAX Sub-Actions
Summary
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to create and execute RSS import jobs, purge (force-delete) all posts associated with any import job, clear import error logs, and enumerate taxonomy terms and post meta_key names. The nonce required to reach these sub-handlers is leaked to any user with the edit_posts capability via the feedzyjs localized script injected into the block editor, meaning no privileged nonce theft or separate exploit step is required for Contributor-level users.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-862 - Missing Authorization
Assigner
References
22 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| themeisle | RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator |
Affected:
0 , ≤ 5.1.7
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8976",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:35:57.294756Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:45:36.299Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "RSS Aggregator by Feedzy \u2013 Feed to Post, Autoblogging, News \u0026 YouTube Video Feeds Aggregator",
"vendor": "themeisle",
"versions": [
{
"lessThanOrEqual": "5.1.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jack Pas"
}
],
"descriptions": [
{
"lang": "en",
"value": "The RSS Aggregator by Feedzy \u2013 Feed to Post, Autoblogging, News \u0026 YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to create and execute RSS import jobs, purge (force-delete) all posts associated with any import job, clear import error logs, and enumerate taxonomy terms and post meta_key names. The nonce required to reach these sub-handlers is leaked to any user with the edit_posts capability via the feedzyjs localized script injected into the block editor, meaning no privileged nonce theft or separate exploit step is required for Contributor-level users."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T23:28:28.396Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e495c215-2e01-4a37-aca3-99a067c46791?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.5/includes/admin/feedzy-rss-feeds-import.php#L1256"
},
{
"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.5/includes/admin/feedzy-rss-feeds-import.php#L3718"
},
{
"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.5/includes/admin/feedzy-rss-feeds-import.php#L1400"
},
{
"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.5/includes/admin/feedzy-rss-feeds-import.php#L4090"
},
{
"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.5/includes/admin/feedzy-rss-feeds-import.php#L4184"
},
{
"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.5/includes/admin/feedzy-rss-feeds-import.php#L1365"
},
{
"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.5/includes/admin/feedzy-rss-feeds-import.php#L3891"
},
{
"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.5/includes/admin/feedzy-rss-feeds-import.php#L1436"
},
{
"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.5/includes/gutenberg/feedzy-rss-feeds-gutenberg-block.php#L78"
},
{
"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.5/includes/feedzy-rss-feeds.php#L241"
},
{
"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.2/includes/admin/feedzy-rss-feeds-import.php#L1256"
},
{
"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.2/includes/admin/feedzy-rss-feeds-import.php#L3718"
},
{
"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.2/includes/admin/feedzy-rss-feeds-import.php#L1400"
},
{
"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.2/includes/admin/feedzy-rss-feeds-import.php#L4090"
},
{
"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.2/includes/admin/feedzy-rss-feeds-import.php#L4184"
},
{
"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.2/includes/admin/feedzy-rss-feeds-import.php#L1365"
},
{
"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.2/includes/admin/feedzy-rss-feeds-import.php#L3891"
},
{
"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.2/includes/admin/feedzy-rss-feeds-import.php#L1436"
},
{
"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.2/includes/gutenberg/feedzy-rss-feeds-gutenberg-block.php#L78"
},
{
"url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.2/includes/feedzy-rss-feeds.php#L241"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3552062%40feedzy-rss-feeds\u0026new=3552062%40feedzy-rss-feeds\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-19T13:15:18.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T10:46:18.000Z",
"value": "Disclosed"
}
],
"title": "RSS Aggregator by Feedzy \u003c= 5.1.7 - Missing Authorization to Authenticated (Contributor+) Import Job Creation, Execution, Purge, Log Clearing, and Information Disclosure via Multiple AJAX Sub-Actions"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8976",
"datePublished": "2026-06-05T23:28:28.396Z",
"dateReserved": "2026-05-19T13:00:07.936Z",
"dateUpdated": "2026-06-06T11:45:36.299Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8608 (GCVE-0-2026-8608)
Vulnerability from cvelistv5 – Published: 2026-06-05 23:28 – Updated: 2026-06-06 11:45
VLAI
Title
Event Monster <= 2.1.0 - Unauthenticated Insufficient Verification of Data Authenticity to Payment Bypass via em_capture_payment AJAX Action
Summary
The Event Monster – Event Management, Events Calendar, Tickets plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 2.1.0. This is due to the capture_payment() AJAX handler (registered via wp_ajax_nopriv_em_capture_payment) trusting client-supplied payment data — including transaction ID, amount, and payment status — without performing any server-side verification against the PayPal API or any other payment gateway, and without nonce or capability checks. This makes it possible for unauthenticated attackers to forge payment records, mark bookings as Completed, and obtain confirmation emails containing valid QR code tickets without making any actual payment.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| awordpresslife | Event Monster – Event Manager, Ticket Booking & Registration |
Affected:
0 , ≤ 2.1.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-8608",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:36:06.273998Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:45:50.031Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Event Monster \u2013 Event Manager, Ticket Booking \u0026 Registration",
"vendor": "awordpresslife",
"versions": [
{
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "NAKLEH ZEIDAN"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Event Monster \u2013 Event Management, Events Calendar, Tickets plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 2.1.0. This is due to the capture_payment() AJAX handler (registered via wp_ajax_nopriv_em_capture_payment) trusting client-supplied payment data \u2014 including transaction ID, amount, and payment status \u2014 without performing any server-side verification against the PayPal API or any other payment gateway, and without nonce or capability checks. This makes it possible for unauthenticated attackers to forge payment records, mark bookings as Completed, and obtain confirmation emails containing valid QR code tickets without making any actual payment."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345 Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T23:28:27.949Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/daddfbd2-cff4-4caa-bbdc-9945a635a1d6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/event-monster/tags/2.0.1/includes/class-event-monster-ajax.php#L890"
},
{
"url": "https://plugins.trac.wordpress.org/browser/event-monster/tags/2.0.1/includes/class-event-monster-ajax.php#L844"
},
{
"url": "https://plugins.trac.wordpress.org/browser/event-monster/tags/2.0.1/includes/class-event-monster-ajax.php#L92"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3554570%40event-monster\u0026new=3554570%40event-monster\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-05T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Event Monster \u003c= 2.1.0 - Unauthenticated Insufficient Verification of Data Authenticity to Payment Bypass via em_capture_payment AJAX Action"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-8608",
"datePublished": "2026-06-05T23:28:27.949Z",
"dateReserved": "2026-05-14T15:59:18.646Z",
"dateUpdated": "2026-06-06T11:45:50.031Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6448 (GCVE-0-2026-6448)
Vulnerability from cvelistv5 – Published: 2026-06-05 23:28 – Updated: 2026-06-06 11:48
VLAI
Title
Quiz and Survey Master (QSM) <= 11.1.2 - Authenticated (Admin+) SQL Injection via 'order' and 'limit' Parameters
Summary
The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order' parameter in all versions up to, and including, 11.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with admin-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. If the secret key is exposed, this can be exploited by lower-privileged users.
Severity
4.9 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
12 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| expresstech | Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker |
Affected:
0 , ≤ 11.1.2
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6448",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:39:23.195717Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:48:49.465Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Quiz and Survey Master (QSM) \u2013 Easy Quiz and Survey Maker",
"vendor": "expresstech",
"versions": [
{
"lessThanOrEqual": "11.1.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Drew Webber"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Quiz and Survey Master (QSM) \u2013 Easy Quiz and Survey Maker plugin for WordPress is vulnerable to time-based blind SQL Injection via the \u0027order\u0027 parameter in all versions up to, and including, 11.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with admin-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. If the secret key is exposed, this can be exploited by lower-privileged users."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T23:28:27.562Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d230b781-e208-4e66-b8ed-aba72db8d8dc?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/trunk/php/classes/class-qsm-quiz-api.php#L164"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/php/classes/class-qsm-quiz-api.php#L164"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/trunk/php/classes/class-qsm-quiz-api.php#L131"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/php/classes/class-qsm-quiz-api.php#L131"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/trunk/php/classes/class-qsm-quiz-api.php#L126"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/php/classes/class-qsm-quiz-api.php#L126"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/trunk/php/classes/class-qsm-quiz-api.php#L243"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/php/classes/class-qsm-quiz-api.php#L243"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/trunk/php/classes/class-qsm-quiz-api.php#L374"
},
{
"url": "https://plugins.trac.wordpress.org/browser/quiz-master-next/tags/10.3.5/php/classes/class-qsm-quiz-api.php#L374"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3547016%40quiz-master-next\u0026new=3547016%40quiz-master-next\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-05T10:44:40.000Z",
"value": "Disclosed"
}
],
"title": "Quiz and Survey Master (QSM) \u003c= 11.1.2 - Authenticated (Admin+) SQL Injection via \u0027order\u0027 and \u0027limit\u0027 Parameters"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-6448",
"datePublished": "2026-06-05T23:28:27.562Z",
"dateReserved": "2026-04-16T18:50:05.153Z",
"dateUpdated": "2026-06-06T11:48:49.465Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9719 (GCVE-0-2026-9719)
Vulnerability from cvelistv5 – Published: 2026-06-05 23:28 – Updated: 2026-06-06 11:49
VLAI
Title
LatePoint <= 5.6.0 - Cross-Site Request Forgery via invoices__change_status Action
Summary
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the change_status function. This makes it possible for unauthenticated attackers to change the status of arbitrary invoices — including marking unpaid invoices as paid — without administrator consent via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
8 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| latepoint | LatePoint – Calendar Booking Plugin for Appointments and Events |
Affected:
0 , ≤ 5.6.0
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9719",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:39:16.874639Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:49:03.864Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
"vendor": "latepoint",
"versions": [
{
"lessThanOrEqual": "5.6.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kirasec"
}
],
"descriptions": [
{
"lang": "en",
"value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the change_status function. This makes it possible for unauthenticated attackers to change the status of arbitrary invoices \u2014 including marking unpaid invoices as paid \u2014 without administrator consent via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T23:28:27.182Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c720fffe-c089-450a-ac5f-1138c1c223d9?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.0/lib/helpers/params_helper.php#L12"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.0/lib/controllers/invoices_controller.php#L246"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.0/lib/controllers/invoices_controller.php#L234"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.0/lib/helpers/params_helper.php#L12"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.0/lib/controllers/invoices_controller.php#L246"
},
{
"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.0/lib/controllers/invoices_controller.php#L234"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3553094/latepoint"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-27T16:21:18.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T11:05:15.000Z",
"value": "Disclosed"
}
],
"title": "LatePoint \u003c= 5.6.0 - Cross-Site Request Forgery via invoices__change_status Action"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9719",
"datePublished": "2026-06-05T23:28:27.182Z",
"dateReserved": "2026-05-27T16:06:09.857Z",
"dateUpdated": "2026-06-06T11:49:03.864Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9290 (GCVE-0-2026-9290)
Vulnerability from cvelistv5 – Published: 2026-06-05 23:28 – Updated: 2026-06-06 11:49
VLAI
Title
WP User Manager <= 2.9.17 - Unauthenticated Path Traversal to Local File Inclusion via 'tab' Query Parameter
Summary
The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the (profile template scope) function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
13 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| wpusermanager | WP User Manager – User Profile Builder & Membership |
Affected:
0 , ≤ 2.9.17
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9290",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:39:10.694464Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:49:17.970Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP User Manager \u2013 User Profile Builder \u0026 Membership",
"vendor": "wpusermanager",
"versions": [
{
"lessThanOrEqual": "2.9.17",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yat Wu"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP User Manager \u2013 User Profile Builder \u0026 Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the (profile template scope) function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T23:28:26.787Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7a5e08d8-c6ef-42a3-9599-28c3bfb35017?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.17/templates/profile.php#L52"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.17/vendor-dist/gamajo/template-loader/class-gamajo-template-loader.php#L226"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.17/includes/functions.php#L955"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.17/vendor-dist/brain/cortex/src/Cortex/Router/Router.php#L183"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.17/includes/permalinks.php#L133"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.15/templates/profile.php#L52"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.15/vendor-dist/gamajo/template-loader/class-gamajo-template-loader.php#L226"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.15/includes/functions.php#L955"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.15/vendor-dist/brain/cortex/src/Cortex/Router/Router.php#L183"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.15/includes/permalinks.php#L133"
},
{
"url": "https://github.com/WPUserManager/wp-user-manager/pull/445"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3554574%40wp-user-manager\u0026new=3554574%40wp-user-manager\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-30T08:54:29.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WP User Manager \u003c= 2.9.17 - Unauthenticated Path Traversal to Local File Inclusion via \u0027tab\u0027 Query Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-9290",
"datePublished": "2026-06-05T23:28:26.787Z",
"dateReserved": "2026-05-22T16:52:45.960Z",
"dateUpdated": "2026-06-06T11:49:17.970Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-10038 (GCVE-0-2026-10038)
Vulnerability from cvelistv5 – Published: 2026-06-05 23:28 – Updated: 2026-06-06 11:49
VLAI
Title
Charitable <= 1.8.11.1 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Attachment Deletion via 'avatar' Parameter
Summary
The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insecure Direct Object Reference / Authorization Bypass leading to Arbitrary Attachment Deletion in versions up to, and including, 1.8.11.1 via the profile avatar update flow. This is due to the save_avatar() function in Charitable_Profile_Form calling wp_delete_attachment() on an attachment ID read from the user's 'avatar' meta without validating that the attachment is owned by the user, combined with Charitable_Data_Processor::process_picture() returning the raw posted value when no file is uploaded, allowing the 'avatar' user meta to be poisoned with any attacker-chosen attachment ID. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary attachments from the Media Library by performing a two-request chain (first poisoning the stored avatar meta value with a target attachment ID, then triggering deletion via a normal avatar upload).
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
12 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| smub | Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More |
Affected:
0 , ≤ 1.8.11.1
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-10038",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-06T11:39:04.354728Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-06T11:49:30.936Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations \u0026 More",
"vendor": "smub",
"versions": [
{
"lessThanOrEqual": "1.8.11.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Khanh Nguyen"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Charitable \u2013 Donation Plugin for WordPress \u2013 Fundraising with Recurring Donations \u0026 More plugin for WordPress is vulnerable to Insecure Direct Object Reference / Authorization Bypass leading to Arbitrary Attachment Deletion in versions up to, and including, 1.8.11.1 via the profile avatar update flow. This is due to the save_avatar() function in Charitable_Profile_Form calling wp_delete_attachment() on an attachment ID read from the user\u0027s \u0027avatar\u0027 meta without validating that the attachment is owned by the user, combined with Charitable_Data_Processor::process_picture() returning the raw posted value when no file is uploaded, allowing the \u0027avatar\u0027 user meta to be poisoned with any attacker-chosen attachment ID. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary attachments from the Media Library by performing a two-request chain (first poisoning the stored avatar meta value with a target attachment ID, then triggering deletion via a normal avatar upload)."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T23:28:26.335Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/657bea00-9709-48b8-807a-c9a18b0aee1d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10/includes/abstracts/abstract-class-charitable-form.php#L429"
},
{
"url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10/includes/utilities/class-charitable-data-processor.php#L270"
},
{
"url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10/includes/users/class-charitable-user.php#L986"
},
{
"url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.5/includes/forms/class-charitable-profile-form.php#L728"
},
{
"url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.5/includes/forms/class-charitable-profile-form.php#L724"
},
{
"url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.5/includes/utilities/class-charitable-data-processor.php#L270"
},
{
"url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.5/includes/users/class-charitable-user.php#L986"
},
{
"url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10.5/includes/abstracts/abstract-class-charitable-form.php#L429"
},
{
"url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10/includes/forms/class-charitable-profile-form.php#L728"
},
{
"url": "https://plugins.trac.wordpress.org/browser/charitable/tags/1.8.10/includes/forms/class-charitable-profile-form.php#L724"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3557047/charitable/trunk/includes/forms/class-charitable-profile-form.php?old=3435951\u0026old_path=charitable%2Ftrunk%2Fincludes%2Fforms%2Fclass-charitable-profile-form.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-28T19:47:56.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-06-05T10:28:15.000Z",
"value": "Disclosed"
}
],
"title": "Charitable \u003c= 1.8.11.1 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Attachment Deletion via \u0027avatar\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-10038",
"datePublished": "2026-06-05T23:28:26.335Z",
"dateReserved": "2026-05-28T19:32:46.255Z",
"dateUpdated": "2026-06-06T11:49:30.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}