Search criteria

102 vulnerabilities by Themeisle

CVE-2026-13252 (GCVE-0-2026-13252)

Vulnerability from cvelistv5 – Published: 2026-07-02 08:33 – Updated: 2026-07-02 19:42
VLAI?
Title
RSS Aggregator by Feedzy <= 5.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'aspectRatio' Attribute
Summary
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'aspectRatio' Attribute in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Credits
PRISM
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-13252",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-02T19:34:57.114503Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-02T19:42:21.582Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "RSS Aggregator by Feedzy \u2013 Feed to Post, Autoblogging, News \u0026 YouTube Video Feeds Aggregator",
          "vendor": "themeisle",
          "versions": [
            {
              "lessThanOrEqual": "5.2.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "PRISM"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The RSS Aggregator by Feedzy \u2013 Feed to Post, Autoblogging, News \u0026 YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via \u0027aspectRatio\u0027 Attribute in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-02T08:33:07.655Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d402b7d1-3c12-4bdd-8ff3-e58d5501f0c0?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.2.0/includes/abstract/feedzy-rss-feeds-admin-abstract.php#L1700"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.2.0/includes/abstract/feedzy-rss-feeds-admin-abstract.php#L1453"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.2.0/includes/abstract/feedzy-rss-feeds-admin-abstract.php#L624"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.2.0/includes/abstract/feedzy-rss-feeds-admin-abstract.php#L423"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3586919%40feedzy-rss-feeds\u0026new=3586919%40feedzy-rss-feeds\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-24T20:03:42.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-07-01T20:08:52.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "RSS Aggregator by Feedzy \u003c= 5.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via \u0027aspectRatio\u0027 Attribute"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-13252",
    "datePublished": "2026-07-02T08:33:07.655Z",
    "dateReserved": "2026-06-24T19:48:31.427Z",
    "dateUpdated": "2026-07-02T19:42:21.582Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-13468 (GCVE-0-2026-13468)

Vulnerability from cvelistv5 – Published: 2026-07-01 03:43 – Updated: 2026-07-01 10:32
VLAI?
Title
Visualizer <= 4.0.3 - Missing Authorization to Unauthenticated Sensitive Information Disclosure via /visualizer/v1/action/{chart}/{type}/ REST Endpoint
Summary
The Visualizer – Tables & Charts Manager with Built-in AI Generator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to access and export the contents of any visualizer chart on the site — including charts in draft, private, pending, future, or trash status — as CSV, Excel, or HTML via the /wp-json/visualizer/v1/action/{chart}/{type}/ REST endpoint. This bypass is particularly impactful because the standard WordPress REST endpoint for the non-public 'visualizer' custom post type correctly enforces capability checks and returns HTTP 401 to unauthenticated callers, whereas this plugin-registered route circumvents that protection entirely.
CWE
Assigner
Credits
Niv Kochan
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-13468",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-01T10:27:58.697452Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-01T10:32:06.575Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Visualizer \u2013 Tables \u0026 Charts Manager with Built-in AI Generator",
          "vendor": "themeisle",
          "versions": [
            {
              "lessThanOrEqual": "4.0.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Niv Kochan"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Visualizer \u2013 Tables \u0026 Charts Manager with Built-in AI Generator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to access and export the contents of any visualizer chart on the site \u2014 including charts in draft, private, pending, future, or trash status \u2014 as CSV, Excel, or HTML via the /wp-json/visualizer/v1/action/{chart}/{type}/ REST endpoint. This bypass is particularly impactful because the standard WordPress REST endpoint for the non-public \u0027visualizer\u0027 custom post type correctly enforces capability checks and returns HTTP 401 to unauthenticated callers, whereas this plugin-registered route circumvents that protection entirely."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-01T03:43:35.375Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/45dbcc5e-2746-4a55-a1d1-a7c67fa2950e?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/visualizer/tags/4.0.3/classes/Visualizer/Module/Frontend.php#L155"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/visualizer/tags/4.0.3/classes/Visualizer/Module.php#L182"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/visualizer/tags/4.0.3/classes/Visualizer/Module/Frontend.php#L219"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/visualizer/tags/4.0.1/classes/Visualizer/Module/Frontend.php#L155"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/visualizer/tags/4.0.1/classes/Visualizer/Module.php#L182"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/visualizer/tags/4.0.1/classes/Visualizer/Module/Frontend.php#L219"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3591310%40visualizer\u0026new=3591310%40visualizer\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-26T21:00:34.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-06-30T15:03:18.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Visualizer \u003c= 4.0.3 - Missing Authorization to Unauthenticated Sensitive Information Disclosure via /visualizer/v1/action/{chart}/{type}/ REST Endpoint"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-13468",
    "datePublished": "2026-07-01T03:43:35.375Z",
    "dateReserved": "2026-06-26T20:45:25.868Z",
    "dateUpdated": "2026-07-01T10:32:06.575Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-12432 (GCVE-0-2026-12432)

Vulnerability from cvelistv5 – Published: 2026-06-27 06:50 – Updated: 2026-06-29 13:50
VLAI?
Title
Stripe Payment Forms by WP Full Pay <= 8.4.3 - Missing Authorization to Unauthenticated Payment Record Manipulation via 'paymentIntentId' Parameter
Summary
The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfs_update_failed_payment_status AJAX action. The handler is registered through both wp_ajax_ and wp_ajax_nopriv_ hooks and the underlying update_failed_payment_status() function performs no capability check, no nonce verification, and no logged-in check before calling $this->db->updatePaymentByEventId() with attacker-controlled POST parameters. This makes it possible for unauthenticated attackers who can obtain a valid Stripe Payment Intent ID for the target site (Payment Intent IDs are exposed to the customer browser during normal Stripe.js checkout flows) to manipulate payment records in the site's database, marking previously successful payments as failed and overwriting failure codes and messages with attacker-supplied values.
CWE
Assigner
Credits
Netwurm
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12432",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-29T13:50:40.970266Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-29T13:50:52.725Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Stripe Payment Forms by WP Full Pay \u2013 Accept Credit Card Payments, Donations \u0026 Subscriptions",
          "vendor": "themeisle",
          "versions": [
            {
              "lessThanOrEqual": "8.4.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Netwurm"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfs_update_failed_payment_status AJAX action. The handler is registered through both wp_ajax_ and wp_ajax_nopriv_ hooks and the underlying update_failed_payment_status() function performs no capability check, no nonce verification, and no logged-in check before calling $this-\u003edb-\u003eupdatePaymentByEventId() with attacker-controlled POST parameters. This makes it possible for unauthenticated attackers who can obtain a valid Stripe Payment Intent ID for the target site (Payment Intent IDs are exposed to the customer browser during normal Stripe.js checkout flows) to manipulate payment records in the site\u0027s database, marking previously successful payments as failed and overwriting failure codes and messages with attacker-supplied values."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-27T06:50:59.039Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c5811d13-0c5d-4a10-86a1-6318cc2e7663?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.3/includes/wpfs-customer.php#L3865"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.3/includes/wpfs-customer.php#L706"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.3/includes/wpfs-customer.php#L3840"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.3/includes/wpfs-database.php#L2652"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.1/includes/wpfs-customer.php#L3865"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.1/includes/wpfs-customer.php#L706"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.1/includes/wpfs-customer.php#L3840"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wp-full-stripe-free/tags/8.4.1/includes/wpfs-database.php#L2652"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3584355%40wp-full-stripe-free\u0026new=3584355%40wp-full-stripe-free\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-16T18:27:19.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-06-26T18:04:03.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Stripe Payment Forms by WP Full Pay \u003c= 8.4.3 - Missing Authorization to Unauthenticated Payment Record Manipulation via \u0027paymentIntentId\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-12432",
    "datePublished": "2026-06-27T06:50:59.039Z",
    "dateReserved": "2026-06-16T18:12:09.808Z",
    "dateUpdated": "2026-06-29T13:50:52.725Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-57618 (GCVE-0-2026-57618)

Vulnerability from cvelistv5 – Published: 2026-06-26 14:53 – Updated: 2026-06-26 16:42
VLAI?
Title
WordPress Neve PRO theme <= 3.1.2 - Cross Site Scripting (XSS) vulnerability
Summary
Contributor Cross Site Scripting (XSS) in Neve PRO <= 3.1.2 versions.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
Themeisle Neve PRO Affected: n/a , ≤ 3.1.2 (custom)
Create a notification for this product.
Credits
João Pedro S Alcântara (Kinorth) | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-57618",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-26T16:42:13.392006Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-26T16:42:20.403Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/themes",
          "defaultStatus": "unaffected",
          "packageName": "neve-pro-addon",
          "product": "Neve PRO",
          "vendor": "Themeisle",
          "versions": [
            {
              "changes": [
                {
                  "at": "3.1.3",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.1.2",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Contributor Cross Site Scripting (XSS) in Neve PRO \u003c= 3.1.2 versions."
            }
          ],
          "value": "Contributor Cross Site Scripting (XSS) in Neve PRO \u003c= 3.1.2 versions."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-588",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-588 DOM-Based XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-26T14:53:05.913Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/theme/neve-pro-addon/vulnerability/wordpress-neve-pro-theme-3-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress Neve PRO Theme to the latest available version (at least 3.1.3)."
            }
          ],
          "value": "Update the WordPress Neve PRO Theme to the latest available version (at least 3.1.3)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Neve PRO theme \u003c= 3.1.2 - Cross Site Scripting (XSS) vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2026-57618",
    "datePublished": "2026-06-26T14:53:05.913Z",
    "dateReserved": "2026-06-25T08:03:02.838Z",
    "dateUpdated": "2026-06-26T16:42:20.403Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-56050 (GCVE-0-2026-56050)

Vulnerability from cvelistv5 – Published: 2026-06-25 13:34 – Updated: 2026-06-25 14:03 X_Open Source
VLAI?
Title
WordPress PPOM for WooCommerce plugin <= 33.0.18 - Broken Access Control vulnerability
Summary
Improper Access Control vulnerability in Themeisle PPOM for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PPOM for WooCommerce: from n/a through 33.0.18.
CWE
  • CWE-284 - Improper Access Control
Assigner
Impacted products
Vendor Product Version
Themeisle PPOM for WooCommerce Affected: n/a , ≤ 33.0.18 (custom)
Create a notification for this product.
Credits
HaiND | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-56050",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-25T14:02:58.936299Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-25T14:03:06.564Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "woocommerce-product-addon",
          "product": "PPOM for WooCommerce",
          "vendor": "Themeisle",
          "versions": [
            {
              "changes": [
                {
                  "at": "34.0.0",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "33.0.18",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "HaiND | Patchstack Bug Bounty Program"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Access Control vulnerability in Themeisle PPOM for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects PPOM for WooCommerce: from n/a through 33.0.18.\u003c/p\u003e"
            }
          ],
          "value": "Improper Access Control vulnerability in Themeisle PPOM for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.\n\nThis issue affects PPOM for WooCommerce: from n/a through 33.0.18."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-284",
              "description": "CWE-284 Improper Access Control",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-25T13:34:41.354Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/woocommerce-product-addon/vulnerability/wordpress-ppom-for-woocommerce-plugin-33-0-18-broken-access-control-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress PPOM for WooCommerce Plugin to the latest available version (at least 34.0.0)."
            }
          ],
          "value": "Update the WordPress PPOM for WooCommerce Plugin to the latest available version (at least 34.0.0)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "WordPress PPOM for WooCommerce plugin \u003c= 33.0.18 - Broken Access Control vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2026-56050",
    "datePublished": "2026-06-25T13:34:41.354Z",
    "dateReserved": "2026-06-18T14:37:51.351Z",
    "dateUpdated": "2026-06-25T14:03:06.564Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-11358 (GCVE-0-2026-11358)

Vulnerability from cvelistv5 – Published: 2026-06-18 05:34 – Updated: 2026-06-18 13:53
VLAI?
Title
Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More <= 3.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu-item-icon' Parameter
Summary
The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Credits
Meher Sudhakar Abbireddi
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-11358",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-18T13:21:22.036842Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-18T13:53:33.659Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts \u0026 More",
          "vendor": "themeisle",
          "versions": [
            {
              "lessThanOrEqual": "3.0.6",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Meher Sudhakar Abbireddi"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts \u0026 More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-18T05:34:26.440Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/beb1268c-b680-4ebe-8fe2-65f656390038?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/3.0.6/obfx_modules/menu-icons/init.php#L118"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/3.0.6/obfx_modules/menu-icons/init.php#L296"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/3.0.5/obfx_modules/menu-icons/init.php#L118"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/themeisle-companion/tags/3.0.5/obfx_modules/menu-icons/init.php#L296"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3574306%40themeisle-companion\u0026new=3574306%40themeisle-companion\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-06-05T11:50:11.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-06-17T16:48:45.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts \u0026 More \u003c= 3.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via \u0027menu-item-icon\u0027 Parameter"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-11358",
    "datePublished": "2026-06-18T05:34:26.440Z",
    "dateReserved": "2026-06-05T11:35:00.908Z",
    "dateUpdated": "2026-06-18T13:53:33.659Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42378 (GCVE-0-2026-42378)

Vulnerability from cvelistv5 – Published: 2026-06-15 20:18 – Updated: 2026-06-16 17:11
VLAI?
Title
WordPress WP Full Stripe Free plugin <= 8.4.1 - Broken Authentication vulnerability
Summary
Subscriber Broken Authentication in WP Full Stripe Free <= 8.4.1 versions.
CWE
  • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
Impacted products
Vendor Product Version
Themeisle WP Full Stripe Free Affected: n/a , ≤ 8.4.1 (custom)
Create a notification for this product.
Credits
hhhai | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42378",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-16T13:29:48.938212Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-16T17:11:08.675Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "wp-full-stripe-free",
          "product": "WP Full Stripe Free",
          "vendor": "Themeisle",
          "versions": [
            {
              "changes": [
                {
                  "at": "8.4.2",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "8.4.1",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "hhhai | Patchstack Bug Bounty Program"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Subscriber Broken Authentication in WP Full Stripe Free \u003c= 8.4.1 versions."
            }
          ],
          "value": "Subscriber Broken Authentication in WP Full Stripe Free \u003c= 8.4.1 versions."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-50",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-50 Password Recovery Exploitation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-288",
              "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T20:18:32.060Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/wp-full-stripe-free/vulnerability/wordpress-wp-full-stripe-free-plugin-8-4-1-broken-authentication-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress WP Full Stripe Free Plugin to the latest available version (at least 8.4.2)."
            }
          ],
          "value": "Update the WordPress WP Full Stripe Free Plugin to the latest available version (at least 8.4.2)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress WP Full Stripe Free plugin \u003c= 8.4.1 - Broken Authentication vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2026-42378",
    "datePublished": "2026-06-15T20:18:32.060Z",
    "dateReserved": "2026-04-27T08:22:05.095Z",
    "dateUpdated": "2026-06-16T17:11:08.675Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-39507 (GCVE-0-2026-39507)

Vulnerability from cvelistv5 – Published: 2026-06-15 20:17 – Updated: 2026-06-16 17:11
VLAI?
Title
WordPress Social Slider Feed plugin <= 2.3.2 - Cross Site Scripting (XSS) vulnerability
Summary
Unauthenticated Cross Site Scripting (XSS) in Social Slider Feed <= 2.3.2 versions.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
Themeisle Social Slider Feed Affected: n/a , ≤ 2.3.2 (custom)
Create a notification for this product.
Credits
Nguyen Ba Khanh | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-39507",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-16T13:29:57.035853Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-16T17:11:48.235Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "instagram-slider-widget",
          "product": "Social Slider Feed",
          "vendor": "Themeisle",
          "versions": [
            {
              "changes": [
                {
                  "at": "2.3.3",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "2.3.2",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Unauthenticated Cross Site Scripting (XSS) in Social Slider Feed \u003c= 2.3.2 versions."
            }
          ],
          "value": "Unauthenticated Cross Site Scripting (XSS) in Social Slider Feed \u003c= 2.3.2 versions."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-592 Stored XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T20:17:56.914Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/instagram-slider-widget/vulnerability/wordpress-social-slider-feed-plugin-2-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress Social Slider Feed Plugin to the latest available version (at least 2.3.3)."
            }
          ],
          "value": "Update the WordPress Social Slider Feed Plugin to the latest available version (at least 2.3.3)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Social Slider Feed plugin \u003c= 2.3.2 - Cross Site Scripting (XSS) vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2026-39507",
    "datePublished": "2026-06-15T20:17:56.914Z",
    "dateReserved": "2026-04-07T10:47:50.136Z",
    "dateUpdated": "2026-06-16T17:11:48.235Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-23970 (GCVE-0-2026-23970)

Vulnerability from cvelistv5 – Published: 2026-06-15 20:17 – Updated: 2026-06-16 14:19
VLAI?
Title
WordPress Redirection for Contact Form 7 plugin <= 3.2.8 - Cross Site Scripting (XSS) vulnerability
Summary
Unauthenticated Cross Site Scripting (XSS) in Redirection for Contact Form 7 <= 3.2.8 versions.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
Themeisle Redirection for Contact Form 7 Affected: n/a , ≤ 3.2.8 (custom)
Create a notification for this product.
Credits
JongHwan Shin | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-23970",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-16T14:18:51.698776Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-16T14:19:01.623Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "wpcf7-redirect",
          "product": "Redirection for Contact Form 7",
          "vendor": "Themeisle",
          "versions": [
            {
              "changes": [
                {
                  "at": "3.2.9",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "3.2.8",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "JongHwan Shin | Patchstack Bug Bounty Program"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Unauthenticated Cross Site Scripting (XSS) in Redirection for Contact Form 7 \u003c= 3.2.8 versions."
            }
          ],
          "value": "Unauthenticated Cross Site Scripting (XSS) in Redirection for Contact Form 7 \u003c= 3.2.8 versions."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-592 Stored XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T20:17:30.879Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/wpcf7-redirect/vulnerability/wordpress-redirection-for-contact-form-7-plugin-3-2-8-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress Redirection for Contact Form 7 Plugin to the latest available version (at least 3.2.9)."
            }
          ],
          "value": "Update the WordPress Redirection for Contact Form 7 Plugin to the latest available version (at least 3.2.9)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Redirection for Contact Form 7 plugin \u003c= 3.2.8 - Cross Site Scripting (XSS) vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2026-23970",
    "datePublished": "2026-06-15T20:17:30.879Z",
    "dateReserved": "2026-01-19T16:14:52.936Z",
    "dateUpdated": "2026-06-16T14:19:01.623Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2017-20251 (GCVE-0-2017-20251)

Vulnerability from cvelistv5 – Published: 2026-06-09 11:48 – Updated: 2026-06-09 16:13 Unsupported When Assigned
VLAI?
Title
WordPress Insert PHP Plugin 4.7.0 PHP Code Injection via REST API
Summary
WordPress Insert PHP plugin versions before 3.3.1 contain a PHP code injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious shortcodes through the WordPress REST API. Attackers can send POST requests to the wp-json/wp/v2/posts endpoint with crafted content containing insert_php shortcodes to include and execute remote PHP files on the server.
CWE
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
Impacted products
Vendor Product Version
Themeisle Woody Code Snippets Affected: 0 , < 3.3.1 (semver)
Create a notification for this product.
Credits
sucuri.net @sucurisecurity
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2017-20251",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-09T16:13:44.753300Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-09T16:13:54.058Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Woody Code Snippets",
          "vendor": "Themeisle",
          "versions": [
            {
              "lessThan": "3.3.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:cm-wp:woody_code_snippets:*:*:*:*:*:wordpress:*:*",
                  "versionEndExcluding": "3.3.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "sucuri.net @sucurisecurity"
        }
      ],
      "datePublic": "2017-02-09T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "WordPress Insert PHP plugin versions before 3.3.1 contain a PHP code injection vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious shortcodes through the WordPress REST API. Attackers can send POST requests to the wp-json/wp/v2/posts endpoint with crafted content containing insert_php shortcodes to include and execute remote PHP files on the server."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS"
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-09T11:48:39.195Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "ExploitDB-41308",
          "tags": [
            "exploit"
          ],
          "url": "https://www.exploit-db.com/exploits/41308"
        },
        {
          "name": "Official Product Homepage",
          "tags": [
            "product"
          ],
          "url": "https://fr.wordpress.org/plugins/insert-php/"
        },
        {
          "name": "VulnCheck Advisory: WordPress Insert PHP Plugin 4.7.0 PHP Code Injection via REST API",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/wordpress-insert-php-plugin-php-code-injection-via-rest-api"
        }
      ],
      "tags": [
        "unsupported-when-assigned"
      ],
      "title": "WordPress Insert PHP Plugin 4.7.0 PHP Code Injection via REST API",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2017-20251",
    "datePublished": "2026-06-09T11:48:39.195Z",
    "dateReserved": "2026-06-08T11:54:25.459Z",
    "dateUpdated": "2026-06-09T16:13:54.058Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8976 (GCVE-0-2026-8976)

Vulnerability from cvelistv5 – Published: 2026-06-05 23:28 – Updated: 2026-06-06 11:45
VLAI?
Title
RSS Aggregator by Feedzy <= 5.1.7 - Missing Authorization to Authenticated (Contributor+) Import Job Creation, Execution, Purge, Log Clearing, and Information Disclosure via Multiple AJAX Sub-Actions
Summary
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to create and execute RSS import jobs, purge (force-delete) all posts associated with any import job, clear import error logs, and enumerate taxonomy terms and post meta_key names. The nonce required to reach these sub-handlers is leaked to any user with the edit_posts capability via the feedzyjs localized script injected into the block editor, meaning no privileged nonce theft or separate exploit step is required for Contributor-level users.
CWE
Assigner
Credits
Jack Pas
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8976",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-06T11:35:57.294756Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-06T11:45:36.299Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "RSS Aggregator by Feedzy \u2013 Feed to Post, Autoblogging, News \u0026 YouTube Video Feeds Aggregator",
          "vendor": "themeisle",
          "versions": [
            {
              "lessThanOrEqual": "5.1.7",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Jack Pas"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The RSS Aggregator by Feedzy \u2013 Feed to Post, Autoblogging, News \u0026 YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to create and execute RSS import jobs, purge (force-delete) all posts associated with any import job, clear import error logs, and enumerate taxonomy terms and post meta_key names. The nonce required to reach these sub-handlers is leaked to any user with the edit_posts capability via the feedzyjs localized script injected into the block editor, meaning no privileged nonce theft or separate exploit step is required for Contributor-level users."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-05T23:28:28.396Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e495c215-2e01-4a37-aca3-99a067c46791?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.5/includes/admin/feedzy-rss-feeds-import.php#L1256"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.5/includes/admin/feedzy-rss-feeds-import.php#L3718"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.5/includes/admin/feedzy-rss-feeds-import.php#L1400"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.5/includes/admin/feedzy-rss-feeds-import.php#L4090"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.5/includes/admin/feedzy-rss-feeds-import.php#L4184"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.5/includes/admin/feedzy-rss-feeds-import.php#L1365"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.5/includes/admin/feedzy-rss-feeds-import.php#L3891"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.5/includes/admin/feedzy-rss-feeds-import.php#L1436"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.5/includes/gutenberg/feedzy-rss-feeds-gutenberg-block.php#L78"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.5/includes/feedzy-rss-feeds.php#L241"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.2/includes/admin/feedzy-rss-feeds-import.php#L1256"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.2/includes/admin/feedzy-rss-feeds-import.php#L3718"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.2/includes/admin/feedzy-rss-feeds-import.php#L1400"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.2/includes/admin/feedzy-rss-feeds-import.php#L4090"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.2/includes/admin/feedzy-rss-feeds-import.php#L4184"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.2/includes/admin/feedzy-rss-feeds-import.php#L1365"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.2/includes/admin/feedzy-rss-feeds-import.php#L3891"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.2/includes/admin/feedzy-rss-feeds-import.php#L1436"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.2/includes/gutenberg/feedzy-rss-feeds-gutenberg-block.php#L78"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.2/includes/feedzy-rss-feeds.php#L241"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3552062%40feedzy-rss-feeds\u0026new=3552062%40feedzy-rss-feeds\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-19T13:15:18.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-06-05T10:46:18.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "RSS Aggregator by Feedzy \u003c= 5.1.7 - Missing Authorization to Authenticated (Contributor+) Import Job Creation, Execution, Purge, Log Clearing, and Information Disclosure via Multiple AJAX Sub-Actions"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-8976",
    "datePublished": "2026-06-05T23:28:28.396Z",
    "dateReserved": "2026-05-19T13:00:07.936Z",
    "dateUpdated": "2026-06-06T11:45:36.299Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-53209 (GCVE-0-2025-53209)

Vulnerability from cvelistv5 – Published: 2026-06-02 09:43 – Updated: 2026-06-02 10:43
VLAI?
Title
WordPress Masteriyo LMS PRO plugin <= 2.20.0 - Privilege Escalation Vulnerability
Summary
Incorrect Privilege Assignment vulnerability in Themeisle Masteriyo LMS PRO allows Privilege Escalation. This issue affects Masteriyo LMS PRO: from n/a through 2.20.0.
CWE
  • CWE-266 - Incorrect Privilege Assignment
Assigner
Impacted products
Vendor Product Version
Themeisle Masteriyo LMS PRO Affected: n/a , ≤ 2.20.0 (custom)
Create a notification for this product.
Credits
0xd4rk5id3 | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-53209",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-02T10:36:33.120285Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-02T10:43:09.589Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Masteriyo LMS PRO",
          "vendor": "Themeisle",
          "versions": [
            {
              "changes": [
                {
                  "at": "2.20.1",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "2.20.0",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "0xd4rk5id3 | Patchstack Bug Bounty Program"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Incorrect Privilege Assignment vulnerability in Themeisle Masteriyo LMS PRO allows Privilege Escalation.\u003cp\u003eThis issue affects Masteriyo LMS PRO: from n/a through 2.20.0.\u003c/p\u003e"
            }
          ],
          "value": "Incorrect Privilege Assignment vulnerability in Themeisle Masteriyo LMS PRO allows Privilege Escalation.\n\nThis issue affects Masteriyo LMS PRO: from n/a through 2.20.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-233",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-233 Privilege Escalation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-266",
              "description": "CWE-266 Incorrect Privilege Assignment",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-02T09:43:20.577Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/learning-management-system-pro/vulnerability/wordpress-masteriyo-lms-pro-2-20-0-privilege-escalation-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress Masteriyo LMS PRO plugin to the latest available version (at least 2.20.1)."
            }
          ],
          "value": "Update the WordPress Masteriyo LMS PRO plugin to the latest available version (at least 2.20.1)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Masteriyo LMS PRO plugin \u003c= 2.20.0  - Privilege Escalation Vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-53209",
    "datePublished": "2026-06-02T09:43:20.577Z",
    "dateReserved": "2025-06-27T10:27:45.005Z",
    "dateUpdated": "2026-06-02T10:43:09.589Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-8689 (GCVE-0-2026-8689)

Vulnerability from cvelistv5 – Published: 2026-05-28 07:43 – Updated: 2026-05-28 10:32
VLAI?
Title
Visualizer: Tables and Charts Manager for WordPress <= 3.11.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Chart Creation and Modification via renderChartPages() and uploadData() Functions
Summary
The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.11.14. This is due to a missing capability check on the renderChartPages() and uploadData() functions, where the wp_ajax_visualizer-create-chart and wp_ajax_visualizer-edit-chart AJAX actions invoke renderChartPages() without any current_user_can() check, and wp_ajax_visualizer-upload-data invokes uploadData() which also lacks a capability check and validates its nonce without an action argument, making it trivially bypassable. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary chart posts and access or modify chart data belonging to other users, including administrators.
CWE
Assigner
Impacted products
Credits
David Fernández Morilla
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-8689",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-28T10:10:48.268434Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-28T10:32:10.513Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Visualizer: Tables and Charts Manager for WordPress",
          "vendor": "themeisle",
          "versions": [
            {
              "lessThanOrEqual": "3.11.14",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "David Fern\u00e1ndez Morilla"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.11.14. This is due to a missing capability check on the renderChartPages() and uploadData() functions, where the wp_ajax_visualizer-create-chart and wp_ajax_visualizer-edit-chart AJAX actions invoke renderChartPages() without any current_user_can() check, and wp_ajax_visualizer-upload-data invokes uploadData() which also lacks a capability check and validates its nonce without an action argument, making it trivially bypassable. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary chart posts and access or modify chart data belonging to other users, including administrators."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-28T07:43:43.470Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d18e9696-0f96-4478-9871-a93ac2976c11?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/visualizer/tags/4.0.1/classes/Visualizer/Module/Chart.php#L531"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/visualizer/tags/4.0.1/classes/Visualizer/Module/Chart.php#L1221"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/visualizer/tags/4.0.1/classes/Visualizer/Module/Chart.php#L56"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/visualizer/tags/3.11.14/classes/Visualizer/Module/Chart.php#L531"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/visualizer/tags/3.11.14/classes/Visualizer/Module/Chart.php#L1221"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/visualizer/tags/3.11.14/classes/Visualizer/Module/Chart.php#L56"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3474710"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-15T14:56:45.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-05-27T19:31:18.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Visualizer: Tables and Charts Manager for WordPress \u003c= 3.11.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Chart Creation and Modification via renderChartPages() and uploadData() Functions"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-8689",
    "datePublished": "2026-05-28T07:43:43.470Z",
    "dateReserved": "2026-05-15T14:41:35.110Z",
    "dateUpdated": "2026-05-28T10:32:10.513Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-42749 (GCVE-0-2026-42749)

Vulnerability from cvelistv5 – Published: 2026-05-27 09:49 – Updated: 2026-05-27 10:50
VLAI?
Title
WordPress Disable Comments for Any Post Types (Remove comments) plugin <= 1.3.0 - Broken Authentication vulnerability
Summary
Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeisle Disable Comments for Any Post Types (Remove comments) comments-plus allows Password Recovery Exploitation.This issue affects Disable Comments for Any Post Types (Remove comments): from n/a through <= 1.3.0.
CWE
  • CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
Impacted products
Credits
dodoh4t | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42749",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-27T10:43:47.087462Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-27T10:50:05.078Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "comments-plus",
          "product": "Disable Comments for Any Post Types (Remove comments)",
          "vendor": "Themeisle",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.3.1",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.3.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "dodoh4t | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-05-27T11:08:56.205Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeisle Disable Comments for Any Post Types (Remove comments) comments-plus allows Password Recovery Exploitation.\u003cp\u003eThis issue affects Disable Comments for Any Post Types (Remove comments): from n/a through \u003c= 1.3.0.\u003c/p\u003e"
            }
          ],
          "value": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeisle Disable Comments for Any Post Types (Remove comments) comments-plus allows Password Recovery Exploitation.This issue affects Disable Comments for Any Post Types (Remove comments): from n/a through \u003c= 1.3.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-50",
          "descriptions": [
            {
              "lang": "en",
              "value": "Password Recovery Exploitation"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-288",
              "description": "Authentication Bypass Using an Alternate Path or Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-27T09:49:05.501Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/comments-plus/vulnerability/wordpress-disable-comments-for-any-post-types-remove-comments-plugin-1-3-0-broken-authentication-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress Disable Comments for Any Post Types (Remove comments) plugin \u003c= 1.3.0 - Broken Authentication vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2026-42749",
    "datePublished": "2026-05-27T09:49:05.501Z",
    "dateReserved": "2026-04-29T09:05:35.592Z",
    "dateUpdated": "2026-05-27T10:50:05.078Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-24573 (GCVE-0-2026-24573)

Vulnerability from cvelistv5 – Published: 2026-05-20 12:54 – Updated: 2026-05-20 13:48 X_Open Source
VLAI?
Title
WordPress Visualizer plugin < 4.0.0 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle Visualizer allows Stored XSS. This issue affects Visualizer: from n/a before 4.0.0.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
Themeisle Visualizer Affected: n/a , < 4.0.0 (custom)
Create a notification for this product.
Credits
Doan Dinh Van | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-24573",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-20T13:48:24.845893Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-20T13:48:33.272Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "visualizer",
          "product": "Visualizer",
          "vendor": "Themeisle",
          "versions": [
            {
              "changes": [
                {
                  "at": "4.0.0",
                  "status": "unaffected"
                }
              ],
              "lessThan": "4.0.0",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Doan Dinh Van | Patchstack Bug Bounty Program"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Themeisle Visualizer allows Stored XSS.\u003cp\u003eThis issue affects Visualizer: from n/a before 4.0.0.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Themeisle Visualizer allows Stored XSS.\n\nThis issue affects Visualizer: from n/a before 4.0.0."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-592 Stored XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-20T12:54:04.638Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/wordpress/plugin/visualizer/vulnerability/wordpress-visualizer-plugin-4-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update the WordPress Visualizer Plugin to the latest available version (at least 4.0.0)."
            }
          ],
          "value": "Update the WordPress Visualizer Plugin to the latest available version (at least 4.0.0)."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "WordPress Visualizer plugin \u003c 4.0.0 - Cross Site Scripting (XSS) vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2026-24573",
    "datePublished": "2026-05-20T12:54:04.638Z",
    "dateReserved": "2026-01-23T12:32:02.838Z",
    "dateUpdated": "2026-05-20T13:48:33.272Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2892 (GCVE-0-2026-2892)

Vulnerability from cvelistv5 – Published: 2026-04-30 13:28 – Updated: 2026-05-01 16:38
VLAI?
Title
Otter Blocks <= 3.1.4 - Improper Authorization to Unauthenticated Purchase Verification Bypass via Forged Cookie
Summary
The Otter Blocks plugin for WordPress is vulnerable to Purchase Verification Bypass in all versions up to, and including, 3.1.4. This is due to the 'get_customer_data' method relying on an unsigned 'o_stripe_data' cookie to determine Stripe product ownership for unauthenticated users. The 'check_purchase' method trusts this cookie data without performing server-side verification against the Stripe API for one-time 'payment' mode purchases. This makes it possible for unauthenticated attackers to bypass Stripe purchase-gated content visibility conditions by forging the 'o_stripe_data' cookie with a target product ID, which is publicly exposed in the checkout block's HTML source.
CWE
Assigner
Credits
Drew Webber
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2892",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-01T16:06:00.958329Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-01T16:38:40.570Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Otter Blocks \u2013 Gutenberg Blocks, Page Builder for Gutenberg Editor \u0026 FSE",
          "vendor": "themeisle",
          "versions": [
            {
              "lessThanOrEqual": "3.1.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Drew Webber"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Otter Blocks plugin for WordPress is vulnerable to Purchase Verification Bypass in all versions up to, and including, 3.1.4. This is due to the \u0027get_customer_data\u0027 method relying on an unsigned \u0027o_stripe_data\u0027 cookie to determine Stripe product ownership for unauthenticated users. The \u0027check_purchase\u0027 method trusts this cookie data without performing server-side verification against the Stripe API for one-time \u0027payment\u0027 mode purchases. This makes it possible for unauthenticated attackers to bypass Stripe purchase-gated content visibility conditions by forging the \u0027o_stripe_data\u0027 cookie with a target product ID, which is publicly exposed in the checkout block\u0027s HTML source."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285 Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-30T13:28:21.322Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3443950f-1f94-4e0b-8906-1a9b9602a746?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/otter-blocks/trunk/inc/plugins/class-stripe-api.php#L260"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/otter-blocks/trunk/inc/plugins/class-stripe-api.php#L284"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/otter-blocks/trunk/inc/plugins/class-block-conditions.php#L274"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3471326/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-20T18:35:32.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-04-29T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Otter Blocks \u003c= 3.1.4 - Improper Authorization to Unauthenticated Purchase Verification Bypass via Forged Cookie"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-2892",
    "datePublished": "2026-04-30T13:28:21.322Z",
    "dateReserved": "2026-02-20T18:15:09.231Z",
    "dateUpdated": "2026-05-01T16:38:40.570Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25366 (GCVE-0-2026-25366)

Vulnerability from cvelistv5 – Published: 2026-03-25 16:14 – Updated: 2026-04-28 16:14
VLAI?
Title
WordPress Woody ad snippets plugin <= 2.7.1 - Remote Code Execution (RCE) vulnerability
Summary
Improper Control of Generation of Code ('Code Injection') vulnerability in Themeisle Woody ad snippets insert-php allows Code Injection.This issue affects Woody ad snippets: from n/a through <= 2.7.1.
CWE
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
Impacted products
Vendor Product Version
Themeisle Woody ad snippets Affected: 0 , ≤ 2.7.1 (custom)
Create a notification for this product.
Credits
Nguyen Ba Khanh | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25366",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-25T19:54:20.568181Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-28T01:36:11.477Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "insert-php",
          "product": "Woody ad snippets",
          "vendor": "Themeisle",
          "versions": [
            {
              "changes": [
                {
                  "at": "2.7.2",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "2.7.1",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-22T14:18:26.018Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Themeisle Woody ad snippets insert-php allows Code Injection.\u003cp\u003eThis issue affects Woody ad snippets: from n/a through \u003c= 2.7.1.\u003c/p\u003e"
            }
          ],
          "value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Themeisle Woody ad snippets insert-php allows Code Injection.This issue affects Woody ad snippets: from n/a through \u003c= 2.7.1."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-242",
          "descriptions": [
            {
              "lang": "en",
              "value": "Code Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:14:56.667Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/insert-php/vulnerability/wordpress-woody-ad-snippets-plugin-2-7-1-remote-code-execution-rce-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress Woody ad snippets plugin \u003c= 2.7.1 - Remote Code Execution (RCE) vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2026-25366",
    "datePublished": "2026-03-25T16:14:45.830Z",
    "dateReserved": "2026-02-02T12:52:55.300Z",
    "dateUpdated": "2026-04-28T16:14:56.667Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2410 (GCVE-0-2026-2410)

Vulnerability from cvelistv5 – Published: 2026-02-25 09:26 – Updated: 2026-04-08 17:16
VLAI?
Title
Disable Admin Notices – Hide Dashboard Notifications <= 1.4.2 - Cross-Site Request Forgery to Plugin Settings Update
Summary
The Disable Admin Notices – Hide Dashboard Notifications plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing nonce validation in the `showPageContent()` function. This makes it possible for unauthenticated attackers to add arbitrary URLs to the blocked redirects list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Impacted products
Credits
Lukasz Sobanski
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2410",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-25T21:11:14.917207Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-25T21:11:38.154Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Disable Admin Notices \u2013 Hide Dashboard Notifications",
          "vendor": "themeisle",
          "versions": [
            {
              "lessThanOrEqual": "1.4.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Lukasz Sobanski"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Disable Admin Notices \u2013 Hide Dashboard Notifications plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing nonce validation in the `showPageContent()` function. This makes it possible for unauthenticated attackers to add arbitrary URLs to the blocked redirects list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:16:33.594Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3011679-51e8-4a13-8364-1d0723656d08?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/disable-admin-notices/tags/1.4.2/admin/pages/class-pages-edit-redirects.php#L103"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/disable-admin-notices/trunk/admin/pages/class-pages-edit-redirects.php#L103"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3463239/disable-admin-notices/trunk/admin/pages/class-pages-edit-redirects.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-12T15:34:23.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-02-24T20:56:18.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Disable Admin Notices \u2013 Hide Dashboard Notifications \u003c= 1.4.2 - Cross-Site Request Forgery to Plugin Settings Update"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-2410",
    "datePublished": "2026-02-25T09:26:50.985Z",
    "dateReserved": "2026-02-12T15:19:11.579Z",
    "dateUpdated": "2026-04-08T17:16:33.594Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1319 (GCVE-0-2026-1319)

Vulnerability from cvelistv5 – Published: 2026-02-05 08:25 – Updated: 2026-04-08 16:43
VLAI?
Title
Robin Image Optimizer <= 2.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Image Alternative Text Field
Summary
The Robin Image Optimizer – Unlimited Image Optimization & WebP Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Alternative Text' field of a Media Library image in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Credits
Vincent Theriault-Laine
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1319",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-05T15:04:08.798174Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-05T15:04:21.778Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Robin Image Optimizer \u2013 Unlimited Image Optimization \u0026 WebP Converter",
          "vendor": "themeisle",
          "versions": [
            {
              "lessThanOrEqual": "2.0.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Vincent Theriault-Laine"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Robin Image Optimizer \u2013 Unlimited Image Optimization \u0026 WebP Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027Alternative Text\u0027 field of a Media Library image in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:43:09.605Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/288cd86b-8d13-46bf-99ef-76698cd62a41?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3445467/robin-image-optimizer/tags/2.0.3/libs/addons/includes/classes/webp/vendor/rosell-dk/dom-util-for-webp/src/PictureTags.php"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-01-22T01:03:33.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-02-04T19:32:21.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Robin Image Optimizer \u003c= 2.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Image Alternative Text Field"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1319",
    "datePublished": "2026-02-05T08:25:43.231Z",
    "dateReserved": "2026-01-22T00:47:13.386Z",
    "dateUpdated": "2026-04-08T16:43:09.605Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-1755 (GCVE-0-2026-1755)

Vulnerability from cvelistv5 – Published: 2026-02-03 22:22 – Updated: 2026-04-08 16:44
VLAI?
Title
Menu Icons by ThemeIsle <= 0.13.20 - Authenticated (Author+) Stored Cross-Site Scripting
Summary
The Menu Icons by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_wp_attachment_image_alt’ post meta in all versions up to, and including, 0.13.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
themeisle Menu Icons by ThemeIsle Affected: 0 , ≤ 0.13.20 (semver)
Create a notification for this product.
Credits
Lukasz Sobanski
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-1755",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-04T14:33:46.300321Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-04T14:35:12.337Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Menu Icons by ThemeIsle",
          "vendor": "themeisle",
          "versions": [
            {
              "lessThanOrEqual": "0.13.20",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Lukasz Sobanski"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Menu Icons by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u2018_wp_attachment_image_alt\u2019 post meta in all versions up to, and including, 0.13.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:44:55.712Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/30bfa616-c7f3-4ff0-85b3-468debc8a73e?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/menu-icons/tags/0.13.20/includes/front.php#L497"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3452685/menu-icons"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2026-02-02T10:08:31.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2026-02-03T09:50:11.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Menu Icons by ThemeIsle \u003c= 0.13.20 - Authenticated (Author+) Stored Cross-Site Scripting"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2026-1755",
    "datePublished": "2026-02-03T22:22:47.333Z",
    "dateReserved": "2026-02-02T09:51:51.317Z",
    "dateUpdated": "2026-04-08T16:44:55.712Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-14800 (GCVE-0-2025-14800)

Vulnerability from cvelistv5 – Published: 2025-12-21 07:31 – Updated: 2026-04-08 17:16
VLAI?
Title
Redirection for Contact Form 7 <= 3.2.7 - Unauthenticated Arbitrary File Copy via move_file_to_upload
Summary
The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'move_file_to_upload' function in all versions up to, and including, 3.2.7. This makes it possible for unauthenticated attackers to copy arbitrary files on the affected site's server. If 'allow_url_fopen' is set to 'On', it is possible to upload a remote file to the server.
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
Impacted products
Vendor Product Version
themeisle Redirection for Contact Form 7 Affected: 0 , ≤ 3.2.7 (semver)
Create a notification for this product.
Credits
LionTree
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-14800",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-22T16:36:55.828131Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-22T16:37:02.508Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Redirection for Contact Form 7",
          "vendor": "themeisle",
          "versions": [
            {
              "lessThanOrEqual": "3.2.7",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "LionTree"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the \u0027move_file_to_upload\u0027 function in all versions up to, and including, 3.2.7. This makes it possible for unauthenticated attackers to copy arbitrary files on the affected site\u0027s server. If \u0027allow_url_fopen\u0027 is set to \u0027On\u0027, it is possible to upload a remote file to the server."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:16:25.117Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b249ec90-a364-4644-94fb-d42eb6cc4d9a?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3423970/wpcf7-redirect"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/wpcf7-redirect/tags/3.2.7/classes/class-wpcf7r-save-files.php#L180"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-12-16T20:38:59.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2025-12-20T18:43:20.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Redirection for Contact Form 7 \u003c= 3.2.7 - Unauthenticated Arbitrary File Copy via move_file_to_upload"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-14800",
    "datePublished": "2025-12-21T07:31:11.089Z",
    "dateReserved": "2025-12-16T20:20:41.998Z",
    "dateUpdated": "2026-04-08T17:16:25.117Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-13794 (GCVE-0-2025-13794)

Vulnerability from cvelistv5 – Published: 2025-12-16 05:25 – Updated: 2026-04-08 16:43
VLAI?
Title
Auto Featured Image <= 4.2.1 - Missing Authorization to Authenticated (Contributor+) Post Thumbnail Modification
Summary
The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bulk_action_generate_handler function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete or generate featured images on posts they do not own.
CWE
Assigner
Impacted products
Credits
Dmitrii Ignatyev
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-13794",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-16T17:38:10.133552Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-16T17:41:43.192Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Auto Featured Image (Auto Post Thumbnail)",
          "vendor": "themeisle",
          "versions": [
            {
              "lessThanOrEqual": "4.2.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dmitrii Ignatyev"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Auto Featured Image (Auto Post Thumbnail) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bulk_action_generate_handler function in all versions up to, and including, 4.2.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete or generate featured images on posts they do not own."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:43:21.304Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/29b0fd97-a669-42bb-b01e-bdc0395d697e?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/auto-post-thumbnail/tags/4.2.1/includes/class-plugin.php#L425"
        },
        {
          "url": "https://research.cleantalk.org/cve-2025-13794/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-11-19T00:00:00.000Z",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2025-11-30T12:38:10.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2025-12-15T16:51:43.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Auto Featured Image \u003c= 4.2.1 - Missing Authorization to Authenticated (Contributor+) Post Thumbnail Modification"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-13794",
    "datePublished": "2025-12-16T05:25:19.785Z",
    "dateReserved": "2025-11-30T12:22:33.208Z",
    "dateUpdated": "2026-04-08T16:43:21.304Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-11467 (GCVE-0-2025-11467)

Vulnerability from cvelistv5 – Published: 2025-12-11 01:55 – Updated: 2026-04-08 16:54
VLAI?
Title
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 5.1.1 - Unauthenticated Blind Server-Side Request Forgery
Summary
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 5.1.1 via the feedzy_lazy_load function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
CWE
  • CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
Credits
Lucas Montes
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-11467",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-11T15:34:23.524101Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-11T15:34:28.633Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "RSS Aggregator by Feedzy \u2013 Feed to Post, Autoblogging, News \u0026 YouTube Video Feeds Aggregator",
          "vendor": "themeisle",
          "versions": [
            {
              "lessThanOrEqual": "5.1.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Lucas Montes"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The RSS Aggregator by Feedzy \u2013 Feed to Post, Autoblogging, News \u0026 YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 5.1.1 via the feedzy_lazy_load function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:54:19.734Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5754dce7-6b47-4490-a04a-7eabfded0720?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/tags/5.1.0/includes/abstract/feedzy-rss-feeds-admin-abstract.php#L551"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-10-02T00:00:00.000Z",
          "value": "Discovered"
        },
        {
          "lang": "en",
          "time": "2025-10-07T21:09:10.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2025-12-10T12:23:54.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "RSS Aggregator by Feedzy \u2013 Feed to Post, Autoblogging, News \u0026 YouTube Video Feeds Aggregator \u003c= 5.1.1 - Unauthenticated Blind Server-Side Request Forgery"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-11467",
    "datePublished": "2025-12-11T01:55:32.407Z",
    "dateReserved": "2025-10-07T20:51:21.871Z",
    "dateUpdated": "2026-04-08T16:54:19.734Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-12483 (GCVE-0-2025-12483)

Vulnerability from cvelistv5 – Published: 2025-12-02 06:40 – Updated: 2026-04-08 17:09
VLAI?
Title
Visualizer: Tables and Charts Manager for WordPress <= 3.11.12 - Authenticated (Contributor+) SQL Injection
Summary
The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'query' parameter in all versions up to, and including, 3.11.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Version 3.11.13 raises the minimum user-level for exploitation to administrator. 3.11.14 fully patches the vulnerability.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
Impacted products
Credits
Rafshanzani Suhada
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-12483",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-02T14:05:44.915097Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-07T17:09:52.388Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Visualizer: Tables and Charts Manager for WordPress",
          "vendor": "themeisle",
          "versions": [
            {
              "lessThanOrEqual": "3.11.12",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Rafshanzani Suhada"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to SQL Injection via the \u0027query\u0027 parameter in all versions up to, and including, 3.11.12 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Version 3.11.13 raises the minimum user-level for exploitation to administrator. 3.11.14 fully patches the vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:09:50.361Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/94392c66-6e50-48bb-93cb-9aa9d0229761?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/visualizer/tags/3.11.12/classes/Visualizer/Gutenberg/Block.php#L499"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/visualizer/tags/3.11.12/classes/Visualizer/Source/Query.php#L173"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3405160%40visualizer%2Ftrunk\u0026old=3355840%40visualizer%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-10-29T18:21:25.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2025-12-01T17:52:15.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Visualizer: Tables and Charts Manager for WordPress \u003c= 3.11.12 - Authenticated (Contributor+) SQL Injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-12483",
    "datePublished": "2025-12-02T06:40:25.668Z",
    "dateReserved": "2025-10-29T18:05:54.435Z",
    "dateUpdated": "2026-04-08T17:09:50.361Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-66069 (GCVE-0-2025-66069)

Vulnerability from cvelistv5 – Published: 2025-11-21 12:29 – Updated: 2026-04-28 16:14
VLAI?
Title
WordPress PPOM for WooCommerce plugin <= 33.0.16 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in Themeisle PPOM for WooCommerce woocommerce-product-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PPOM for WooCommerce: from n/a through <= 33.0.16.
CWE
Assigner
Impacted products
Vendor Product Version
Themeisle PPOM for WooCommerce Affected: 0 , ≤ 33.0.16 (custom)
Create a notification for this product.
Credits
Legion Hunter | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-66069",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-21T16:40:15.058297Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-27T17:16:08.229Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "woocommerce-product-addon",
          "product": "PPOM for WooCommerce",
          "vendor": "Themeisle",
          "versions": [
            {
              "changes": [
                {
                  "at": "33.0.17",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "33.0.16",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Legion Hunter | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-22T14:24:30.126Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Missing Authorization vulnerability in Themeisle PPOM for WooCommerce woocommerce-product-addon allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects PPOM for WooCommerce: from n/a through \u003c= 33.0.16.\u003c/p\u003e"
            }
          ],
          "value": "Missing Authorization vulnerability in Themeisle PPOM for WooCommerce woocommerce-product-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PPOM for WooCommerce: from n/a through \u003c= 33.0.16."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-180",
          "descriptions": [
            {
              "lang": "en",
              "value": "Exploiting Incorrectly Configured Access Control Security Levels"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:14:15.729Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/woocommerce-product-addon/vulnerability/wordpress-ppom-for-woocommerce-plugin-33-0-16-broken-access-control-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress PPOM for WooCommerce plugin \u003c= 33.0.16 - Broken Access Control vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-66069",
    "datePublished": "2025-11-21T12:29:56.025Z",
    "dateReserved": "2025-11-21T11:20:46.955Z",
    "dateUpdated": "2026-04-28T16:14:15.729Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-12045 (GCVE-0-2025-12045)

Vulnerability from cvelistv5 – Published: 2025-11-04 11:19 – Updated: 2026-04-08 16:36
VLAI?
Title
Orbit Fox Companion <= 3.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Post Taxonomy
Summary
The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the category and tag 'name' parameters in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Credits
Dmitrii Ignatyev
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-12045",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-11-04T18:53:18.230614Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-11-04T18:53:30.602Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts \u0026 More",
          "vendor": "themeisle",
          "versions": [
            {
              "lessThanOrEqual": "3.0.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dmitrii Ignatyev"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts \u0026 More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the category and tag \u0027name\u0027 parameters in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:36:40.296Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/139a264b-082b-45db-ac9e-4974bf86c56f?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/themeisle-companion/trunk/obfx_modules/elementor-extra-widgets/widgets/elementor/posts-grid.php#L1912"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/themeisle-companion/trunk/obfx_modules/elementor-extra-widgets/widgets/elementor/posts-grid.php#L1878"
        },
        {
          "url": "https://research.cleantalk.org/cve-2025-12045/"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3388856/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-10-21T19:56:59.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2025-11-03T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Orbit Fox Companion \u003c= 3.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Post Taxonomy"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-12045",
    "datePublished": "2025-11-04T11:19:27.966Z",
    "dateReserved": "2025-10-21T19:37:36.665Z",
    "dateUpdated": "2026-04-08T16:36:40.296Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-9322 (GCVE-0-2025-9322)

Vulnerability from cvelistv5 – Published: 2025-10-25 06:49 – Updated: 2026-04-08 17:05
VLAI?
Title
Stripe Payment Forms <= 8.3.1 - Unauthenticated SQL Injection
Summary
The Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions plugin for WordPress is vulnerable to SQL Injection via the 'wpfs-form-name' parameter in all versions up to, and including, 8.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
Credits
Michael Mazzolini
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-9322",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-27T15:44:15.155761Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-27T15:44:23.530Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Stripe Payment Forms by WP Full Pay \u2013 Accept Credit Card Payments, Donations \u0026 Subscriptions",
          "vendor": "themeisle",
          "versions": [
            {
              "lessThanOrEqual": "8.3.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Michael Mazzolini"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Stripe Payment Forms by WP Full Pay \u2013 Accept Credit Card Payments, Donations \u0026 Subscriptions plugin for WordPress is vulnerable to SQL Injection via the \u0027wpfs-form-name\u0027 parameter in all versions up to, and including, 8.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:05:16.912Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/886b612a-d0d1-4880-b423-eb62410a28cd?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3378785%40wp-full-stripe-free\u0026new=3378785%40wp-full-stripe-free\u0026sfp_email=\u0026sfph_mail=#file6"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-09-26T20:26:17.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2025-10-24T18:16:58.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Stripe Payment Forms \u003c= 8.3.1 - Unauthenticated SQL Injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-9322",
    "datePublished": "2025-10-25T06:49:23.256Z",
    "dateReserved": "2025-08-21T19:32:17.388Z",
    "dateUpdated": "2026-04-08T17:05:16.912Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-11128 (GCVE-0-2025-11128)

Vulnerability from cvelistv5 – Published: 2025-10-23 12:32 – Updated: 2026-04-08 17:20
VLAI?
Title
Feedzy RSS Feeds Lite <= 5.1.0 - Authenticated (Subscriber+) Server-Side Request Forgery
Summary
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.1.0 via the 'feedzy_sanitize_feeds' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query information from internal services.
CWE
  • CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
Credits
Lucas Montes
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-11128",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-23T13:38:55.005647Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-23T13:39:12.823Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "RSS Aggregator by Feedzy \u2013 Feed to Post, Autoblogging, News \u0026 YouTube Video Feeds Aggregator",
          "vendor": "themeisle",
          "versions": [
            {
              "lessThanOrEqual": "5.1.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Lucas Montes"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The RSS Aggregator by Feedzy \u2013 Feed to Post, Autoblogging, News \u0026 YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.1.0 via the \u0027feedzy_sanitize_feeds\u0027 function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query information from internal services."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:20:21.392Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c33ec58f-3e83-425a-9f0f-5e529be15e05?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/trunk/includes/gutenberg/feedzy-rss-feeds-gutenberg-block.php#L280"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/trunk/includes/gutenberg/feedzy-rss-feeds-gutenberg-block.php#L309"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/trunk/includes/gutenberg/feedzy-rss-feeds-gutenberg-block.php#L336"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/feedzy-rss-feeds/trunk/includes/gutenberg/feedzy-rss-feeds-gutenberg-block.php#L399"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3378828/"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-09-27T22:08:01.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2025-10-22T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Feedzy RSS Feeds Lite \u003c= 5.1.0 - Authenticated (Subscriber+) Server-Side Request Forgery"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-11128",
    "datePublished": "2025-10-23T12:32:32.611Z",
    "dateReserved": "2025-09-27T21:52:08.932Z",
    "dateUpdated": "2026-04-08T17:20:21.392Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-11691 (GCVE-0-2025-11691)

Vulnerability from cvelistv5 – Published: 2025-10-18 06:42 – Updated: 2026-04-08 17:31
VLAI?
Title
PPOM – Product Addons & Custom Fields for WooCommerce <= 33.0.15 - Unauthenticated SQL Injection
Summary
The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the PPOM_Meta::get_fields_by_id() function in all versions up to, and including, 33.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable when the Enable Legacy Price Calculations setting is enabled.
CWE
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
Impacted products
Credits
Talal Nasraddeen
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-11691",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-20T17:56:07.756295Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-20T17:59:48.112Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PPOM \u2013 Product Addons \u0026 Custom Fields for WooCommerce",
          "vendor": "themeisle",
          "versions": [
            {
              "lessThanOrEqual": "33.0.15",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Talal Nasraddeen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The PPOM \u2013 Product Addons \u0026 Custom Fields for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the PPOM_Meta::get_fields_by_id() function in all versions up to, and including, 33.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable when the Enable Legacy Price Calculations setting is enabled."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:31:52.371Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eefcc290-b7f7-4cf0-9ccc-db4c883d6426?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/woocommerce-product-addon/trunk/classes/ppom.class.php#L337"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3379431%40woocommerce-product-addon\u0026new=3379431%40woocommerce-product-addon\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-10-14T17:24:49.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2025-10-17T18:11:36.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "PPOM \u2013 Product Addons \u0026 Custom Fields for WooCommerce \u003c= 33.0.15 - Unauthenticated SQL Injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-11691",
    "datePublished": "2025-10-18T06:42:49.184Z",
    "dateReserved": "2025-10-13T15:24:04.178Z",
    "dateUpdated": "2026-04-08T17:31:52.371Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-11391 (GCVE-0-2025-11391)

Vulnerability from cvelistv5 – Published: 2025-10-18 06:42 – Updated: 2026-04-08 17:24
VLAI?
Title
PPOM – Product Addons & Custom Fields for WooCommerce <= 33.0.15 - Unauthenticated Arbitrary File Upload
Summary
The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image cropper functionality in all versions up to, and including, 33.0.15. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. While the vulnerable code is in the free version, this only affected users with the paid version of the software installed and activated.
CWE
  • CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
Impacted products
Credits
Talal Nasraddeen
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-11391",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-20T18:30:31.634936Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-20T18:30:53.727Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PPOM \u2013 Product Addons \u0026 Custom Fields for WooCommerce",
          "vendor": "themeisle",
          "versions": [
            {
              "lessThanOrEqual": "33.0.15",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Talal Nasraddeen"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The PPOM \u2013 Product Addons \u0026 Custom Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image cropper functionality in all versions up to, and including, 33.0.15. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site\u0027s server which may make remote code execution possible. While the vulnerable code is in the free version, this only affected users with the paid version of the software installed and activated."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:24:40.895Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cf851bed-f5d8-44e2-810d-906ba3d3c1c5?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/woocommerce-product-addon/trunk/inc/hooks.php#L45"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3379431%40woocommerce-product-addon\u0026new=3379431%40woocommerce-product-addon\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-10-06T20:07:14.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2025-10-17T18:09:32.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "PPOM \u2013 Product Addons \u0026 Custom Fields for WooCommerce \u003c= 33.0.15 - Unauthenticated Arbitrary File Upload"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2025-11391",
    "datePublished": "2025-10-18T06:42:48.390Z",
    "dateReserved": "2025-10-06T20:04:27.764Z",
    "dateUpdated": "2026-04-08T17:24:40.895Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}