Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

Wordfence

#b15e7b5b-3da4-40ae-a43c-f7aa60e62599
PolicyEmail

Short Name

Wordfence

Program Role

CNA

Top Level Root

MITRE Corporation

Security Advisories

View Advisories

Domain

wordfence.com

Country

USA

Scope

WordPress Plugins, Themes, and Core Vulnerabilities discovered by, or reported to, the Wordfence/Defiant team.
Reported CVEsVendorsProductsReports
10734Vulnerabilities found

CVE-2026-9734
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 5.22%
||
7 Day CHG~0.00%
Published-18 Jul, 2026 | 04:31
Updated-18 Jul, 2026 | 05:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
W3SC Elementor to Zoho CRM <= 2.2.0 - Cross-Site Request Forgery to Settings Update

The W3SC Elementor to Zoho CRM plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.0. This is due to missing or incorrect nonce validation on the storeInfo function. This makes it possible for unauthenticated attackers to modify the plugin's Zoho CRM integration settings, replacing the configured data center, client ID, client secret, and user email credentials with attacker-controlled values via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-w3scloud
Product-W3SC Elementor to Zoho CRM
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-9656
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.16% / 5.38%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 06:53
Updated-17 Jul, 2026 | 14:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HubSpot All-In-One Marketing <= 11.3.62 - Authenticated (Contributor+) Sensitive Information Exposure via Block Editor Localized Script

The HubSpot All-In-One Marketing – Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.62 via the wp_localize_script() / window.leadinConfig JavaScript object. This makes it possible for authenticated attackers, with contributor-level access and above, to extract the site's plaintext HubSpot OAuth refresh token exposed via the window.leadinConfig JavaScript object, which can then be used to access or modify data in the connected HubSpot tenant. Although the refresh token is stored at rest with AES-256-CTR encryption, decryption occurs server-side before the plaintext value is passed to wp_localize_script(), rendering the at-rest encryption ineffective against this exposure path.

Action-Not Available
Vendor-hubspotdev
Product-HubSpot All-In-One Marketing – Forms, Popups, Live Chat
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-15094
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 11.90%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 05:35
Updated-17 Jul, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Hotel Booking <= 2.3.2 - Reflected Cross-Site Scripting via 'check_in_date' Parameter

The WP Hotel Booking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'check_in_date' parameter in all versions up to, and including, 2.3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Action-Not Available
Vendor-ThimPress (PhysCode)
Product-WP Hotel Booking
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-15982
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.29% / 21.30%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 05:35
Updated-17 Jul, 2026 | 14:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit <= 2.8.4 - Unauthenticated Privilege Escalation via 'aiomatic_call_google_ai_function'

The Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.8.4. This is due to due to a missing capability check on the 'aiomatic_call_google_ai_function' function. This makes it possible for unauthenticated attackers to leverage the 'aimogen_wp_god_mode' tool to clear function blacklists and execute arbitrary PHP functions, such as creating administrator accounts.

Action-Not Available
Vendor-CodeRevolution
Product-Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit
CWE ID-CWE-269
Improper Privilege Management
CVE-2026-13765
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.39% / 31.10%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 03:43
Updated-17 Jul, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LearnPress <= 4.4.1 - Missing Authorization to Unauthenticated Sensitive Information Exposure via /lp/v1/users/check-answer and /start-quiz REST Endpoints

The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.1 via the check_answer. This makes it possible for unauthenticated attackers to extract the correct-answer markers, full option lists, explanations, and question content for any quiz question on the site — including questions belonging to paid courses the attacker is not enrolled in.

Action-Not Available
Vendor-ThimPress (PhysCode)
Product-LearnPress – WordPress LMS Plugin for Create and Sell Online Courses
CWE ID-CWE-862
Missing Authorization
CVE-2026-15161
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.16% / 5.18%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 03:43
Updated-17 Jul, 2026 | 14:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ninja Forms - Excel Export <= 3.3.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'filter' Parameter

The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.3.6. This is due to the save_filter() AJAX handler storing the raw $_POST['filter'] array into a WordPress option via update_option() without any capability check, nonce verification, or input sanitization, combined with the get_filter_row() method on the admin Excel Export screen concatenating the stored filter values (field_key, condition, value) directly into HTML attributes without esc_attr(). This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Saturday Drive, INC
Product-Ninja Forms - Excel Export
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-15759
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.20% / 10.10%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 03:43
Updated-17 Jul, 2026 | 16:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ChatHelp <= 3.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'number' and 'group' Shortcode Attributes

The ChatHelp – Click to Chat Button, WooCommerce Chat to Order & Floating Chat Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'number' and 'group' Shortcode Attributes in all versions up to, and including, 3.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-themeatelier
Product-ChatHelp – Click to Chat Button, WooCommerce Chat to Order & Floating Chat Form
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-13352
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.57% / 43.63%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 03:43
Updated-17 Jul, 2026 | 16:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content <= 4.16.18 - Authenticated (Author+) Limited Unsafe File Upload via upload_mimes Filter Expansion

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 4.16.18 via the allowed_mime_types function. This is due to the unconditional registration of an upload_mimes filter that adds executable file extensions (.exe, .apk, .msi) to the global WordPress MIME allowlist, without scoping the expansion to digital-product upload contexts. This makes it possible for authenticated attackers, with author-level access and above, to upload files that may be executable, which makes remote code execution possible. This filter is registered globally on every request regardless of whether the digital products feature is configured or in use, meaning the expanded MIME allowlist affects all WordPress upload contexts site-wide.

Action-Not Available
Vendor-properfraction
Product-Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-15349
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.27% / 19.15%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 03:43
Updated-17 Jul, 2026 | 14:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce <= 1.17.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Company Location Creation via wp_ajax_erp-company-location AJAX Handler

The ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.17.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary company locations in the ERP database.

Action-Not Available
Vendor-weDevs Pte. Ltd.
Product-ERP: Complete HR, Accounting & CRM Suite Built for WooCommerce
CWE ID-CWE-862
Missing Authorization
CVE-2026-14503
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-0.29% / 20.68%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 03:43
Updated-17 Jul, 2026 | 14:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
pCloud WP Backup <= 2.0.3 - Missing Authorization on the 'start_backup' AJAX Method to Authenticated (Subscriber+) Arbitrary File Read

The pCloud WP Backup plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.0.3 via the wp2pcl_ajax_process_request_inner. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract force generation of a full-site backup archive written to a publicly accessible directory, exposing wp-config.php database credentials, WordPress secret salts, and the complete PHP source tree. The resulting archive is deposited in the plugin's unprotected tmp/ directory at a predictable URL, making the extracted data accessible to unauthenticated visitors once the backup is triggered.

Action-Not Available
Vendor-ploudapp
Product-pCloud WP Backup
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CVE-2026-15457
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-4.9||MEDIUM
EPSS-0.77% / 51.39%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 03:43
Updated-17 Jul, 2026 | 14:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kirki <= 6.0.13 - Authenticated (Editor+) Path Traversal to Arbitrary Directory Deletion via 'family' Parameter

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 6.0.13 via the 'family' parameter. This makes it possible for authenticated attackers, with editor-level access and above, to delete arbitrary directories on the server, which can result in loss of data and availability.

Action-Not Available
Vendor-Themeum
Product-Kirki – Freeform Page Builder, Website Builder & Customizer
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-15395
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-7.2||HIGH
EPSS-0.25% / 15.92%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 02:31
Updated-17 Jul, 2026 | 14:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Kali Forms <= 2.4.18 - Unauthenticated Stored Cross-Site Scripting via 'digitalSignature' Field Value

The Kali Forms — Contact Form & Drag-and-Drop Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'digitalSignature' Field Value in all versions up to, and including, 2.4.18 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The required form-submission nonce is publicly available on any page containing the form shortcode, making this exploitable by fully unauthenticated attackers without any precondition beyond the form being published.

Action-Not Available
Vendor-wpchill
Product-Kali Forms — Contact Form & Drag-and-Drop Builder
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-11324
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.28% / 20.00%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 02:31
Updated-17 Jul, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WooCommerce Placetopay Gateway <= 3.2.2 - Reflected Cross-Site Scripting via 'redirect-url'

The WooCommerce Placetopay Gateway and PlacetoPay/AvalPay gateway plugins for WordPress are vulnerable to Reflected Cross-Site Scripting via the 'redirect-url' parameter in versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Action-Not Available
Vendor-evertec
Product-WooCommerce Placetopay Gateway HondurasWooCommerce Placetopay Gateway ColombiaWooCommerce Placetopay Gateway BeliceWooCommerce Placetopay Gateway UruguayWooCommerce Placetopay GatewayWooCommerce Placetopay Gateway Ecuador
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-15159
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.18% / 7.45%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 02:31
Updated-17 Jul, 2026 | 14:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ninja Forms - Excel Export <= 3.3.6 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Data Disclosure via 'spreadsheet_export_form_id' Parameter

The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.6 via the 'spreadsheet_export_form_id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to enumerate any Ninja Forms form ID and download all stored submission data — including names, email addresses, phone numbers, physical addresses, and any other PII collected by site forms — as a downloadable XLSX file.

Action-Not Available
Vendor-Saturday Drive, INC
Product-Ninja Forms - Excel Export
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-15160
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.46% / 36.99%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 02:31
Updated-17 Jul, 2026 | 14:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Ninja Forms - Excel Export <= 3.3.6 - Missing Authorization to Authenticated (Subscriber+) XLS Write via Path Traversal

The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.6 via the 'spreadsheet_export_tmp_name' parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to write .xls/.xlsx files to arbitrary locations on the server, which can be used to stage further attacks.

Action-Not Available
Vendor-Saturday Drive, INC
Product-Ninja Forms - Excel Export
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-8616
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.23% / 13.54%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 02:31
Updated-17 Jul, 2026 | 14:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Fense Proxy & VPN Blocker <= 3.0.1 - Missing Authorization to Unauthenticated Plugin Option/Transient Deletion via fense_bpvt_save_settings AJAX Action

The Fense Proxy & VPN Blocker plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce validation on the fense_bpvt_save_settings() function in versions up to, and including, 3.0.1. The callback is registered to both wp_ajax_* and wp_ajax_nopriv_* hooks and unconditionally calls delete_option() on four plugin options and delete_transient() on three transients tied to the plugin's API key cache and settings. This makes it possible for unauthenticated attackers to delete plugin options and transients, effectively resetting the plugin's API key/data cache and forcing the plugin to refetch state.

Action-Not Available
Vendor-devozon
Product-Fense Proxy & VPN Blocker
CWE ID-CWE-862
Missing Authorization
CVE-2026-14956
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.35% / 27.42%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 01:30
Updated-17 Jul, 2026 | 14:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Bricksforge <= 3.1.8.6 - Unauthenticated Privilege Escalation via Pro Forms fieldIds Parameter

The Bricksforge plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.1.8.6. This is due to improper validation of the fieldIds parameter in the Pro Forms registration action, which allows attacker-supplied field IDs to be added to the trusted form-field whitelist. This makes it possible for unauthenticated attackers to register a new administrator account by submitting a crafted request to a publicly accessible Bricksforge Pro Forms registration form. Successful exploitation requires that the site has a public Bricksforge Pro Forms element configured with the User Registration action.

Action-Not Available
Vendor-Bricksforge
Product-Bricksforge
CWE ID-CWE-269
Improper Privilege Management
CVE-2026-2594
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.24% / 15.06%
||
7 Day CHG~0.00%
Published-17 Jul, 2026 | 01:30
Updated-17 Jul, 2026 | 16:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Smart Custom Fields <= 5.0.7 - Authenticated (Author+) Stored Cross-Site Scripting via Attachment Title

The Smart Custom Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.0.7. This is due to insufficient input sanitization and output escaping of uploaded image attachment titles. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially patched in 5.0.7.

Action-Not Available
Vendor-inc2734
Product-Smart Custom Fields
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-14782
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-4.9||MEDIUM
EPSS-0.24% / 15.02%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 21:30
Updated-17 Jul, 2026 | 14:59
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Booking for Appointments and Events Calendar – Amelia <= 2.4.3 - Authenticated (Custom+) SQL Injection via Customer Import

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to SQL Injection via the Customer Import in all versions up to, and including, 2.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with wpamelia-manager role, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Action-Not Available
Vendor-melograno
Product-Booking for Appointments and Events Calendar – Amelia
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-15324
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-4.4||MEDIUM
EPSS-0.21% / 10.92%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 08:26
Updated-17 Jul, 2026 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SysBasics Customize My Account for WooCommerce <= 4.4.14 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via 'row_type' Parameter

The SysBasics Customize My Account for WooCommerce – Live My Account Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'row_type' parameter in all versions up to, and including, 4.4.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-phppoet
Product-SysBasics Customize My Account for WooCommerce – Live My Account Customizer
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-15103
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.32% / 24.01%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 08:26
Updated-16 Jul, 2026 | 16:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPFunnels <= 3.12.8 - Authenticated (Funnel Manager+) Privilege Escalation via 'group_id' Path Parameter

The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Privilege Escalation via arbitrary option update in all versions up to, and including, 3.12.8. This is due to the `update_settings()` REST callback failing to validate the `group_id` path parameter against an allowlist of permitted option names before passing it directly to `get_option()` and `update_option()`, allowing the built-in `wp_user_roles` option — which satisfies the route's loose `[\w-]+` regex — to be targeted. This makes it possible for authenticated attackers with the `wpf_manage_funnels` capability and above to elevate their privileges to administrator by writing a crafted role definition containing arbitrary capabilities into the `wp_user_roles` option, thereby granting any WordPress role full site administrator access. The `wpf_manage_funnels` capability is typically assigned to the Funnel Manager custom role created by the plugin, meaning this role is the minimum required to exploit the vulnerability.

Action-Not Available
Vendor-getwpfunnels
Product-WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell
CWE ID-CWE-269
Improper Privilege Management
CVE-2026-15727
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-4.9||MEDIUM
EPSS-0.36% / 27.83%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 08:26
Updated-16 Jul, 2026 | 13:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Bulk Delete <= 1.4.2 - Authenticated (Administrator+) SQL Injection via 'delete_user_roles' Parameter

The WP Bulk Delete plugin for WordPress is vulnerable to generic SQL Injection via the 'delete_user_roles' parameter in all versions up to, and including, 1.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. wp_unslash() is applied to the raw POST body before parse_str() decomposes it, stripping WordPress magic-quotes protection and leaving attacker-controlled values fully unescaped prior to reaching the SQL sink.

Action-Not Available
Vendor-xylus
Product-WP Bulk Delete
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-15021
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.21% / 10.67%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 08:26
Updated-16 Jul, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
wpForo Forum <= 3.1.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'location' Profile Field

The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'location' Profile Field in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The sanitize_text_field() function applied at input does not encode double quotes, allowing attribute breakout via a payload that escapes the href attribute context and injects event handler attributes.

Action-Not Available
Vendor-tomdever
Product-wpForo Forum
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-15005
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.21% / 11.41%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 08:26
Updated-16 Jul, 2026 | 13:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Loco Translate <= 2.8.5 - Cross-Site Request Forgery to Remote Code Execution via 'template' Parameter

The Loco Translate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.5. This is due to missing or incorrect nonce validation on the execTemplate function. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on the server by supplying a php://filter stream wrapper URI as the 'template' parameter, which bypasses path validation and is passed directly to the include sink in execTemplate() via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-timwhitlock
Product-Loco Translate
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-13741
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-8.8||HIGH
EPSS-0.25% / 15.79%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 08:26
Updated-16 Jul, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Digits: WordPress Mobile Number Signup and Login <= 9.1.0.5 - Authenticated (Subscriber+) Privilege Escalation via 'digits_reg_userrole' Parameter

The Digits: WordPress Mobile Number Signup and Login plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 9.1.0.5. This is due to missing authorization and role validation in the `dig_update_wpwc_custom_fields()` function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator by submitting a forged `digits_reg_userrole` value during profile update, granted the site administrator has configured the built-in DIGITS User Role field.

Action-Not Available
Vendor-UnitedOver
Product-Digits: WordPress Mobile Number Signup and Login
CWE ID-CWE-269
Improper Privilege Management
CVE-2026-13755
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.22% / 13.07%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 07:51
Updated-16 Jul, 2026 | 13:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tickera <= 3.6.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'price_wrapper' Shortcode Attribute

The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'price_wrapper' Shortcode Attribute in all versions up to, and including, 3.6.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Successful execution of the injected script is limited to victims who have the referenced ticket ID present in their cart cookie, meaning the payload only fires for users who have previously added that ticket to their cart.

Action-Not Available
Vendor-tickera
Product-Tickera – Sell Tickets & Manage Events
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-15610
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.23% / 14.05%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 07:51
Updated-16 Jul, 2026 | 13:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPBot <= 8.5.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary RAG Document Re-Sync via ajax_rag_manual_sync() Function

The WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 8.5.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to trigger arbitrary re-embedding of stored RAG documents, modifying the rag_documents table and consuming the site owner's paid third-party AI API credits (OpenAI, Gemini, OpenRouter, or xAI).

Action-Not Available
Vendor-quantumcloud
Product-WPBot – AI ChatBot for Live Support, Lead Generation, AI Services
CWE ID-CWE-862
Missing Authorization
CVE-2026-15106
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-0.27% / 19.22%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 07:51
Updated-16 Jul, 2026 | 13:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WPBot <= 8.5.6 - Missing Authorization to Unauthenticated Arbitrary Chat Session Deletion via 'userid' Parameter

The WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 8.5.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to delete arbitrary chat session records from the wpbot_user and wpbot_conversation tables, including chat history and conversation logs, by supplying a crafted userid value.

Action-Not Available
Vendor-quantumcloud
Product-WPBot – AI ChatBot for Live Support, Lead Generation, AI Services
CWE ID-CWE-862
Missing Authorization
CVE-2026-15407
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.29% / 20.73%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 07:51
Updated-18 Jul, 2026 | 03:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Themify Builder <= 7.7.7 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Stylesheet Write/Delete via tb_generate_on_fly AJAX Action

The Themify Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 7.7.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite or delete the generated CSS stylesheet file of arbitrary posts, including private and draft posts owned by other users, and modify plugin-scoped font options. The required CSRF nonce (tf_nonce) is emitted on public front-end builder pages via wp_localize_script, making it trivially obtainable by any authenticated user visiting such a page.

Action-Not Available
Vendor-themifyme
Product-Themify Builder
CWE ID-CWE-862
Missing Authorization
CVE-2026-15651
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-4.9||MEDIUM
EPSS-0.29% / 20.74%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 07:51
Updated-16 Jul, 2026 | 16:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP TripAdvisor Review Slider <= 14.6 - Authenticated (Administrator+) SQL Injection via 'filtersource' Parameter

The WP TripAdvisor Review Slider plugin for WordPress is vulnerable to generic SQL Injection via the 'filtersource' parameter in all versions up to, and including, 14.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Action-Not Available
Vendor-jgwhite33
Product-WP TripAdvisor Review Slider
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-15008
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-8.1||HIGH
EPSS-0.58% / 43.93%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 07:51
Updated-17 Jul, 2026 | 13:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Uncanny Automator <= 7.3.1.4 - Unauthenticated PHP Object Injection to Arbitrary File Deletion via Forminator Submitted-Field Token

The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the fr_token function in all versions up to, and including, 7.3.1.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Exploitation requires a Forminator form connected to an Uncanny Automator recipe configured for 'Everyone', allowing unauthenticated form submissions to supply the malicious serialized payload; a gadget chain is present within the plugin via the Action_Helpers_Email __destruct() method, meaning no external gadget library is required.

Action-Not Available
Vendor-Uncanny Owl Inc.
Product-Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2026-15022
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-0.34% / 26.31%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 07:51
Updated-18 Jul, 2026 | 03:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tutor LMS <= 4.0.0 - Authenticated (Subscriber+) SQL Injection via Stored Quiz Answer Array

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via Stored Quiz Answer Array in all versions up to, and including, 4.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The payload is stored at quiz-attempt time via the wp_ajax_tutor_quiz_abandon handler, but the injected SQL executes only when a privileged user or Tutor REST API key holder requests the /wp-json/tutor/v1/quiz-attempt-details/{id} endpoint, making this a second-order (stored) injection chain.

Action-Not Available
Vendor-Themeum
Product-Tutor LMS – eLearning and online course solution
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-13754
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-0.25% / 16.16%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 07:51
Updated-18 Jul, 2026 | 03:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Tickera <= 3.6.0.0 - Authenticated (Staff+) SQL Injection via 's' Parameter

The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 3.6.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Action-Not Available
Vendor-tickera
Product-Tickera – Sell Tickets & Manage Events
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-7543
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-7.2||HIGH
EPSS-0.19% / 8.80%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 07:51
Updated-17 Jul, 2026 | 13:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Breakdance <= 2.7.1 - Unauthenticated Stored Cross-Site Scripting via Webhook Action Details

The Breakdance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fields' parameter in versions up to, and including, 2.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-Breakdance
Product-Breakdance
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-13767
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-0.25% / 16.16%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 07:51
Updated-16 Jul, 2026 | 16:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Quiz and Survey Master (QSM) <= 11.2.0 - Authenticated (Custom+) SQL Injection via 'pages' Parameter

The Quiz Master Next plugin for WordPress is vulnerable to SQL Injection via stored quiz page data in versions up to, and including, 11.2.0. This is due to insufficient escaping on the user-supplied 'pages' parameter persisted by the qsm_ajax_save_pages() AJAX handler (sanitize_text_field only) and lack of sufficient preparation on the existing SQL query built in qsm_options_questions_tab_content() at line 143, where the stored page IDs are interpolated into an IN() clause via implode() with no $wpdb->prepare() and no integer casting. This makes it possible for authenticated attackers, with Author-level access and above (who can own a quiz they are entitled to edit), to plant a SQL payload that is executed second-order whenever any user (including an administrator) views the quiz's Questions tab, allowing them to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Action-Not Available
Vendor-expresstech
Product-Quiz and Survey Master (QSM) – Quiz Maker & Survey Maker
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-15350
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.22% / 12.70%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 07:51
Updated-16 Jul, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
The Cache Purger <= 2.3.20 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Log Deletion via 'the_log_purge' Parameter

The The Cache Purger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.3.20. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to permanently truncate the plugin's cache-purge audit log (wp-content/purge.log), destroying the entire cache-purge audit history. The tcp_log_purge nonce is rendered in the admin bar on frontend pages accessible to all authenticated users including subscribers, meaning any authenticated user possesses the nonce required to trigger the deletion.

Action-Not Available
Vendor-kevp75
Product-The Cache Purger
CWE ID-CWE-862
Missing Authorization
CVE-2026-15099
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.19% / 9.18%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 07:51
Updated-16 Jul, 2026 | 13:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP Delicious <= 1.10.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'steps' Block Attribute

The Delicious Recipes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'steps' block attribute in versions up to, and including, 1.10.2. This is due to insufficient input sanitization and output escaping in the wrap_direction_text() function, which interpolates the user-supplied href value from nested link nodes ($node['props']['href']) directly into an anchor tag via sprintf() at line 1627 without esc_url() or any URL scheme validation. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts (including javascript: URIs) in pages that will execute whenever a user (such as an editor or administrator previewing the pending post) accesses an injected page and clicks the malicious link.

Action-Not Available
Vendor-wpdelicious
Product-WP Delicious – Recipe Plugin for Food Bloggers (formerly Delicious Recipes)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-15458
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-4.9||MEDIUM
EPSS-0.27% / 19.14%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 03:44
Updated-17 Jul, 2026 | 15:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SEO Booster <= 7.3.1 - Authenticated (Administrator+) SQL Injection via 'sort_field' Parameter

The SEO Booster plugin for WordPress is vulnerable to generic SQL Injection via the 'sort_field' parameter in all versions up to, and including, 7.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Action-Not Available
Vendor-cleverplugins
Product-SEO Booster
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-15013
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-9.8||CRITICAL
EPSS-0.30% / 22.36%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 03:44
Updated-16 Jul, 2026 | 13:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SAML Single Sign On <= 5.4.3 - Unauthenticated Authentication Bypass via 'SAMLResponse' Parameter Signature Algorithm Confusion

The SAML Single Sign On – SSO Login plugin for WordPress is vulnerable to Authentication Bypass via SAML Signature Algorithm Confusion in all versions up to, and including, 5.4.3. The vulnerability exists because `Mo_SAML_Utilities::mo_saml_cast_key()` reads the `SignatureMethod` Algorithm attribute directly from the attacker-controlled `SAMLResponse` parameter rather than enforcing the locally configured algorithm, causing the plugin to recast the IdP's RSA public key as an HMAC-SHA1 shared secret and validate the forged signature against it. This makes it possible for unauthenticated attackers to forge a SAML assertion targeting any WordPress account — including administrators — obtain valid WordPress authentication cookies, and achieve full administrator-level account takeover.

Action-Not Available
Vendor-cyberlord92
Product-SAML Single Sign On – SSO Login
CWE ID-CWE-347
Improper Verification of Cryptographic Signature
CVE-2026-13042
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-7.2||HIGH
EPSS-0.25% / 15.92%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 03:44
Updated-18 Jul, 2026 | 03:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RPB Chessboard <= 8.1.2 - Unauthenticated Stored Cross-Site Scripting via Comment Content

The RPB Chessboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Comment Content in all versions up to, and including, 8.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. WordPress's save-time kses sanitization does not mitigate this issue because the crafted payload uses only kses-allowed tags and attributes (such as an &lt;a&gt; element with title and href), and the dangerous attribute-breaking HTML is synthesized entirely at render time by the plugin's own comment_text filter.

Action-Not Available
Vendor-yo35
Product-RPB Chessboard
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-15445
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-4.9||MEDIUM
EPSS-0.27% / 19.14%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 03:44
Updated-16 Jul, 2026 | 13:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SEO Booster <= 7.3.1 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter

The SEO Booster plugin for WordPress is vulnerable to time-based SQL Injection via the 'orderby' parameter in all versions up to, and including, 7.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Although esc_sql() and sanitize_text_field() are applied, neither neutralizes SQL keywords, commas, parentheses, or subquery syntax in an unquoted ORDER BY context, leaving the clause fully attacker-controlled.

Action-Not Available
Vendor-cleverplugins
Product-SEO Booster
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-15306
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-6.1||MEDIUM
EPSS-0.21% / 11.90%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 03:44
Updated-16 Jul, 2026 | 16:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Product Feed Manager For WooCommerce <= 7.6.1 - Reflected Cross-Site Scripting via 's' Search Parameter

The Product Feed Manager For WooCommerce – Sell on 200+ Online Marketplaces plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via 's' Search Parameter in all versions up to, and including, 7.6.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Action-Not Available
Vendor-rextheme
Product-Product Feed Manager For WooCommerce – Sell on 200+ Online Marketplaces
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-15652
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.20% / 9.66%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 02:30
Updated-16 Jul, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Easy Accordion <= 3.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'align' Block Attribute

The Easy Accordion – AI-Powered FAQ & Accordion Blocks, Product FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'align' Block Attribute in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Action-Not Available
Vendor-shapedplugin
Product-Easy Accordion – AI-Powered FAQ & Accordion Blocks, Product FAQ
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-12941
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-6.5||MEDIUM
EPSS-0.25% / 16.78%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 02:30
Updated-16 Jul, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MultiVendorX <= 5.0.9 - Authenticated (Store Owner+) SQL Injection via 'order_by' Parameter

The MultiVendorX – WooCommerce Multivendor Marketplace AI Powered Solutions plugin for WordPress is vulnerable to generic SQL Injection via the 'order_by' parameter in all versions up to, and including, 5.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This vulnerability is exploitable by any authenticated subscriber-level user when the plugin's store approval setting is configured to automatically approve store owners (described as the default), as this allows any logged-in user to self-register as a store_owner via the public Stores REST endpoint, thereby obtaining the edit_stores capability required to reach the vulnerable transactions endpoint.

Action-Not Available
Vendor-wcmp
Product-MultiVendorX – WooCommerce Multivendor Marketplace AI Powered Solutions
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-14987
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-6.4||MEDIUM
EPSS-0.21% / 10.67%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 02:30
Updated-16 Jul, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GiveWP <= 4.16.3 - Authenticated (Give Worker+) Stored Cross-Site Scripting via 'twitter_message' Sequoia Template Setting

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'twitter_message' Sequoia Template Setting in all versions up to, and including, 4.16.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with give worker-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected script executes specifically when a donor clicks the Share on Twitter button on the Sequoia donation confirmation view, as that is when the unescaped twitter_message value is evaluated inside the JavaScript template literal.

Action-Not Available
Vendor-The Events Calendar (StellarWP)
Product-GiveWP – Donation Plugin and Fundraising Platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-12409
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.13% / 2.93%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 02:30
Updated-17 Jul, 2026 | 13:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Landing Page Builder <= 1.5.3.6 - Cross-Site Request Forgery to ulpb_admin_data AJAX Action

The Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.3.6. This is due to missing or incorrect nonce validation on the ulpb_admin_ajax function. This makes it possible for unauthenticated attackers to create, update, retitle, or change the post status, slug, and type of arbitrary posts and write ULPB_DATA post meta via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. This attack requires the victim to hold an editor-level or administrator session, as the wp_ajax_ulpb_admin_data action enforces a capability check that the forged request must satisfy by inheriting the logged-in user's session cookies.

Action-Not Available
Vendor-umarbajwa
Product-Landing Page Builder – Coming Soon page, Maintenance Mode, Lead Page, WordPress Landing Pages
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2026-12753
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-7.5||HIGH
EPSS-0.30% / 22.40%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 02:30
Updated-18 Jul, 2026 | 03:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Advance Product Search- Voice & Ajax Search for WooCommerce <= 1.4.4 - Unauthenticated SQL Injection via 's' and 'match' Parameter

The Advance Product Search- Voice & Ajax Search for WooCommerce plugin for WordPress is vulnerable to generic SQL Injection via the 's' and 'match' parameter in all versions up to, and including, 1.4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Action-Not Available
Vendor-themehunk
Product-Advance Product Search- Voice & Ajax Search for WooCommerce
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-12434
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.24% / 14.89%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 02:30
Updated-16 Jul, 2026 | 14:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
List category posts <= 0.95.0 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Exposure via 'post_status' Shortcode Attribute

The List category posts plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 0.95.0 via the sanitize_status. This makes it possible for authenticated attackers, with contributor-level access and above, to extract titles, full content, excerpts, dates, authors, and custom-field metadata of other users' pending-review, scheduled, and trashed posts by embedding a crafted [catlist] shortcode in their own draft and previewing it. This vulnerability is a bypass of the incomplete fix introduced for CVE-2025-11377 in version 0.93.0.

Action-Not Available
Vendor-fernandobt
Product-List category posts
CWE ID-CWE-862
Missing Authorization
CVE-2026-15336
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.25% / 16.33%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 02:30
Updated-17 Jul, 2026 | 13:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Catch Themes Demo Import <= 3.3 - Missing Authorization to Authenticated (Subscriber+) Single Plugin Installation via 'activate_plugin' Parameter

The Catch Themes Demo Import plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 3.3. This is due to the catch_themes_demo_import_activate_plugin() function, hooked on admin_init when the activate_plugin GET parameter is present, calling Plugin_Upgrader::install() to download and install a plugin from WordPress.org before performing the current_user_can('activate_plugins') capability check. This makes it possible for authenticated attackers, with subscriber-level access and above, to install the hardcoded 'essential-content-types' plugin from the WordPress.

Action-Not Available
Vendor-catchplugins
Product-Catch Themes Demo Import
CWE ID-CWE-862
Missing Authorization
CVE-2026-13005
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-4.4||MEDIUM
EPSS-0.21% / 10.87%
||
7 Day CHG~0.00%
Published-16 Jul, 2026 | 02:30
Updated-16 Jul, 2026 | 16:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MxChat <= 3.2.10 - Authenticated (Admin+) Stored Cross-Site Scripting via 'intro_message' Setting

The MxChat – AI Chatbot & Content Generation for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.2.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Action-Not Available
Vendor-mxchat
Product-MxChat – AI Chatbot & Content Generation for WordPress
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 214
  • 215
  • Next