Search criteria
8486 vulnerabilities
CVE-2025-15521 (GCVE-0-2025-15521)
Vulnerability from cvelistv5 – Published: 2026-01-21 01:23 – Updated: 2026-01-21 01:23
VLAI?
Title
Academy LMS – WordPress LMS Plugin for Complete eLearning Solution <= 3.5.0 - Unauthenticated Privilege Escalation via Account Takeover
Summary
The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a user's identity prior to updating their password and relying solely on a publicly-exposed nonce for authorization. This makes it possible for unauthenticated attackers to change arbitrary user's password, including administrators, and gain access to their account.
Severity ?
9.8 (Critical)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| kodezen | Academy LMS – WordPress LMS Plugin for Complete eLearning Solution |
Affected:
* , ≤ 3.5.0
(semver)
|
Credits
vgo0
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Academy LMS \u2013 WordPress LMS Plugin for Complete eLearning Solution",
"vendor": "kodezen",
"versions": [
{
"lessThanOrEqual": "3.5.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "vgo0"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Academy LMS \u2013 WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a user\u0027s identity prior to updating their password and relying solely on a publicly-exposed nonce for authorization. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s password, including administrators, and gain access to their account."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-21T01:23:31.967Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6687ebbe-fdf4-4ecb-bf59-034bb4b0104c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/academy/tags/3.5.0/includes/functions.php#L1581"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-31T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-01-14T15:47:53.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-20T11:36:57.000+00:00",
"value": "Disclosed"
}
],
"title": "Academy LMS \u2013 WordPress LMS Plugin for Complete eLearning Solution \u003c= 3.5.0 - Unauthenticated Privilege Escalation via Account Takeover"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-15521",
"datePublished": "2026-01-21T01:23:31.967Z",
"dateReserved": "2026-01-14T15:32:20.670Z",
"dateUpdated": "2026-01-21T01:23:31.967Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0554 (GCVE-0-2026-0554)
Vulnerability from cvelistv5 – Published: 2026-01-20 14:26 – Updated: 2026-01-20 14:47
VLAI?
Title
NotificationX <= 3.1.11 - Missing Authorization to Authenticated (Contributor+) Analytics Reset
Summary
The NotificationX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'regenerate' and 'reset' REST API endpoints in all versions up to, and including, 3.1.11. This makes it possible for authenticated attackers, with Contributor-level access and above, to reset analytics for any NotificationX campaign, regardless of ownership.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpdevteam | NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar |
Affected:
* , ≤ 3.1.11
(semver)
|
Credits
Dmitrii Ignatyev
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0554",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T14:46:11.424620Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T14:47:07.305Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NotificationX \u2013 FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner \u0026 Floating Notification Bar",
"vendor": "wpdevteam",
"versions": [
{
"lessThanOrEqual": "3.1.11",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The NotificationX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027regenerate\u0027 and \u0027reset\u0027 REST API endpoints in all versions up to, and including, 3.1.11. This makes it possible for authenticated attackers, with Contributor-level access and above, to reset analytics for any NotificationX campaign, regardless of ownership."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T14:26:34.215Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3cd843b-ab38-45c4-a661-78d4e6db5201?source=cve"
},
{
"url": "https://research.cleantalk.org/cve-2026-0554"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3433555%40notificationx\u0026old=3426659%40notificationx\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-24T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-01-01T20:48:34.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-20T01:50:24.000+00:00",
"value": "Disclosed"
}
],
"title": "NotificationX \u003c= 3.1.11 - Missing Authorization to Authenticated (Contributor+) Analytics Reset"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0554",
"datePublished": "2026-01-20T14:26:34.215Z",
"dateReserved": "2026-01-01T20:31:15.582Z",
"dateUpdated": "2026-01-20T14:47:07.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15380 (GCVE-0-2025-15380)
Vulnerability from cvelistv5 – Published: 2026-01-20 14:26 – Updated: 2026-01-20 14:48
VLAI?
Title
NotificationX <= 3.2.0 - Unauthenticated DOM-Based Cross-Site Scripting via 'nx-preview'
Summary
The NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the 'nx-preview' POST parameter in all versions up to, and including, 3.2.0. This is due to insufficient input sanitization and output escaping when processing preview data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute when a user visits a malicious page that auto-submits a form to the vulnerable site.
Severity ?
7.2 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpdevteam | NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar |
Affected:
* , ≤ 3.2.0
(semver)
|
Credits
Dmitrii Ignatyev
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-15380",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T14:48:09.377792Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T14:48:22.901Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "NotificationX \u2013 FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner \u0026 Floating Notification Bar",
"vendor": "wpdevteam",
"versions": [
{
"lessThanOrEqual": "3.2.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The NotificationX \u2013 FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner \u0026 Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the \u0027nx-preview\u0027 POST parameter in all versions up to, and including, 3.2.0. This is due to insufficient input sanitization and output escaping when processing preview data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute when a user visits a malicious page that auto-submits a form to the vulnerable site."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T14:26:33.859Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9ca12315-380b-4251-b637-4e9d29df35e0?source=cve"
},
{
"url": "https://research.cleantalk.org/cve-2025-15380/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3433555%40notificationx\u0026old=3426659%40notificationx\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-23T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-12-30T22:14:52.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-20T01:49:23.000+00:00",
"value": "Disclosed"
}
],
"title": "NotificationX \u003c= 3.2.0 - Unauthenticated DOM-Based Cross-Site Scripting via \u0027nx-preview\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-15380",
"datePublished": "2026-01-20T14:26:33.859Z",
"dateReserved": "2025-12-30T21:36:36.412Z",
"dateUpdated": "2026-01-20T14:48:22.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15347 (GCVE-0-2025-15347)
Vulnerability from cvelistv5 – Published: 2026-01-20 14:26 – Updated: 2026-01-20 14:50
VLAI?
Title
Creator LMS – The LMS for Creators, Coaches, and Trainers <= 1.1.12 - Missing Authorization to Authenticated (Contributor+) Arbitrary Options Update
Summary
The Creator LMS – The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in all versions up to, and including, 1.1.12. This makes it possible for authenticated attackers, with contributor level access and above, to update arbitrary WordPress options.
Severity ?
8.8 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| getwpfunnels | Creator LMS – The LMS for Creators, Coaches, and Trainers |
Affected:
* , ≤ 1.1.12
(semver)
|
Credits
Sarawut Poolkhet
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-15347",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T14:50:10.607501Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T14:50:26.163Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Creator LMS \u2013 The LMS for Creators, Coaches, and Trainers",
"vendor": "getwpfunnels",
"versions": [
{
"lessThanOrEqual": "1.1.12",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sarawut Poolkhet"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Creator LMS \u2013 The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in all versions up to, and including, 1.1.12. This makes it possible for authenticated attackers, with contributor level access and above, to update arbitrary WordPress options."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T14:26:33.130Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4bddaefc-9ddc-4798-acb6-7b87f7c924a1?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3433193/creatorlms/tags/1.1.13/includes/Rest/V1/SettingsController.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-22T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-12-30T00:07:43.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-20T01:48:16.000+00:00",
"value": "Disclosed"
}
],
"title": "Creator LMS \u2013 The LMS for Creators, Coaches, and Trainers \u003c= 1.1.12 - Missing Authorization to Authenticated (Contributor+) Arbitrary Options Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-15347",
"datePublished": "2026-01-20T14:26:33.130Z",
"dateReserved": "2025-12-29T23:50:31.027Z",
"dateUpdated": "2026-01-20T14:50:26.163Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0608 (GCVE-0-2026-0608)
Vulnerability from cvelistv5 – Published: 2026-01-20 14:26 – Updated: 2026-01-20 14:49
VLAI?
Title
Head Meta Data <= 20251118 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta
Summary
The Head Meta Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head-meta-data' post meta field in all versions up to, and including, 20251118 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| specialk | Head Meta Data |
Affected:
* , ≤ 20251118
(semver)
|
Credits
Muhammad Yudha - DJ
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0608",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T14:48:53.765165Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T14:49:46.704Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Head Meta Data",
"vendor": "specialk",
"versions": [
{
"lessThanOrEqual": "20251118",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Head Meta Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027head-meta-data\u0027 post meta field in all versions up to, and including, 20251118 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T14:26:33.497Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9592bb6d-8e1d-4c89-addd-11c07272a628?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/head-meta-data/tags/20251118\u0026new_path=/head-meta-data/tags/20260105"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-26T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-01-05T21:22:14.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-20T01:55:44.000+00:00",
"value": "Disclosed"
}
],
"title": "Head Meta Data \u003c= 20251118 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0608",
"datePublished": "2026-01-20T14:26:33.497Z",
"dateReserved": "2026-01-05T15:36:48.554Z",
"dateUpdated": "2026-01-20T14:49:46.704Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0690 (GCVE-0-2026-0690)
Vulnerability from cvelistv5 – Published: 2026-01-20 14:26 – Updated: 2026-01-20 14:52
VLAI?
Title
FlatPM – Ad Manager, AdSense and Custom Code <= 3.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Post Meta
Summary
The FlatPM – Ad Manager, AdSense and Custom Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rank_math_description' custom field in all versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| flatboy | FlatPM – Ad Manager, AdSense and Custom Code |
Affected:
* , ≤ 3.2.2
(semver)
|
Credits
Muhammad Yudha - DJ
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0690",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T14:51:58.667529Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T14:52:49.486Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FlatPM \u2013 Ad Manager, AdSense and Custom Code",
"vendor": "flatboy",
"versions": [
{
"lessThanOrEqual": "3.2.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Muhammad Yudha - DJ"
}
],
"descriptions": [
{
"lang": "en",
"value": "The FlatPM \u2013 Ad Manager, AdSense and Custom Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027rank_math_description\u0027 custom field in all versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T14:26:32.223Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/14b89618-8a30-4b8c-9490-f05e8fa8ca8a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3434760/flatpm-wp"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-30T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-01-20T01:56:29.000+00:00",
"value": "Disclosed"
}
],
"title": "FlatPM \u2013 Ad Manager, AdSense and Custom Code \u003c= 3.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Post Meta"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0690",
"datePublished": "2026-01-20T14:26:32.223Z",
"dateReserved": "2026-01-07T20:19:13.158Z",
"dateUpdated": "2026-01-20T14:52:49.486Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15043 (GCVE-0-2025-15043)
Vulnerability from cvelistv5 – Published: 2026-01-20 14:26 – Updated: 2026-01-20 14:51
VLAI?
Title
The Events Calendar <= 6.15.13 - Missing Authorization to Authenticated (Subscriber+) Data Migration Control
Summary
The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'start_migration', 'cancel_migration', and 'revert_migration' functions in all versions up to, and including, 6.15.13. This makes it possible for authenticated attackers, with subscriber level access and above, to start, cancel, or revert the Custom Tables V1 database migration, including dropping the custom database tables entirely via the revert action.
Severity ?
5.4 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| stellarwp | The Events Calendar |
Affected:
* , ≤ 6.15.13
(semver)
|
Credits
M Indra Purnama
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-15043",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T14:50:51.973166Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T14:51:12.202Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "The Events Calendar",
"vendor": "stellarwp",
"versions": [
{
"lessThanOrEqual": "6.15.13",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "M Indra Purnama"
}
],
"descriptions": [
{
"lang": "en",
"value": "The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the \u0027start_migration\u0027, \u0027cancel_migration\u0027, and \u0027revert_migration\u0027 functions in all versions up to, and including, 6.15.13. This makes it possible for authenticated attackers, with subscriber level access and above, to start, cancel, or revert the Custom Tables V1 database migration, including dropping the custom database tables entirely via the revert action."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T14:26:32.694Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/346a5b00-fb76-4413-a935-a2df4dc51984?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/the-events-calendar/tags/6.15.13\u0026new_path=/the-events-calendar/tags/6.15.13.1"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-19T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-12-23T13:55:07.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-20T01:45:16.000+00:00",
"value": "Disclosed"
}
],
"title": "The Events Calendar \u003c= 6.15.13 - Missing Authorization to Authenticated (Subscriber+) Data Migration Control"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-15043",
"datePublished": "2026-01-20T14:26:32.694Z",
"dateReserved": "2025-12-23T13:25:41.567Z",
"dateUpdated": "2026-01-20T14:51:12.202Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0726 (GCVE-0-2026-0726)
Vulnerability from cvelistv5 – Published: 2026-01-20 14:26 – Updated: 2026-01-20 14:54
VLAI?
Title
Nexter Extension – Site Enhancements Toolkit <= 4.4.6 - Unauthenticated PHP Object Injection via 'nxt_unserialize_replace'
Summary
The Nexter Extension – Site Enhancements Toolkit plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.6 via deserialization of untrusted input in the 'nxt_unserialize_replace' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Severity ?
8.1 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| posimyththemes | Nexter Extension – Site Enhancements Toolkit |
Affected:
* , ≤ 4.4.6
(semver)
|
Credits
Craig Smith
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0726",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T14:54:17.150630Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T14:54:52.338Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Nexter Extension \u2013 Site Enhancements Toolkit",
"vendor": "posimyththemes",
"versions": [
{
"lessThanOrEqual": "4.4.6",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Craig Smith"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Nexter Extension \u2013 Site Enhancements Toolkit plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.6 via deserialization of untrusted input in the \u0027nxt_unserialize_replace\u0027 function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T14:26:31.228Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/02de9287-68e4-46ce-a491-3f6cbb7fc0ed?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/nexter-extension/tags/4.4.6/include/panel-settings/extensions/nexter-ext-replace-url.php\u0026new_path=/nexter-extension/tags/4.4.7/include/panel-settings/extensions/nexter-ext-replace-url.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-24T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-01-08T19:26:53.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-20T01:54:23.000+00:00",
"value": "Disclosed"
}
],
"title": "Nexter Extension \u2013 Site Enhancements Toolkit \u003c= 4.4.6 - Unauthenticated PHP Object Injection via \u0027nxt_unserialize_replace\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0726",
"datePublished": "2026-01-20T14:26:31.228Z",
"dateReserved": "2026-01-08T14:09:33.636Z",
"dateUpdated": "2026-01-20T14:54:52.338Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0548 (GCVE-0-2026-0548)
Vulnerability from cvelistv5 – Published: 2026-01-20 14:26 – Updated: 2026-01-20 14:53
VLAI?
Title
Tutor LMS – eLearning and online course solution <= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Limited Attachment Deletion
Summary
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site.
Severity ?
5.4 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| themeum | Tutor LMS – eLearning and online course solution |
Affected:
* , ≤ 3.9.4
(semver)
|
Credits
M Indra Purnama
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0548",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T14:53:15.549458Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T14:53:42.335Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Tutor LMS \u2013 eLearning and online course solution",
"vendor": "themeum",
"versions": [
{
"lessThanOrEqual": "3.9.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "M Indra Purnama"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Tutor LMS \u2013 eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T14:26:31.808Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0e475e02-494a-4ad0-a83c-d027c3a32989?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old_path=/tutor/tags/3.9.4/classes/User.php\u0026new_path=/tutor/tags/3.9.5/classes/User.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-21T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-01-01T17:15:10.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-20T01:46:19.000+00:00",
"value": "Disclosed"
}
],
"title": "Tutor LMS \u2013 eLearning and online course solution \u003c= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Limited Attachment Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0548",
"datePublished": "2026-01-20T14:26:31.808Z",
"dateReserved": "2026-01-01T16:58:14.820Z",
"dateUpdated": "2026-01-20T14:53:42.335Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14533 (GCVE-0-2025-14533)
Vulnerability from cvelistv5 – Published: 2026-01-20 09:25 – Updated: 2026-01-20 15:10
VLAI?
Title
Advanced Custom Fields: Extended <= 0.9.2.1 - Unauthenticated Privilege Escalation via Insert User Form Action
Summary
The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the 'insert_user' function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if 'role' is mapped to the custom field.
Severity ?
9.8 (Critical)
CWE
- CWE-269 - Improper Privilege Management
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| hwk-fr | Advanced Custom Fields: Extended |
Affected:
* , ≤ 0.9.2.1
(semver)
|
Credits
andrea bocchetti
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14533",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T15:09:44.703198Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:10:03.430Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Advanced Custom Fields: Extended",
"vendor": "hwk-fr",
"versions": [
{
"lessThanOrEqual": "0.9.2.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "andrea bocchetti"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the \u0027insert_user\u0027 function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the \u0027administrator\u0027 role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if \u0027role\u0027 is mapped to the custom field."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269 Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T09:25:00.542Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d44f8af2-3525-4b00-afa8-a908250cc838?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.1/includes/modules/form/module-form-action-user.php#L636"
},
{
"url": "https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/fields/field-user-roles.php#L437"
},
{
"url": "https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/modules/form/module-form-action-user.php#L356"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-11T10:28:11.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-19T21:07:19.000+00:00",
"value": "Disclosed"
}
],
"title": "Advanced Custom Fields: Extended \u003c= 0.9.2.1 - Unauthenticated Privilege Escalation via Insert User Form Action"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14533",
"datePublished": "2026-01-20T09:25:00.542Z",
"dateReserved": "2025-12-11T10:11:32.336Z",
"dateUpdated": "2026-01-20T15:10:03.430Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1042 (GCVE-0-2026-1042)
Vulnerability from cvelistv5 – Published: 2026-01-20 05:30 – Updated: 2026-01-20 20:23
VLAI?
Title
WP Hello Bar <= 1.02 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'digit_one' and 'digit_two' Parameters
Summary
The WP Hello Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'digit_one' and 'digit_two' parameters in all versions up to, and including, 1.02 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
4.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| norcross | WP Hello Bar |
Affected:
* , ≤ 1.02
(semver)
|
Credits
Bhumividh Treloges
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1042",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T20:22:58.842300Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T20:23:34.138Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WP Hello Bar",
"vendor": "norcross",
"versions": [
{
"lessThanOrEqual": "1.02",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bhumividh Treloges"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WP Hello Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027digit_one\u0027 and \u0027digit_two\u0027 parameters in all versions up to, and including, 1.02 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T05:30:18.112Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/73b55486-adb8-40c6-9113-c98618d9cb00?source=cve"
},
{
"url": "https://downloads.wordpress.org/plugin/wp-hello-bar.1.02.zip"
},
{
"url": "https://wordpress.org/plugins/wp-hello-bar/"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-hello-bar/tags/1.02/wp-hello-bar.php#L214"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-hello-bar/tags/1.02/wp-hello-bar.php#L222"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wp-hello-bar/tags/1.02/wp-hello-bar.php#L152"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-19T17:06:39.000+00:00",
"value": "Disclosed"
}
],
"title": "WP Hello Bar \u003c= 1.02 - Authenticated (Administrator+) Stored Cross-Site Scripting via \u0027digit_one\u0027 and \u0027digit_two\u0027 Parameters"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1042",
"datePublished": "2026-01-20T05:30:18.112Z",
"dateReserved": "2026-01-16T15:51:39.122Z",
"dateUpdated": "2026-01-20T20:23:34.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1045 (GCVE-0-2026-1045)
Vulnerability from cvelistv5 – Published: 2026-01-20 05:30 – Updated: 2026-01-20 20:24
VLAI?
Title
Viet contact <= 1.3.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'll1', 'll2', 'll3', and 'll4' Parameters
Summary
The Viet contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity ?
4.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nhomcaodem | Viet contact |
Affected:
* , ≤ 1.3.2
(semver)
|
Credits
Bhumividh Treloges
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1045",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T20:24:20.234609Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T20:24:53.824Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Viet contact",
"vendor": "nhomcaodem",
"versions": [
{
"lessThanOrEqual": "1.3.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bhumividh Treloges"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Viet contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T05:30:17.306Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/131a6a35-e0d2-4613-8614-24bf11011098?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/viet-contact/trunk/inc/vietcontact-admin.php#L34"
},
{
"url": "https://plugins.trac.wordpress.org/browser/viet-contact/trunk/inc/vietcontact-content.php#L11"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-19T17:05:13.000+00:00",
"value": "Disclosed"
}
],
"title": "Viet contact \u003c= 1.3.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via \u0027ll1\u0027, \u0027ll2\u0027, \u0027ll3\u0027, and \u0027ll4\u0027 Parameters"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1045",
"datePublished": "2026-01-20T05:30:17.306Z",
"dateReserved": "2026-01-16T16:00:14.440Z",
"dateUpdated": "2026-01-20T20:24:53.824Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14348 (GCVE-0-2025-14348)
Vulnerability from cvelistv5 – Published: 2026-01-20 04:35 – Updated: 2026-01-20 15:10
VLAI?
Title
weMail <= 2.0.7 - Insufficient Authorization via x-wemail-user Header to Sensitive Information Disclosure
Summary
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. This is due to the plugin's REST API trusting the `x-wemail-user` HTTP header to identify users without verifying the request originates from an authenticated WordPress session. This makes it possible for unauthenticated attackers who know or can guess an admin email (easily enumerable via `/wp-json/wp/v2/users`) to impersonate that user and access the CSV subscriber endpoints, potentially exfiltrating subscriber PII (emails, names, phone numbers) from imported CSV files.
Severity ?
5.3 (Medium)
CWE
- CWE-285 - Improper Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wedevs | weMail – Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation |
Affected:
* , ≤ 2.0.7
(semver)
|
Credits
Angus Girvan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14348",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T15:10:38.615260Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:10:45.592Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "weMail \u2013 Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation",
"vendor": "wedevs",
"versions": [
{
"lessThanOrEqual": "2.0.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Angus Girvan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. This is due to the plugin\u0027s REST API trusting the `x-wemail-user` HTTP header to identify users without verifying the request originates from an authenticated WordPress session. This makes it possible for unauthenticated attackers who know or can guess an admin email (easily enumerable via `/wp-json/wp/v2/users`) to impersonate that user and access the CSV subscriber endpoints, potentially exfiltrating subscriber PII (emails, names, phone numbers) from imported CSV files."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285 Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T04:35:46.497Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/59c0caa2-d0c2-472e-83c3-d11ad313720d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Csv.php#L79"
},
{
"url": "https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Csv.php#L85"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3442404%40wemail%2Ftrunk\u0026old=3423372%40wemail%2Ftrunk\u0026sfp_email=\u0026sfph_mail=#file1"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-24T15:30:57.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-19T15:57:34.000+00:00",
"value": "Disclosed"
}
],
"title": "weMail \u003c= 2.0.7 - Insufficient Authorization via x-wemail-user Header to Sensitive Information Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14348",
"datePublished": "2026-01-20T04:35:46.497Z",
"dateReserved": "2025-12-09T15:13:36.266Z",
"dateUpdated": "2026-01-20T15:10:45.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14977 (GCVE-0-2025-14977)
Vulnerability from cvelistv5 – Published: 2026-01-20 04:35 – Updated: 2026-01-20 15:11
VLAI?
Title
Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy <= 4.2.4 - Insecure Direct Object Reference to PayPal Account Takeover and Sensitive Information Disclosure
Summary
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with customer-level permissions and above, to read or modify other vendors' store settings including sensitive payment information (PayPal email, bank account details, routing numbers, IBAN, SWIFT codes), phone numbers, and addresses, and change PayPal email addresses to attacker-controlled addresses, enabling financial theft when the marketplace processes payouts.
Severity ?
8.1 (High)
CWE
- CWE-284 - Improper Access Control
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| dokaninc | Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy |
Affected:
* , ≤ 4.2.4
(semver)
|
Credits
Angus Girvan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14977",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T15:11:15.839516Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:11:26.613Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Dokan: AI Powered WooCommerce Multivendor Marketplace Solution \u2013 Build Your Own Amazon, eBay, Etsy",
"vendor": "dokaninc",
"versions": [
{
"lessThanOrEqual": "4.2.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Angus Girvan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution \u2013 Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with customer-level permissions and above, to read or modify other vendors\u0027 store settings including sensitive payment information (PayPal email, bank account details, routing numbers, IBAN, SWIFT codes), phone numbers, and addresses, and change PayPal email addresses to attacker-controlled addresses, enabling financial theft when the marketplace processes payouts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T04:35:45.902Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4ab9d7e9-9a81-48f8-bc37-ad6de43a566f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L131"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L152"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L109"
},
{
"url": "https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L85"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3432750%40dokan-lite%2Ftrunk\u0026old=3427612%40dokan-lite%2Ftrunk\u0026sfp_email=\u0026sfph_mail=#file7"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-19T16:13:51.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-19T15:32:29.000+00:00",
"value": "Disclosed"
}
],
"title": "Dokan: AI Powered WooCommerce Multivendor Marketplace Solution \u2013 Build Your Own Amazon, eBay, Etsy \u003c= 4.2.4 - Insecure Direct Object Reference to PayPal Account Takeover and Sensitive Information Disclosure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14977",
"datePublished": "2026-01-20T04:35:45.902Z",
"dateReserved": "2025-12-19T15:58:09.269Z",
"dateUpdated": "2026-01-20T15:11:26.613Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14798 (GCVE-0-2025-14798)
Vulnerability from cvelistv5 – Published: 2026-01-20 03:25 – Updated: 2026-01-20 20:28
VLAI?
Title
LearnPress – WordPress LMS Plugin <= 4.3.2.4 - Missing Authorization to Unauthenticated Sensitive User Information Disclosure via REST API
Summary
The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.3.2.4 via the get_item_permissions_check function. This makes it possible for unauthenticated attackers to extract sensitive data including user first names and last names. Other information such as social profile links and enrollment are also included.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| thimpress | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses |
Affected:
* , ≤ 4.3.2.4
(semver)
|
Credits
andrea bocchetti
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14798",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T20:28:30.331731Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T20:28:45.838Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LearnPress \u2013 WordPress LMS Plugin for Create and Sell Online Courses",
"vendor": "thimpress",
"versions": [
{
"lessThanOrEqual": "4.3.2.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "andrea bocchetti"
}
],
"descriptions": [
{
"lang": "en",
"value": "The LearnPress \u2013 WordPress LMS Plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.3.2.4 via the get_item_permissions_check function. This makes it possible for unauthenticated attackers to extract sensitive data including user first names and last names. Other information such as social profile links and enrollment are also included."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T03:25:17.527Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6fb00ce4-aa82-4479-b7f6-79e7bde098c1?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/jwt/rest-api/version1/class-lp-rest-users-v1-controller.php#L134"
},
{
"url": "https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/jwt/rest-api/version1/class-lp-rest-users-v1-controller.php#L35"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-16T19:39:51.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-19T14:52:42.000+00:00",
"value": "Disclosed"
}
],
"title": "LearnPress \u2013 WordPress LMS Plugin \u003c= 4.3.2.4 - Missing Authorization to Unauthenticated Sensitive User Information Disclosure via REST API"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14798",
"datePublished": "2026-01-20T03:25:17.527Z",
"dateReserved": "2025-12-16T19:24:38.118Z",
"dateUpdated": "2026-01-20T20:28:45.838Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14351 (GCVE-0-2025-14351)
Vulnerability from cvelistv5 – Published: 2026-01-20 03:25 – Updated: 2026-01-20 20:33
VLAI?
Title
Custom Fonts – Host Your Fonts Locally <= 2.1.16 - Missing Authorization to Unauthenticated Font Deletion
Summary
The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. This makes it possible for unauthenticated attackers to delete font directory and rewrite theme.json file.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| brainstormforce | Custom Fonts – Host Your Fonts Locally |
Affected:
* , ≤ 2.1.16
(semver)
|
Credits
M Indra Purnama
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14351",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T20:32:08.924576Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T20:33:09.196Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Custom Fonts \u2013 Host Your Fonts Locally",
"vendor": "brainstormforce",
"versions": [
{
"lessThanOrEqual": "2.1.16",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "M Indra Purnama"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Custom Fonts \u2013 Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the \u0027BCF_Google_Fonts_Compatibility\u0027 class constructor function in all versions up to, and including, 2.1.16. This makes it possible for unauthenticated attackers to delete font directory and rewrite theme.json file."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T03:25:16.827Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/60e3a506-8811-4e7d-a16c-02f91c757705?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/custom-fonts/trunk/includes/class-bcf-google-fonts-compatibility.php#L88"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3442237/custom-fonts"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-19T15:16:44.000+00:00",
"value": "Disclosed"
}
],
"title": "Custom Fonts \u2013 Host Your Fonts Locally \u003c= 2.1.16 - Missing Authorization to Unauthenticated Font Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14351",
"datePublished": "2026-01-20T03:25:16.827Z",
"dateReserved": "2025-12-09T16:10:20.040Z",
"dateUpdated": "2026-01-20T20:33:09.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14978 (GCVE-0-2025-14978)
Vulnerability from cvelistv5 – Published: 2026-01-20 01:22 – Updated: 2026-01-20 20:54
VLAI?
Title
PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) <= 1.119.8 - Missing Authorization to Unauthenticated Order Status Modification
Summary
The PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including, 1.119.8. This makes it possible for unauthenticated attackers to modify the status of arbitrary WooCommerce orders.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| peachpay | PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) |
Affected:
* , ≤ 1.119.8
(semver)
|
Credits
Md. Moniruzzaman Prodhan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14978",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T20:54:04.723575Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T20:54:26.888Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PeachPay \u2014 Payments \u0026 Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net)",
"vendor": "peachpay",
"versions": [
{
"lessThanOrEqual": "1.119.8",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Md. Moniruzzaman Prodhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The PeachPay \u2014 Payments \u0026 Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including, 1.119.8. This makes it possible for unauthenticated attackers to modify the status of arbitrary WooCommerce orders."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T01:22:45.405Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5480a151-3e3a-46ba-9712-6c61fba06812?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/peachpay-for-woocommerce/tags/1.119.5/core/payments/convesiopay/routes/class-peachpay-convesiopay-webhook.php#L33"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-13T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-12-19T16:22:34.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-19T13:14:59.000+00:00",
"value": "Disclosed"
}
],
"title": "PeachPay \u2014 Payments \u0026 Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) \u003c= 1.119.8 - Missing Authorization to Unauthenticated Order Status Modification"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14978",
"datePublished": "2026-01-20T01:22:45.405Z",
"dateReserved": "2025-12-19T16:06:55.163Z",
"dateUpdated": "2026-01-20T20:54:26.888Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1051 (GCVE-0-2026-1051)
Vulnerability from cvelistv5 – Published: 2026-01-20 01:22 – Updated: 2026-01-20 20:34
VLAI?
Title
Newsletter – Send awesome emails from WordPress <= 9.1.0 - Cross-Site Request Forgery to Newsletter Unsubscription
Summary
The Newsletter – Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hook_newsletter_action() function. This makes it possible for unauthenticated attackers to unsubscribe newsletter subscribers via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| satollo | Newsletter – Send awesome emails from WordPress |
Affected:
* , ≤ 9.1.0
(semver)
|
Credits
Sergej Ljubojevic
Boris Bogosavac
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1051",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T20:33:50.543260Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T20:34:46.858Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Newsletter \u2013 Send awesome emails from WordPress",
"vendor": "satollo",
"versions": [
{
"lessThanOrEqual": "9.1.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Sergej Ljubojevic"
},
{
"lang": "en",
"type": "finder",
"value": "Boris Bogosavac"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Newsletter \u2013 Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hook_newsletter_action() function. This makes it possible for unauthenticated attackers to unsubscribe newsletter subscribers via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T01:22:45.980Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8de2156f-5087-4c16-8e5d-93b5c72ec536?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/newsletter/tags/9.1.0/unsubscription/unsubscription.php#L141"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-05T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-01-17T11:23:47.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-19T11:44:32.000+00:00",
"value": "Disclosed"
}
],
"title": "Newsletter \u2013 Send awesome emails from WordPress \u003c= 9.1.0 - Cross-Site Request Forgery to Newsletter Unsubscription"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1051",
"datePublished": "2026-01-20T01:22:45.980Z",
"dateReserved": "2026-01-16T16:43:52.499Z",
"dateUpdated": "2026-01-20T20:34:46.858Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-15466 (GCVE-0-2025-15466)
Vulnerability from cvelistv5 – Published: 2026-01-19 23:21 – Updated: 2026-01-20 15:11
VLAI?
Title
Image Photo Gallery Final Tiles Grid <= 3.6.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Gallery Management
Summary
The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple AJAX actions in all versions up to, and including, 3.6.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to view, create, modify, clone, delete, and reassign ownership of galleries created by other users, including administrators.
Severity ?
5.4 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpchill | Image Photo Gallery Final Tiles Grid |
Affected:
* , ≤ 3.6.9
(semver)
|
Credits
Mohammad Amin Hajian
Pouria Shahba
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-15466",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T15:11:40.962831Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T15:11:52.423Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Image Photo Gallery Final Tiles Grid",
"vendor": "wpchill",
"versions": [
{
"lessThanOrEqual": "3.6.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Mohammad Amin Hajian"
},
{
"lang": "en",
"type": "finder",
"value": "Pouria Shahba"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple AJAX actions in all versions up to, and including, 3.6.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to view, create, modify, clone, delete, and reassign ownership of galleries created by other users, including administrators."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-19T23:21:52.729Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0afcfe15-2d7d-4c96-a408-28f35577a927?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3435746/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-21T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2026-01-05T22:35:42.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-19T10:31:17.000+00:00",
"value": "Disclosed"
}
],
"title": "Image Photo Gallery Final Tiles Grid \u003c= 3.6.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Gallery Management"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-15466",
"datePublished": "2026-01-19T23:21:52.729Z",
"dateReserved": "2026-01-05T22:20:17.348Z",
"dateUpdated": "2026-01-20T15:11:52.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-8615 (GCVE-0-2025-8615)
Vulnerability from cvelistv5 – Published: 2026-01-17 08:24 – Updated: 2026-01-20 19:23
VLAI?
Title
CubeWP <= 1.1.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via cubewp_shortcode_taxonomy Shortcode
Summary
The CubeWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cubewp_shortcode_taxonomy shortcode in all versions up to, and including, 1.1.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cubewp1211 | CubeWP Framework |
Affected:
* , ≤ 1.1.26
(semver)
|
Credits
Djaidja Moundjid
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8615",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T19:18:33.135710Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T19:23:09.481Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CubeWP Framework",
"vendor": "cubewp1211",
"versions": [
{
"lessThanOrEqual": "1.1.26",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Djaidja Moundjid"
}
],
"descriptions": [
{
"lang": "en",
"value": "The CubeWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s cubewp_shortcode_taxonomy shortcode in all versions up to, and including, 1.1.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-17T08:24:32.192Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/efc2baf0-38d9-44be-b439-3585b2f1d4a5?source=cve"
},
{
"url": "https://wordpress.org/plugins/cubewp-framework/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3362001#file10"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-08-05T20:19:34.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-16T19:29:36.000+00:00",
"value": "Disclosed"
}
],
"title": "CubeWP \u003c= 1.1.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via cubewp_shortcode_taxonomy Shortcode"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-8615",
"datePublished": "2026-01-17T08:24:32.192Z",
"dateReserved": "2025-08-05T20:04:22.582Z",
"dateUpdated": "2026-01-20T19:23:09.481Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0725 (GCVE-0-2026-0725)
Vulnerability from cvelistv5 – Published: 2026-01-17 08:24 – Updated: 2026-01-20 19:23
VLAI?
Title
Integrate Dynamics 365 CRM <= 1.1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Field Mapping Configuration
Summary
The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
4.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cyberlord92 | Integrate Dynamics 365 CRM |
Affected:
* , ≤ 1.1.1
(semver)
|
Credits
Teerachai Somprasong
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0725",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T19:17:58.626163Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T19:23:19.234Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Integrate Dynamics 365 CRM",
"vendor": "cyberlord92",
"versions": [
{
"lessThanOrEqual": "1.1.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Teerachai Somprasong"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Integrate Dynamics 365 CRM plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-17T08:24:31.355Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6b16028a-0b69-422b-9471-32ea6edb93a0?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/integrate-dynamics-365-crm/trunk/Wrappers/class-templatewrapper.php#L491"
},
{
"url": "https://plugins.trac.wordpress.org/browser/integrate-dynamics-365-crm/tags/1.1.1/Wrappers/class-templatewrapper.php#L491"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3438502/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-08T14:01:50.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-16T19:47:08.000+00:00",
"value": "Disclosed"
}
],
"title": "Integrate Dynamics 365 CRM \u003c= 1.1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Field Mapping Configuration"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0725",
"datePublished": "2026-01-17T08:24:31.355Z",
"dateReserved": "2026-01-08T13:46:37.754Z",
"dateUpdated": "2026-01-20T19:23:19.234Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14078 (GCVE-0-2025-14078)
Vulnerability from cvelistv5 – Published: 2026-01-17 08:24 – Updated: 2026-01-20 19:23
VLAI?
Title
PAYGENT for WooCommerce <= 2.4.6 - Missing Authorization to Unauthenticated Payment Callback Manipulation
Summary
The PAYGENT for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.4.6. This is due to missing authorization checks on the paygent_check_webhook function combined with the paygent_permission_callback function unconditionally returning true on line 199. This makes it possible for unauthenticated attackers to manipulate payment callbacks and modify order statuses by sending forged payment notifications via the `/wp-json/paygent/v1/check/` endpoint.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| shoheitanaka | PAYGENT for WooCommerce |
Affected:
* , ≤ 2.4.6
(semver)
|
Credits
Benachi
Terumi Benamou
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14078",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T19:18:17.367271Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T19:23:14.231Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PAYGENT for WooCommerce",
"vendor": "shoheitanaka",
"versions": [
{
"lessThanOrEqual": "2.4.6",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Benachi"
},
{
"lang": "en",
"type": "finder",
"value": "Terumi Benamou"
}
],
"descriptions": [
{
"lang": "en",
"value": "The PAYGENT for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.4.6. This is due to missing authorization checks on the paygent_check_webhook function combined with the paygent_permission_callback function unconditionally returning true on line 199. This makes it possible for unauthenticated attackers to manipulate payment callbacks and modify order statuses by sending forged payment notifications via the `/wp-json/paygent/v1/check/` endpoint."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-17T08:24:31.760Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9de42bd9-a1d2-48f2-a594-4013a9490e25?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-paygent-payment-main/trunk/includes/gateways/paygent/class-wc-paygent-endpoint.php#L199"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woocommerce-for-paygent-payment-main/tags/2.4.2/includes/gateways/paygent/class-wc-paygent-endpoint.php#L199"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3433179%40woocommerce-for-paygent-payment-main\u0026new=3433179%40woocommerce-for-paygent-payment-main\u0026sfp_email=\u0026sfph_mail="
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3432342%40woocommerce-for-paygent-payment-main\u0026new=3432342%40woocommerce-for-paygent-payment-main\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-18T17:14:50.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-16T19:57:52.000+00:00",
"value": "Disclosed"
}
],
"title": "PAYGENT for WooCommerce \u003c= 2.4.6 - Missing Authorization to Unauthenticated Payment Callback Manipulation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14078",
"datePublished": "2026-01-17T08:24:31.760Z",
"dateReserved": "2025-12-04T22:46:03.449Z",
"dateUpdated": "2026-01-20T19:23:14.231Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10484 (GCVE-0-2025-10484)
Vulnerability from cvelistv5 – Published: 2026-01-17 08:24 – Updated: 2026-01-20 19:23
VLAI?
Title
Registration & Login with Mobile Phone Number for WooCommerce <= 1.3.1 - Authentication Bypass
Summary
The Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.1. This is due to the plugin not properly verifying a users identity prior to authenticating them via the fma_lwp_set_session_php_fun() function. This makes it possible for unauthenticated attackers to authenticate as any user on the site, including administrators, without a valid password.
Severity ?
9.8 (Critical)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| FmeAddons | Registration & Login with Mobile Phone Number for WooCommerce |
Affected:
* , ≤ 1.3.1
(semver)
|
Credits
Vahan Petrosyan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10484",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T19:17:47.172522Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T19:23:24.113Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Registration \u0026 Login with Mobile Phone Number for WooCommerce",
"vendor": "FmeAddons",
"versions": [
{
"lessThanOrEqual": "1.3.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Vahan Petrosyan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Registration \u0026 Login with Mobile Phone Number for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.1. This is due to the plugin not properly verifying a users identity prior to authenticating them via the fma_lwp_set_session_php_fun() function. This makes it possible for unauthenticated attackers to authenticate as any user on the site, including administrators, without a valid password."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-17T08:24:30.759Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6aef6fbb-be8c-49e1-ada5-7b4aa8b2ff72?source=cve"
},
{
"url": "https://woocommerce.com/products/registration-login-with-mobile-phone-number/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-16T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Registration \u0026 Login with Mobile Phone Number for WooCommerce \u003c= 1.3.1 - Authentication Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10484",
"datePublished": "2026-01-17T08:24:30.759Z",
"dateReserved": "2025-09-15T14:03:41.704Z",
"dateUpdated": "2026-01-20T19:23:24.113Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12129 (GCVE-0-2025-12129)
Vulnerability from cvelistv5 – Published: 2026-01-17 07:27 – Updated: 2026-01-20 19:23
VLAI?
Title
CubeWP – All-in-One Dynamic Content Framework <= 1.1.27 - Unauthenticated Information Exposure
Summary
The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| cubewp1211 | CubeWP Framework |
Affected:
* , ≤ 1.1.27
(semver)
|
Credits
Jonas Benjamin Friedli
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12129",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T19:09:27.709016Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T19:23:34.063Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CubeWP Framework",
"vendor": "cubewp1211",
"versions": [
{
"lessThanOrEqual": "1.1.27",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jonas Benjamin Friedli"
}
],
"descriptions": [
{
"lang": "en",
"value": "The CubeWP \u2013 All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the /cubewp-posts/v1/query-new and /cubewp-posts/v1/query REST API endpoints due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-17T07:27:37.085Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2006dc4c-ec1a-45ab-94a3-1f86d80e70ca?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3422640/cubewp-framework/trunk/cube/classes/class-cubewp-rest-api.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-10-23T19:00:59.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-16T19:16:27.000+00:00",
"value": "Disclosed"
}
],
"title": "CubeWP \u2013 All-in-One Dynamic Content Framework \u003c= 1.1.27 - Unauthenticated Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12129",
"datePublished": "2026-01-17T07:27:37.085Z",
"dateReserved": "2025-10-23T18:45:51.310Z",
"dateUpdated": "2026-01-20T19:23:34.063Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-14478 (GCVE-0-2025-14478)
Vulnerability from cvelistv5 – Published: 2026-01-17 07:27 – Updated: 2026-01-20 19:23
VLAI?
Title
Demo Importer Plus <= 2.0.9 - Authenticated (Author+) Blind XML External Entity Injection via SVG File Upload
Summary
The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection (XXE) in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-level access and above, to achieve code execution in vulnerable configurations. This only impacts sites on versions of PHP older than 8.0.
Severity ?
7.5 (High)
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| kraftplugins | Demo Importer Plus |
Affected:
* , ≤ 2.0.9
(semver)
|
Credits
Lorenzo Franchini
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-14478",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T19:10:05.470176Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T19:23:29.088Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Demo Importer Plus",
"vendor": "kraftplugins",
"versions": [
{
"lessThanOrEqual": "2.0.9",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lorenzo Franchini"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Demo Importer Plus plugin for WordPress is vulnerable to XML External Entity Injection (XXE) in all versions up to, and including, 2.0.9 via the SVG file upload functionality. This makes it possible for authenticated attackers, with Author-level access and above, to achieve code execution in vulnerable configurations. This only impacts sites on versions of PHP older than 8.0."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611 Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-17T07:27:37.627Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b2971aa0-8287-4142-bd04-7aec1ed92e7b?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/demo-importer-plus/trunk/inc/importers/class-demo-importer-plus-sites-helper.php#L88"
},
{
"url": "https://plugins.trac.wordpress.org/browser/demo-importer-plus/tags/2.0.6/inc/importers/class-demo-importer-plus-sites-helper.php#L88"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3439643/demo-importer-plus/trunk/inc/importers/class-demo-importer-plus-sites-helper.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-10T18:54:11.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-16T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Demo Importer Plus \u003c= 2.0.9 - Authenticated (Author+) Blind XML External Entity Injection via SVG File Upload"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-14478",
"datePublished": "2026-01-17T07:27:37.627Z",
"dateReserved": "2025-12-10T18:36:47.883Z",
"dateUpdated": "2026-01-20T19:23:29.088Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0808 (GCVE-0-2026-0808)
Vulnerability from cvelistv5 – Published: 2026-01-17 06:42 – Updated: 2026-01-20 18:27
VLAI?
Title
Spin Wheel <= 2.1.0 - Unauthenticated Client-Side Prize Manipulation via 'prize_index' Parameter
Summary
The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated attackers to manipulate which prize they win by modifying the 'prize_index' parameter sent to the server, allowing them to always select the most valuable prizes.
Severity ?
5.3 (Medium)
CWE
- CWE-602 - Client-Side Enforcement of Server-Side Security
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bdthemes | Spin Wheel – Interactive spinning wheel that offers coupons |
Affected:
* , ≤ 2.1.0
(semver)
|
Credits
jason carle
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0808",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T18:27:06.693798Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T18:27:18.935Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Spin Wheel \u2013 Interactive spinning wheel that offers coupons",
"vendor": "bdthemes",
"versions": [
{
"lessThanOrEqual": "2.1.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "jason carle"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Spin Wheel plugin for WordPress is vulnerable to client-side prize manipulation in all versions up to, and including, 2.1.0. This is due to the plugin trusting client-supplied prize selection data without server-side validation or randomization. This makes it possible for unauthenticated attackers to manipulate which prize they win by modifying the \u0027prize_index\u0027 parameter sent to the server, allowing them to always select the most valuable prizes."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-602",
"description": "CWE-602 Client-Side Enforcement of Server-Side Security",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-17T06:42:20.697Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c023b91e-f633-41a6-b2d7-bcb3f1d026b7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/spin-wheel/trunk/includes/class-swp-ajax.php#L73"
},
{
"url": "https://plugins.trac.wordpress.org/browser/spin-wheel/tags/2.0.2/includes/class-swp-ajax.php#L73"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3437726%40spin-wheel\u0026new=3437726%40spin-wheel\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-09T14:51:52.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-16T18:09:30.000+00:00",
"value": "Disclosed"
}
],
"title": "Spin Wheel \u003c= 2.1.0 - Unauthenticated Client-Side Prize Manipulation via \u0027prize_index\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0808",
"datePublished": "2026-01-17T06:42:20.697Z",
"dateReserved": "2026-01-09T14:36:32.229Z",
"dateUpdated": "2026-01-20T18:27:18.935Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0691 (GCVE-0-2026-0691)
Vulnerability from cvelistv5 – Published: 2026-01-17 06:42 – Updated: 2026-01-20 18:28
VLAI?
Title
CM E-Mail Blacklist <= 1.6.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'black_email' Parameter
Summary
The CM E-Mail Blacklist – Simple email filtering for safer registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'black_email' parameter in all versions up to, and including, 1.6.2. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity ?
4.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| creativemindssolutions | CM E-Mail Blacklist – Simple email filtering for safer registration |
Affected:
* , ≤ 1.6.2
(semver)
|
Credits
Phap Nguyen Anh
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-0691",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T18:28:29.618825Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T18:28:47.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CM E-Mail Blacklist \u2013 Simple email filtering for safer registration",
"vendor": "creativemindssolutions",
"versions": [
{
"lessThanOrEqual": "1.6.2",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Phap Nguyen Anh"
}
],
"descriptions": [
{
"lang": "en",
"value": "The CM E-Mail Blacklist \u2013 Simple email filtering for safer registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027black_email\u0027 parameter in all versions up to, and including, 1.6.2. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-17T06:42:20.210Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/821f4ea9-bc25-4d65-9058-5b77c4f1b230?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cm-email-blacklist/trunk/backend/views/settings/email_blacklist.phtml#L67"
},
{
"url": "https://plugins.trac.wordpress.org/browser/cm-email-blacklist/tags/1.6.2/backend/views/settings/email_blacklist.phtml#L67"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3440158%40cm-email-blacklist\u0026new=3440158%40cm-email-blacklist\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-07T21:09:24.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-16T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "CM E-Mail Blacklist \u003c= 1.6.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via \u0027black_email\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0691",
"datePublished": "2026-01-17T06:42:20.210Z",
"dateReserved": "2026-01-07T20:54:14.552Z",
"dateUpdated": "2026-01-20T18:28:47.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-0833 (GCVE-0-2026-0833)
Vulnerability from cvelistv5 – Published: 2026-01-17 06:42 – Updated: 2026-01-17 06:42
VLAI?
Title
Team Section Block <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Social Network Link
Summary
The Team Section Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user-supplied social network link URLs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity ?
6.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bplugins | Team Section Block – Showcase Team Members with Layout Options |
Affected:
* , ≤ 2.0.0
(semver)
|
Credits
Athiwat Tiprasaharn
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Team Section Block \u2013 Showcase Team Members with Layout Options",
"vendor": "bplugins",
"versions": [
{
"lessThanOrEqual": "2.0.0",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Athiwat Tiprasaharn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Team Section Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin\u0027s block in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user-supplied social network link URLs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-17T06:42:19.058Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6348b119-a0dc-40ef-ae62-1de86dcefac7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/team-section/trunk/build/render.php#L3"
},
{
"url": "https://plugins.trac.wordpress.org/browser/team-section/tags/1.1.0/build/render.php#L3"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3436953%40team-section\u0026new=3436953%40team-section\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-09T21:46:38.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-01-16T17:54:29.000+00:00",
"value": "Disclosed"
}
],
"title": "Team Section Block \u003c= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Social Network Link"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-0833",
"datePublished": "2026-01-17T06:42:19.058Z",
"dateReserved": "2026-01-09T21:31:12.462Z",
"dateUpdated": "2026-01-17T06:42:19.058Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12984 (GCVE-0-2025-12984)
Vulnerability from cvelistv5 – Published: 2026-01-17 06:42 – Updated: 2026-01-17 06:42
VLAI?
Title
Advanced Ads – Ad Manager & AdSense <= 2.0.15 - Authenticated (Admin+) SQL Injection
Summary
The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 2.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity ?
4.9 (Medium)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| monetizemore | Advanced Ads – Ad Manager & AdSense |
Affected:
* , ≤ 2.0.15
(semver)
|
Credits
Supakiad S.
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Advanced Ads \u2013\u00a0Ad Manager \u0026 AdSense",
"vendor": "monetizemore",
"versions": [
{
"lessThanOrEqual": "2.0.15",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Supakiad S."
}
],
"descriptions": [
{
"lang": "en",
"value": "The Advanced Ads \u2013\u00a0Ad Manager \u0026 AdSense plugin for WordPress is vulnerable to SQL Injection via the \u0027order\u0027 parameter in all versions up to, and including, 2.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-17T06:42:19.675Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/729e8a06-abaa-4468-8a80-1e5c6cbace92?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/advanced-ads/tags/2.0.13/includes/admin/class-placement-list-table.php#L254"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3429511%40advanced-ads\u0026new=3429511%40advanced-ads\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-16T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Advanced Ads \u2013 Ad Manager \u0026 AdSense \u003c= 2.0.15 - Authenticated (Admin+) SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12984",
"datePublished": "2026-01-17T06:42:19.675Z",
"dateReserved": "2025-11-10T21:16:00.943Z",
"dateUpdated": "2026-01-17T06:42:19.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12825 (GCVE-0-2025-12825)
Vulnerability from cvelistv5 – Published: 2026-01-17 04:34 – Updated: 2026-01-20 18:34
VLAI?
Title
User Registration Using Contact Form 7 <= 2.5 - Authenticated (Subscriber+) Information Exposure
Summary
The User Registration Using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_cf7_form_data' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to retrieve form settings which includes Facebook app secrets.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| zealopensource | User Registration Using Contact Form 7 |
Affected:
* , ≤ 2.5
(semver)
|
Credits
Md. Moniruzzaman Prodhan
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12825",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-20T18:34:21.355448Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-20T18:34:56.055Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "User Registration Using Contact Form 7",
"vendor": "zealopensource",
"versions": [
{
"lessThanOrEqual": "2.5",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Md. Moniruzzaman Prodhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The User Registration Using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027get_cf7_form_data\u0027 function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to retrieve form settings which includes Facebook app secrets."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-17T04:34:02.212Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b49978c1-9254-4229-8d32-e12896301f3d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3433276%40user-registration-using-contact-form-7\u0026new=3433276%40user-registration-using-contact-form-7\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2026-01-16T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "User Registration Using Contact Form 7 \u003c= 2.5 - Authenticated (Subscriber+) Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12825",
"datePublished": "2026-01-17T04:34:02.212Z",
"dateReserved": "2025-11-06T19:06:39.317Z",
"dateUpdated": "2026-01-20T18:34:56.055Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}