
CVE-2026-1087 (GCVE-0-2026-1087)

Vulnerability from cvelistv5 – Published: 2026-03-07 07:22 – Updated: 2026-03-07 07:22
Title
The Guardian News Feed <= 1.2 - Cross-Site Request Forgery to Settings Update
Summary
The Guardian News Feed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin's settings, including the Guardian API key, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Impacted products
Vendor Product Version
openplatform The Guardian News Feed Affected: * , ≤ 1.2 (semver)
Credits
Muhammad Nur Ibnu Hubab

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "The Guardian News Feed",
          "vendor": "openplatform",
          "versions": [
            {
              "lessThanOrEqual": "1.2",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Nur Ibnu Hubab"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Guardian News Feed plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin\u0027s settings, including the Guardian API key, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T07:22:09.002Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e9065f61-d899-44a3-a43a-3eeeeedaa6f1?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/the-guardian-news-feed/trunk/gu-open-platform-settings.php#L72"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/the-guardian-news-feed/tags/1.2/gu-open-platform-settings.php#L72"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-01-16T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "The Guardian News Feed \u003c= 1.2 - Cross-Site Request Forgery to Settings Update"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1087",
    "datePublished": "2026-03-07T07:22:09.002Z",
    "dateReserved": "2026-01-16T20:48:38.649Z",
    "dateUpdated": "2026-03-07T07:22:09.002Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1085 (GCVE-0-2026-1085)

Vulnerability from cvelistv5 – Published: 2026-03-07 07:22 – Updated: 2026-03-07 07:22
Title
True Ranker <= 2.2.9 - Cross-Site Request Forgery to Unauthorized True Ranker Disconnection
Summary
The True Ranker plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.9. This is due to missing nonce validation on the seolocalrank-signout action. This makes it possible for unauthenticated attackers to disconnect the administrator's True Ranker account via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Impacted products
Vendor Product Version
optimizza True Ranker Affected: * , ≤ 2.2.9 (semver)
Credits
Nabil Irawan

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "True Ranker",
          "vendor": "optimizza",
          "versions": [
            {
              "lessThanOrEqual": "2.2.9",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nabil Irawan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The True Ranker plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.9. This is due to missing nonce validation on the seolocalrank-signout action. This makes it possible for unauthenticated attackers to disconnect the administrator\u0027s True Ranker account via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T07:22:08.056Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/db27ae52-1362-4acb-9410-49ad041770f6?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/seo-local-rank/trunk/admin/class-seolocalrank-admin.php#L768"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/seo-local-rank/tags/2.2.9/admin/class-seolocalrank-admin.php#L768"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-06T18:49:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "True Ranker \u003c= 2.2.9 - Cross-Site Request Forgery to Unauthorized True Ranker Disconnection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1085",
    "datePublished": "2026-03-07T07:22:08.056Z",
    "dateReserved": "2026-01-16T20:46:04.150Z",
    "dateUpdated": "2026-03-07T07:22:08.056Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1086 (GCVE-0-2026-1086)

Vulnerability from cvelistv5 – Published: 2026-03-07 07:22 – Updated: 2026-03-07 07:22
Title
Font Pairing Preview For Landing Pages <= 1.3 - Cross-Site Request Forgery to Settings Update
Summary
The Font Pairing Preview For Landing Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin's font pairing settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Impacted products
Credits
Muhammad Afnaan

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Font Pairing Preview For Landing Pages",
          "vendor": "wpsolutions",
          "versions": [
            {
              "lessThanOrEqual": "1.3",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Afnaan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Font Pairing Preview For Landing Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin\u0027s font pairing settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T07:22:08.606Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e57f2f91-3f6f-4452-9525-4c150a037d2f?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-font-pairing-preview/trunk/wp-font-pairing-settings.php#L12"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-font-pairing-preview/tags/1.3/wp-font-pairing-settings.php#L12"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-06T18:47:25.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Font Pairing Preview For Landing Pages \u003c= 1.3 - Cross-Site Request Forgery to Settings Update"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1086",
    "datePublished": "2026-03-07T07:22:08.606Z",
    "dateReserved": "2026-01-16T20:47:27.857Z",
    "dateUpdated": "2026-03-07T07:22:08.606Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1825 (GCVE-0-2026-1825)

Vulnerability from cvelistv5 – Published: 2026-03-07 07:22 – Updated: 2026-03-07 07:22
Title
Show YouTube video <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute
Summary
The Show YouTube video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'syv' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
minor Show YouTube video Affected: * , ≤ 1.1 (semver)
Credits
Muhammad Yudha - DJ

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Show YouTube video",
          "vendor": "minor",
          "versions": [
            {
              "lessThanOrEqual": "1.1",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Yudha - DJ"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Show YouTube video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027syv\u0027 shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T07:22:07.701Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d29a3a29-1fb5-41c8-9516-16bd9fc0018d?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/show-youtube-video/tags/1.1/show-youtube-video.php#L79"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/show-youtube-video/tags/1.1/show-youtube-video.php#L29"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-06T18:47:10.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Show YouTube video \u003c= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027id\u0027 Shortcode Attribute"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1825",
    "datePublished": "2026-03-07T07:22:07.701Z",
    "dateReserved": "2026-02-03T14:22:08.288Z",
    "dateUpdated": "2026-03-07T07:22:07.701Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1824 (GCVE-0-2026-1824)

Vulnerability from cvelistv5 – Published: 2026-03-07 07:22 – Updated: 2026-03-07 07:22
Title
Infomaniak Connect for OpenID <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
Summary
The Infomaniak Connect for OpenID plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'endpoint_login' parameter of the infomaniak_connect_generic_auth_url shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
leopoldinfomaniak Infomaniak Connect for OpenID Affected: * , ≤ 1.0.2 (semver)
Credits
Muhammad Yudha - DJ

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Infomaniak Connect for OpenID",
          "vendor": "leopoldinfomaniak",
          "versions": [
            {
              "lessThanOrEqual": "1.0.2",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Yudha - DJ"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Infomaniak Connect for OpenID plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027endpoint_login\u0027 parameter of the infomaniak_connect_generic_auth_url shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T07:22:07.325Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c8177f27-19e1-4272-91ee-55d980b7128e?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/infomaniak-connect-openid/trunk/includes/openid-connect-infomaniak-client-wrapper.php#L236"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/infomaniak-connect-openid/tags/1.0.2/includes/openid-connect-infomaniak-client-wrapper.php#L236"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-06T18:46:52.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Infomaniak Connect for OpenID \u003c= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1824",
    "datePublished": "2026-03-07T07:22:07.325Z",
    "dateReserved": "2026-02-03T14:20:47.327Z",
    "dateUpdated": "2026-03-07T07:22:07.325Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1073 (GCVE-0-2026-1073)

Vulnerability from cvelistv5 – Published: 2026-03-07 07:22 – Updated: 2026-03-07 07:22
Title
Purchase Button For Affiliate Link <= 1.0.2 - Cross-Site Request Forgery to Settings Update
Summary
The Purchase Button For Affiliate Link plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing nonce validation on the settings page form handler in `inc/purchase-btn-options-page.php`. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Impacted products
Vendor Product Version
themepul Purchase Button For Affiliate Link Affected: * , ≤ 1.0.2 (semver)
Credits
Muhammad Afnaan

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Purchase Button For Affiliate Link",
          "vendor": "themepul",
          "versions": [
            {
              "lessThanOrEqual": "1.0.2",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Afnaan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Purchase Button For Affiliate Link plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing nonce validation on the settings page form handler in `inc/purchase-btn-options-page.php`. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T07:22:06.189Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8c9a223c-6c34-4c64-92b5-d986f9791ebb?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/purchase-button/trunk/inc/purchase-btn-options-page.php#L3"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/purchase-button/tags/1.0.2/inc/purchase-btn-options-page.php#L3"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-06T18:46:36.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Purchase Button For Affiliate Link \u003c= 1.0.2 - Cross-Site Request Forgery to Settings Update"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1073",
    "datePublished": "2026-03-07T07:22:06.189Z",
    "dateReserved": "2026-01-16T20:18:03.540Z",
    "dateUpdated": "2026-03-07T07:22:06.189Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1074 (GCVE-0-2026-1074)

Vulnerability from cvelistv5 – Published: 2026-03-07 07:22 – Updated: 2026-03-07 07:22
Title
WP App Bar <= 1.5 - Unauthenticated Stored Cross-Site Scripting via 'app-bar-features' Parameter
Summary
The WP App Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'app-bar-features' parameter in all versions up to, and including, 1.5. This is due to insufficient input sanitization and output escaping combined with a missing authorization check in the `App_Bar_Settings` class constructor. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into multiple plugin settings that will execute whenever a user accesses the admin settings page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
ryscript WP App Bar Affected: * , ≤ 1.5 (semver)
Credits
Bhumividh Treloges

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WP App Bar",
          "vendor": "ryscript",
          "versions": [
            {
              "lessThanOrEqual": "1.5",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Bhumividh Treloges"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The WP App Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027app-bar-features\u0027 parameter in all versions up to, and including, 1.5. This is due to insufficient input sanitization and output escaping combined with a missing authorization check in the `App_Bar_Settings` class constructor. This makes it possible for unauthenticated attackers to inject arbitrary web scripts into multiple plugin settings that will execute whenever a user accesses the admin settings page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T07:22:06.543Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9b448712-b989-453f-9acb-5556e01e41a4?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-app-bar/trunk/includes/class-app-bar-settings.php#L89"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-app-bar/tags/1.5/includes/class-app-bar-settings.php#L89"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-06T18:49:21.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "WP App Bar \u003c= 1.5 - Unauthenticated Stored Cross-Site Scripting via \u0027app-bar-features\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1074",
    "datePublished": "2026-03-07T07:22:06.543Z",
    "dateReserved": "2026-01-16T20:22:03.551Z",
    "dateUpdated": "2026-03-07T07:22:06.543Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1823 (GCVE-0-2026-1823)

Vulnerability from cvelistv5 – Published: 2026-03-07 07:22 – Updated: 2026-03-07 07:22
Title
Consensus Embed <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'src' Shortcode Attribute
Summary
The Consensus Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's consensus shortcode in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
consensusintegrations Consensus Embed Affected: * , ≤ 1.6 (semver)
Credits
Muhammad Yudha - DJ

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Consensus Embed",
          "vendor": "consensusintegrations",
          "versions": [
            {
              "lessThanOrEqual": "1.6",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Yudha - DJ"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Consensus Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s consensus shortcode in all versions up to, and including, 1.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T07:22:06.898Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a20ef41d-7f01-4ef2-aae0-0b254ea78bc5?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/consensus-embed/tags/1.6/consensus.php#L43"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/consensus-embed/tags/1.6/consensus.php#L40"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/consensus-embed/trunk/consensus.php#L43"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/consensus-embed/trunk/consensus.php#L40"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-06T18:45:53.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Consensus Embed \u003c= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027src\u0027 Shortcode Attribute"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1823",
    "datePublished": "2026-03-07T07:22:06.898Z",
    "dateReserved": "2026-02-03T14:19:15.366Z",
    "dateUpdated": "2026-03-07T07:22:06.898Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1574 (GCVE-0-2026-1574)

Vulnerability from cvelistv5 – Published: 2026-03-07 07:22 – Updated: 2026-03-07 07:22
Title
MyQtip – easy qTip2 <= 2.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Summary
The MyQtip – easy qTip2 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `myqtip` shortcode in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
dgamoni MyQtip – easy qTip2 Affected: * , ≤ 2.0.5 (semver)
Credits
Djaidja Moundjid

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MyQtip \u2013 easy qTip2",
          "vendor": "dgamoni",
          "versions": [
            {
              "lessThanOrEqual": "2.0.5",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Djaidja Moundjid"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The MyQtip \u2013 easy qTip2 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s `myqtip` shortcode in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T07:22:05.472Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5035d412-861a-4a31-b5e5-378fc4962d90?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/myqtip-easy-qtip2/tags/2.0.5/includes/register_shortcode.php#L11"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-01-02T00:00:00.000Z",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2026-03-06T18:41:15.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "MyQtip \u2013 easy qTip2 \u003c= 2.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1574",
    "datePublished": "2026-03-07T07:22:05.472Z",
    "dateReserved": "2026-01-28T21:31:00.797Z",
    "dateUpdated": "2026-03-07T07:22:05.472Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1820 (GCVE-0-2026-1820)

Vulnerability from cvelistv5 – Published: 2026-03-07 07:22 – Updated: 2026-03-07 07:22
Title
Media Library Alt Text Editor <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'post_id' Shortcode Attribute
Summary
The Media Library Alt Text Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bvmalt_sc_div_update_alt_text' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
brainvireinfo Media Library Alt Text Editor Affected: * , ≤ 1.0.0 (semver)
Credits
Muhammad Yudha - DJ

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Media Library Alt Text Editor",
          "vendor": "brainvireinfo",
          "versions": [
            {
              "lessThanOrEqual": "1.0.0",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Yudha - DJ"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Media Library Alt Text Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s \u0027bvmalt_sc_div_update_alt_text\u0027 shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T07:22:05.839Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7879aaad-37b2-410d-9b21-029bed47202c?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/media-library-alt-text-editor/tags/1.0.0/common/functions.php#L34"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-06T18:44:35.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Media Library Alt Text Editor \u003c= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027post_id\u0027 Shortcode Attribute"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1820",
    "datePublished": "2026-03-07T07:22:05.839Z",
    "dateReserved": "2026-02-03T14:16:03.830Z",
    "dateUpdated": "2026-03-07T07:22:05.839Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1805 (GCVE-0-2026-1805)

Vulnerability from cvelistv5 – Published: 2026-03-07 07:22 – Updated: 2026-03-07 07:22
Title
DA Media GigList <= 1.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'list_title' Shortcode Attribute
Summary
The DA Media GigList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's damedia_giglist shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
damedialimited DA Media GigList Affected: * , ≤ 1.9.0 (semver)
Credits
Muhammad Yudha - DJ

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "DA Media GigList",
          "vendor": "damedialimited",
          "versions": [
            {
              "lessThanOrEqual": "1.9.0",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Yudha - DJ"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The DA Media GigList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s damedia_giglist shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T07:22:05.105Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4beaa824-d3f1-499e-b4ef-3885f59e42c7?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/damedia-giglist/tags/1.9.0/damedia-giglist.php#L902"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/damedia-giglist/tags/1.9.0/damedia-giglist.php#L908"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/damedia-giglist/trunk/damedia-giglist.php#L902"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/damedia-giglist/trunk/damedia-giglist.php#L908"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-06T18:46:11.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "DA Media GigList \u003c= 1.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027list_title\u0027 Shortcode Attribute"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1805",
    "datePublished": "2026-03-07T07:22:05.105Z",
    "dateReserved": "2026-02-03T13:48:08.088Z",
    "dateUpdated": "2026-03-07T07:22:05.105Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1569 (GCVE-0-2026-1569)

Vulnerability from cvelistv5 – Published: 2026-03-07 07:22 – Updated: 2026-03-07 07:22
Title
Wueen <= 0.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin's Shortcode
Summary
The Wueen plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wueen-blocket` shortcode in all versions up to, and including, 0.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
nabeghe Wueen Affected: * , ≤ 0.2.0 (semver)
Credits
Djaidja Moundjid

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Wueen",
          "vendor": "nabeghe",
          "versions": [
            {
              "lessThanOrEqual": "0.2.0",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Djaidja Moundjid"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Wueen plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s `wueen-blocket` shortcode in all versions up to, and including, 0.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T07:22:04.716Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/38e5dd9e-c017-4b4c-9064-76a07e30fab5?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wueen/tags/0.2.0/wueen.php#L150"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-01-02T00:00:00.000Z",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2026-03-06T18:40:56.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Wueen \u003c= 0.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin\u0027s Shortcode"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1569",
    "datePublished": "2026-03-07T07:22:04.716Z",
    "dateReserved": "2026-01-28T21:07:35.284Z",
    "dateUpdated": "2026-03-07T07:22:04.716Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2433 (GCVE-0-2026-2433)

Vulnerability from cvelistv5 – Published: 2026-03-07 07:22 – Updated: 2026-03-07 07:22
Title
RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging <= 5.0.11 - Unauthenticated DOM-Based Reflected Cross-Site Scripting via postMessage
Summary
The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via postMessage in all versions up to, and including, 5.0.11. This is due to the plugin's admin-shell.js registering a global message event listener without origin validation (missing event.origin check) and directly passing user-controlled URLs to window.open() without URL scheme validation. This makes it possible for unauthenticated attackers to execute arbitrary JavaScript in the context of an authenticated administrator's session by tricking them into visiting a malicious website that sends crafted postMessage payloads to the plugin's admin page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Credits
Osvaldo Noe Gonzalez Del Rio

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging",
          "vendor": "rebelcode",
          "versions": [
            {
              "lessThanOrEqual": "5.0.11",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Osvaldo Noe Gonzalez Del Rio"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via postMessage in all versions up to, and including, 5.0.11. This is due to the plugin\u0027s admin-shell.js registering a global message event listener without origin validation (missing event.origin check) and directly passing user-controlled URLs to window.open() without URL scheme validation. This makes it possible for unauthenticated attackers to execute arbitrary JavaScript in the context of an authenticated administrator\u0027s session by tricking them into visiting a malicious website that sends crafted postMessage payloads to the plugin\u0027s admin page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T07:22:04.098Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/311960e7-c4b4-4638-980f-1e08ffa621ba?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/core/js/admin-shell.js#L58"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/tags/5.0.10/core/js/admin-shell.js#L58"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/core/js/admin-shell.js#L153"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/tags/5.0.10/core/js/admin-shell.js#L153"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3473511%40wp-rss-aggregator%2Ftrunk\u0026old=3439393%40wp-rss-aggregator%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-12T22:05:34.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-03-06T19:00:27.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "RSS Aggregator \u2013 RSS Import, News Feeds, Feed to Post, and Autoblogging \u003c= 5.0.11 - Unauthenticated DOM-Based Reflected Cross-Site Scripting via postMessage"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-2433",
    "datePublished": "2026-03-07T07:22:04.098Z",
    "dateReserved": "2026-02-12T21:50:01.000Z",
    "dateUpdated": "2026-03-07T07:22:04.098Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1071 (GCVE-0-2026-1071)

Vulnerability from cvelistv5 – Published: 2026-03-07 07:22 – Updated: 2026-03-07 07:22
Title
Carta Online <= 2.13.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings
Summary
The Carta Online plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.13.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
cartaonline Carta Online Affected: * , ≤ 2.13.0 (semver)
Credits
Bhumividh Treloges

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Carta Online",
          "vendor": "cartaonline",
          "versions": [
            {
              "lessThanOrEqual": "2.13.0",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Bhumividh Treloges"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Carta Online plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.13.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T07:22:03.721Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1e82c950-54dd-4bdf-9c7c-e880c934ddc9?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/carta-online/trunk/carta-online.php#L417"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/carta-online/tags/2.13.0/carta-online.php#L417"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-06T18:48:13.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Carta Online \u003c= 2.13.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1071",
    "datePublished": "2026-03-07T07:22:03.721Z",
    "dateReserved": "2026-01-16T20:12:27.358Z",
    "dateUpdated": "2026-03-07T07:22:03.721Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2420 (GCVE-0-2026-2420)

Vulnerability from cvelistv5 – Published: 2026-03-07 07:22 – Updated: 2026-03-07 07:22
Title
LotekMedia Popup Form <= 1.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings
Summary
The LotekMedia Popup Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the frontend of the site where the popup is displayed.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
lotekmedia LotekMedia Popup Form Affected: * , ≤ 1.0.6 (semver)
Credits
trung Hieu

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "LotekMedia Popup Form",
          "vendor": "lotekmedia",
          "versions": [
            {
              "lessThanOrEqual": "1.0.6",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "trung Hieu"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The LotekMedia Popup Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the frontend of the site where the popup is displayed."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T07:22:03.351Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f45583e-1438-47af-871c-efd59345c727?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ltm-popup-form/trunk/ltm-popup-form.php#L80"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ltm-popup-form/tags/1.0.6/ltm-popup-form.php#L80"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-06T18:48:27.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "LotekMedia Popup Form \u003c= 1.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-2420",
    "datePublished": "2026-03-07T07:22:03.351Z",
    "dateReserved": "2026-02-12T20:04:14.840Z",
    "dateUpdated": "2026-03-07T07:22:03.351Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-14675 (GCVE-0-2025-14675)

Vulnerability from cvelistv5 – Published: 2026-03-07 07:22 – Updated: 2026-03-07 07:22
Title
Meta Box <= 5.11.1 - Authenticated (Contributor+) Arbitrary File Deletion
Summary
The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'ajax_delete_file' function in all versions up to, and including, 5.11.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
CWE
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
Impacted products
Vendor Product Version
metabox Meta Box Affected: * , ≤ 5.11.1 (semver)
Credits
JongHwan Shin

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Meta Box",
          "vendor": "metabox",
          "versions": [
            {
              "lessThanOrEqual": "5.11.1",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "JongHwan Shin"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Meta Box plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the \u0027ajax_delete_file\u0027 function in all versions up to, and including, 5.11.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T07:22:02.665Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/036467de-95bb-4bfd-9522-df8dc17f3102?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3475210/meta-box#file3"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/meta-box/tags/5.11.0/inc/fields/file.php#L30"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/meta-box/tags/5.11.0/inc/fields/file.php#L54"
        },
        {
          "url": "https://github.com/wpmetabox/meta-box/pull/1654"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-17T16:22:11.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-03-06T19:09:12.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Meta Box \u003c= 5.11.1 - Authenticated (Contributor+) Arbitrary File Deletion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-14675",
    "datePublished": "2026-03-07T07:22:02.665Z",
    "dateReserved": "2025-12-13T16:53:02.153Z",
    "dateUpdated": "2026-03-07T07:22:02.665Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-8899 (GCVE-0-2025-8899)

Vulnerability from cvelistv5 – Published: 2026-03-07 05:46 – Updated: 2026-03-07 06:11
Title
Paid Videochat Turnkey Site – HTML5 PPV Live Webcams <= 7.3.20 - Authenticated (Author+) Privilege Escalation
Summary
The Paid Videochat Turnkey Site – HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.3.20. This is due to the videowhisper_register_form() function not restricting the user roles that can be set during registration. This makes it possible for authenticated attackers, with Author-level access and above, to create posts/pages containing the registration form with administrator set as the role, and subsequently use that form to register an administrator account. This can also be exploited by contributors, but is far less likely to succeed because an administrator would need to approve the form with the administrator role for the attack to be successful.
CWE
  • CWE-269 - Improper Privilege Management
Assigner
Impacted products
Vendor Product Version
videowhisper Paid Videochat Turnkey Site – HTML5 PPV Live Webcams Affected: * , ≤ 7.3.20 (semver)
Credits
Peter Thaleikis

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Paid Videochat Turnkey Site \u2013 HTML5 PPV Live Webcams",
          "vendor": "videowhisper",
          "versions": [
            {
              "lessThanOrEqual": "7.3.20",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Peter Thaleikis"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Paid Videochat Turnkey Site \u2013 HTML5 PPV Live Webcams plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.3.20. This is due to videowhisper_register_form() function not restricting user roles that can be set during registration. This makes it possible for authenticated attackers, with Author-level access and above, to create posts/pages with the registration form and administrator set as the role and subsequently use that form to register an administrator account. This can also be exploited by contributors, but is far less likely to be successful because an administrator would need to approve the form with the administrator role for the attack to be successful."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269 Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T06:11:58.184Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f71fc65f-cdc1-4f20-b37e-849ade49ee41?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/ppv-live-webcams/trunk/inc/shortcodes.php#L2464"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3348788/ppv-live-webcams"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-08-12T18:26:11.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-03-06T16:42:12.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Paid Videochat Turnkey Site \u2013 HTML5 PPV Live Webcams \u003c= 7.3.20 - Authenticated (Author+) Privilege Escalation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-8899",
    "datePublished": "2026-03-07T05:46:45.508Z",
    "dateReserved": "2025-08-12T18:10:56.467Z",
    "dateUpdated": "2026-03-07T06:11:58.184Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2722 (GCVE-0-2026-2722)

Vulnerability from cvelistv5 – Published: 2026-03-07 01:21 – Updated: 2026-03-07 01:21
Title
Stock Ticker <= 3.26.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Template
Summary
The Stock Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.26.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
urkekg Stock Ticker Affected: * , ≤ 3.26.1 (semver)
Credits
Yoschanin Pulsirivong Ronnachai Sretawat Na Ayutaya Ronnachai Chaipha

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Stock Ticker",
          "vendor": "urkekg",
          "versions": [
            {
              "lessThanOrEqual": "3.26.1",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Yoschanin Pulsirivong"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Ronnachai Sretawat Na Ayutaya"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Ronnachai Chaipha"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Stock Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.26.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T01:21:24.149Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e97ed28c-b4a2-47ee-8fbe-7c995fa102cb?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/stock-ticker/trunk/classes/class-wpau-stock-ticker-settings.php#L810"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/stock-ticker/tags/3.24.6/classes/class-wpau-stock-ticker-settings.php#L810"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3474252%40stock-ticker\u0026new=3474252%40stock-ticker\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-25T18:16:14.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-03-06T11:30:56.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Stock Ticker \u003c= 3.26.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Template"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-2722",
    "datePublished": "2026-03-07T01:21:24.149Z",
    "dateReserved": "2026-02-18T21:26:03.631Z",
    "dateUpdated": "2026-03-07T01:21:24.149Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-3352 (GCVE-0-2026-3352)

Vulnerability from cvelistv5 – Published: 2026-03-07 01:21 – Updated: 2026-03-07 01:21
Title
Easy PHP Settings <= 1.0.4 - Authenticated (Administrator+) PHP Code Injection via 'wp_memory_limit' Setting
Summary
The Easy PHP Settings plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.0.4 via the `update_wp_memory_constants()` method. This is due to insufficient input validation on the `wp_memory_limit` and `wp_max_memory_limit` settings before writing them to `wp-config.php`. The `sanitize_text_field()` function used for sanitization does not filter single quotes, allowing an attacker to break out of the string context in a PHP `define()` statement. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject and execute arbitrary PHP code on the server by modifying `wp-config.php`, which is loaded on every page request.
CWE
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
Impacted products
Vendor Product Version
shahadul878 Easy PHP Settings Affected: * , ≤ 1.0.4 (semver)
Credits
ZAST.AI

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Easy PHP Settings",
          "vendor": "shahadul878",
          "versions": [
            {
              "lessThanOrEqual": "1.0.4",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "ZAST.AI"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Easy PHP Settings plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.0.4 via the `update_wp_memory_constants()` method. This is due to insufficient input validation on the `wp_memory_limit` and `wp_max_memory_limit` settings before writing them to `wp-config.php`. The `sanitize_text_field()` function used for sanitization does not filter single quotes, allowing an attacker to break out of the string context in a PHP `define()` statement. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject and execute arbitrary PHP code on the server by modifying `wp-config.php`, which is loaded on every page request."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T01:21:24.875Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f9927487-99fb-46d9-a208-f19e0a371267?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/easy-php-settings/tags/1.0.4/class-easy-php-settings.php#L1800"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/easy-php-settings/trunk/class-easy-php-settings.php#L1800"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/easy-php-settings/tags/1.0.5/class-easy-php-settings.php#L1998"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-28T14:00:34.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-03-06T11:26:38.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Easy PHP Settings \u003c= 1.0.4 - Authenticated (Administrator+) PHP Code Injection via \u0027wp_memory_limit\u0027 Setting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-3352",
    "datePublished": "2026-03-07T01:21:24.875Z",
    "dateReserved": "2026-02-27T16:44:39.061Z",
    "dateUpdated": "2026-03-07T01:21:24.875Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2431 (GCVE-0-2026-2431)

Vulnerability from cvelistv5 – Published: 2026-03-07 01:21 – Updated: 2026-03-07 01:21
Title
CM Custom Reports <= 1.2.7 - Reflected Cross-Site Scripting via 'date_from' and 'date_to' Parameters
Summary
The CM Custom Reports plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'date_from' and 'date_to' parameters in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Credits
san6051

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "CM Custom Reports \u2013 Flexible reporting to track what matters most",
          "vendor": "creativemindssolutions",
          "versions": [
            {
              "lessThanOrEqual": "1.2.7",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "san6051"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The CM Custom Reports plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the \u0027date_from\u0027 and \u0027date_to\u0027 parameters in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T01:21:24.513Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e9b918e1-9bf7-4f90-9e77-829bc8012cbb?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/cm-custom-reports/trunk/backend/reports/RegisteredUsersReport.php#L19"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/cm-custom-reports/tags/1.2.7/backend/reports/RegisteredUsersReport.php#L19"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-12T21:31:08.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-03-06T11:33:43.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "CM Custom Reports \u003c= 1.2.7 - Reflected Cross-Site Scripting via \u0027date_from\u0027 and \u0027date_to\u0027 Parameters"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-2431",
    "datePublished": "2026-03-07T01:21:24.513Z",
    "dateReserved": "2026-02-12T21:16:00.969Z",
    "dateUpdated": "2026-03-07T01:21:24.513Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2429 (GCVE-0-2026-2429)

Vulnerability from cvelistv5 – Published: 2026-03-07 01:21 – Updated: 2026-03-07 01:21
Title
Community Events <= 1.5.8 - Authenticated (Administrator+) SQL Injection via 'ce_venue_name' CSV Field
Summary
The Community Events plugin for WordPress is vulnerable to SQL Injection via the 'ce_venue_name' CSV field in the `on_save_changes_venues` function in all versions up to, and including, 1.5.8. This is due to insufficient escaping on the user-supplied CSV data and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a crafted CSV file upload.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
Impacted products
Vendor Product Version
jackdewey Community Events Affected: * , ≤ 1.5.8 (semver)
Credits
huy tran

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Community Events",
          "vendor": "jackdewey",
          "versions": [
            {
              "lessThanOrEqual": "1.5.8",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "huy tran"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Community Events plugin for WordPress is vulnerable to SQL Injection via the \u0027ce_venue_name\u0027 CSV field in the `on_save_changes_venues` function in all versions up to, and including, 1.5.8. This is due to insufficient escaping on the user-supplied CSV data and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a crafted CSV file upload."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T01:21:23.120Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd184c80-e785-4e9b-961d-9c3378688f91?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/community-events/trunk/community-events.php#L743"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/community-events/tags/1.5.7/community-events.php#L743"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3462021%40community-events\u0026new=3462021%40community-events\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-12T21:15:18.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-03-06T11:49:54.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Community Events \u003c= 1.5.8 - Authenticated (Administrator+) SQL Injection via \u0027ce_venue_name\u0027 CSV Field"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-2429",
    "datePublished": "2026-03-07T01:21:23.120Z",
    "dateReserved": "2026-02-12T21:00:05.955Z",
    "dateUpdated": "2026-03-07T01:21:23.120Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2721 (GCVE-0-2026-2721)

Vulnerability from cvelistv5 – Published: 2026-03-07 01:21 – Updated: 2026-03-07 01:21
Title
MailArchiver <= 4.4.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings
Summary
The MailArchiver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
pierrelannoy MailArchiver Affected: * , ≤ 4.4.0 (semver)
Credits
Ronnachai Chaipha

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MailArchiver",
          "vendor": "pierrelannoy",
          "versions": [
            {
              "lessThanOrEqual": "4.4.0",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Ronnachai Chaipha"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The MailArchiver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T01:21:23.814Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/df2674c9-da77-412c-a812-f1749f54d04b?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mailarchiver/trunk/includes/system/class-form.php#L92"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mailarchiver/tags/4.4.0/includes/system/class-form.php#L92"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mailarchiver/tags/4.4.0/includes/system/class-form.php#L55"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mailarchiver/tags/4.4.0/includes/system/class-form.php#L126"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mailarchiver/tags/4.4.0/includes/system/class-form.php#L156"
        },
        {
          "url": "https://github.com/Pierre-Lannoy/wp-mailarchiver/commit/946c1a700bbecc6080a427fd428de800334af824"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3465101%40mailarchiver\u0026new=3465101%40mailarchiver\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-18T21:38:03.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-03-06T11:56:23.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "MailArchiver \u003c= 4.4.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-2721",
    "datePublished": "2026-03-07T01:21:23.814Z",
    "dateReserved": "2026-02-18T21:22:55.103Z",
    "dateUpdated": "2026-03-07T01:21:23.814Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1650 (GCVE-0-2026-1650)

Vulnerability from cvelistv5 – Published: 2026-03-07 01:21 – Updated: 2026-03-07 01:21
Title
MDJM Event Management <= 1.7.8.1 - Missing Authorization to Unauthenticated Arbitrary Custom Event Field Deletion
Summary
The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'custom_fields_controller' function in all versions up to, and including, 1.7.8.1. This makes it possible for unauthenticated attackers to delete arbitrary custom event fields via the 'delete_custom_field' and 'id' parameters.
CWE
  • CWE-862 - Missing Authorization
Assigner
Impacted products
Vendor Product Version
mdjm MDJM Event Management Affected: * , ≤ 1.7.8.1 (semver)
Credits
Abhirup Konwar

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "MDJM Event Management",
          "vendor": "mdjm",
          "versions": [
            {
              "lessThanOrEqual": "1.7.8.1",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Abhirup Konwar"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the \u0027custom_fields_controller\u0027 function in all versions up to, and including, 1.7.8.1. This makes it possible for unauthenticated attackers to delete arbitrary custom event fields via the \u0027delete_custom_field\u0027 and \u0027id\u0027 parameters."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T01:21:23.469Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cb309336-5b35-45cf-9c58-4bb75d8a5cba?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mobile-dj-manager/trunk/includes/admin/pages/event-fields.php#L100"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/mobile-dj-manager/tags/1.7.7/includes/admin/pages/event-fields.php#L100"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3464190%40mobile-dj-manager\u0026new=3464190%40mobile-dj-manager\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-01-30T17:24:15.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-03-06T11:57:27.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "MDJM Event Management \u003c= 1.7.8.1 - Missing Authorization to Unauthenticated Arbitrary Custom Event Field Deletion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1650",
    "datePublished": "2026-03-07T01:21:23.469Z",
    "dateReserved": "2026-01-29T19:07:23.727Z",
    "dateUpdated": "2026-03-07T01:21:23.469Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2020 (GCVE-0-2026-2020)

Vulnerability from cvelistv5 – Published: 2026-03-07 01:21 – Updated: 2026-03-07 01:21
Title
JS Archive List <= 6.1.7 - Authenticated (Contributor+) PHP Object Injection via 'included' Shortcode Attribute
Summary
The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.1.7 via the 'included' shortcode attribute. This is due to the deserialization of untrusted input supplied via the 'included' parameter of the plugin's shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP object. No known POP chain is present in the vulnerable software itself. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
CWE
  • CWE-502 - Deserialization of Untrusted Data
Assigner
Impacted products
Vendor Product Version
skatox JS Archive List Affected: * , ≤ 6.1.7 (semver)
Credits
Athiwat Tiprasaharn Itthidej Aramsri Waris Damkham

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "JS Archive List",
          "vendor": "skatox",
          "versions": [
            {
              "lessThanOrEqual": "6.1.7",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Athiwat Tiprasaharn"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Itthidej Aramsri"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Waris Damkham"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The JS Archive List plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.1.7 via the \u0027included\u0027 shortcode attribute. This is due to the deserialization of untrusted input supplied via the \u0027included\u0027 parameter of the plugin\u0027s shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T01:21:22.744Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9b0f6653-471b-4cee-9c92-f24dbe2c2dbd?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/jquery-archive-list-widget/trunk/classes/class-js-archive-list-settings.php#L10"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/jquery-archive-list-widget/tags/6.1.7/classes/class-js-archive-list-settings.php#L10"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/jquery-archive-list-widget/trunk/classes/class-jq-archive-list-widget.php#L674"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/jquery-archive-list-widget/tags/6.1.7/classes/class-jq-archive-list-widget.php#L674"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3466978%40jquery-archive-list-widget\u0026new=3466978%40jquery-archive-list-widget\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-05T20:19:15.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-03-06T11:46:38.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "JS Archive List \u003c= 6.1.7 - Authenticated (Contributor+) PHP Object Injection via \u0027included\u0027 Shortcode Attribute"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-2020",
    "datePublished": "2026-03-07T01:21:22.744Z",
    "dateReserved": "2026-02-05T20:04:06.842Z",
    "dateUpdated": "2026-03-07T01:21:22.744Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2494 (GCVE-0-2026-2494)

Vulnerability from cvelistv5 – Published: 2026-03-07 01:21 – Updated: 2026-03-07 01:21
Title
ProfileGrid <= 5.9.8.2 - Cross-Site Request Forgery to Group Membership Request Approval/Denial
Summary
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.8.2. This is due to missing nonce validation on the membership request management page (approve and decline actions). This makes it possible for unauthenticated attackers to approve or deny group membership requests via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Impacted products
Credits
Sergej Ljubojevic Boris Bogosavac

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "ProfileGrid \u2013 User Profiles, Groups and Communities",
          "vendor": "metagauss",
          "versions": [
            {
              "lessThanOrEqual": "5.9.8.2",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Sergej Ljubojevic"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Boris Bogosavac"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The ProfileGrid \u2013 User Profiles, Groups and Communities plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.9.8.2. This is due to missing nonce validation on the membership request management page (approve and decline actions). This makes it possible for unauthenticated attackers to approve or deny group membership requests via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T01:21:22.065Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6b8ffdb9-b8c6-428c-a047-8e5286b2c2fb?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/admin/partials/pm-membership-requests.php#L14"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.7.1/admin/partials/pm-membership-requests.php#L14"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3472582%40profilegrid-user-profiles-groups-and-communities\u0026new=3472582%40profilegrid-user-profiles-groups-and-communities\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-18T21:12:14.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-03-06T11:37:07.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "ProfileGrid \u003c= 5.9.8.2 - Cross-Site Request Forgery to Group Membership Request Approval/Denial"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-2494",
    "datePublished": "2026-03-07T01:21:22.065Z",
    "dateReserved": "2026-02-13T21:16:27.567Z",
    "dateUpdated": "2026-03-07T01:21:22.065Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-14353 (GCVE-0-2025-14353)

Vulnerability from cvelistv5 – Published: 2026-03-07 01:21 – Updated: 2026-03-07 01:21
Title
ZIP Code Based Content Protection <= 1.0.2 - Unauthenticated SQL Injection via 'zipcode' Parameter
Summary
The ZIP Code Based Content Protection plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 1.0.2 via the 'zipcode' parameter. This is due to insufficient escaping of the user-supplied parameter and a lack of sufficient preparation of the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries to already existing queries, which can be used to extract sensitive information from the database.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
Impacted products
Vendor Product Version
presstigers ZIP Code Based Content Protection Affected: * , ≤ 1.0.2 (semver)
Credits
Athiwat Tiprasaharn

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "ZIP Code Based Content Protection",
          "vendor": "presstigers",
          "versions": [
            {
              "lessThanOrEqual": "1.0.2",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Athiwat Tiprasaharn"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The ZIP Code Based Content Protection plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 1.0.2 via the \u0027zipcode\u0027 parameter. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T01:21:22.404Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8aeaba0e-0a23-48f6-aa42-7f2f3bd741f1?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/zip-code-based-content-protection/trunk/public/class-zipcode-bcp-public.php#L335"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/zip-code-based-content-protection/tags/1.0.1/public/class-zipcode-bcp-public.php#L335"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3464999%40zip-code-based-content-protection\u0026new=3464999%40zip-code-based-content-protection\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-06T11:52:34.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "ZIP Code Based Content Protection \u003c= 1.0.2 - Unauthenticated SQL Injection via \u0027zipcode\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-14353",
    "datePublished": "2026-03-07T01:21:22.404Z",
    "dateReserved": "2025-12-09T16:27:04.114Z",
    "dateUpdated": "2026-03-07T01:21:22.404Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2488 (GCVE-0-2026-2488)

Vulnerability from cvelistv5 – Published: 2026-03-07 01:21 – Updated: 2026-03-07 01:21
Title
ProfileGrid <= 5.9.8.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Message Deletion
Summary
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized message deletion due to a missing capability check on the pg_delete_msg() function in all versions up to, and including, 5.9.8.1. The function does not verify that the requesting user has permission to delete the targeted message. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary messages belonging to any user by sending a direct request with a valid message ID (the 'mid' parameter).
CWE
Assigner
Impacted products
Credits
Sergej Ljubojevic Boris Bogosavac

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "ProfileGrid \u2013 User Profiles, Groups and Communities",
          "vendor": "metagauss",
          "versions": [
            {
              "lessThanOrEqual": "5.9.8.1",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Sergej Ljubojevic"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Boris Bogosavac"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The ProfileGrid \u2013 User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized message deletion due to a missing capability check on the pg_delete_msg() function in all versions up to, and including, 5.9.8.1. This is due to the function not verifying that the requesting user has permission to delete the targeted message. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary messages belonging to any user by sending a direct request with a valid message ID (mid parameter)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T01:21:21.720Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c611fa0-28ef-4425-8614-fb61e250e625?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/class-profile-magic-public.php#L5913"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.7.1/public/class-profile-magic-public.php#L5913"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/includes/class-profile-magic.php#L372"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.7.1/includes/class-profile-magic.php#L372"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3464213%40profilegrid-user-profiles-groups-and-communities\u0026new=3464213%40profilegrid-user-profiles-groups-and-communities\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-13T21:19:21.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-03-06T11:44:27.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "ProfileGrid \u003c= 5.9.8.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Message Deletion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-2488",
    "datePublished": "2026-03-07T01:21:21.720Z",
    "dateReserved": "2026-02-13T21:00:10.000Z",
    "dateUpdated": "2026-03-07T01:21:21.720Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1902 (GCVE-0-2026-1902)

Vulnerability from cvelistv5 – Published: 2026-03-07 01:21 – Updated: 2026-03-07 01:21
Title
Hammas Calendar <= 1.5.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'apix' Shortcode Attribute
Summary
The Hammas Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'apix' parameter of the 'hp-calendar-manage-redirect' shortcode in all versions up to, and including, 1.5.11, due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts into pages; the scripts execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
innovaatik Hammas Calendar Affected: * , ≤ 1.5.11 (semver)
Credits
Djaidja Moundjid

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Hammas Calendar",
          "vendor": "innovaatik",
          "versions": [
            {
              "lessThanOrEqual": "1.5.11",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Djaidja Moundjid"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Hammas Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027apix\u0027 parameter in the \u0027hp-calendar-manage-redirect\u0027 shortcode in all versions up to, and including, 1.5.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-07T01:21:21.162Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/03956922-988a-4cb6-bf20-51878a5b1555?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/hammas-calendar/tags/1.5.11/hp-calendar.php#L37"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/hammas-calendar/tags/1.5.11/src/HpPlugin.php#L54"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3474583%40hammas-calendar\u0026new=3474583%40hammas-calendar\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-02T13:55:17.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-03-06T11:23:32.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Hammas Calendar \u003c= 1.5.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027apix\u0027 Shortcode Attribute"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1902",
    "datePublished": "2026-03-07T01:21:21.162Z",
    "dateReserved": "2026-02-04T15:08:30.694Z",
    "dateUpdated": "2026-03-07T01:21:21.162Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1981 (GCVE-0-2026-1981)

Vulnerability from cvelistv5 – Published: 2026-03-06 23:22 – Updated: 2026-03-06 23:22
Title
Winston AI <= 0.0.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Deletion
Summary
The HUMN-1 AI Website Scanner & Human Certification by Winston AI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the winston_disconnect() function in all versions up to, and including, 0.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's API connection settings via the 'winston_disconnect' AJAX action.
CWE
Assigner
Impacted products
Credits
Abhirup Konwar

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "HUMN-1 AI Website Scanner \u0026 Human Certification by Winston AI",
          "vendor": "winstonai",
          "versions": [
            {
              "lessThanOrEqual": "0.0.3",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Abhirup Konwar"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The HUMN-1 AI Website Scanner \u0026 Human Certification by Winston AI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the winston_disconnect() function in all versions up to, and including, 0.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin\u0027s API connection settings via the \u0027winston_disconnect\u0027 AJAX action."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T23:22:59.774Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b1a82073-ab63-42dd-9bc0-d21f53a5af25?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/winston-ai-wp/trunk/ajax/Ajax_Admin.php#L38"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/winston-ai-wp/tags/0.0.3/ajax/Ajax_Admin.php#L38"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/winston-ai-wp/trunk/ajax/Ajax_Admin.php#L193"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/winston-ai-wp/tags/0.0.3/ajax/Ajax_Admin.php#L193"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3468726%40winston-ai-wp\u0026new=3468726%40winston-ai-wp"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-09T19:24:52.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-03-06T11:14:38.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Winston AI \u003c= 0.0.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Deletion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1981",
    "datePublished": "2026-03-06T23:22:59.774Z",
    "dateReserved": "2026-02-05T14:23:11.148Z",
    "dateUpdated": "2026-03-06T23:22:59.774Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1644 (GCVE-0-2026-1644)

Vulnerability from cvelistv5 – Published: 2026-03-06 23:22 – Updated: 2026-03-06 23:22
Title
WP Frontend Profile <= 1.3.8 - Cross-Site Request Forgery to Unauthorized User Account Approval or Rejection
Summary
The WP Frontend Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing nonce validation on the 'update_action' function. This makes it possible for unauthenticated attackers to approve or reject user account registrations via a forged request, provided they can trick an administrator into performing an action such as clicking on a link.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Impacted products
Vendor Product Version
glowlogix WP Frontend Profile Affected: * , ≤ 1.3.8 (semver)
Credits
JohSka

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "WP Frontend Profile",
          "vendor": "glowlogix",
          "versions": [
            {
              "lessThanOrEqual": "1.3.8",
              "status": "affected",
              "version": "*",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "JohSka"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The WP Frontend Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing nonce validation on the \u0027update_action\u0027 function. This makes it possible for unauthenticated attackers to approve or reject user account registrations via a forged request granted they can trick an administrator into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T23:22:59.416Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/74b186fd-5825-4a20-829b-6b8a5ddbe853?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-front-end-profile/tags/1.3.8/functions/wpfep-functions.php#L987"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-front-end-profile/trunk/functions/wpfep-functions.php#L987"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3466608%40wp-front-end-profile\u0026new=3466608%40wp-front-end-profile\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-03-06T11:21:23.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "WP Frontend Profile \u003c= 1.3.8 - Cross-Site Request Forgery to Unauthorized User Account Approval or Rejection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1644",
    "datePublished": "2026-03-06T23:22:59.416Z",
    "dateReserved": "2026-01-29T18:33:42.845Z",
    "dateUpdated": "2026-03-06T23:22:59.416Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}