Wordfence Intelligence Weekly WordPress Vulnerability Report (January 19, 2026 to January 25, 2026)

Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.

Last week, there were 215 vulnerabilities disclosed in 180 WordPress Plugins and 17 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 65 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 33,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• • • WAF-RULE-891 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Nabil Irawan	25
Phat RiO	24
João Pedro S Alcântara (Kinorth)	22
Skalucy	10
theviper17y	9
0x34rth	7
Legion Hunter	6
Muhammad Nur Ibnu Hubab (Ibnu)	6
daroo	6
0xd4rk5id3	5
type5afe	5
zaim	5
afnaan	5
Athiwat Tiprasaharn (Jitlada)	5
Sarawut Poolkhet (MisterHelloz)	4
NumeX	4
Jarno Vos (jarnovos)	3
benzdeus	3
Muhammad Yudha – DJ	3
Mdr	3
andrea bocchetti	3
Abdulsamad Yusuf (0xVenus)	3
Trương Hữu Phúc (truonghuuphuc)	2
Rapid0nion	2
Doan Dinh Van (DinhVan52)	2
Itthidej Aramsri (Boeing777)	2
WPscan	2
shark3y	2
Moose Love	2
Arkadiusz Hydzik	2
Kazuma Matsumoto	2
Dmitrii Ignatyev	2
Lior Yeshayahu	2
Webbernaut	1
Mohammad Amin Hajian (mamadrce)	1
Pouria Shahba (p0or1ya)	1
stealthcopter	1
Que Thanh Tuan	1
Balamurugan R	1
kr0d	1
MD ISMAIL	1
Williwollo (CybrX)	1
Mohamad Fattyr	1
Vilaysone CHANTHAVONG (0xJ0cKkY)	1
mikemyers	1
Md. Moniruzzaman Prodhan (NomanProdhan)	1
Ryan Kozak	1
johska	1
Waris Damkham	1
vgo0	1
Kai Aizen	1
Khaled Alenazi (Nxploited)	1
Osvaldo Noe Gonzalez Del Rio (Os)	1
ChamlaVic	1
Drew Webber (mcdruid)	1
Sergej Ljubojevic	1
Boris Bogosavac	1
Hector Ruiz Ruiz	1
MD. TAREQ AHAMED JONY (itztrq)	1
blue0x1	1
Paolo Tresso	1
knani alaaeddine (iwd)	1
wackydawg	1
Bonds	1
w41bu1	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

WordPress Themes with Reported Vulnerabilities Last Week

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Academy LMS – WordPress LMS Plugin for Complete eLearning Solution <= 3.5.0 – Unauthenticated Privilege Escalation via Account Takeover

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-15521

Patch Status
Patched

Published
Jan 20, 2026

Affected Software
Academy LMS – WordPress LMS Plugin for Complete eLearning Solution

Researcher

vgo0

More Details >

Advanced Custom Fields: Extended <= 0.9.2.1 – Unauthenticated Privilege Escalation via Insert User Form Action

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-14533

Patch Status
Patched

Published
Jan 19, 2026

Affected Software
Advanced Custom Fields: Extended

Researcher

andrea bocchetti

More Details >

Booking Activities <= 1.16.44 – Unauthenticated Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-67953

Patch Status
Patched

Published
Jan 20, 2026

Affected Software
Booking Activities

Researcher

daroo

More Details >

Directorist Social Login <= 2.1.1 – Unauthenticated Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2026-22337

Patch Status
Unpatched

Published
Jan 20, 2026

Affected Software
Directorist Social Login

Researcher

0xd4rk5id3

More Details >

Hydra Booking <= 1.1.32 – Unauthenticated Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-68027

Patch Status
Patched

Published
Jan 21, 2026

Affected Software
Hydra Booking — Appointment Scheduling & Booking Calendar

Researcher

daroo

More Details >

Kalrav AI Agent <= 2.3.3 – Unauthenticated Arbitrary File Upload via kalrav_upload_file AJAX Action

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-13374

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
Kalrav AI Agent

Researcher

Ryan Kozak

More Details >

LA-Studio Element Kit for Elementor <= 1.5.6.3 – Unauthenticated Privilege Escalation via Backdoor to Administrative User Creation via lakit_bkrole parameter

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2026-0920

Patch Status
Patched

Published
Jan 21, 2026

Affected Software
LA-Studio Element Kit for Elementor

Researchers

Athiwat Tiprasaharn (Jitlada)

Itthidej Aramsri (Boeing777)

Waris Damkham

More Details >

LazyTasks <= 1.4.01 – Unauthenticated Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-68869

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart

Researcher

0xd4rk5id3

More Details >

Movie Booking <= 1.1.5 – Unauthenticated Arbitrary File Deletion

9.1

CVSS Rating
Critical (9.1)

CVE-ID
CVE-2025-67963

Patch Status
Patched

Published
Jan 21, 2026

Affected Software
Movie Booking

Researcher

Phat RiO

More Details >

Beaver Builder <= 2.9.4.1 – Authenticated (Contributor+) Remote Code Execution

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-69319

Patch Status
Patched

Published
Jan 21, 2026

Affected Software
Beaver Builder Page Builder – Drag and Drop Website Builder

Researcher

Drew Webber (mcdruid)

More Details >

Creator LMS – The LMS for Creators, Coaches, and Trainers <= 1.1.12 – Missing Authorization to Authenticated (Contributor+) Arbitrary Options Update

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-15347

Patch Status
Patched

Published
Jan 20, 2026

Affected Software
Creator LMS – The LMS for Creators, Coaches, and Trainers

Researcher

Sarawut Poolkhet (MisterHelloz)

More Details >

Final User <= 1.2.5 – Authenticated (Subscriber+) Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-69293

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
Final User

Researcher

Phat RiO

More Details >

Hospital Doctor Directory <= 1.3.9 – Authenticated (Subscriber+) Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-69183

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
Hospital Doctor Directory

Researcher

Phat RiO

More Details >

Institutions Directory <= 1.3.4 – Authenticated (Subscriber+) Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-69182

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
Institutions Directory

Researcher

Phat RiO

More Details >

Lawyer Directory <= 1.3.3 – Authenticated (Subscriber+) Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-67966

Patch Status
Patched

Published
Jan 21, 2026

Affected Software
Lawyer Directory

Researcher

Phat RiO

More Details >

Melapress Role Editor <= 1.1.1 – Improper Authorization to Authenticated (Subscriber+) Privilege Escalation via Secondary Role Assignment

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-14866

Patch Status
Patched

Published
Jan 22, 2026

Affected Software
Melapress Role Editor

Researcher

Sarawut Poolkhet (MisterHelloz)

More Details >

Membership <= 1.6.4 – Authenticated (Subscriber+) Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-69292

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
WP Membership

Researcher

Phat RiO

More Details >

Real Homes CRM <= 1.0.0 – Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-67968

Patch Status
Patched

Published
Jan 21, 2026

Affected Software
RealHomes CRM

Researcher

wackydawg

More Details >

Xpro Elementor Addons <= 1.4.19.1 – Authenticated (Author+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-69312

Patch Status
Patched

Published
Jan 19, 2026

Affected Software
Xpro Addons — 140+ Widgets for Elementor

Researcher

Mdr

More Details >

AdForest <= 6.0.11 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-67946

Patch Status
Patched

Published
Jan 20, 2026

Affected Software
AdForest

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy <= 4.2.4 – Insecure Direct Object Reference to PayPal Account Takeover and Sensitive Information Disclosure

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-14977

Patch Status
Patched

Published
Jan 19, 2026

Affected Software
Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy

Researcher

shark3y

More Details >

EcoBlue <= 1.15 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2026-22338

Patch Status
Unpatched

Published
Jan 21, 2026

Affected Software
EcoBlue

Researcher

Bonds

More Details >

Listivo Core <= 2.3.77 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-67957

Patch Status
Patched

Published
Jan 21, 2026

Affected Software
Listivo Core

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

MyHome Core <= 4.1.0 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-67955

Patch Status
Patched

Published
Jan 21, 2026

Affected Software
MyHome Core

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Nexter Extension – Site Enhancements Toolkit <= 4.4.6 – Unauthenticated PHP Object Injection via ‘nxt_unserialize_replace’

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2026-0726

Patch Status
Patched

Published
Jan 20, 2026

Affected Software
Nexter Extension – Site Enhancements Toolkit

Researcher

Webbernaut

More Details >

PeakShops < 1.5.9 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-69322

Patch Status
Patched

Published
Jan 23, 2026

Affected Software
PeakShops – Modern & Multi-Concept WooCommerce Theme

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Werkstatt < 4.8.3 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-69314

Patch Status
Patched

Published
Jan 19, 2026

Affected Software
Werkstatt – Creative Portfolio WordPress Theme

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Administrative Shortcodes <= 0.3.4 – Authenticated (Contributor+) Local File Inclusion via ‘slug’ Shortcode Attribute

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2026-1257

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
Administrative Shortcodes

Researcher

zaim

More Details >

Coven Core <= 1.3 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-69295

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
Coven – Furniture Store WooCommerce Theme

Researcher

Phat RiO

More Details >

Directorist Booking <= 2.4.1 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2026-22336

Patch Status
Unpatched

Published
Jan 20, 2026

Affected Software
Booking (Reservation & Appointment)

Researcher

0xd4rk5id3

More Details >

Eventin <= 4.1.1 – Authenticated (Contributor+) PHP Object Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-68047

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
Eventin – Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered)

Researcher

w41bu1

More Details >

Hustle <= 7.8.9.2 – Authenticated (Subscriber+) Arbitrary File Upoload via Module Import

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2026-0911

Patch Status
Patched

Published
Jan 23, 2026

Affected Software
Hustle – Email Marketing, Lead Generation, Optins, Popups

Researcher

Williwollo (CybrX)

More Details >

Kentha Elementor Widgets < 3.1 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2026-24390

Patch Status
Patched

Published
Jan 24, 2026

Affected Software
Kentha Elementor Widgets

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Koko Analytics <= 2.1.2 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2026-22850

Patch Status
Patched

Published
Jan 20, 2026

Affected Software
Koko Analytics – Privacy+Friendly statistics for WordPress

Researcher

Hector Ruiz Ruiz

More Details >

MailerLite – WooCommerce integration <= 3.1.2 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-67945

Patch Status
Patched

Published
Jan 20, 2026

Affected Software
MailerLite – WooCommerce integration

Researcher

NumeX

More Details >

Omnipress <= 1.6.7 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2026-24538

Patch Status
Unpatched

Published
Jan 24, 2026

Affected Software
Omnipress

Researcher

theviper17y

More Details >

Paid Downloads <= 3.15 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-68857

Patch Status
Unpatched

Published
Jan 21, 2026

Affected Software
Paid Downloads

Researcher

Abdulsamad Yusuf (0xVenus)

More Details >

PeakShops <= 1.5.9 – Authenticated (Contributor+) PHP Object Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-69294

Patch Status
Patched

Published
Jan 23, 2026

Affected Software
PeakShops – Modern & Multi-Concept WooCommerce Theme

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Prowess <= 2.3 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2026-24531

Patch Status
Unpatched

Published
Jan 25, 2026

Affected Software
Prowess – Fitness and Gym WordPress Theme

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

BuddyPress <= 14.3.3 – Unauthenticated Arbitrary Shortcode Execution

7.3

CVSS Rating
High (7.3)

CVE-ID
CVE-2024-11976

Patch Status
Patched

Published
Jan 22, 2026

Affected Software
BuddyPress

Researcher

mikemyers

More Details >

AdForest Elementor <= 3.0.11 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-67947

Patch Status
Patched

Published
Jan 20, 2026

Affected Software
AdForest Elementor

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

amr cron manager <= 2.3 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-68848

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
amr cron manager

Researcher

Skalucy

More Details >

Dinatur <= 1.18 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-68866

Patch Status
Unpatched

Published
Jan 21, 2026

Affected Software
Dinatur

Researcher

Jarno Vos (jarnovos)

More Details >

Frontis Blocks <= 1.1.6 – Unauthenticated Server-Side Request Forgery via ‘url’ Parameter

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2026-0807

Patch Status
Patched

Published
Jan 23, 2026

Affected Software
Frontis Blocks — Block Library for the Block Editor

Researchers

Itthidej Aramsri (Boeing777)

Vilaysone CHANTHAVONG (0xJ0cKkY)

More Details >

Grand Tour < 5.6.2 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-67952

Patch Status
Patched

Published
Jan 20, 2026

Affected Software
Grand Tour | Travel Agency WordPress

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Homey Core <= 2.4.3 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-67964

Patch Status
Patched

Published
Jan 22, 2026

Affected Software
Homey Core

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Hostiko < 94.3.6 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-67949

Patch Status
Patched

Published
Jan 20, 2026

Affected Software
Hostiko – Hosting WordPress & WHMCS Theme

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

JobWP <= 2.4.5 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-69318

Patch Status
Patched

Published
Jan 21, 2026

Affected Software
JobWP – Job Board, Job Listing, Career Page and Recruitment Plugin

Researcher

daroo

More Details >

My auctions allegro <= 3.6.32 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-67943

Patch Status
Patched

Published
Jan 19, 2026

Affected Software
My auctions allegro

Researcher

Skalucy

More Details >

Nelio AB Testing <= 8.1.8 – Authenticated (Editor+) Remote Code Execution

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-67944

Patch Status
Patched

Published
Jan 20, 2026

Affected Software
Nelio A/B Testing – AB Tests and Heatmaps for Better Conversion Optimization

Researcher

daroo

More Details >

NotificationX <= 3.2.0 – Unauthenticated DOM-Based Cross-Site Scripting via ‘nx-preview’

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-15380

Patch Status
Patched

Published
Jan 20, 2026

Affected Software
NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar

Researcher

Dmitrii Ignatyev

More Details >

Poll, Survey & Quiz Maker Plugin by Opinion Stage < 19.6.25 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2019-25297

Patch Status
Patched

Published
Jan 19, 2026

Affected Software
Poll, Survey & Quiz Maker Plugin by Opinion Stage

Researcher

WPscan

More Details >

Poll, Survey & Quiz Maker Plugin by Opinion Stage < 19.6.25 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
Unknown

Patch Status
Patched

Published
Jan 19, 2026

Affected Software
Poll, Survey & Quiz Maker Plugin by Opinion Stage

Researcher

WPscan

More Details >

Radio Player <= 2.0.91 – Unauthenticated Server-Side Request Forgery

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2026-24548

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player

Researcher

Nabil Irawan

More Details >

User Submitted Posts – Enable Users to Submit Posts from the Front End <= 20251210 – Unauthenticated Stored Cross-Site Scripting via Custom Field

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2026-0800

Patch Status
Patched

Published
Jan 23, 2026

Affected Software
User Submitted Posts – Enable Users to Submit Posts from the Front End

Researcher

Balamurugan R

More Details >

WorkScout <= 4.1.07 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-67959

Patch Status
Patched

Published
Jan 21, 2026

Affected Software
WorkScout – Job Board WordPress Theme

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

WorkScout-Core <= 1.7.06 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-67960

Patch Status
Patched

Published
Jan 21, 2026

Affected Software
Workscout Core

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

All-in-One Video Gallery <= 4.6.4 – Missing Authorization to Unauthenticated Bunny Stream Video Creation/Deletion

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-14947

Patch Status
Patched

Published
Jan 22, 2026

Affected Software
All-in-One Video Gallery

Researcher

andrea bocchetti

More Details >

AppExperts <= 1.4.5 – Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-68881

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
APPExperts – Mobile App Builder for WordPress | WooCommerce to iOS and Android Apps

Researcher

Jarno Vos (jarnovos)

More Details >

Frontis Blocks <= 1.1.5 – Unauthenticated Server-Side Request Forgery

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-68030

Patch Status
Patched

Published
Jan 20, 2026

Affected Software
Frontis Blocks — Block Library for the Block Editor

Researcher

0xd4rk5id3

More Details >

Happy Addons for Elementor <= 3.20.4 – Authenticated (Contributor+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-68999

Patch Status
Patched

Published
Jan 23, 2026

Affected Software
Happy Addons for Elementor

Researcher

knani alaaeddine (iwd)

More Details >

Nelio Content <= 4.2.0 – Authenticated (Contributor+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2026-24572

Patch Status
Unpatched

Published
Jan 21, 2026

Affected Software
Nelio Content – Editorial Calendar & Social Media Auto-Posting

Researcher

Doan Dinh Van (DinhVan52)

More Details >

Traveler < 3.2.8 – Authenticated (Contributor+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2026-24367

Patch Status
Patched

Published
Jan 22, 2026

Affected Software
Travel Booking WordPress Theme

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Ultra Portfolio <= 6.7 – Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-69180

Patch Status
Unpatched

Published
Jan 21, 2026

Affected Software
Ultra Portfolio

Researcher

Phat RiO

More Details >

ABG Rich Pins <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2026-24558

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
ABG Rich Pins

Researcher

johska

More Details >

Administrative Shortcodes <= 0.3.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘login’ and ‘logout’ Shortcode Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2026-1099

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
Administrative Shortcodes

Researcher

zaim

More Details >

Alpha Blocks <= 1.5.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘alpha_block_css’ Post Meta

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14985

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
Alpha Blocks

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

ArtPlacer Widget <= 2.23.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2026-24555

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
ArtPlacer Widget

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Blockons <= 1.2.15 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2026-24550

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
Blockons – Gutenberg blocks for WordPress and WooCommerce websites

Researcher

theviper17y

More Details >

Canto Testimonials <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘fx’ Shortcode Attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2026-1095

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
Canto Testimonials

Researcher

theviper17y

More Details >

CM CSS Columns <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘tag’ Shortcode Attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2026-1098

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
CM CSS Columns

Researcher

theviper17y

More Details >

Enfold <= 7.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-68900

Patch Status
Unpatched

Published
Jan 20, 2026

Affected Software
enfold

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

FlatPM – Ad Manager, AdSense and Custom Code <= 3.2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Post Meta

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2026-0690

Patch Status
Patched

Published
Jan 20, 2026

Affected Software
FlatPM – Ad Manager, AdSense and Custom Code

Researcher

Muhammad Yudha – DJ

More Details >

GZSEO <= 2.0.11 – Authenticated (Contributor+) Authorization Bypass to Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14941

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
GZSEO

Researcher

Paolo Tresso

More Details >

Head Meta Data <= 20251118 – Authenticated (Contributor+) Stored Cross-Site Scripting via Post Meta

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2026-0608

Patch Status
Patched

Published
Jan 20, 2026

Affected Software
Head Meta Data

Researcher

Muhammad Yudha – DJ

More Details >

LeadBI Plugin for WordPress <= 1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘form_id’ Shortcode Attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2026-1189

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
LeadBI Plugin for WordPress

Researcher

theviper17y

More Details >

RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging <= 5.0.10 – Authenticated (Contributor+) Stored Cross-Site Scripting via wp-rss-aggregator Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14745

Patch Status
Patched

Published
Jan 22, 2026

Affected Software
RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging

Researcher

zaim

More Details >

Schema & Structured Data for WP & AMP <= 1.54 – Authenticated (Contributor+) Stored Cross-Site Scripting via User Custom Schema

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14069

Patch Status
Patched

Published
Jan 22, 2026

Affected Software
Schema & Structured Data for WP & AMP

Researcher

type5afe

More Details >

ThemeRuby Multi Authors <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘before’ and ‘after’ Shortcode Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2026-1097

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
ThemeRuby Multi Authors – Assign Multiple Writers to Posts

Researcher

zaim

More Details >

Tutor LMS BunnyNet Integration <= 1.0.0 – Authenticated (Tutor instructor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2026-24584

Patch Status
Unpatched

Published
Jan 19, 2026

Affected Software
Tutor LMS BunnyNet Integration

Researcher

Nabil Irawan

More Details >

Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin <= 6.10.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-15522

Patch Status
Patched

Published
Jan 22, 2026

Affected Software
Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin

Researcher

zaim

More Details >

UX Flat <= 5.4.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2026-24576

Patch Status
Unpatched

Published
Jan 20, 2026

Affected Software
UX Flat

Researcher

theviper17y

More Details >

VK Google Job Posting Manager <= 1.2.20 – Authenticated (Author+) Stored Cross-Site Scripting via Job Description Field

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-12836

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
VK Google Job Posting Manager

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

WP DSGVO Tools (GDPR) <= 3.1.36 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘lw_content_block’ Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2026-0914

Patch Status
Patched

Published
Jan 22, 2026

Affected Software
WP DSGVO Tools (GDPR)

Researcher

Muhammad Yudha – DJ

More Details >

WPO365 <= 40.0 – Authenticated (Subscriber+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-67961

Patch Status
Patched

Published
Jan 21, 2026

Affected Software
WPO365 | SEAMLESS WORDPRESS + MICROSOFT INTEGRATION (WPO365 | LOGIN)

Researcher

Phat RiO

More Details >

CarSpot < 2.4.6 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-69317

Patch Status
Patched

Published
Jan 20, 2026

Affected Software
CarSpot – Dealership WordPress Classified Theme

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Craft <= 2.3.6 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-68538

Patch Status
Patched

Published
Jan 20, 2026

Affected Software
Craft | Coffee Shop Cafe Restaurant WordPress

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

DotLife < 4.9.5 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-68520

Patch Status
Patched

Published
Jan 20, 2026

Affected Software
DotLife | Coaching Online Courses WordPress

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Easy Theme Options <= 1.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-68839

Patch Status
Unpatched

Published
Jan 20, 2026

Affected Software
Easy Theme Options

Researcher

Skalucy

More Details >

Grand Magazine <= 3.5.7 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-69320

Patch Status
Patched

Published
Jan 22, 2026

Affected Software
Grand Magazine | Blog WordPress

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Grand Spa <= 3.5.5 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-69321

Patch Status
Patched

Published
Jan 22, 2026

Affected Software
Grand Spa | Massage Salon WordPress

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Hoteller < 6.8.9 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-68518

Patch Status
Patched

Published
Jan 20, 2026

Affected Software
Hoteller Booking WordPress

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

iRobots.txt SEO <= 1.1.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-68840

Patch Status
Unpatched

Published
Jan 20, 2026

Affected Software
iRobots.txt SEO

Researcher

Skalucy

More Details >

JustClick registration plugin <= 0.1 – Reflected Cross-Site Scripting via PHP_SELF

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-13676

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
JustClick registration plugin

Researcher

Abdulsamad Yusuf (0xVenus)

More Details >

MemberPress Discord Addon <= 1.1.4 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-68838

Patch Status
Unpatched

Published
Jan 20, 2026

Affected Software
ExpressTechSoftwares Addon for MemberPress and Discord

Researcher

Skalucy

More Details >

My Post Order <= 1.2.1.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-68004

Patch Status
Unpatched

Published
Jan 19, 2026

Affected Software
My Post Order

Researcher

Skalucy

More Details >

Ravpage <= 2.33 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-68835

Patch Status
Unpatched

Published
Jan 20, 2026

Affected Software
ravpage

Researcher

Skalucy

More Details >

Save as PDF Plugin by PDFCrowd <= 4.5.5 – Reflected Cross-Site Scripting via options

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2026-0862

Patch Status
Patched

Published
Jan 24, 2026

Affected Software
Save as PDF Plugin by PDFCrowd

Researcher

Arkadiusz Hydzik

More Details >

ShoutOut <= 4.0.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-68894

Patch Status
Unpatched

Published
Jan 19, 2026

Affected Software
ShoutOut

Researcher

Skalucy

More Details >

Table of Contents Creator <= 1.6.4.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-68836

Patch Status
Unpatched

Published
Jan 19, 2026

Affected Software
Table of Contents Creator

Researcher

Skalucy

More Details >

TableOn <= 1.0.4.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-69316

Patch Status
Patched

Published
Jan 20, 2026

Affected Software
TableOn – WordPress Posts Table Filterable 

Researcher

Skalucy

More Details >

Timeline Event History <= 3.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2026-1127

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
Timeline Event History

Researcher

Arkadiusz Hydzik

More Details >

wpCAS <= 1.07 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-68858

Patch Status
Unpatched

Published
Jan 20, 2026

Affected Software
wpCAS

Researcher

Abdulsamad Yusuf (0xVenus)

More Details >

AIKTP <= 5.0.04 – Missing Authorization to Authenticated (Subscriber+) Multiple Administrator Actions

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2026-1103

Patch Status
Patched

Published
Jan 23, 2026

Affected Software
AIKTP

Researcher

Osvaldo Noe Gonzalez Del Rio (Os)

More Details >

Image Photo Gallery Final Tiles Grid <= 3.6.9 – Missing Authorization to Authenticated (Contributor+) Arbitrary Gallery Management

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-15466

Patch Status
Patched

Published
Jan 19, 2026

Affected Software
Image Photo Gallery Final Tiles Grid

Researchers

Mohammad Amin Hajian (mamadrce)

Pouria Shahba (p0or1ya)

More Details >

Same Category Posts <= 1.1.19 – Authenticated (Author+) Stored Cross-Site Scripting via Widget Title Placeholder

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-14797

Patch Status
Patched

Published
Jan 23, 2026

Affected Software
Same Category Posts

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Textmetrics <= 3.6.3 – Authenticated (Subscriber+) Arbitrary Shortcode Execution

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2026-24564

Patch Status
Unpatched

Published
Jan 21, 2026

Affected Software
Textmetrics

Researcher

theviper17y

More Details >

The Events Calendar <= 6.15.13 – Missing Authorization to Authenticated (Subscriber+) Data Migration Control

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-15043

Patch Status
Patched

Published
Jan 20, 2026

Affected Software
The Events Calendar

Researcher

type5afe

More Details >

Tutor LMS – eLearning and online course solution <= 3.9.4 – Missing Authorization to Authenticated (Subscriber+) Limited Attachment Deletion

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2026-0548

Patch Status
Patched

Published
Jan 20, 2026

Affected Software
Tutor LMS – eLearning and online course solution

Researcher

type5afe

More Details >

Alchemist Ajax Upload <= 1.1 – Missing Authorization to Unauthenticated Arbitrary Media File Deletion

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14629

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
Alchemist Ajax Upload

Researcher

ChamlaVic

More Details >

BackItUp <= 2.1.0 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68039

Patch Status
Unpatched

Published
Jan 21, 2026

Affected Software
WP BackItUp Community Edition

Researcher

Legion Hunter

More Details >

Contact Form 7 GetResponse Extension <= 1.0.8 – Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2026-24557

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
Contact Form 7 GetResponse Extension

Researcher

Nabil Irawan

More Details >

Custom Fonts – Host Your Fonts Locally <= 2.1.16 – Missing Authorization to Unauthenticated Font Deletion

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14351

Patch Status
Patched

Published
Jan 19, 2026

Affected Software
Custom Fonts – Host Your Fonts Locally

Researcher

type5afe

More Details >

Download After Email <= 2.1.9 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2026-24541

Patch Status
Unpatched

Published
Jan 24, 2026

Affected Software
Download After Email – Subscribe & Download Form Plugin

Researcher

Nabil Irawan

More Details >

Easy Property Listings <= 3.5.17 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68072

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
Easy Property Listings

Researcher

daroo

More Details >

ElementCamp <= 2.3.2 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2026-24556

Patch Status
Patched

Published
Jan 22, 2026

Affected Software
ElementCamp

Researcher

Nabil Irawan

More Details >

Final User <= 1.2.5 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-69187

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
Final User

Researcher

Phat RiO

More Details >

Fitness Trainer <= 1.7.1 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-69188

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
Fitness Trainer- Training Membership Plugin

Researcher

Phat RiO

More Details >

Hospital Doctor Directory <= 1.3.9 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-69186

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
Hospital Doctor Directory

Researcher

Phat RiO

More Details >

Hotel Listing <= 1.4.2 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-69185

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
Hotel Listings

Researcher

Phat RiO

More Details >

Institutions Directory <= 1.3.4 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-69184

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
Institutions Directory

Researcher

Phat RiO

More Details >

JobBank <= 1.2.3 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-69189

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
JobBank – WordPress Job manager plugin

Researcher

Phat RiO

More Details >

KiviCare – Clinic & Patient Management System (EHR) <= 3.6.15 – Missing Authorization to Unauthenticated Limited Arbitrary File Upload

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2026-0927

Patch Status
Patched

Published
Jan 22, 2026

Affected Software
KiviCare – Clinic & Patient Management System (EHR)

Researcher

Sarawut Poolkhet (MisterHelloz)

More Details >

Lawyer Directory <= 1.3.4 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-69181

Patch Status
Patched

Published
Jan 22, 2026

Affected Software
Lawyer Directory

Researcher

Phat RiO

More Details >

LearnPress – WordPress LMS Plugin <= 4.3.2.4 – Missing Authorization to Unauthenticated Sensitive User Information Disclosure via REST API

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14798

Patch Status
Patched

Published
Jan 19, 2026

Affected Software
LearnPress – WordPress LMS Plugin for Create and Sell Online Courses

Researcher

andrea bocchetti

More Details >

Listihub <= 1.0.6 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-69190

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
Listihub – Directory Listing WordPress Theme

Researcher

Phat RiO

More Details >

ListingHub <= 1.2.7 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-69191

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
ListingHub

Researcher

Phat RiO

More Details >

Membership <= 1.6.4 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-69193

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
WP Membership

Researcher

Phat RiO

More Details >

Order Listener for WooCommerce <= 3.6.1 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68018

Patch Status
Unpatched

Published
Jan 19, 2026

Affected Software
Order Notification for WooCommerce – Get Audio Alert on new Orders

Researcher

NumeX

More Details >

PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) <= 1.119.8 – Missing Authorization to Unauthenticated Order Status Modification

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14978

Patch Status
Patched

Published
Jan 19, 2026

Affected Software
PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net)

Researcher

Md. Moniruzzaman Prodhan (NomanProdhan)

More Details >

Photo Gallery by 10Web – Mobile-Friendly Image Gallery <= 1.8.36 – Missing Authorization to Unauthenticated Arbitrary Comment Deletion

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2026-1036

Patch Status
Patched

Published
Jan 21, 2026

Affected Software
Photo Gallery by 10Web – Mobile-Friendly Image Gallery

Researcher

Moose Love

More Details >

Pie Register <= 3.8.4.7 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2026-24577

Patch Status
Unpatched

Published
Jan 20, 2026

Affected Software
Pie Register – User Registration, Profiles & Content Restriction

Researcher

Mdr

More Details >

PostX <= 5.0.3 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-69313

Patch Status
Patched

Published
Jan 19, 2026

Affected Software
Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX

Researcher

MD ISMAIL

More Details >

Protección de datos – RGPD <= 0.68 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2026-24539

Patch Status
Patched

Published
Jan 24, 2026

Affected Software
Protección de datos – RGPD

Researcher

Nabil Irawan

More Details >

Real Estate Pro <= 2.1.5 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-69192

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
Real Estate Pro – WordPress Plugin

Researcher

Phat RiO

More Details >

Ryviu – Product Reviews for WooCommerce <= 3.1.26 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2026-24562

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
Ryviu – Product Reviews for WooCommerce

Researcher

Legion Hunter

More Details >

Scalenut <= 1.1.3 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68882

Patch Status
Unpatched

Published
Jan 20, 2026

Affected Software
Scalenut

Researcher

NumeX

More Details >

SEO Booster <= 6.1.8 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68019

Patch Status
Unpatched

Published
Jan 19, 2026

Affected Software
SEO Booster

Researcher

Legion Hunter

More Details >

Simply Schedule Appointments <= 1.6.9.15 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-69315

Patch Status
Patched

Published
Jan 20, 2026

Affected Software
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

Researcher

benzdeus

More Details >

SumUp Payment Gateway For WooCommerce <= 2.7.9 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2026-24583

Patch Status
Unpatched

Published
Jan 19, 2026

Affected Software
SumUp Payment Gateway For WooCommerce

Researcher

Legion Hunter

More Details >

Tabby Checkout <= 5.8.4 – Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68035

Patch Status
Patched

Published
Jan 21, 2026

Affected Software
Tabby Checkout

Researcher

benzdeus

More Details >

TaxCloud for WooCommerce <= 8.3.8 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-67958

Patch Status
Patched

Published
Jan 21, 2026

Affected Software
TaxCloud for WooCommerce

Researcher

Legion Hunter

More Details >

Travel <= 11.1.0 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2026-24568

Patch Status
Unpatched

Published
Jan 21, 2026

Affected Software
WP Travel – Ultimate Travel Booking System, Tour Management Engine

Researcher

Nabil Irawan

More Details >

UPI QR Code Payment Gateway for WooCommerce <= 1.5.1 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-67969

Patch Status
Patched

Published
Jan 23, 2026

Affected Software
UPI QR Code Payment Gateway for WooCommerce

Researcher

NumeX

More Details >

User Registration <= 4.4.6 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-67956

Patch Status
Patched

Published
Jan 21, 2026

Affected Software
User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin

Researcher

Mdr

More Details >

WANotifier <= 2.7.12 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68020

Patch Status
Unpatched

Published
Jan 20, 2026

Affected Software
Send Notifications from Woocommerce, Form Plugins and More!

Researcher

Legion Hunter

More Details >

Webpushr <= 4.38.0 – Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2026-24536

Patch Status
Unpatched

Published
Jan 25, 2026

Affected Software
Web Push Notifications – Webpushr

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

weMail <= 2.0.7 – Insufficient Authorization via x-wemail-user Header to Sensitive Information Disclosure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14348

Patch Status
Patched

Published
Jan 19, 2026

Affected Software
weMail – Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation

Researcher

shark3y

More Details >

Wise Analytics <= 1.1.9 – Missing Authorization to Unauthenticated Arbitrary Analytics Database Disclosure via ‘name’ Parameter

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14609

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
Wise Analytics

Researcher

Lior Yeshayahu

More Details >

Wizit Gateway for WooCommerce <= 1.2.9 – Missing Authentication to Unauthenticated Arbitrary Order Cancellation

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14843

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
Wizit Gateway for WooCommerce

Researcher

MD. TAREQ AHAMED JONY (itztrq)

More Details >

WP Directory Kit <= 1.4.9 – Unauthenticated Email Exposure via wdk_public_action

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-13920

Patch Status
Patched

Published
Jan 23, 2026

Affected Software
WP Directory Kit

Researcher

Sarawut Poolkhet (MisterHelloz)

More Details >

WP Go Maps (formerly WP Google Maps) <= 10.0.04 – Missing Authorization to Authenticated (Subscriber+) Map Engine Setting Modification

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2026-0593

Patch Status
Patched

Published
Jan 24, 2026

Affected Software
WP Go Maps (formerly WP Google Maps)

Researcher

Moose Love

More Details >

WP-ClanWars <= 2.0.1 – Authenticated (Administrator+) SQL Injection via ‘orderby’ Parameter

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2026-0806

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
WP-ClanWars

Researcher

0x34rth

More Details >

Cookie consent for developers <= 1.7.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via Multiple Settings Fields

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2026-1084

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
Cookie consent for developers

Researcher

0x34rth

More Details >

JavaScript Notifier <= 1.2.8 – Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2026-1191

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
JavaScript Notifier

Researcher

0x34rth

More Details >

Meta-box GalleryMeta <= 3.0.1 – Authenticated (Editor+) Stored Cross-Site Scripting via Image Caption

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2026-1302

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
Meta-box GalleryMeta

Researcher

Kazuma Matsumoto

More Details >

Postalicious <= 3.0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2026-1266

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
Postalicious

Researcher

0x34rth

More Details >

Responsive Header Plugin <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via Settings Parameters

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2026-1300

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
Responsive Header Plugin

Researcher

0x34rth

More Details >

Viet contact <= 1.3.2 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘ll1’, ‘ll2’, ‘ll3’, and ‘ll4’ Parameters

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2026-1045

Patch Status
Unpatched

Published
Jan 19, 2026

Affected Software
Viet contact

Researcher

0x34rth

More Details >

WP Hello Bar <= 1.02 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘digit_one’ and ‘digit_two’ Parameters

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2026-1042

Patch Status
Unpatched

Published
Jan 19, 2026

Affected Software
WP Hello Bar

Researcher

0x34rth

More Details >

Admin login URL Change <= 1.1.5 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-24578

Patch Status
Unpatched

Published
Jan 20, 2026

Affected Software
Admin login URL Change

Researcher

Mohamad Fattyr

More Details >

AdminQuickbar <= 1.9.3 – Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14630

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
AdminQuickbar

Researcher

Lior Yeshayahu

More Details >

Ai Image Alt Text Generator for WP <= 1.1.9 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-24579

Patch Status
Unpatched

Published
Jan 20, 2026

Affected Software
Ai Image Alt Text Generator for WP

Researcher

Nabil Irawan

More Details >

Alex User Counter <= 6.0 – Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-1070

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
Alex User Counter

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

All-in-One Video Gallery 4.1.0 – 4.6.4 – Missing Authorization to Authenticated (Subscriber+) Limited User Meta Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-15516

Patch Status
Patched

Published
Jan 23, 2026

Affected Software
All-in-One Video Gallery

Researcher

kr0d

More Details >

Anything Order by Terms <= 1.4.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-24567

Patch Status
Unpatched

Published
Jan 21, 2026

Affected Software
Anything Order by Terms

Researcher

Nabil Irawan

More Details >

Automatic Featured Images from Videos <= 1.2.7 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-24535

Patch Status
Patched

Published
Jan 25, 2026

Affected Software
Automatic Featured Images from Videos

Researcher

Nabil Irawan

More Details >

B Accordion <= 2.0.0 – Authenticated (Contributor+) Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-24565

Patch Status
Unpatched

Published
Jan 21, 2026

Affected Software
Accordion – Add Horizontal / Vertical Accordion in WP

Researcher

theviper17y

More Details >

Bookingor <= 1.0.12 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-12573

Patch Status
Unpatched

Published
Jan 20, 2026

Affected Software
Bookingor – Booking System for Appointment Calendar, Meeting Scheduler & WooCommerce Bookings

Researcher

Khaled Alenazi (Nxploited)

More Details >

Booter <= 1.5.7 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-24534

Patch Status
Unpatched

Published
Jan 25, 2026

Affected Software
Booter – Bots & Crawlers Manager

Researcher

Nabil Irawan

More Details >

BOX NOW Delivery <= 3.0.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-24571

Patch Status
Unpatched

Published
Jan 21, 2026

Affected Software
BOX NOW Delivery

Researcher

Nabil Irawan

More Details >

Broadstreet Ads <= 1.52.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-69311

Patch Status
Patched

Published
Jan 19, 2026

Affected Software
Broadstreet

Researcher

Que Thanh Tuan

More Details >

Cloudinary <= 3.3.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-24560

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
Cloudinary – Deliver Images and Videos at Scale

Researcher

Nabil Irawan

More Details >

Contact Form & Lead Form Elementor Builder <= 2.0.1 – Authenticated (Subscriber+) Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68046

Patch Status
Unpatched

Published
Jan 20, 2026

Affected Software
Responsive Contact Form Builder & Lead Generation Plugin

Researcher

benzdeus

More Details >

CubeWP – All-in-One Dynamic Content Framework <= 1.1.27 – Unauthenticated Post Disclosure in class-cubewp-search-ajax-hooks.php

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-6461

Patch Status
Patched

Published
Jan 24, 2026

Affected Software
CubeWP Framework

Researcher

stealthcopter

More Details >

Ecwid Shopping Cart <= 7.0.5 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-24580

Patch Status
Unpatched

Published
Jan 19, 2026

Affected Software
Ecwid by Lightspeed Ecommerce Shopping Cart

Researcher

Rapid0nion

More Details >

Edwiser Bridge <= 4.3.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-24570

Patch Status
Unpatched

Published
Jan 21, 2026

Affected Software
Edwiser Bridge – WordPress Moodle Integration

Researcher

Nabil Irawan

More Details >

FluentBoards <= 1.91.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-24561

Patch Status
Patched

Published
Jan 22, 2026

Affected Software
FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration

Researcher

Nabil Irawan

More Details >

Fraud Prevention For Woocommerce <= 2.3.1 – Authenticated (Subscriber+) Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-24553

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
Fraud Prevention For WooCommerce and EDD

Researcher

Jarno Vos (jarnovos)

More Details >

Friendly Functions for Welcart <= 1.2.5 – Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-1208

Patch Status
Patched

Published
Jan 23, 2026

Affected Software
Friendly Functions for Welcart

Researcher

Kai Aizen

More Details >

GDPR CCPA Compliance Support <= 2.7.4 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68073

Patch Status
Patched

Published
Jan 19, 2026

Affected Software
GDPR CCPA Compliance & Cookie Consent Banner

Researcher

Nabil Irawan

More Details >

GeoDirectory <= 2.8.149 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-24549

Patch Status
Patched

Published
Jan 23, 2026

Affected Software
GeoDirectory – WP Business Directory Plugin and Classified Listings Directory

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

HD Quiz <= 2.0.9 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-24544

Patch Status
Unpatched

Published
Jan 24, 2026

Affected Software
HD Quiz

Researcher

Nabil Irawan

More Details >

Hospital Doctor Directory <= 1.3.9 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68057

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
Hospital Doctor Directory

Researcher

Phat RiO

More Details >

Hotel Listing <= 1.4.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68059

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
Hotel Listings

Researcher

Phat RiO

More Details >

iNET Webkit <= 1.2.4 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-24566

Patch Status
Unpatched

Published
Jan 21, 2026

Affected Software
iNET Webkit

Researcher

theviper17y

More Details >

Institutions Directory <= 1.3..4 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68058

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
Institutions Directory

Researcher

Phat RiO

More Details >

Integrate Google Drive <= 1.5.6 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-24540

Patch Status
Unpatched

Published
Jan 24, 2026

Affected Software
File Manager for Google Drive – Integrate Google Drive

Researcher

Nabil Irawan

More Details >

Integration for Contact Form 7 HubSpot <= 1.4.3 – Authenticated (Subscriber+) Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-24559

Patch Status
Patched

Published
Jan 22, 2026

Affected Software
Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms

Researcher

Nabil Irawan

More Details >

Job Portal <= 2.4.3 – Authenticated (Subscriber+) Insecure Direct Object Reference

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-24379

Patch Status
Patched

Published
Jan 24, 2026

Affected Software
WP Job Portal – AI-Powered Recruitment System for Company or Job Board website

Researcher

Nabil Irawan

More Details >

Lawyer Directory <= 1.3.3 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-67967

Patch Status
Patched

Published
Jan 22, 2026

Affected Software
Lawyer Directory

Researcher

Phat RiO

More Details >

LifePress <= 2.2.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-24563

Patch Status
Unpatched

Published
Jan 22, 2026

Affected Software
LifePress

Researcher

Doan Dinh Van (DinhVan52)

More Details >

Login Page Editor <= 1.2 – Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-1088

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
Login Page Editor

Researcher

afnaan

More Details >

Materialis Companion <= 1.3.52 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-24543

Patch Status
Unpatched

Published
Jan 24, 2026

Affected Software
Materialis Companion

Researcher

Nabil Irawan

More Details >

Media Library File Size <= 1.6.7 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-24569

Patch Status
Patched

Published
Jan 21, 2026

Affected Software
Media Library File Size

Researcher

Nabil Irawan

More Details >

Meta-box GalleryMeta <= 3.0.1 – Missing Authorization to Authenticated (Author+) Gallery Management

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-0687

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
Meta-box GalleryMeta

Researcher

Kazuma Matsumoto

More Details >

Moderate Selected Posts <= 1.4 – Cross-Site Request Forgery to Plugin Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14907

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
Moderate Selected Posts

Researcher

afnaan

More Details >

Monetag Official <= 1.1.3 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-24551

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
Monetag Official Plugin

Researcher

Nabil Irawan

More Details >

Newsletter – Send awesome emails from WordPress <= 9.1.0 – Cross-Site Request Forgery to Newsletter Unsubscription

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-1051

Patch Status
Patched

Published
Jan 19, 2026

Affected Software
Newsletter – Send awesome emails from WordPress

Researchers

Sergej Ljubojevic

Boris Bogosavac

More Details >

NotificationX <= 3.1.11 – Missing Authorization to Authenticated (Contributor+) Analytics Reset

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-0554

Patch Status
Patched

Published
Jan 20, 2026

Affected Software
NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar

Researcher

Dmitrii Ignatyev

More Details >

Points and Rewards for WooCommerce <= 2.9.5 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-24581

Patch Status
Patched

Published
Jan 19, 2026

Affected Software
Points and Rewards for WooCommerce – Create Loyalty Programs, Reward Customer Purchases, User Badges, Gamification

Researcher

Rapid0nion

More Details >

Set Bulk Post Categories <= 1.1 – Cross-Site Request Forgery to Bulk Post Category Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-1081

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
Set Bulk Post Categories

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

Simple Crypto Shortcodes <= 1.0.2 – Cross-Site Request Forgery to Plugin Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14903

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
Simple Crypto Shortcodes

Researcher

afnaan

More Details >

SiteLock Security <= 5.0.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-24532

Patch Status
Unpatched

Published
Jan 25, 2026

Affected Software
SiteLock Security – WP Hardening, Login Security & Malware Scans

Researcher

Nabil Irawan

More Details >

Star Review Manager <= 1.2.2 – Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-1076

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
Star Review Manager

Researcher

afnaan

More Details >

SurveyJS: Drag & Drop WordPress Form Builder <= 1.12.20 – Cross-Site Request Forgery to Survey Creation

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13139

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
SurveyJS: Drag & Drop Form Builder

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity <= 1.12.20 – Cross-Site Request Forgery to Survey Cloning

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13205

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
SurveyJS: Drag & Drop Form Builder

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity <= 1.12.20 – Cross-Site Request Forgery to Survey Renaming

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13194

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
SurveyJS: Drag & Drop Form Builder

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

Term Order <= 2.1.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-24542

Patch Status
Unpatched

Published
Jan 24, 2026

Affected Software
WP Term Order

Researcher

Nabil Irawan

More Details >

weDocs <= 2.1.16 – Missing Authorization to Authenticated (Subscriber+) Documentation Post Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13921

Patch Status
Patched

Published
Jan 22, 2026

Affected Software
weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot

Researcher

blue0x1

More Details >

WishList Member X <= 3.29.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-24575

Patch Status
Unpatched

Published
Jan 20, 2026

Affected Software
Wishlist Member

Researcher

0xd4rk5id3

More Details >

WP Youtube Video Gallery <= 1.0 – Cross-Site Request Forgery to Plugin Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14906

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
WP Youtube Video Gallery

Researcher

afnaan

More Details >

ZT Captcha <= 1.0.4 – Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-1075

Patch Status
Unpatched

Published
Jan 23, 2026

Affected Software
ZT Captcha

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor <= 4.1.0 – Unauthenticated Form Submission Exposure via Forgeable Cookie Value

3.7

CVSS Rating
Low (3.7)

CVE-ID
CVE-2026-0633

Patch Status
Patched

Published
Jan 23, 2026

Affected Software
MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor

Researcher

type5afe

More Details >

Salon booking system <= 10.30.3 – Authenticated (Subscriber+) Information Exposure

3.1

CVSS Rating
Low (3.1)

CVE-ID
CVE-2025-67954

Patch Status
Patched

Published
Jan 21, 2026

Affected Software
Salon Booking System – Free Version

Researcher

daroo

More Details >