CVE-2026-1830
Published 2026-04-09
Priority: P279 · Critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: EPSS 3.09% (86.1th percentile)
The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| davidfcarr | quick_playground | <= 1.3.1 | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated POST requests to the REST API endpoint /wp-json/quickplayground/v1/upload_image/ — this is the upload vector used to deliver PHP webshells via path traversal.
- Detect path traversal sequences (e.g., '../../../') in the 'filename' field of JSON payloads sent to the Quick Playground REST API upload endpoint.
- Alert on PHP files appearing in the WordPress web root (outside of expected plugin/theme directories) following requests to the Quick Playground upload endpoint — these are dropped webshells.
- Detect unauthenticated retrieval of the sync code via REST API endpoints on the Quick Playground plugin, which is a prerequisite step before the file upload attack.
- Look for base64-encoded PHP webshell content in JSON POST bodies targeting the Quick Playground upload endpoint, specifically the 'base64' and 'sync_code' fields.
- Flag GET requests to newly created .php files in the WordPress root directory with a 'cmd' query parameter, indicating webshell execution attempts post-upload.
- The exploit requires a known or retrieved sync code ('sync_code' field in the JSON payload). The sync code is stored in the WordPress option 'qckply_sync_code_default' and can be fetched unauthenticated via the REST API before the upload step.
- All versions up to and including 1.3.1 of the Quick Playground plugin are vulnerable; a patched version exists per vendor disclosure.
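The indicators above, expressed as detection logic over request records. This is an added example, not code from the advisory, the plugin or any detection-rule source on this page. It assumes a reverse proxy or WAF log that exposes method, path, query string, the JSON request body and whether a WordPress session cookie was present (the `authenticated` flag is that assumption); the request records below are constructed samples, not captured traffic. The endpoint path and the `filename`, `base64`, `sync_code` and `cmd` names come from the indicators above.

```python
"""Detection logic for the Quick Playground indicators (added example).

Assumes a proxy/WAF log with method, path, query, JSON body and a flag
for "a WordPress auth cookie was present". All sample records below are
constructed for illustration; the sync code and file names are placeholders.
"""
import base64
import json
import re
from dataclasses import dataclass, field

UPLOAD_ENDPOINT = "/wp-json/quickplayground/v1/upload_image/"
# Plain and URL-encoded traversal sequences in either slash style.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%2e%2e%2f)", re.IGNORECASE)


@dataclass
class Request:
    method: str
    path: str
    query: dict = field(default_factory=dict)
    body: str = ""
    authenticated: bool = False  # assumption: proxy records whether a WP session cookie was sent


def _decodes_to_php(b64: str) -> bool:
    """True if a base64 string decodes to content that begins with a PHP open tag."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (ValueError, TypeError):
        return False
    return raw.lstrip().lower().startswith(b"<?php")


def detect(req: Request) -> list:
    """Return the names of the indicators a single request matches (empty list if none)."""
    hits = []
    if req.method == "POST" and req.path.rstrip("/") == UPLOAD_ENDPOINT.rstrip("/"):
        # Indicator: unauthenticated POST to the upload endpoint.
        if not req.authenticated:
            hits.append("unauth_upload_endpoint")
        try:
            payload = json.loads(req.body) if req.body else {}
        except json.JSONDecodeError:
            payload = {}
        if isinstance(payload, dict):
            # Indicator: traversal sequence in the 'filename' field.
            if TRAVERSAL.search(str(payload.get("filename", ""))):
                hits.append("traversal_in_filename")
            # Indicator: 'base64' field carrying PHP alongside a 'sync_code' field.
            if "sync_code" in payload and _decodes_to_php(str(payload.get("base64", ""))):
                hits.append("php_in_base64_body")
    # Indicator: GET to a .php file directly under the web root with a 'cmd' parameter.
    # Plugin/theme paths are deeper than the root and deliberately do not match.
    if req.method == "GET" and re.fullmatch(r"/[^/]+\.php", req.path) and "cmd" in req.query:
        hits.append("webroot_php_with_cmd")
    return hits


# Constructed sample records (not real traffic).
SAMPLES = {
    "benign_rest_read": Request("GET", "/wp-json/wp/v2/posts"),
    "upload_traversal": Request(
        "POST", UPLOAD_ENDPOINT,
        body=json.dumps({
            "filename": "../../../sample.php",  # constructed traversal sequence
            "base64": base64.b64encode(b"<?php /* constructed sample, not a real payload */").decode(),
            "sync_code": "PLACEHOLDER_SYNC_CODE",  # placeholder, not a real value
        }),
    ),
    "upload_legit_authenticated": Request(
        "POST", UPLOAD_ENDPOINT, authenticated=True,
        body=json.dumps({
            "filename": "photo.png",
            "base64": base64.b64encode(b"\x89PNG\r\n\x1a\n constructed").decode(),
            "sync_code": "PLACEHOLDER_SYNC_CODE",
        }),
    ),
    "webshell_call": Request("GET", "/sample.php", query={"cmd": "placeholder"}),
    "deep_php_with_cmd": Request("GET", "/wp-content/plugins/x/y.php", query={"cmd": "placeholder"}),
}


def run_samples() -> dict:
    """Run every constructed sample through detect() and return {name: indicators}."""
    return {name: detect(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name}: {hits or 'no indicators'}")
```

The upload checks are cumulative on purpose: an unauthenticated POST to the endpoint alone is a weak signal on a site that uses the plugin, while the same request carrying a traversal sequence and a PHP payload is a strong one, so a rule consumer can weight the returned indicator names rather than treating every hit equally.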
No detection rules found.
Wiz
CVE-2026-3781 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 [CRITICAL]
## CVE-2026-3781: WordPress vulnerability analysis and mitigation
The Attendance Manager plugin for WordPress is vulnerable to SQL Injection via the 'attmgr_off' parameter in all versions up to, and including, 0.6.2. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source: NVD
Score: 5.4
Published: April 8, 2026
Severity: MEDIUM
CNA Score: 5.4
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Explo
Wiz
CVE-2026-4654 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 [CRITICAL]
## CVE-2026-4654: WordPress vulnerability analysis and mitigation
The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 6.3.7. This is due to the wpas_get_ticket_replies_ajax() function failing to verify whether the authenticated user has permission to view the specific ticket being requested. This makes it possible for authenticated attackers, with subscriber-level access and above, to access sensitive information from all support tickets in the system by manipulating the ticket_id parameter.
Source: NVD
Score: 5.3
Published: April 8, 2026
Severity: MEDIUM
CNA Score: 5.3
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release D
Wiz
CVE-2026-4141 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 [CRITICAL]
## CVE-2026-4141: WordPress vulnerability analysis and mitigation
The Quran Translations plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation in the quran_playlist_options() function that handles the plugin's settings page. The function processes POST requests to update plugin options via update_option() without any wp_nonce_field() in the form or wp_verify_nonce()/check_admin_referer() verification before processing. This makes it possible for unauthenticated attackers to modify plugin settings (toggling display options for PDF, RSS, podcast, media player links, playlist title, and playlist code) via a forged request granted they can trick a site administrator into performing an action such a
Wiz
CVE-2026-3568 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 4.3 [MEDIUM]
## CVE-2026-3568: WordPress vulnerability analysis and mitigation
The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the update_user_profile() function in controllers/flutter-user.php processing the 'meta_data' JSON parameter without any allowlist, blocklist, or validation of meta keys. The function reads raw JSON from php://input (line 1012), decodes it (line 1013), authenticates the user via cookie validation (line 1015), and then directly iterates over the user-supplied meta_data array passing arbitrary keys and values to update_user_meta() (line 1080) with no sanitization or restrictions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify
Wiz
CVE-2026-2263 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 [CRITICAL]
## CVE-2026-2263: WordPress vulnerability analysis and mitigation
The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hustle_module_converted' AJAX action in all versions up to, and including, 7.8.10.2. This makes it possible for unauthenticated attackers to forge conversion tracking events for any Hustle module, including draft modules that are never displayed to users, thereby manipulating marketing analytics and conversion statistics.
Source: NVD
Score: 5.3
Published: April 8, 2026
Severity: MEDIUM
CNA Score: 5.3
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitati
Wiz
CVE-2026-3396 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 [CRITICAL]
## CVE-2026-3396: WordPress vulnerability analysis and mitigation
WCAPF – WooCommerce Ajax Product Filter plugin is vulnerable to time-based SQL Injection via the 'post-author' parameter in all versions up to, and including, 4.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source: NVD
Score: 7.5
Published: April 8, 2026
Severity: HIGH
CNA Score: 7.5
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPS
Wiz
CVE-2026-3142 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 [CRITICAL]
## CVE-2026-3142: WordPress vulnerability analysis and mitigation
The Pinterest Site Verification plugin using Meta Tag plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_var' parameter in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD
Score: 6.4
Published: April 8, 2026
Severity: MEDIUM
CNA Score: 6.4
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS) 13
Exploitation Probabili
Wiz
CVE-2025-14732 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.4 [MEDIUM]
## CVE-2025-14732: WordPress vulnerability analysis and mitigation
The Elementor Website Builder – More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widget parameters in all versions up to, and including, 3.35.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD
Score: 6.4
Published: April 8, 2026
Severity: MEDIUM
CNA Score: 6.4
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS) 1
Explo
Wiz
CVE-2026-3499 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 [CRITICAL]
## CVE-2026-3499: WordPress vulnerability analysis and mitigation
The Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 13.4.6 through 13.5.2.1. This is due to missing or incorrect nonce validation on the ajax_migrate_to_custom_post_type, ajax_adt_clear_custom_attributes_product_meta_keys, ajax_update_file_url_to_lower_case, ajax_use_legacy_filters_and_rules, and ajax_fix_duplicate_feed functions. This makes it possible for unauthenticated attackers to trigger feed migration, clear custom-attribute transient caches, rewrite feed file URLs to lowercase, toggle legacy filter and rule settings, and delete duplicated feed posts via a forged request granted they can trick a site administra
Wiz
CVE-2026-3594 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 [CRITICAL]
## CVE-2026-3594: WordPress vulnerability analysis and mitigation
The Riaxe Product Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4 via the '/wp-json/InkXEProductDesignerLite/orders' REST API endpoint. The endpoint is registered with 'permission_callback' set to '__return_true', meaning no authentication or authorization checks are performed. The endpoint queries WooCommerce order data from the database and returns it to the requester, including customer first and last names, customer IDs, order IDs, order totals, order dates, currencies, and order statuses. This makes it possible for unauthenticated attackers to extract sensitive customer and order information from the WooCommerce store.
Source: NVD
Score: 5.3
Wiz
CVE-2026-3311 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 [CRITICAL]
## CVE-2026-3311: WordPress vulnerability analysis and mitigation
The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Progress Bar shortcode in all versions up to, and including, 6.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD
Score: 6.4
Published: April 8, 2026
Severity: MEDIUM
CNA Score: 6.4
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date
Wiz
CVE-2026-3600 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 [CRITICAL]
## CVE-2026-3600: WordPress vulnerability analysis and mitigation
The Investi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'investi-announcements-accordion' shortcode's 'maximum-num-years' attribute in all versions up to, and including, 1.0.26. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the 'maximum-num-years' attribute value is read directly from shortcode attributes and interpolated into a double-quoted HTML attribute without any escaping (no esc_attr(), htmlspecialchars(), or similar). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
S
Wiz
CVE-2026-4394 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 [CRITICAL]
## CVE-2026-4394: WordPress vulnerability analysis and mitigation
Referenced identifiers: `input_.4`, `get_value_entry_detail()`, `GF_Field_CreditCard`, `get_value_save_entry()`
Source: NVD
Score: 6.1
Published: April 8, 2026
Severity: MEDIUM
CNA Score: 6.1
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 23.2
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: gravityforms
Sources: NVD
## Related WordPress vulnerabilities:
Columns: CVE ID, Severity, Score, Technologies, Component name, CISA KEV exploit, Has fix, Publishe
Wiz
CVE-2026-3513 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 [CRITICAL]
## CVE-2026-3513: WordPress vulnerability analysis and mitigation
The TableOn – WordPress Posts Table Filterable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tableon_button' shortcode in all versions up to and including 1.0.4.4. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'class', 'help_link', 'popup_title', and 'help_title'. The do_shortcode_button() function extracts these attributes without sanitization and passes them to TABLEON_HELPER::draw_html_item(), which concatenates attribute values into HTML using single quotes without escaping (line 29: $item .= " {$key}='{$value}'"). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitra
Wiz
CVE-2026-3618 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 [CRITICAL]
## CVE-2026-3618: WordPress vulnerability analysis and mitigation
The Columns by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the [print_clmns] shortcode in all versions up to and including 1.0.3. This is due to insufficient input sanitization and output escaping on the 'id' attribute. The shortcode receives the 'id' parameter via shortcode_atts() at line 596 and directly embeds it into HTML output at line 731 (in a div id attribute) and into inline CSS at lines 672-729 without any escaping or sanitization. While the SQL query uses %d to cast the value to an integer for database lookup, the original unsanitized string value of $id is still used in the HTML/CSS output. This makes it possible for authenticated attackers,
Wiz
CVE-2026-1672 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.5 [MEDIUM]
## CVE-2026-1672: WordPress vulnerability analysis and mitigation
The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_redraw_table_row() function. This makes it possible for unauthenticated attackers to update WooCommerce product data including prices, descriptions, and other product fields via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link.
Source: NVD
Score: 6.5
Published: April 8, 2026
Severity: MEDIUM
CNA Score: 6.5
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
Wiz
CVE-2026-4079 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 [CRITICAL]
## CVE-2026-4079: WordPress vulnerability analysis and mitigation
The SQL Chart Builder WordPress plugin before 2.3.8 does not properly escape user input as it is concatenated to SQL queries, making it possible for attackers to conduct SQL Injection attacks against the dynamic filter functionality.
Source: NVD
Score: 6.5
Published: April 7, 2026
Severity: MEDIUM
CNA Score: 6.5
Affected Technologies: WordPress
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 9.1
Exploitation Probability (EPSS): N/A
Affected packages and libraries: sql-chart-builder
Sources: NVD
Wiz
CVE-2026-3177 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 [CRITICAL]
## CVE-2026-3177: WordPress vulnerability analysis and mitigation
The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 1.8.9.7. This is due to missing cryptographic verification of incoming Stripe webhook events. This makes it possible for unauthenticated attackers to forge payment_intent.succeeded webhook payloads and mark pending donations as completed without a real payment.
Source: NVD
Score: 5.3
Published: April 7, 2026
Severity: MEDIUM
CNA Score: 5.3
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile
Wiz
CVE-2026-1673 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 4.3 [MEDIUM]
## CVE-2026-1673: WordPress vulnerability analysis and mitigation
The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobe_delete_tax_term() function. This makes it possible for unauthenticated attackers to delete WooCommerce taxonomy terms (categories, tags, etc.) via a forged request granted they can trick a site administrator or shop manager into performing an action such as clicking on a link.
Source: NVD
Score: 4.3
Published: April 8, 2026
Severity: MEDIUM
CNA Score: 4.3
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CIS
Wiz
CVE-2026-5436 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.1 [HIGH]
## CVE-2026-5436: WordPress vulnerability analysis and mitigation
The MW WP Form plugin for WordPress is vulnerable to Arbitrary File Move/Read in all versions up to and including 5.1.1. This is due to insufficient validation of the $name parameter (upload field key) passed to the generate_user_file_dirpath() function, which uses WordPress's path_join() — a function that returns absolute paths unchanged, discarding the intended base directory. The attacker-controlled key is injected via the mwf_upload_files[] POST parameter, which is loaded into the plugin's Data model via _set_request_valiables(). During form processing, regenerate_upload_file_keys() iterates over these keys and calls generate_user_filepath() with the attacker-supplied key as the $name argument — the key survives valid
Wiz
CVE-2026-5465 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 [CRITICAL]
## CVE-2026-5465: WordPress vulnerability analysis and mitigation
Referenced identifiers: `UpdateProviderCommandHandler`, `externalId`, `wp_set_password()`, `wp_update_user()`
Source: NVD
Score: 8.8
Published: April 7, 2026
Severity: HIGH
CNA Score: 8.8
Affected Technologies: WordPress
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 15.5
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: ameliabooking
Sources: NVD
## Related WordPress vulnerabilities:
Columns: CVE ID, Severity, Score, Technologies, Component name, CISA KEV exploit, Has f
Wiz
CVE-2026-4379 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 [CRITICAL]
## CVE-2026-4379: WordPress vulnerability analysis and mitigation
Referenced identifiers: `group`, `[gallery]`
Source: NVD
Score: 6.4
Published: April 8, 2026
Severity: MEDIUM
CNA Score: 6.4
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 1.1
Exploitation Probability (EPSS): N/A
Affected packages and libraries: wp-jquery-lightbox
Sources: NVD
## Related WordPress vulnerabilities:
| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2026-1830 | CRITICAL | 9.8 | WordPress | quick-playgr | | | |
Wiz
CVE-2026-3646 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 [CRITICAL]
## CVE-2026-3646: WordPress vulnerability analysis and mitigation
The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress is vulnerable to Missing Authorization via the plugin's webhook handler in all versions up to, and including, 3.3.13. This is due to missing authentication, authorization, and nonce verification on a standalone PHP file that directly processes GET parameters and updates WordPress options. This makes it possible for unauthenticated attackers to modify the plugin's subscription plan settings, effectively downgrading the store from a paid plan to the Trial Plan, changing the store type, and manipulating subscription expiration dates, potentially disabling premium features such as Dropship and Hazardous Material handling.
Source: NVD
Score: 5.3
Publis
Wiz
CVE-2026-1865 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 [CRITICAL]
## CVE-2026-1865: WordPress vulnerability analysis and mitigation
The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to SQL Injection via the ‘membership_ids[]’ parameter in all versions up to, and including, 5.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source: NVD
Score: 6.5
Published: April 8, 2026
Severity: MEDIUM
CNA Score: 6.5
Affected T
Wiz
CVE-2026-3239 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 [CRITICAL]
## CVE-2026-3239: WordPress vulnerability analysis and mitigation
The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's testimonial_view shortcode in all versions up to, and including, 3.2.21 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD
Score: 6.4
Published: April 8, 2026
Severity: MEDIUM
CNA Score: 6.4
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 8.2
Wiz
CVE-2026-5357 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 [CRITICAL]
## CVE-2026-5357: WordPress vulnerability analysis and mitigation
The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sid' parameter of the 'wpdm_members' shortcode in versions up to and including 3.3.52. This is due to insufficient input sanitization and output escaping on the user-supplied 'sid' shortcode attribute. The sid parameter is extracted without sanitization in the members() function and stored via update_post_meta(), then echoed directly into an HTML id attribute in the members.php template without applying esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page.
Source: NVD
## 6
Wiz
CVE-2026-5169 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 [CRITICAL]
## CVE-2026-5169: WordPress vulnerability analysis and mitigation
The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Form Header' field in versions up to and including 1.0. This is due to insufficient input sanitization when saving via update_option() and lack of output escaping when displaying the stored value. The vulnerability exists in two locations: (1) the plugin settings page at inq_form.php line 180 where the value is echoed into an HTML attribute without esc_attr(), and (2) the front-end shortcode output at inquery_form_to_posts_or_pages.php line 139 where the value is output in HTML content without esc_html(). This makes it possible for authenticated attackers with administrator-level access to inject arbitrary web scr
Wiz
CVE-2025-1794 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.4 [MEDIUM]
## CVE-2025-1794: WordPress vulnerability analysis and mitigation
The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded SVG files in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD
Score: 5.4
Published: April 8, 2026
Severity: MEDIUM
CNA Score: 5.4
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 8.2
Exploitation Probability (EPSS): N/A
Affected packages and
Wiz
CVE-2026-4333 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 [CRITICAL]
## CVE-2026-4333: WordPress vulnerability analysis and mitigation
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'skin' attribute of the learn_press_courses shortcode in all versions up to and including 4.3.3. This is due to insufficient input sanitization and output escaping on the 'skin' shortcode attribute. The attribute value is used directly in an sprintf() call that generates HTML (class attribute and data-layout attribute) without any esc_attr() escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD
Score: 6.4
Published: April 8, 2026
Severity MEDI
Wiz
CVE-2026-3574 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 [CRITICAL]
## CVE-2026-3574: WordPress vulnerability analysis and mitigation
The Experto Dashboard for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's settings fields (including 'Navigation Font Size', 'Navigation Font Weight', 'Heading Font Size', 'Heading Font Weight', 'Text Font Size', and 'Text Font Weight') in all versions up to and including 1.0.4. This is due to insufficient input sanitization (no sanitize callback in register_setting()) and missing output escaping (no esc_attr() in the field_callback() printf output) on user-supplied values. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in the plugin settings page that will execute whenever a user accesses the set
Wiz
CVE-2026-2519 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 [CRITICAL]
## CVE-2026-2519: WordPress vulnerability analysis and mitigation
The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to price manipulation via the 'tips' parameter in all versions up to, and including, 27.0. This is due to the plugin trusting a user-supplied input without server-side validation against the configured price. This makes it possible for unauthenticated attackers to submit a negative number to the 'tips' parameter, causing the total price to be reduced to zero.
Source : NVD
Score: 5.3 (CNA Score: 5.3) | Severity: MEDIUM | Published: April 9, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): N/A
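The Bookly entry is a price-manipulation bug rather than an injection: the server adds whatever the client sends in 'tips' to the total. The added example below is not Bookly code; it shows a booking total computed entirely server-side, with the tip validated as a non-negative decimal against the configured price. The service catalogue, the cap on tips and the request shapes are constructed for the demonstration.

```php
<?php
// Added example, not Bookly code. Server-side total for a booking: the client
// picks a service and proposes a tip, the price comes from configuration and
// the tip is validated before it is applied. SERVICE_PRICES, MAX_TIP_RATIO and
// the 'tips' request key are assumptions for the demo.

const SERVICE_PRICES = ['haircut' => 40.00, 'massage' => 90.00];  // constructed catalogue
const MAX_TIP_RATIO  = 1.0;  // a tip larger than the service itself is treated as abuse

// Vulnerable shape from the description: the user-supplied 'tips' value is
// trusted and added to the total, so a negative tip drives the total to zero.
function total_vulnerable(array $request): float {
    $base = SERVICE_PRICES[$request['service']] ?? 0.0;
    return max(0.0, $base + (float) $request['tips']);
}

// Hardened: accept only an unsigned decimal with at most two places (no sign,
// no exponent, no "NaN"), cap it, and never accept a client-supplied total.
function validate_tip($raw, float $base): float {
    if (!is_string($raw) && !is_int($raw) && !is_float($raw)) {
        throw new InvalidArgumentException('tip must be a number');
    }
    if (!preg_match('/^\d+(\.\d{1,2})?$/', (string) $raw)) {
        throw new InvalidArgumentException('tip must be a non-negative amount');
    }
    $tip = (float) $raw;
    if ($tip > $base * MAX_TIP_RATIO) {
        throw new InvalidArgumentException('tip exceeds allowed maximum');
    }
    return $tip;
}

function total_hardened(array $request): float {
    if (!isset(SERVICE_PRICES[$request['service']])) {
        throw new InvalidArgumentException('unknown service');
    }
    $base = SERVICE_PRICES[$request['service']];
    $tip  = validate_tip($request['tips'] ?? '0', $base);
    return round($base + $tip, 2);
}

// Constructed requests: an honest booking and one that cancels the price out.
$honest  = ['service' => 'massage', 'tips' => '10'];
$abusive = ['service' => 'massage', 'tips' => '-90'];

printf("vulnerable, honest:  %.2f\n", total_vulnerable($honest));
printf("vulnerable, abusive: %.2f\n", total_vulnerable($abusive));
printf("hardened, honest:    %.2f\n", total_hardened($honest));
try {
    total_hardened($abusive);
} catch (InvalidArgumentException $e) {
    echo "hardened, abusive:   rejected (", $e->getMessage(), ")\n";
}
```

The same rule covers discounts, quantities and any other numeric field a checkout form posts: parse it strictly, bound it, and recompute the amount the customer is charged from data the server owns.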
CVE-2026-5742 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-5742 :
WordPress vulnerability analysis and mitigation
The UsersWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.2.60. This is due to insufficient input sanitization of user-supplied URL fields and improper output escaping when rendering user profile data in badge widgets. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts that will execute whenever a user accesses a page containing the affected badge widget.
Source : NVD
Score: 6.4 (CNA Score: 6.4) | Severity: MEDIUM | Published: April 9, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
CVE-2026-4326 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4326 :
WordPress vulnerability analysis and mitigation
The Vertex Addons for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. This is due to improper authorization enforcement in the activate_required_plugins() function. Specifically, the current_user_can('install_plugins') capability check does not terminate execution when it fails — it only sets an error message variable while allowing the plugin installation and activation code to execute. The error response is only sent after the installation and activation have already completed. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins from the WordPress.
Source : NVD
Score: 8.8
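The Vertex Addons description is unusually precise about the bug: the capability check runs, but a failed check only sets an error string and the privileged work still executes. The added example below is not Vertex Addons code; it reconstructs that fail-open handler beside one that verifies the request nonce and the capability first and terminates on failure. The nonce check is the same control whose absence is described for Popup Box (CSRF) further down, and the check-then-exit structure is the fix for the other missing-authorization entries on this page (PZ Frontend Manager, WP Blockade, MainWP Child Reports, Advanced Contact form 7 DB, Backup Migration). The plugin-installation step is a stub, and the stand-ins for the WordPress functions exist only so the file runs with plain `php`.

```php
<?php
// Added example, not Vertex Addons code. The fail-open shape from the
// description, where a failed capability check only records an error and the
// privileged work still runs, next to a handler that checks nonce and capability
// first and stops on failure. Stand-ins (constructed) for WordPress functions
// let the file run with plain `php`; the real ones are used inside WordPress.
if (!function_exists('current_user_can')) {
    function current_user_can(string $cap): bool {
        return in_array($cap, $GLOBALS['demo_caps'] ?? [], true);
    }
    function check_ajax_referer(string $action, string $arg = '_wpnonce', bool $die = true): bool {
        $ok = isset($_REQUEST[$arg]) && hash_equals($GLOBALS['demo_nonce'] ?? '', (string) $_REQUEST[$arg]);
        if (!$ok && $die) { throw new RuntimeException('nonce check failed'); }
        return $ok;
    }
    function wp_send_json_error($data = null, int $status = 400): void {
        throw new RuntimeException(json_encode(['success' => false, 'data' => $data, 'status' => $status]));
    }
}

// Constructed stand-in for the privileged work (installing and activating plugins).
function install_and_activate(array $slugs, array &$log): void {
    foreach ($slugs as $slug) { $log[] = "installed+activated $slug"; }
}

// Vulnerable: the capability failure only sets a message; execution continues
// and the error is reported after the plugins are already installed.
function activate_required_plugins_vulnerable(array $slugs, array &$log): array {
    $error = '';
    if (!current_user_can('install_plugins')) {
        $error = 'You are not allowed to install plugins.';
    }
    install_and_activate($slugs, $log);   // runs regardless of the check above
    return $error !== '' ? ['success' => false, 'error' => $error] : ['success' => true];
}

// Hardened: nonce (CSRF) first, then capability, each terminating the request
// before any side effect.
function activate_required_plugins_hardened(array $slugs, array &$log): array {
    check_ajax_referer('vertex_activate_plugins');   // dies on failure
    if (!current_user_can('install_plugins')) {
        wp_send_json_error('You are not allowed to install plugins.', 403);   // dies
    }
    install_and_activate($slugs, $log);
    return ['success' => true];
}

// Demo as a Subscriber holding a valid nonce (constructed session).
$GLOBALS['demo_caps']  = ['read'];
$GLOBALS['demo_nonce'] = 'abc123';
$_REQUEST['_wpnonce']  = 'abc123';

$log = [];
print_r(activate_required_plugins_vulnerable(['evil-plugin'], $log));
print_r($log);   // the plugin was installed even though the response reports an error

$log = [];
try {
    activate_required_plugins_hardened(['evil-plugin'], $log);
} catch (RuntimeException $e) {
    echo "hardened: request terminated -> ", $e->getMessage(), "\n";
}
print_r($log);   // nothing ran
```

In review, the thing to look for is whether every negative branch of an authorization check ends in `return`, `wp_die()`, or one of the `wp_send_json_*` helpers; a check whose only effect is a variable assignment is no check at all.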
CVE-2026-5167 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-5167 :
WordPress vulnerability analysis and mitigation
The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.1.7. This is due to insufficient webhook signature verification in the handle_webhook() function. The webhook endpoint processes unauthenticated requests and only performs signature verification if both the webhook_secret setting is configured AND the HTTP_STRIPE_SIGNATURE header is present. Since webhook_secret defaults to an empty string, the webhook processes attacker-controlled JSON payloads without any verification. This makes it possible for unauthenticated attackers to send fake Stripe webhook events with arbitrary order_id
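The Masteriyo entry describes a verifier that fails open: signature checking only happens when a secret is configured and a signature header is present, and an empty default secret means neither condition holds. The added example below is not Masteriyo code; it is a Stripe-style webhook verifier written to fail closed, using Stripe's documented header format (`t=<timestamp>,v1=<hex HMAC-SHA256 over "<timestamp>.<raw body>">`). The endpoint secret, the event payload, the order id and the handler's reply strings are constructed for the demonstration.

```php
<?php
// Added example, not Masteriyo code. A Stripe-style webhook verifier that
// fails closed: no configured secret or no signature header rejects the event
// instead of processing it unverified. Uses Stripe's documented scheme:
// header "t=<timestamp>,v1=<hex HMAC-SHA256 over '<timestamp>.<raw body>'>".
// The secret, payload and order id below are constructed for the demo.

const TOLERANCE_SECONDS = 300;

function verify_stripe_signature(string $payload, ?string $header, string $secret, int $now): bool {
    if ($secret === '' || $header === null || $header === '') {
        return false;   // fail closed; never "skip verification" when unconfigured
    }
    $parts = [];
    foreach (explode(',', $header) as $kv) {
        [$k, $v] = array_pad(explode('=', $kv, 2), 2, '');
        $parts[$k][] = $v;
    }
    $ts = (int) ($parts['t'][0] ?? 0);
    if ($ts === 0 || abs($now - $ts) > TOLERANCE_SECONDS) {
        return false;   // outside the replay window
    }
    $expected = hash_hmac('sha256', $ts . '.' . $payload, $secret);
    foreach ($parts['v1'] ?? [] as $sig) {   // several v1 values appear during secret rotation
        if (hash_equals($expected, $sig)) {
            return true;
        }
    }
    return false;
}

// The handler only reads order_id out of a verified event.
function handle_webhook(string $raw, ?string $header, string $secret, int $now): string {
    if (!verify_stripe_signature($raw, $header, $secret, $now)) {
        return '400 invalid signature';
    }
    $event = json_decode($raw, true);
    if (!is_array($event) || ($event['type'] ?? '') !== 'checkout.session.completed') {
        return '200 ignored';
    }
    $orderId = (int) ($event['data']['object']['metadata']['order_id'] ?? 0);
    return "200 order $orderId marked paid";
}

// Constructed demo: a forged event with no secret configured, then a genuine
// signed event, then a forged signature against a configured secret.
$secret  = 'whsec_demo_secret';
$now     = 1700000000;
$payload = json_encode(['type' => 'checkout.session.completed',
                        'data' => ['object' => ['metadata' => ['order_id' => 42]]]]);

echo "no secret configured: ", handle_webhook($payload, null, '', $now), "\n";
$sig = 't=' . $now . ',v1=' . hash_hmac('sha256', $now . '.' . $payload, $secret);
echo "genuine signature:    ", handle_webhook($payload, $sig, $secret, $now), "\n";
echo "forged signature:     ", handle_webhook($payload, 't=' . $now . ',v1=deadbeef', $secret, $now), "\n";
```

Two design points beyond the signature itself: the comparison uses hash_equals() so a forged value cannot be probed byte by byte, and the timestamp window bounds replay of a captured genuine event. A secret that is optional in settings should disable the endpoint, not disable the check.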
CVE-2025-15611 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15611 :
WordPress vulnerability analysis and mitigation
The Popup Box WordPress plugin before 5.5.0 does not properly validate nonces in the add_or_edit_popupbox() function before saving popup data, allowing unauthenticated attackers to perform Cross-Site Request Forgery attacks. When an authenticated admin visits a malicious page, the attacker can create or modify popups with arbitrary JavaScript that executes in the admin panel and frontend.
Source : NVD
Score: 5.4 (CNA Score: 5.4) | Severity: MEDIUM | Published: April 7, 2026
Affected Technologies: WordPress
Has Public Exploit: Yes | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 6.2 | Exploitation Probability (EPSS): N/A
CVE-2026-5451 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-5451 :
WordPress vulnerability analysis and mitigation
The Extensions for Leaflet Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'elevation-track' shortcode in all versions up to, and including, 4.14. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score: 6.4 (CNA Score: 6.4) | Severity: MEDIUM | Published: April 8, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
CVE-2026-2509 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2509 :
WordPress vulnerability analysis and mitigation
The Page Builder: Pagelayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Button widget's Custom Attributes field in all versions up to, and including, 2.0.8. This is due to an incomplete event handler blocklist in the 'pagelayer_xss_content' XSS filtering function, which blocks common, but not all, event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score: 6.4 (CNA Score: 6.4) | Severity: MEDIUM | Published: April 8, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No
CVE-2026-4808 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4808 :
WordPress vulnerability analysis and mitigation
The Gerador de Certificados – DevApps plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the moveUploadedFile() function in all versions up to, and including, 1.3.6. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Source : NVD
Score: 7.2 (CNA Score: 7.2) | Severity: HIGH | Published: April 8, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 47 | Exploitation Probability (EPSS): 0.2
CVE-2026-1830 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1830 :
WordPress vulnerability analysis and mitigation
The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. This is due to insufficient authorization checks on REST API endpoints that expose a sync code and allow arbitrary file uploads. This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server.
Source : NVD
Score: 9.8 (CNA Score: 9.8) | Severity: CRITICAL | Published: April 9, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 39.5 | Exploitation Probability (EPSS): 0.2
CVE-2025-14944 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14944 :
WordPress vulnerability analysis and mitigation
The Backup Migration plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.0.0. This is due to a missing capability check on the 'initializeOfflineAjax' function and lack of proper nonce verification. The endpoint only validates against hardcoded tokens which are publicly exposed in the plugin's JavaScript. This makes it possible for unauthenticated attackers to trigger the backup upload queue processing, potentially causing unexpected backup transfers to configured cloud storage targets and resource exhaustion.
Source : NVD
Score: 5.3 (CNA Score: 5.3) | Severity: MEDIUM | Published: April 7, 2026
Affected Technologies: WordPress
Has Public Exploit: No
CVE-2026-5711 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-5711 :
WordPress vulnerability analysis and mitigation
The Post Blocks & Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliderStyle' block attribute in the Posts Slider block in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score: 6.4 (CNA Score: 6.4) | Severity: MEDIUM | Published: April 8, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
CVE-2026-4330 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4330 :
WordPress vulnerability analysis and mitigation
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to authorization bypass through user-controlled key in all versions up to, and including, 8.8.3. This is due to the plugin's AJAX handlers failing to validate that the user-supplied 'b2s_id' parameter belongs to the current user before performing UPDATE and DELETE operations. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify, reschedule, or delete other users' scheduled social media posts.
Source : NVD
Score: 4.3 (CNA Score: 4.3) | Severity: MEDIUM | Published: April 8, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A
CVE-2026-33290 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33290 :
WordPress vulnerability analysis and mitigation
WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw in updateComment allows an authenticated low-privileged user (including a custom role with zero capabilities) to change moderation status of their own comment (for example to APPROVE) without the moderate_comments capability. This can bypass moderation workflows and let untrusted users self-approve content. Version 2.10.0 contains a patch.
## Details
In WPGraphQL 2.9.1 (tested), authorization for updateComment is owner-based, not field-based:
- plugins/wp-graphql/src/Mutation/CommentUpdate.php:92 allows moderators.
- plugins/wp-graphql/src/Mutation/CommentUpdate.php:99 also allows the comment owner, even if they lack
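The WPGraphQL details and the Blog2Social entry above are two halves of the same authorization problem. Blog2Social skipped the object-level check (does the record named by 'b2s_id' belong to the caller?); WPGraphQL made the object-level check and stopped there, so an owner could change a field (moderation status) that needs a separate capability. The added example below is neither project's code; it is one update handler that applies both checks in order. The in-memory record store, the User class, the field names and the capability name are constructed for the demonstration (moderate_comments is the real WordPress capability the WPGraphQL text names).

```php
<?php
// Added example, neither Blog2Social's nor WPGraphQL's code. One update handler
// that enforces both missing checks: the record behind a client-supplied key
// must belong to the caller (object level), and changing the moderation field
// needs a capability the owner may not have (field level). Store, users and
// field names are constructed.

final class User {
    public function __construct(public int $id, public array $caps) {}
    public function can(string $cap): bool { return in_array($cap, $this->caps, true); }
}

final class ForbiddenException extends RuntimeException {}

// Constructed record store: id => [owner, content, status]
$records = [
    7 => ['owner' => 3, 'content' => 'hello', 'status' => 'hold'],
    8 => ['owner' => 5, 'content' => 'other', 'status' => 'hold'],
];

function update_record(array &$store, User $user, int $id, array $changes): array {
    // 1. Object level: the id comes from the client, so prove ownership (or a
    //    moderation capability) before touching the row. "Not found" and
    //    "not yours" get the same answer so ids cannot be enumerated.
    if (!isset($store[$id])) {
        throw new ForbiddenException('not found');
    }
    $isOwner     = $store[$id]['owner'] === $user->id;
    $isModerator = $user->can('moderate_comments');
    if (!$isOwner && !$isModerator) {
        throw new ForbiddenException('not your record');
    }
    // 2. Field level: owners may edit content; only moderators may set status.
    foreach ($changes as $field => $value) {
        switch ($field) {
            case 'content':
                $store[$id]['content'] = (string) $value;
                break;
            case 'status':
                if (!$isModerator) {
                    throw new ForbiddenException('status requires moderate_comments');
                }
                if (!in_array($value, ['hold', 'approve', 'spam'], true)) {
                    throw new InvalidArgumentException('bad status');
                }
                $store[$id]['status'] = $value;
                break;
            default:
                throw new InvalidArgumentException("unknown field $field");
        }
    }
    return $store[$id];
}

$subscriber = new User(3, ['read']);
$moderator  = new User(9, ['read', 'moderate_comments']);

foreach ([
    ['who' => $subscriber, 'id' => 7, 'changes' => ['content' => 'edited']],   // own record, allowed
    ['who' => $subscriber, 'id' => 8, 'changes' => ['content' => 'x']],        // someone else's record
    ['who' => $subscriber, 'id' => 7, 'changes' => ['status' => 'approve']],   // self-approval
    ['who' => $moderator,  'id' => 7, 'changes' => ['status' => 'approve']],   // moderator, allowed
] as $attempt) {
    try {
        $r = update_record($records, $attempt['who'], $attempt['id'], $attempt['changes']);
        printf("user %d on #%d: ok -> %s\n", $attempt['who']->id, $attempt['id'], json_encode($r));
    } catch (Exception $e) {
        printf("user %d on #%d: denied (%s)\n", $attempt['who']->id, $attempt['id'], $e->getMessage());
    }
}
```

Inside WordPress the first check is a `WHERE id = %d AND user_id = %d` added to the `$wpdb->prepare()` call rather than a separate lookup, and the second is a `current_user_can()` call per privileged field before the update is applied. Either check alone leaves one of the two bugs in place.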
CVE-2026-4871 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4871 :
WordPress vulnerability analysis and mitigation
(Description not captured; identifier referenced in the source: scm_member_data.)
Source : NVD
Score: 6.4 (CNA Score: 6.4) | Severity: MEDIUM | Published: April 8, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 8.2 | Exploitation Probability (EPSS): N/A
Affected packages and libraries: sports-club-management
CVE-2026-4300 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4300 :
WordPress vulnerability analysis and mitigation
(Description not captured; identifiers referenced in the source: fixJsFunction(), json_encode(), the |***...***| delimiter markers, rbs_gallery_LoadingWord, rbstext, sanitize_text_field(), renderMainBlock(), capability_type => 'post'; example payload |***alert(document.domain)***|.)
Source : NVD
Score: 6.4 (CNA Score: 6.4) | Severity: MEDIUM | Published: April 8, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 11.1 | Exploitation Probability (EPSS): N/A
Affected packages and libraries: robo-gallery
CVE-2026-2481 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2481 :
WordPress vulnerability analysis and mitigation
The Beaver Builder Page Builder – Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'settings[js]' parameter in versions up to, and including, 2.10.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score: 6.4 (CNA Score: 6.4) | Severity: MEDIUM | Published: April 8, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 1
CVE-2026-0814 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0814 :
WordPress vulnerability analysis and mitigation
The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz_cf7_export_to_excel' function in all versions up to, and including, 2.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to export form submissions to excel file.
Source : NVD
Score: 4.3 (CNA Score: 4.3) | Severity: MEDIUM | Published: April 8, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 6.9 | Exploitation Probability (EPSS): N/A
Affected packages and libraries: advanced-cf7-db
CVE-2026-4338 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4338 :
WordPress vulnerability analysis and mitigation
The ActivityPub WordPress plugin before 8.0.2 does not properly filter posts to be displayed, allowing unauthenticated users to access draft, scheduled and pending posts.
Source : NVD
Score: 7.5 (CNA Score: 7.5) | Severity: HIGH | Published: April 8, 2026
Affected Technologies: WordPress
Has Public Exploit: Yes | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 13.4 | Exploitation Probability (EPSS): N/A
Affected packages and libraries: activitypub
CVE-2026-4655 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4655 :
WordPress vulnerability analysis and mitigation
The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the SVG Image Widget in versions up to and including 8.4.2. This is due to insufficient input sanitization and output escaping on SVG content fetched from remote URLs in the render_svg() function. The function fetches SVG content using wp_safe_remote_get() and then directly echoes it to the page without any sanitization, only applying a preg_replace() to add attributes to the SVG tag which does not remove malicious event handlers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary JavaScript in SVG files that will execute whenever a user accesses a page c
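The Pagelayer entry above (an event-handler blocklist that misses uncommon handlers) and this Element Pack entry (a preg_replace() that adds attributes to the `<svg>` tag without touching what is inside it) fail for the same reason: both try to subtract dangerous things from untrusted markup instead of keeping only known-safe things. The added example below is neither plugin's code. It reproduces both filter shapes on constructed samples, then runs the same samples through a small allow-list filter that keeps only listed tags and, per tag, listed attributes, which is the policy wp_kses() and wp_kses_post() enforce. The blocklist, the samples and the allow-list are constructed; the filter is a DOMDocument stand-in so the file runs with plain `php`, not wp_kses() itself.

```php
<?php
// Added example, neither Pagelayer's nor Element Pack's code. Shows why an
// event-handler blocklist and an attribute-adding preg_replace() both leave
// script-bearing markup intact, and what an allow-list filter in the style of
// wp_kses() does instead. Blocklist, samples and allow-list are constructed.

// Blocklist in the shape the Pagelayer description criticises: common handlers only.
function strip_common_handlers(string $html): string {
    return preg_replace(
        '/\s+on(click|load|error|mouseover)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', '', $html);
}

// "Add attributes to the <svg> tag" without sanitizing anything else.
function add_svg_attrs(string $svg, string $class): string {
    return preg_replace('/<svg\b/i', '<svg class="' . $class . '"', $svg, 1);
}

// Allow-list filter: unknown elements are removed with their subtree, unknown
// attributes (every on*, style, href with javascript:, ...) are dropped.
function kses_like(string $html, array $allowed): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="UTF-8"><div id="root">' . $html . '</div>', LIBXML_NONET);
    libxml_clear_errors();
    $root = (new DOMXPath($doc))->query('//div[@id="root"]')->item(0);
    $walk = function (DOMNode $node) use (&$walk, $allowed): void {
        foreach (iterator_to_array($node->childNodes) as $child) {
            if (!$child instanceof DOMElement) { continue; }
            $tag = strtolower($child->tagName);
            if (!isset($allowed[$tag])) {
                $child->parentNode->removeChild($child);
                continue;
            }
            foreach (iterator_to_array($child->attributes) as $attr) {
                if (!in_array(strtolower($attr->name), $allowed[$tag], true)) {
                    $child->removeAttribute($attr->name);
                }
            }
            $walk($child);
        }
    };
    $walk($root);
    $out = '';
    foreach ($root->childNodes as $c) { $out .= $doc->saveHTML($c); }
    return $out;
}

$allowed = [
    'a'    => ['href', 'class'],
    'svg'  => ['class', 'viewbox', 'xmlns'],   // libxml lowercases attribute names
    'path' => ['d', 'fill'],
];

// Constructed samples: a handler the blocklist does not know, and an SVG whose
// onload survives attribute injection untouched.
$button = '<a href="#" onpointerenter="alert(document.domain)">Buy</a>';
$svg    = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">'
        . '<path d="M0 0h10v10z"/></svg>';

echo "blocklist:    ", strip_common_handlers($button), "\n";
echo "preg_replace: ", add_svg_attrs($svg, 'icon'), "\n";
echo "allow-list:   ", kses_like($button, $allowed), "\n";
echo "allow-list:   ", kses_like(add_svg_attrs($svg, 'icon'), $allowed), "\n";
```

The first two outputs still contain their handlers; the last two do not. Inside WordPress, remote SVG fetched by a Contributor-controlled URL should go through wp_kses() with an explicit SVG allow-list (or be rejected outright and served as an `<img>` reference, where scripts do not run), never echoed.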
CVE-2026-3477 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3477 :
WordPress vulnerability analysis and mitigation
The PZ Frontend Manager plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.6. The pzfm_user_request_action_callback() function, registered via the wp_ajax_pzfm_user_request_action action hook, lacks both capability checks and nonce verification. This function handles user activation, deactivation, and deletion operations. When the 'dataType' parameter is set to 'delete', the function calls wp_delete_user() on all provided user IDs without verifying that the current user has the appropriate permissions. Notably, the similar pzfm_remove_item_callback() function does check pzfm_can_delete_user() before performing deletions, indicating this was an oversight. This makes it possi
CVE-2026-5508 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-5508 :
WordPress vulnerability analysis and mitigation
Source : NVD
Score: 6.4 (CNA Score: 6.4) | Severity: MEDIUM | Published: April 8, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 8.2 | Exploitation Probability (EPSS): N/A
Affected packages and libraries: wowpress
CVE-2026-3243 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3243 :
WordPress vulnerability analysis and mitigation
The Advanced Members for ACF plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the create_crop function in all versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The vulnerability was partially patched in version 1.2.5.
Source : NVD
Score: 8.8 (CNA Score: 8.8) | Severity: HIGH | Published: April 8, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
CVE-2026-3480 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3480 :
WordPress vulnerability analysis and mitigation
The WP Blockade plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 0.9.14. The plugin registers an admin_post action hook 'wp-blockade-shortcode-render' that maps to the render_shortcode_preview() function. This function lacks any capability check (current_user_can()) and nonce verification, allowing any authenticated user to execute arbitrary WordPress shortcodes. The function takes a user-supplied 'shortcode' parameter from $_GET, passes it through stripslashes(), and directly executes it via do_shortcode(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes, which could lead to information disclosure, p
CVE-2026-4303 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4303 :
WordPress vulnerability analysis and mitigation
The WP Visitor Statistics (Real Time Traffic) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wsm_showDayStatsGraph' shortcode in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score: 6.4 (CNA Score: 6.4) | Severity: MEDIUM | Published: April 8, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
CVE-2026-2942 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2942 :
WordPress vulnerability analysis and mitigation
The ProSolution WP Client plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'proSol_fileUploadProcess' function in all versions up to, and including, 1.9.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Source : NVD
Score: 9.8 (CNA Score: 9.8) | Severity: CRITICAL | Published: April 8, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 32.3 | Exploitation Probability (EPSS): 0.1
Affected packages and libraries: prosolution-wp-client
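Three entries on this page are file-write bugs with the same three ingredients: an upload endpoint reachable without a real authorization check (Quick Playground, CVE-2026-1830, where the only gate was a sync code the same API handed out; ProSolution WP Client, CVE-2026-2942, unauthenticated outright), no type validation on the file (Gerador de Certificados, CVE-2026-4808, and ProSolution), and for Quick Playground a filename that accepts '../' so the PHP file lands in the web root. The Advanced Members for ACF deletion bug (CVE-2026-3243) is the read side of the same path problem. The added example below belongs to none of these plugins; it is a REST upload handler that closes all three gaps: a permission_callback that requires a capability, a destination confined to the uploads directory after realpath(), and a type decision made from the file's bytes against an allow-list. The route name, the request field names (filename, base64) and the sample requests are constructed, and the WordPress helpers are stubbed so the file runs with plain `php`.

```php
<?php
// Added example, none of the plugins' code. A REST upload handler that requires
// a capability in permission_callback, confines the destination to the uploads
// directory, and decides the file type from its bytes against an allow-list.
// Route, field names and sample requests are constructed; the stubs below only
// exist so the file runs outside WordPress.
if (!function_exists('wp_upload_dir')) {
    function wp_upload_dir(): array { return ['basedir' => sys_get_temp_dir() . '/uploads-demo']; }
    function sanitize_file_name(string $f): string { return preg_replace('/[^A-Za-z0-9._-]+/', '-', basename($f)); }
    function current_user_can(string $cap): bool { return $GLOBALS['demo_can_upload'] ?? false; }
}

const ALLOWED_TYPES = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'gif' => 'image/gif'];

// Resolve $target inside $base; null if it escapes after realpath() (covers
// '../', symlinks and the deletion case from the Advanced Members entry too).
function confine_path(string $base, string $target): ?string {
    $baseReal = realpath($base);
    $dirReal  = realpath(dirname($target));
    if ($baseReal === false || $dirReal === false) { return null; }
    $baseReal = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (!str_starts_with($dirReal . DIRECTORY_SEPARATOR, $baseReal)) { return null; }
    return $dirReal . DIRECTORY_SEPARATOR . basename($target);
}

// Type check on bytes, never on the client-supplied name or Content-Type.
function detect_allowed_extension(string $bytes): ?string {
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    $ext  = array_search($mime, ALLOWED_TYPES, true);
    return $ext === false ? null : $ext;
}

function handle_upload(array $json): array {
    $bytes = base64_decode($json['base64'] ?? '', true);
    if ($bytes === false || $bytes === '') { return ['status' => 400, 'error' => 'bad base64']; }
    $ext = detect_allowed_extension($bytes);
    if ($ext === null) { return ['status' => 415, 'error' => 'type not allowed']; }
    $name = pathinfo(sanitize_file_name($json['filename'] ?? 'upload'), PATHINFO_FILENAME);
    if ($name === '') { $name = 'upload'; }
    $base = wp_upload_dir()['basedir'];
    if (!is_dir($base) && !mkdir($base, 0700, true)) { return ['status' => 500, 'error' => 'no upload dir']; }
    $dest = confine_path($base, $base . '/' . $name . '.' . $ext);   // extension from the bytes
    if ($dest === null) { return ['status' => 400, 'error' => 'path escapes upload dir']; }
    file_put_contents($dest, $bytes);
    return ['status' => 201, 'path' => $dest];
}

// Inside WordPress: the authorization lives in permission_callback, not in a
// shared code that another route can reveal. (Constructed route name.)
if (function_exists('register_rest_route')) {
    add_action('rest_api_init', function (): void {
        register_rest_route('quickdemo/v1', '/upload_image', [
            'methods'             => 'POST',
            'callback'            => fn($req) => handle_upload($req->get_json_params()),
            'permission_callback' => fn() => current_user_can('upload_files'),
        ]);
    });
}

// Constructed requests: a webshell with a traversing name, a real 1x1 PNG with
// a traversing name, and a normal PNG.
$GLOBALS['demo_can_upload'] = true;
$png1x1 = 'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==';
$shell  = ['filename' => '../../../shell.php', 'base64' => base64_encode("<?php system(\$_GET['cmd']); ?>")];
$sneaky = ['filename' => '../../../evil.png',  'base64' => $png1x1];
$normal = ['filename' => 'logo.png',           'base64' => $png1x1];
print_r(handle_upload($shell));    // rejected on type, before any path is built
print_r(handle_upload($sneaky));   // stored as evil.png inside the uploads dir
print_r(handle_upload($normal));
```

The order of the checks matters: type is decided first so that no PHP content is ever written anywhere, the name is reduced to a basename before it is joined to the upload directory, and the joined path is still confined with realpath() as a second line. Retrieving a "sync code" from an unauthenticated route and then presenting it to another route, as the Quick Playground description outlines, is not authentication; the Link Whisper entry further down is the same lesson for a settings endpoint.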
CVE-2026-3005 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3005 :
WordPress vulnerability analysis and mitigation
The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'catlist' shortcode in all versions up to, and including, 0.94.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score: 6.4 (CNA Score: 6.4) | Severity: MEDIUM | Published: April 9, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): N/A
CVE-2026-4401 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4401 :
WordPress vulnerability analysis and mitigation
(Description not captured; identifiers referenced in the source: actions_handler(), bulk_actions_handler(), class-dlm-downloads-path.php.)
Source : NVD
Score: 5.4 (CNA Score: 5.4) | Severity: MEDIUM | Published: April 8, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 5.5 | Exploitation Probability (EPSS): N/A
Affected packages and libraries: download-monitor
CVE-2026-34889 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34889 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force Ultimate Addons for WPBakery Page Builder allows DOM-Based XSS. This issue affects Ultimate Addons for WPBakery Page Builder: from n/a before 3.21.4.
Source : NVD
Score: 6.5 (CNA Score: 6.5) | Severity: MEDIUM | Published: April 1, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 9.9 | Exploitation Probability (EPSS): N/A
Affected packages and libraries: Ultimate_VC_Addons
CVE-2026-4785 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4785 :
WordPress vulnerability analysis and mitigation
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_caption' parameter in the [latepoint_resources] shortcode in versions up to and including 5.3.0. This is due to insufficient output escaping when the 'items' parameter is set to 'bundles'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score: 6.4 (CNA Score: 6.4) | Severity: MEDIUM | Published: April 8, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A
CVE-2026-4299 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4299 :
WordPress vulnerability analysis and mitigation
The MainWP Child Reports plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 2.2.6. This is due to a missing capability check in the heartbeat_received() function in the Live_Update class. This makes it possible for authenticated attackers, with Subscriber-level access and above, to obtain MainWP Child Reports activity log entries (including action summaries, user information, IP addresses, and contextual data) via the WordPress Heartbeat API by sending a crafted heartbeat request with the 'wp-mainwp-stream-heartbeat' data key.
Source : NVD
Score: 5.3 (CNA Score: 5.3) | Severity: MEDIUM | Published: April 8, 2026
Affected Technologies: WordPress
Has Public Exploit: No
CVE-2026-2988 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2988 :
WordPress vulnerability analysis and mitigation
The Blubrry PowerPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'powerpress' and 'podcast' shortcodes in versions up to, and including, 11.15.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score: 6.4 (CNA Score: 6.4) | Severity: MEDIUM | Published: April 8, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 1
CVE-2026-4406 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4406 :
WordPress vulnerability analysis and mitigation
(Description not captured; identifiers referenced in the source: form_ids, gform_get_config, GFCommon::send_json(), echo, wp_die(), Content-Type: text/html, application/json, wp_json_encode(), config_nonce, wp_create_nonce('gform_config_ajax').)
Source : NVD
Score: 4.7 (CNA Score: 4.7) | Severity: MEDIUM | Published: April 8, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 18.2 | Exploitation Probability (EPSS): 0.1
Affected packages and libraries: gravityforms
CVE-2026-2838 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2838 :
WordPress vulnerability analysis and mitigation
The Whole Enquiry Cart for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘woowhole_success_msg’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Source : NVD
Score: 4.4 (CNA Score: 4.4) | Severity: MEDIUM | Published: April 8, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No
CVE-2026-4336 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4336 :
WordPress vulnerability analysis and mitigation
The Ultimate FAQ Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via FAQ content in all versions up to, and including, 2.4.7. This is due to the plugin calling html_entity_decode() on post_content during rendering in the set_display_variables() function (View.FAQ.class.php, line 746), which converts HTML entity-encoded payloads back into executable HTML, combined with insufficient output escaping in the faq-answer.php template where the decoded content is echoed without wp_kses_post() or any other sanitization. The ufaq custom post type is registered with 'show_in_rest' => true and defaults to 'post' capability_type, allowing Author-level users to create and publish FAQs via the REST API. An Au
CVE-2026-1900 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1900 :
WordPress vulnerability analysis and mitigation
The Link Whisper Free WordPress plugin before 0.9.1 has a publicly accessible REST endpoint that allows unauthenticated settings updates.
Source : NVD
## 6.5
Score
Published April 7, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
link-whisper
Sources
NVD
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related WordPress vulnerabilities:
CVE ID
Severity
Score
Technologies
Com
Wiz
CVE-2026-3296 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3296 :
WordPress vulnerability analysis and mitigation
The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to the html-admin-page-entries-view.php file calling PHP's native unserialize() on stored entry meta values without passing the allowed_classes parameter. This makes it possible for unauthenticated attackers to inject a serialized PHP object payload through any public Everest Forms form field. The payload survives sanitize_text_field() sanitization (serialization control characters are not stripped) and is stored in the wp_evf_entrymeta database table. When an administrator views entries or views an individual entry, the unsafe
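The Everest Forms entry above comes down to one missing argument. The PHP below is an added example, not the plugin's code: a hypothetical Gadget class stands in for whatever class a real site autoloads, the two view functions show the unrestricted unserialize() call beside the allowed_classes fix, and the payload is constructed by hand. The comment on what a text sanitizer leaves intact is the reason a sanitize_text_field()-style filter does not stop it.

```php
<?php
// Added example, not code from the Everest Forms plugin. Gadget is a
// hypothetical class standing in for any class the site autoloads; the
// payload is constructed by hand.

final class Gadget
{
    public static array $log = [];
    public string $action = '';

    // Called by unserialize() itself, so no code path needs to touch the
    // object for attacker-chosen state to reach a method.
    public function __wakeup(): void
    {
        self::$log[] = 'gadget ran with action=' . $this->action;
    }
}

// Vulnerable pattern: no class restriction, so any class named in the
// stored value is instantiated and its magic methods run.
function viewEntryMetaVulnerable(string $stored): mixed
{
    return unserialize($stored);
}

// Hardened pattern: allowed_classes => false turns every object in the
// payload into __PHP_Incomplete_Class, and __wakeup/__destruct never run.
// Pass an explicit array of class names instead if objects are expected.
function viewEntryMetaHardened(string $stored): mixed
{
    return unserialize($stored, ['allowed_classes' => false]);
}

// Constructed payload as it would be typed into a public form field. A
// text sanitizer that strips tags and control characters leaves ':', ';',
// '{', '}' and quotes alone, so the stored value still parses as an object.
$payload = 'O:6:"Gadget":1:{s:6:"action";s:12:"attacker-ctl";}';

$v = viewEntryMetaVulnerable($payload);
printf("vulnerable: %s, log=%s\n", get_class($v), json_encode(Gadget::$log));

Gadget::$log = [];
$h = viewEntryMetaHardened($payload);
printf("hardened:   %s, log=%s\n", get_class($h), json_encode(Gadget::$log));
```

Run it under PHP 8: the first call instantiates Gadget and runs __wakeup with attacker-chosen state, the second returns a __PHP_Incomplete_Class and runs nothing. Where object values are genuinely needed, pass an explicit list of class names rather than false; for entry metadata that only ever holds scalars and arrays, storing JSON removes the deserialization sink entirely.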
CVE-2026-3535 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3535 :
WordPress vulnerability analysis and mitigation
DSGVOGWPdownloadGoogleFonts()
wp_ajax_nopriv_
Source : NVD
Score 9.8
Severity CRITICAL
CNA Score 9.8
Published April 8, 2026
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 51.8
Exploitation Probability (EPSS) 0.3
Affected packages and libraries dsgvo-google-web-fonts-gdpr
Sources NVD
CVE-2026-1396 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1396 :
WordPress vulnerability analysis and mitigation
The Magic Conversation For Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'magic-conversation' shortcode in all versions up to, and including, 3.0.97 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Severity MEDIUM
CNA Score 6.4
Published April 8, 2026
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile
CVE-2026-4073 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4073 :
WordPress vulnerability analysis and mitigation
The pdfl.io plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pdflio' shortcode in all versions up to, and including, 1.0.5. This is due to insufficient input sanitization and output escaping on the 'text' shortcode attribute. The output_shortcode() function directly concatenates the user-supplied $text variable into HTML output without applying esc_html() or any other escaping function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Severity MEDIUM
CNA Score 6.4
Published April 8, 2026
Affected Technologies WordPress
CVE-2026-4341 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4341 :
WordPress vulnerability analysis and mitigation
render_social_link()
modules/mount/widgets/mount.php
follow_us_text
echo
_elementor_data
update_post_meta
Source : NVD
Score 6.4
Severity MEDIUM
CNA Score 6.4
Published April 8, 2026
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries bdthemes-prime-slider-lite
Sources NVD
CVE-2026-4003 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4003 :
WordPress vulnerability analysis and mitigation
The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic check in the userspn_ajax_nopriv_server() function within the 'userspn_form_save' case. The conditional only blocks unauthenticated users when the user_id is empty, but when a non-empty user_id is supplied, execution bypasses this check entirely and proceeds to update arbitrary user meta via update_user_meta() without any authentication or authorization verification. Additionally, the nonce required for this AJAX endpoint ('userspn-nonce') is exposed to all visitors via wp_localize_script on the public wp_enqueue_scripts hoo
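The flaw described for CVE-2026-4003 is a logic bug, not a missing function call: the login check sits inside the "no user_id supplied" branch, so supplying one skips it. The PHP below is an added reconstruction of that flaw class, not the plugin's code. Request and session are modelled as plain values so it runs without WordPress; the function names, the Session class and the wp_capabilities meta key used as the escalation target are assumptions for illustration (in the plugin the equivalents would be $_POST, is_user_logged_in(), get_current_user_id(), current_user_can() and update_user_meta()).

```php
<?php
// Added example, not the Users manager - PN plugin's code. Session, the
// handler names and the meta keys are hypothetical; the request is constructed.

// Models the caller: a null user id means unauthenticated.
final class Session
{
    public function __construct(public ?int $userId, public bool $canEditUsers = false) {}
}

// Vulnerable shape: the "must be logged in" test only runs when user_id is
// absent, so an unauthenticated request that names a user_id falls through.
function saveVulnerable(array $request, Session $s, array &$meta): string
{
    $userId = $request['user_id'] ?? '';
    if (empty($userId)) {
        if ($s->userId === null) {
            return 'denied';
        }
        $userId = $s->userId;
    }
    // Reached with an attacker-chosen target and no authentication at all.
    $meta[(int) $userId] = $request['meta'] ?? [];
    return 'saved:' . (int) $userId;
}

// Hardened shape: authenticate unconditionally, derive the target from the
// session unless the caller is allowed to edit others, and allow-list keys.
function saveHardened(array $request, Session $s, array &$meta): string
{
    if ($s->userId === null) {
        return 'denied';
    }
    $target = ($request['user_id'] ?? '') !== '' ? (int) $request['user_id'] : $s->userId;
    if ($target !== $s->userId && !$s->canEditUsers) {
        return 'denied';
    }
    // Never let the client pick arbitrary meta keys; role data lives in user meta too.
    $allowed = ['display_name', 'phone'];
    $clean = array_intersect_key($request['meta'] ?? [], array_flip($allowed));
    $meta[$target] = $clean;
    return 'saved:' . $target;
}

// Constructed request: an anonymous visitor targets user 1 and writes a
// role-bearing key, the privilege-escalation outcome the advisory names.
$req  = ['user_id' => '1', 'meta' => ['wp_capabilities' => ['administrator' => true]]];
$anon = new Session(null);

$metaV = [];
echo 'vulnerable, anonymous: ', saveVulnerable($req, $anon, $metaV), ' ', json_encode($metaV), PHP_EOL;
$metaH = [];
echo 'hardened, anonymous:   ', saveHardened($req, $anon, $metaH), PHP_EOL;

// A logged-in low-privilege user (id 7) trying the same write against user 1.
$low = new Session(7);
$metaH = [];
echo 'hardened, user 7:      ', saveHardened($req, $low, $metaH), PHP_EOL;
```

The point to take from the hardened version is ordering: authentication first and unconditionally, then authorization for the specific target, then validation of what may be written. Note that the nonce mentioned in the advisory would not have helped here even if checked, since it was handed to every visitor.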
CVE-2026-4025 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4025 :
WordPress vulnerability analysis and mitigation
The PrivateContent Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' shortcode attribute in the [pc-login-form] shortcode in all versions up to, and including, 1.2.0. This is due to insufficient input sanitization and output escaping on the 'align' attribute. Specifically, the attribute value flows from the shortcode through pc_login_form() to pc_static::form_align(), where it is directly concatenated into an HTML class attribute without esc_attr() or any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
CVE-2026-0811 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0811 :
WordPress vulnerability analysis and mitigation
The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the 'vsz_cf7_save_setting_callback' function. This makes it possible for unauthenticated attackers to delete form entries via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
Score 5.4
Severity MEDIUM
CNA Score 5.4
Published April 8, 2026
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.7
Exploitation Probability (
CVE-2026-4124 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4124 :
WordPress vulnerability analysis and mitigation
The Ziggeo plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1. The wp_ajax_ziggeo_ajax handler only verifies a nonce (check_ajax_referer) but performs no capability checks via current_user_can(). Furthermore, the nonce ('ziggeo_ajax_nonce') is exposed to all logged-in users on every page via the wp_head and admin_head hooks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke multiple administrative operations including: saving arbitrary translation strings (translations_panel_save_strings via update_option('ziggeo_translations')), creating/updating/deleting event templates (event_editor_save_template/update_template/re
CVE-2026-4065 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4065 :
WordPress vulnerability analysis and mitigation
The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple wp_ajax_smart-slider3 controller actions in all versions up to, and including, 3.5.1.33. The display_admin_ajax() method does not call checkForCap() (which requires unfiltered_html capability), and several controller actions only validate the nonce (validateToken()) without calling validatePermission(). This makes it possible for authenticated attackers, with Contributor-level access and above, to enumerate slider metadata and create, modify, and delete image storage records by obtaining the nextend_nonce exposed on post editor pages.
Source : NVD
Score 5.4
Severity MEDIUM
Published A
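The Ziggeo (CVE-2026-4124) and Smart Slider 3 (CVE-2026-4065) entries share one mistake: the handler treats a valid nonce as proof of authorization. A nonce is a CSRF token bound to the logged-in user, and both advisories note it is printed to every user who can load the page, so any Subscriber or Contributor holds one. The PHP below is an added example, not either plugin's code: nonces are modelled as a truncated HMAC over the action and user id, the same shape as WordPress nonces, and the User class, capability names and handler names are assumptions.

```php
<?php
// Added example, not code from the Ziggeo or Smart Slider 3 plugins. The
// User class, SERVER_SECRET and the handler names are hypothetical.

const SERVER_SECRET = 'constructed-demo-secret';

final class User
{
    public function __construct(public int $id, public array $caps) {}

    public function can(string $cap): bool
    {
        return in_array($cap, $this->caps, true);
    }
}

// Nonce = keyed hash over (action, user id). It proves the request came from
// a page the server rendered for this user; it says nothing about what the
// user is allowed to do.
function createNonce(string $action, User $u): string
{
    return substr(hash_hmac('sha256', $action . '|' . $u->id, SERVER_SECRET), 0, 10);
}

function verifyNonce(string $nonce, string $action, User $u): bool
{
    return hash_equals(createNonce($action, $u), $nonce);
}

// Vulnerable: CSRF token verified, authorization never consulted.
function saveTranslationsVulnerable(array $req, User $u, array &$options): string
{
    if (!verifyNonce($req['nonce'] ?? '', 'ziggeo_ajax', $u)) {
        return 'denied: bad nonce';
    }
    $options['translations'] = $req['strings'] ?? [];
    return 'saved';
}

// Hardened: the nonce guards against CSRF, the capability check decides
// whether this user may perform an administrative write. Both must pass.
function saveTranslationsHardened(array $req, User $u, array &$options): string
{
    if (!verifyNonce($req['nonce'] ?? '', 'ziggeo_ajax', $u)) {
        return 'denied: bad nonce';
    }
    if (!$u->can('manage_options')) {
        return 'denied: insufficient capability';
    }
    $options['translations'] = $req['strings'] ?? [];
    return 'saved';
}

// A Subscriber obtains a perfectly valid nonce by loading any page that
// prints it, then replays it against the handler. Request is constructed.
$subscriber = new User(42, ['read']);
$req = [
    'nonce'   => createNonce('ziggeo_ajax', $subscriber),
    'strings' => ['greeting' => '<script>alert(1)</script>'],
];

$opts = [];
echo 'vulnerable: ', saveTranslationsVulnerable($req, $subscriber, $opts), ' ', json_encode($opts), PHP_EOL;
$opts = [];
echo 'hardened:   ', saveTranslationsHardened($req, $subscriber, $opts), ' ', json_encode($opts), PHP_EOL;
```

Reviewing an admin-ajax handler, look for both checks side by side; a check_ajax_referer() or validateToken() call with no current_user_can() (or equivalent) next to it is the pattern both advisories describe.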
CVE-2026-4429 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4429 :
WordPress vulnerability analysis and mitigation
The OSM – OpenStreetMap plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_name' and 'file_color_list' shortcode attributes of the [osm_map_v3] shortcode in all versions up to and including 6.1.15. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Severity MEDIUM
CNA Score 6.4
Published April 9, 2026
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probab
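The stored XSS entries above (CVE-2026-4073, CVE-2026-4025 and CVE-2026-4429 for shortcode attributes concatenated into markup, CVE-2026-4336 for content run through html_entity_decode() before output) are the same bug seen from two sides: text that should be data reaches the page as markup. The PHP below is an added example, not code from any of those plugins. The renderer functions and the inputs are constructed; htmlspecialchars() with ENT_QUOTES stands in for WordPress's context-specific esc_attr()/esc_html(), and escaping the decoded FAQ text is a conservative stand-in for wp_kses_post(), which would instead keep an allow-list of safe tags.

```php
<?php
// Added example, not code from pdfl.io, PrivateContent, OSM or Ultimate FAQ
// Accordion. Function names and inputs are constructed for illustration.

// Escaper for text placed in element content or inside a double-quoted
// attribute. WordPress ships esc_html()/esc_attr() for the same purpose.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable: attacker-controlled attribute values dropped straight into a
// class attribute and into element content (the shortcode advisories).
function renderFormVulnerable(string $align, string $text): string
{
    return '<div class="pc-form ' . $align . '">' . $text . '</div>';
}

// Hardened: escape at the point of output, once, with the output context
// in mind. Escaping on input does not help if another path echoes raw.
function renderFormHardened(string $align, string $text): string
{
    return '<div class="pc-form ' . esc($align) . '">' . esc($text) . '</div>';
}

// The decode trap (Ultimate FAQ Accordion): content that was stored entity-
// encoded looks inert in the database, but html_entity_decode() turns it
// back into live markup right before it is echoed.
function renderFaqVulnerable(string $storedContent): string
{
    return '<div class="faq-answer">'
        . html_entity_decode($storedContent, ENT_QUOTES, 'UTF-8')
        . '</div>';
}

// If decoding is unavoidable, the decoded string is untrusted HTML and must
// still be filtered (wp_kses_post in WordPress) or, as here, escaped.
function renderFaqHardened(string $storedContent): string
{
    $decoded = html_entity_decode($storedContent, ENT_QUOTES, 'UTF-8');
    return '<div class="faq-answer">' . esc($decoded) . '</div>';
}

// Constructed inputs a Contributor or Author could supply: one breaks out
// of the attribute, one is raw markup, one is entity-encoded markup.
$align     = 'left" onmouseover="alert(1)';
$text      = '<img src=x onerror=alert(1)>';
$storedFaq = '&lt;script&gt;alert(1)&lt;/script&gt;';

echo renderFormVulnerable($align, $text), PHP_EOL;
echo renderFormHardened($align, $text), PHP_EOL;
echo renderFaqVulnerable($storedFaq), PHP_EOL;
echo renderFaqHardened($storedFaq), PHP_EOL;
```

Compare the four lines of output: the vulnerable renderers emit a live event handler and a live script tag, the hardened ones emit the same characters as inert text. The rule that generalises across all four advisories is escape late, escape for the context, and never apply a decoding step to stored content between sanitization and output.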
CVE-2026-5506 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-5506 :
WordPress vulnerability analysis and mitigation
wave
Source : NVD
Score 6.4
Severity MEDIUM
CNA Score 6.4
Published April 8, 2026
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries wavr
Sources NVD
## Related WordPress vulnerabilities:
| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2026-1830 | CRITICAL | 9.8 | WordPress | quick-playground | No | Yes | Apr 09, 2026 |
CVE-
Sources
https://plugins.trac.wordpress.org/browser/quick-playground/trunk/api.php#L39
https://plugins.trac.wordpress.org/browser/quick-playground/trunk/expro-api.php#L419
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3500839%40quick-playground&new=3500839%40quick-playground&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/308cd28a-a477-4bc6-a392-ad5a9eca1cb5?source=cve
Published 2026-04-09