Wordfence Intelligence Weekly WordPress Vulnerability Report (January 5, 2026 to January 11, 2026)

Did you know Wordfence runs a Bug Bounty Program for all WordPress plugin and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability, for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.

Last week, there were 264 vulnerabilities disclosed in 214 WordPress Plugins and 31 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 78 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 32,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• • • WAF-RULE-885 – Data redacted while we work with the vendor on a patch.
    • WAF-RULE-886 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
João Pedro S Alcântara (Kinorth)	24
Tran Nguyen Bao Khanh	21
Nabil Irawan	13
Legion Hunter	12
Athiwat Tiprasaharn (Jitlada)	11
Gilang – DJ	9
Muhammad Yudha – DJ	9
Abdulsamad Yusuf (0xVenus)	9
Itthidej Aramsri (Boeing777)	9
zakaria	8
Supakiad S. (m3ez)	7
Dmitrii Ignatyev	7
andrea bocchetti	6
Md. Moniruzzaman Prodhan (NomanProdhan)	6
Rafie Muhammad	6
Bonds	6
theviper17y	6
0x34rth	5
Powpy	5
daroo	5
afnaan	4
Drew Webber (mcdruid)	4
shark3y	4
Sopon Tangpathum (SoNaJaa)	4
Waris Damkham	4
type5afe	3
Phat RiO – BlueRock	3
dayea song	3
NumeX	3
Muhammad Nur Ibnu Hubab (Ibnu)	3
ChamlaVic	2
Abu Hurayra (HurayraIIT)	2
thinnawarth mathuros	2
Paolo Tresso	2
zaim	2
MD ISMAIL	2
Rahul Sreenivasan (Tr0j4n)	2
Sarawut Poolkhet (MisterHelloz)	2
Webbernaut	2
Skalucy	2
DityaRA	2
Ivan Cese	1
Ryan Novotny	1
Bao – BlueRock	1
0N0ise	1
Filippo Decortes	1
tmrswrr	1
Mrreee	1
Kai Aizen	1
Peerapat Samatathanyakorn	1
ifoundbug	1
Krissaphat Jankaew	1
Jack Taylor	1
Kannika Khongpan	1
Teerachai Somprasong	1
Nguyen C	1
omer yeshayahu	1
bxdman	1
Deniz Mert (dennywise)	1
Arif Shaikh	1
theviper17	1
Lucas Montes (NiRoX)	1
Muhamad Visat	1
kr0d	1
Tharadol Suksamran	1
Kishan Vyas	1
mahdi salhi (CaptinSharky01)	1
0xd4rk5id3	1
fallenofalbaz	1
SangNQ29	1
Brizzle	1
greenhats	1
Edisc1	1
Sergej Ljubojevic	1
Bhayanak Atma	1
Marcin Dudek (dudekmar)	1
Abdualrhman Muzamil	1
ZAST.AI	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

WordPress Themes with Reported Vulnerabilities Last Week

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

AS Password Field In Default Registration Form <= 2.0.0 – Unauthenticated Privilege Escalation via Account Takeover

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-14996

Patch Status
Unpatched

Published
Jan 5, 2026

Affected Software
AS Password Field In Default Registration Form

Researcher

Drew Webber (mcdruid)

More Details >

Frontend Admin by DynamiApps <= 3.28.25 – Unauthenticated Privilege Escalation to Administrator via Role Form Field

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-14736

Patch Status
Patched

Published
Jan 8, 2026

Affected Software
Frontend Admin by DynamiApps

Researcher

andrea bocchetti

More Details >

FS Registration Password <= 1.0.1 – Unauthenticated Privilege Escalation via Account Takeover

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-15001

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
FS Registration Password

Researcher

Drew Webber (mcdruid)

More Details >

Optional Email <= 1.3.11 – Unauthenticated Privilege Escalation to Account Takeover

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-15018

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Optional Email

Researcher

Drew Webber (mcdruid)

More Details >

Frontend Admin by DynamiApps <= 3.28.25 – Missing Authorization to Unauthenticated Arbitrary Data Deletion via ‘delete post’ Form Element

9.1

CVSS Rating
Critical (9.1)

CVE-ID
CVE-2025-14741

Patch Status
Patched

Published
Jan 8, 2026

Affected Software
Frontend Admin by DynamiApps

Researcher

andrea bocchetti

More Details >

Corpkit <= 2.0 – Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-67924

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Corpkit – Business Consulting WordPress Theme

Researcher

Bonds

More Details >

WP Enable WebP <= 1.0 – Authenticated (Author+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-15158

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
WP Enable WebP

Researcher

ZAST.AI

More Details >

Money Space <= 2.13.9 – Unauthenticated Sensitive Information Exposure

8.6

CVSS Rating
High (8.6)

CVE-ID
CVE-2025-13371

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
Money Space

Researcher

Kannika Khongpan

More Details >

iPaymu Payment Gateway for WooCommerce <= 2.0.2 – Missing Authentication to Unauthenticated Payment Bypass and Order Information Disclosure

8.2

CVSS Rating
High (8.2)

CVE-ID
CVE-2026-0656

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
iPaymu Payment Gateway for WooCommerce

Researcher

Teerachai Somprasong

More Details >

AeroLand <= 1.6.6 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-14429

Patch Status
Unpatched

Published
Jan 7, 2026

Affected Software
AeroLand – App Landing Software Website WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Amuli <= 2.3.0 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-50003

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
Amuli | Property & Real Estate Marketplace WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Anarkali <= 1.0.9 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-47474

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
Anarkali – Fashion Shop WooCommerce Elementor Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Athens <= 1.1.6 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-49994

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
Athens – Law Agency WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Atlas <= 2.1.0 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-22509

Patch Status
Unpatched

Published
Jan 7, 2026

Affected Software
atlas

Researcher

Tran Nguyen Bao Khanh

More Details >

Brook <= 2.9.0 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-14430

Patch Status
Unpatched

Published
Jan 7, 2026

Affected Software
Brook – Agency Business Creative WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Curly < 3.3 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-67936

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
Curly – A Stylish WordPress Theme for Hairdressers and Hair Salons

Researcher

Tran Nguyen Bao Khanh

More Details >

Depot <= 1.16 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-54003

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
Depot – eCommerce WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Hendon < 1.7 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-67937

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
Hendon – Single Property WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Mitech <= 2.3.4 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-22708

Patch Status
Unpatched

Published
Jan 7, 2026

Affected Software
Mitech – Technology IT Solutions & Services WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Moody <= 2.7.3 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-22707

Patch Status
Unpatched

Published
Jan 7, 2026

Affected Software
tm-moody

Researcher

Tran Nguyen Bao Khanh

More Details >

Navian <= 1.5.4 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-14431

Patch Status
Unpatched

Published
Jan 7, 2026

Affected Software
Navian – Multi-Purpose Responsive WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Neo Ocular < 1.2 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-67920

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Neo Ocular – Optician and Optical Store WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

OchaHouse <= 2.2.8 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-12550

Patch Status
Unpatched

Published
Jan 7, 2026

Affected Software
OchaHouse – Organic Tea Store WooCommerce WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Optimize < 2.4 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-67935

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
Optimize – SEO & Social Media WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Oshine <= 7.2.7 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-14359

Patch Status
Unpatched

Published
Jan 7, 2026

Affected Software
Oshin

Researcher

Rafie Muhammad

More Details >

Photography < 7.7.5 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-68510

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
photography

Researcher

Rafie Muhammad

More Details >

Racquet <= 1.12.0 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-69369

Patch Status
Unpatched

Published
Jan 7, 2026

Affected Software
Racquet – Tennis, Badminton & Squash WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Rozy – Flower Shop <= 1.2.25 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-12549

Patch Status
Unpatched

Published
Jan 7, 2026

Affected Software
Rozy – Flower Shop WooCommerce WordPress Theme (4+ Indexes + Mobile Layouts Ready)

Researcher

Tran Nguyen Bao Khanh

More Details >

Typify <= 3.0.2 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-22712

Patch Status
Unpatched

Published
Jan 7, 2026

Affected Software
Typify – Newspaper & Magazine WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

VideoPro <= 2.3.8.1 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-58913

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
VideoPro – Video WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Wellspring < 2.8 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-67934

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
WellSpring | Aqua Filters & Drinking Water Delivery WordPress Theme

Researcher

Tran Nguyen Bao Khanh

More Details >

Automotive Listings <= 18.6 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-67928

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Automotive Listings

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Corpkit <= 2.0 – Authenticated (Subscriber+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-67925

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Corpkit – Business Consulting WordPress Theme

Researcher

Bonds

More Details >

Felan Framework <= 1.1.3 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-23993

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
Felan Framework

Researcher

0xd4rk5id3

More Details >

Handmade Framework <= 3.9 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2026-22521

Patch Status
Unpatched

Published
Jan 7, 2026

Affected Software
Handmade Framework

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Latest Registered Users <= 1.4 – Missing Authorization to Unauthenticated Sensitive Information Exposure via User Data Export

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-13493

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Latest Registered Users

Researcher

Legion Hunter

More Details >

Lead Capturing Pages <= 2.5 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-49055

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
WP Lead Capturing Pages

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Reviewify <= 1.0.7 – Missing Authorization to Authenticated (Contributor+) Arbitrary WooCommerce Coupon Creation

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-14070

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
Reviewify — Review Discounts & Photo/Video Reviews for WooCommerce

Researcher

Itthidej Aramsri (Boeing777)

More Details >

TheGem Theme Elements (for Elementor) <= 5.11.0 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-69356

Patch Status
Patched

Published
Jan 10, 2026

Affected Software
TheGem Theme Elements

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

User Activity Log <= 2.2 – Unauthenticated Limited Options Update via Failed Login

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-11877

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
User Activity Log

Researcher

shark3y

More Details >

WooCommerce Square <= 5.1.1 – Unauthenticated Insecure Direct Object Reference to Sensitive Information Exposure in get_token_by_id

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-13457

Patch Status
Patched

Published
Jan 9, 2026

Affected Software
WooCommerce Square

Researcher

DityaRA

More Details >

Yoco Payments <= 3.9.0 – Unauthenticated Arbitrary File Read

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-13801

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
Yoco Payments

Researcher

NumeX

More Details >

Download Manager <= 3.3.40 – Unauthenticated Limited Privilege Escalation via updatePassword

7.3

CVSS Rating
High (7.3)

CVE-ID
CVE-2025-15364

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Download Manager

Researcher

Drew Webber (mcdruid)

More Details >

Brevo for WooCommerce <= 4.0.49 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-14436

Patch Status
Patched

Published
Jan 8, 2026

Affected Software
Brevo for WooCommerce

Researcher

shark3y

More Details >

BuddyPress Xprofile Custom Field Types <= 1.2.8 – Authenticated (Subscriber+) Arbitrary File Deletion

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-14997

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
BuddyPress Xprofile Custom Field Types

Researcher

Sarawut Poolkhet (MisterHelloz)

More Details >

Eventin – Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered) <= 4.0.51 – Missing Authorization to Unauthenticated Stored Cross-Site Scripting via ‘post_settings’

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-14657

Patch Status
Patched

Published
Jan 8, 2026

Affected Software
Eventin – Event Manager, Event Booking, Calendar, Tickets and Registration Plugin (AI Powered)

Researcher

Sarawut Poolkhet (MisterHelloz)

More Details >

Frontend Admin by DynamiApps <= 3.28.23 – Unauthenticated Stored Cross-Site Scripting via ‘update_field’

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-14937

Patch Status
Patched

Published
Jan 8, 2026

Affected Software
Frontend Admin by DynamiApps

Researcher

Paolo Tresso

More Details >

JetEngine <= 3.7.7 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-67923

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
JetEngine

Researcher

Bonds

More Details >

ListingHub 1.2.6 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-12551

Patch Status
Unpatched

Published
Jan 7, 2026

Affected Software
ListingHub

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

SlimStat Analytics <= 5.3.3 – Unauthenticated Stored Cross-Site Scripting via ‘fh’ Parameter

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-15057

Patch Status
Patched

Published
Jan 8, 2026

Affected Software
SlimStat Analytics

Researcher

Supakiad S. (m3ez)

More Details >

SlimStat Analytics <= 5.3.4 – Unauthenticated Stored Cross-Site Scripting via ‘notes/resource’ Parameters

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-15055

Patch Status
Patched

Published
Jan 8, 2026

Affected Software
SlimStat Analytics

Researcher

Supakiad S. (m3ez)

More Details >

Virtual Assistant <= 3.0 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-22725

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
WP Virtual Assistant

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

WP Photo Album Plus <= 9.1.05.008 – Reflected Cross-Site Scripting

7.1

CVSS Rating
High (7.1)

CVE-ID
CVE-2025-14835

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
WP Photo Album Plus

Researcher

Muhammad Yudha – DJ

More Details >

Appointment Booking and Scheduling Calendar Plugin – WP Timetics <= 1.0.36 – Missing Authorization to Unauthenticated Booking Details View And Modification

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-5919

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Appointment Booking Calendar – WP Timetics Booking Plugin

Researcher

greenhats

More Details >

Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.5 – Unauthenticated Sensitive Information Exposure

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-11723

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin

Researcher

Lucas Montes (NiRoX)

More Details >

BetterDocs <= 4.3.3 – Authenticated (Contributor+) Sensitive Information Exposure

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-14980

Patch Status
Patched

Published
Jan 8, 2026

Affected Software
BetterDocs – Knowledge Base Documentation & FAQ Solution for Elementor & Block Editor

Researcher

Dmitrii Ignatyev

More Details >

Bit Form – Contact Form Plugin <= 2.21.6 – Missing Authorization to Unauthenticated Workflow Replay

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-14901

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
Bit Form – Custom Contact Form, Multi Step, Conversational Form & Payment Form builder

Researcher

andrea bocchetti

More Details >

CBX Bookmark & Favorite <= 2.0.4 – Authenticated (Subscriber+) SQL Injection via `orderby` Parameter

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-13652

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
CBX Bookmark & Favorite

Researcher

Muhamad Visat

More Details >

DeepDigital <= 1.0.2 – Unauthenticated Arbitrary Shortcode Execution

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2026-22469

Patch Status
Unpatched

Published
Jan 5, 2026

Affected Software
DeepDigital – Web Design Agency WordPress Theme

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

EmailKit <= 1.6.1 – Authenticated (Author+) Arbitrary File Read via Path Traversal

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-14059

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
EmailKit – Email Customizer for WooCommerce & WP

Researcher

Dmitrii Ignatyev

More Details >

FastDup <= 2.7 – Authenticated (Contributor+) Path Traversal via ‘dir_path’ REST Parameter

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2026-0604

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
FastDup – Fastest WordPress Migration & Duplicator

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Flashcard Plugin for WordPress <= 0.9 – Authenticated (Contributor+) Arbitrary File Read via Path Traversal

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-14867

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Flashcard Plugin for WordPress

Researcher

0x34rth

More Details >

GiveWP <= 4.13.1 – Unauthenticated Arbitrary Shortcode Execution

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-66533

Patch Status
Patched

Published
Jan 8, 2026

Affected Software
GiveWP – Donation Plugin and Fundraising Platform

Researcher

Kishan Vyas

More Details >

Lobo < 2.8.6 – Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-67921

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Lobo – WordPress Portfolio for Freelancers & Agencies

Researcher

Tran Nguyen Bao Khanh

More Details >

Ninja Tables <= 5.2.4 – Authenticated (Contributor+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-69351

Patch Status
Patched

Published
Jan 7, 2026

Affected Software
Ninja Tables – Easy Data Table Builder

Researcher

daroo

More Details >

Page Expire Popup/Redirection for WordPress <= 1.0 – Authenticated (Author+) SQL Injection via ‘id’ Shortcode Attribute

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-14153

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Page Expire Popup/Redirection for WordPress

Researchers

Athiwat Tiprasaharn (Jitlada)

Itthidej Aramsri (Boeing777)

Powpy

Waris Damkham

More Details >

Quiz and Survey Master (QSM) <= 10.3.1 – Authenticated (Subscriber+) SQL Injection via `is_linking` Query Parameter

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-9318

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Researcher

Rahul Sreenivasan (Tr0j4n)

More Details >

Quiz and Survey Master (QSM) <= 10.3.1 – Missing Authorization to Unpublished, Private And Password-Protected Quiz Information Disclosure And Image Response Uploads

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-9637

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Researcher

Rahul Sreenivasan (Tr0j4n)

More Details >

Tutor LMS <= 3.9.3 – Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via tutor_order_details

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-13679

Patch Status
Patched

Published
Jan 7, 2026

Affected Software
Tutor LMS – eLearning and online course solution

Researcher

Supakiad S. (m3ez)

More Details >

WooCommerce Orders & Customers Exporter <= 5.4 – Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-22713

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
WooCommerce Orders & Customers Exporter

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Workreap (theme’s plugin) <= 3.3.6 – Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-22728

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
Workreap

Researcher

Bonds

More Details >

WP Page Permalink Extension <= 1.5.4 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Rewrite Rules Flush

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-14172

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
WP Page Permalink Extension

Researcher

Legion Hunter

More Details >

1180px Shortcodes <= 1.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘class’ Shortcode Attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14114

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
1180px Shortcodes

Researcher

zakaria

More Details >

AD Sliding FAQ <= 2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14122

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
AD Sliding FAQ

Researcher

Muhammad Yudha – DJ

More Details >

AH Shortcodes <= 1.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘column’ Shortcode Attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14109

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
AH Shortcodes

Researcher

zakaria

More Details >

AI BotKit <= 1.1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13887

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
AI BotKit – AI Chatbot & Live Chat for WordPress (No-Code)

Researcher

theviper17y

More Details >

AMP for WP <= 1.1.10 – Authenticated (Contributor+) Stored Cross-Site Scripting via SVG File Upload

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2026-0627

Patch Status
Patched

Published
Jan 8, 2026

Affected Software
AMP for WP – Accelerated Mobile Pages

Researcher

andrea bocchetti

More Details >

Autogen Headers Menu <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘head_class’ Shortcode Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13704

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
Autogen Headers Menu

Researcher

theviper17y

More Details >

BIALTY – Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce <= 2.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-15019

Patch Status
Patched

Published
Jan 8, 2026

Affected Software
Bulk Auto Image Alt Text (Alt tag, Alt attribute) optimizer (image SEO)

Researcher

Muhammad Yudha – DJ

More Details >

Client Testimonial Slider <= 2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘aft_testimonial_meta_name’ Metabox Field

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13897

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
Client Testimonial Slider

Researcher

Muhammad Yudha – DJ

More Details >

ConvertForce Popup Builder <= 0.0.7 – Stored Cross-Site Scripting via entrance_animation

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14506

Patch Status
Patched

Published
Jan 9, 2026

Affected Software
ConvertForce Popup Builder

Researchers

Athiwat Tiprasaharn (Jitlada)

Itthidej Aramsri (Boeing777)

Powpy

Waris Damkham

More Details >

Cool YT Player <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13849

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Cool YT Player

Researcher

Gilang – DJ

More Details >

Countdown Timer – Widget Countdown <= 2.7.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14555

Patch Status
Patched

Published
Jan 9, 2026

Affected Software
Countdown Timer – Widget Countdown

Researcher

Muhammad Yudha – DJ

More Details >

Curved Text <= 0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13854

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
Curved Text

Researcher

Gilang – DJ

More Details >

Customer Reviews for WooCommerce <= 5.93.1 – Authenticated (Subscriber+) Stored Cross-Site Scripting via displayName Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14891

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
Customer Reviews for WooCommerce

Researcher

shark3y

More Details >

Debt.com Business in a Box <= 4.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13852

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
Debt.com Business in a Box

Researcher

theviper17y

More Details >

Easy GitHub Gist Shortcodes <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘id’ Shortcode Attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14147

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Easy GitHub Gist Shortcodes

Researcher

zakaria

More Details >

Easy Media Download <= 1.1.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-69169

Patch Status
Patched

Published
Jan 8, 2026

Affected Software
Easy Media Download

Researcher

Krissaphat Jankaew

More Details >

EDD Download Info <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14121

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
EDD Download Info

Researcher

Muhammad Yudha – DJ

More Details >

Entry Views <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13729

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
Entry Views

Researcher

Muhammad Yudha – DJ

More Details >

Essential Addons for Elementor <= 6.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-69092

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
Essential Addons for Elementor – Popular Elementor Templates & Widgets

Researcher

Bonds

More Details >

ForumWP – Forum & Discussion Board <= 2.1.6 – Authenticated (Subscriber+) Stored Cross-Site Scripting via Display Name

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13746

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
ForumWP – Forum & Discussion Board

Researcher

Sergej Ljubojevic

More Details >

Gutenverse Form <= 2.3.2 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14984

Patch Status
Patched

Published
Jan 7, 2026

Affected Software
Gutenverse Form – Contact Form Builder, Booking, Reservation, Subscribe for Block Editor

Researcher

andrea bocchetti

More Details >

Header and Footer Scripts <= 2.2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-11453

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
Header and Footer Scripts

Researcher

Powpy

More Details >

IMGspider <= 2.3.12 – Authenticated (Contributor+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2026-22482

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
IMGspider – 图片采集抓取插件

Researcher

Nabil Irawan

More Details >

IndieWeb <= 4.0.5 – Authenticated (Author+) Stored Cross-Site Scripting via ‘Telephone’ Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14893

Patch Status
Patched

Published
Jan 8, 2026

Affected Software
IndieWeb

Researcher

Tharadol Suksamran

More Details >

Jeg Elementor Kit <= 3.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14275

Patch Status
Patched

Published
Jan 7, 2026

Affected Software
Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress

Researcher

Webbernaut

More Details >

MediaPress <= 1.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin’s Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14552

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
MediaPress

Researcher

zaim

More Details >

MediaPress <= 1.6.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2026-22519

Patch Status
Patched

Published
Jan 7, 2026

Affected Software
MediaPress

Researcher

zaim

More Details >

Menu Card <= 0.8.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13862

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
Menu Card

Researcher

theviper17y

More Details >

Mstoic Shortcodes <= 2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘start’ Shortcode Attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14144

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Mstoic Shortcodes

Researcher

zakaria

More Details >

My Album Gallery <= 1.0.4 – Authenticated (Author+) Stored Cross-Site Scripting via Image Title

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14796

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
My Album Gallery

Researcher

Itthidej Aramsri (Boeing777)

More Details >

My Album Gallery <= 1.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘style_css’ Shortcode Attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14453

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
My Album Gallery

Researchers

Athiwat Tiprasaharn (Jitlada)

Itthidej Aramsri (Boeing777)

Powpy

Waris Damkham

More Details >

Nearby Now Reviews <= 5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13853

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
Nearby Now Reviews

Researcher

Gilang – DJ

More Details >

Niche Hero | Beautifully-designed blocks in seconds <= 1.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘spacing’ Shortcode Attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14145

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Niche Hero | Beautifully-designed blocks in seconds

Researcher

zakaria

More Details >

nK Themes Helper <= 1.7.9 – Authenticated (Subscriber+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-22726

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
nK Themes Helper

Researcher

Bonds

More Details >

Phlox <= 2.17.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via `data-caption` HTML Attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-4776

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Phlox

Researcher

Webbernaut

More Details >

PhotoFade <= 0.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13847

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
PhotoFade

Researcher

Gilang – DJ

More Details >

PullQuote <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13903

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
PullQuote

Researcher

Gilang – DJ

More Details >

QR Code for WooCommerce order emails, PDF invoices, packing slips <= 1.9.42 – Authenticated (Contributor+) Cross-Site Scripting via Shortcode Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14626

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
QR Code for WooCommerce order emails, PDF invoices, packing slips

Researchers

Athiwat Tiprasaharn (Jitlada)

Itthidej Aramsri (Boeing777)

Powpy

Waris Damkham

Peerapat Samatathanyakorn

More Details >

Recras WordPress plugin <= 6.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘recrasname’ Shortcode Attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13497

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
Recras

Researcher

Sopon Tangpathum (SoNaJaa)

More Details >

Responsive Pricing Table <= 5.1.12 – Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13418

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
Responsive Pricing Table

Researcher

Itthidej Aramsri (Boeing777)

More Details >

Responsive Pricing Table <= 5.1.12 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘table_currency’

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-15058

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
Responsive Pricing Table

Researcher

Muhammad Yudha – DJ

More Details >

Shortcodes and extra features for Phlox theme <= 2.17.13 – Authenticated (Contributor+) Stored Cross-Site Scripting via Modern Heading Widget

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-12379

Patch Status
Patched

Published
Jan 9, 2026

Affected Software
Shortcodes and extra features for Phlox theme

Researcher

Abu Hurayra (HurayraIIT)

More Details >

Smart App Banners <= 1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘size’ and ‘verticalalign’ Shortcode Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13841

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Smart App Banners

Researcher

Gilang – DJ

More Details >

Snillrik Restaurant <= 2.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘menu_style’ Shortcode Attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14112

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Snillrik Restaurant

Researcher

zakaria

More Details >

STM Gallery 1.9 <= 0.9 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13848

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
STM Gallery 1.9

Researcher

Gilang – DJ

More Details >

Stylish Order Form Builder <= 1.0 – Authenticated (Subscriber+) Stored Cross-Site Scripting via ‘product_name’ Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13531

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Stylish Order Form Builder

Researcher

Sopon Tangpathum (SoNaJaa)

More Details >

Table Field Add-on for ACF and SCF <= 1.3.30 – Authenticated (Contributor+) Stored Cross-Site Scripting via Table Cell Content

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-12067

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Table Field Add-on for ACF and SCF

Researcher

shark3y

More Details >

The Tooltip <= 1.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13908

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
The Tooltip

Researcher

Gilang – DJ

More Details >

TheGem Theme Elements (for Elementor) <= 5.11.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-69357

Patch Status
Patched

Published
Jan 10, 2026

Affected Software
TheGem Theme Elements

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

TheGem Theme Elements (for WPBakery) <= 5.11.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-69360

Patch Status
Patched

Published
Jan 10, 2026

Affected Software
TheGem Theme Elements (for WPBakery)

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Travel Bucket List <= 0.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14053

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Travel Bucket List – Wish To Go

Researcher

ChamlaVic

More Details >

URL Image Importer <= 1.0.7 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14120

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
URL Image Importer

Researcher

bxdman

More Details >

Viitor Button Shortcodes <= 3.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘link’ Shortcode Attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14113

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Viitor Button Shortcodes

Researcher

zakaria

More Details >

Woodpecker for WordPress <= 3.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘form_name’ Shortcode Attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13967

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
Woodpecker for WordPress

Researcher

Gilang – DJ

More Details >

WP Google Street View (with 360° virtual tour) & Google maps + Local SEO <= 1.1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘wpgsv_map’ Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2026-0563

Patch Status
Patched

Published
Jan 8, 2026

Affected Software
WP Google Street View (with 360° virtual tour) & Google maps + Local SEO

Researcher

Paolo Tresso

More Details >

WP Js List Pages Shortcodes <= 1.21 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘class’ Shortcode Attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14110

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
WP Js List Pages Shortcodes

Researcher

zakaria

More Details >

WP Popup Magic <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘name’ Shortcode Attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13900

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
WP Popup Magic

Researcher

Muhammad Yudha – DJ

More Details >

WP Recipe Manager <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘Skill Level’ Input Field

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13667

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
WP Recipe Manager

Researcher

ChamlaVic

More Details >

X Addons for Elementor <= 1.0.23 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2026-22518

Patch Status
Unpatched

Published
Jan 7, 2026

Affected Software
X Addons for Elementor

Researcher

Abu Hurayra (HurayraIIT)

More Details >

Xagio SEO <= 7.1.0.30 – Authenticated (Subscriber+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-14438

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Xagio SEO – AI Powered SEO

Researcher

Jack Taylor

More Details >

CountDown With Image or Video Background <= 1.5 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-27002

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
CountDown With Image or Video Background

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.9.2 – Unauthenticated Limited Arbitrary File Upload

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-14842

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
Drag and Drop Multiple File Upload for Contact Form 7

Researcher

andrea bocchetti

More Details >

eHive Search <= 2.5.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-67930

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
eHive Search

Researcher

Skalucy

More Details >

Famous – Responsive Image And Video Grid Gallery WordPress <= 1.4 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-27004

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
Famous – Responsive Image And Video Grid Gallery WordPress Plugin

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Grand Restaurant < 7.0.9 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-67922

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Grand Restaurant WordPress

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

HBLPAY Payment Gateway for WooCommerce <= 5.0.0 – Reflected Cross-Site Scripting via ‘cusdata’ Parameter

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-14875

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
HBLPAY Payment Gateway for WooCommerce

Researcher

Md. Moniruzzaman Prodhan (NomanProdhan)

More Details >

HTML5 Video Player <= 5.3.5 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-27005

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
HTML5 Video Player WordPress Plugin

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

HTML5 Video Player with Playlist & Multiple Skins <= 5.3.5 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-32123

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
HTML5 Video Player with Playlist & Multiple Skins

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Image&Video FullScreen Background <= 1.6.7 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-47666

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
Image&Video FullScreen Background

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Jobify <= 4.3.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-67916

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Jobify – Job Board WordPress Theme

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Lesson Plan Book <= 1.3 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-13893

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
Lesson Plan Book

Researcher

Abdulsamad Yusuf (0xVenus)

More Details >

Link Whisper Free <= 0.8.8 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-67927

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Link Whisper Free

Researcher

Ryan Novotny

More Details >

Listeo Core < 2.0.19 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-67932

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
Listeo-Core – Directory Plugin by Purethemes

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Magic Responsive Slider and Carousel WordPress <= 1.6 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-49043

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
Magic Responsive Slider and Carousel WordPress

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Magic Slider <= 2.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-48094

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
Magic Responsive Slider and Carousel

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

MG AdvancedOptions <= 1.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-13892

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
MG AdvancedOptions

Researcher

Abdulsamad Yusuf (0xVenus)

More Details >

Post Like Dislike <= 1.0 – Reflected Cross-Site Scripting via $_SERVER[‘PHP_SELF’]

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-14130

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Post Like Dislike

Researcher

Abdulsamad Yusuf (0xVenus)

More Details >

Premmerce WooCommerce Customers Manager <= 1.1.14 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-13369

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Premmerce WooCommerce Customers Manager

Researchers

Athiwat Tiprasaharn (Jitlada)

Itthidej Aramsri (Boeing777)

More Details >

Real Estate Pro <= 2.1.4 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-13504

Patch Status
Unpatched

Published
Jan 7, 2026

Affected Software
Real Estate Pro – WordPress Plugin

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Shabat Keeper <= 0.4.4 – Reflected Cross-Site Scripting via $_SERVER[‘PHP_SELF’]

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-13701

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
Shabat Keeper

Researcher

Abdulsamad Yusuf (0xVenus)

More Details >

Starred Review <= 1.4.2 – Reflected Cross-Site Scripting via PHP_SELF Variable

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-14118

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Starred Review

Researcher

Abdulsamad Yusuf (0xVenus)

More Details >

Stumble! for WordPress <= 1.1.1 – Reflected Cross-Site Scripting via $_SERVER[‘PHP_SELF’]

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-14128

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Stumble! for WordPress

Researcher

Abdulsamad Yusuf (0xVenus)

More Details >

Super Interactive Maps <= 2.3 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-49045

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
Super Interactive Maps

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

SVG Map Plugin <= 1.0.0 – Cross-Site Request Forgery to Settings Update and Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-13519

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
SVG Map Plugin

Researcher

dayea song

More Details >

Taskbuilder <= 4.0.9 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-67933

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
Taskbuilder – WordPress Project Management & Task Management

Researcher

Skalucy

More Details >

Testimonial Master <= 0.2.1 – Reflected Cross-Site Scripting via $_SERVER[‘PHP_SELF’]

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-14127

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Testimonial Master

Researcher

Abdulsamad Yusuf (0xVenus)

More Details >

Top Position Google Finance <= 0.1.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-13895

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
Top Position Google Finance

Researcher

Abdulsamad Yusuf (0xVenus)

More Details >

Woffice <= 5.4.30 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-67918

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Woffice CRM

Researcher

Rafie Muhammad

More Details >

WP Widget Changer <= 1.2.5 – Reflected Cross-Site Scripting via $_SERVER[‘PHP_SELF’]

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-14131

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
WP Widget Changer

Researcher

Abdulsamad Yusuf (0xVenus)

More Details >

aBlocks – WordPress Gutenberg Blocks <= 2.4.0 – Missing Authorization to Authenticated (Subscriber+) Settings Modification

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-12449

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
aBlocks – Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & Animation Builder

Researcher

mahdi salhi (CaptinSharky01)

More Details >

LearnPress – WordPress LMS Plugin <= 4.3.2.2 – Insecure Direct Object Reference to Authenticated (Instructor+) Teacher Material Deletion

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-14802

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
LearnPress – WordPress LMS Plugin for Create and Sell Online Courses

Researcher

Deniz Mert (dennywise)

More Details >

MasterStudy LMS WordPress Plugin – for Online Courses and Education <= 3.7.6 Missing Authorization to Authenticated (Subscriber+) Posts and Media Creation, Modification and Deletion

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-13766

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
MasterStudy LMS WordPress Plugin – for Online Courses and Education

Researcher

thinnawarth mathuros

More Details >

Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.9.3 – Missing Authorization to Authenticated (Contributor+) Workflow Manipulation

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-14718

Patch Status
Patched

Published
Jan 8, 2026

Affected Software
Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

User Registration & Membership <= 4.4.8 – Cross-Site Request Forgery to Arbitrary Post Deletion

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-14976

Patch Status
Patched

Published
Jan 9, 2026

Affected Software
User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin

Researcher

theviper17y

More Details >

AA Block country <= 1.0.1 – Unauthenticated IP Address Spoofing via X-Forwarded-For Header

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-13694

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
AA Block country

Researcher

Ivan Cese

More Details >

Attractive Donations System – Easy Stripe & Paypal donations <= 1.25 – Missing Authorization to Unauthenticated Arbitrary Content Deletion

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-22715

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
WP Attractive Donations System – Easy Stripe & Paypal donations

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Awesome Hotel Booking <= 1.0.3 – Incorrect Authorization to Unauthenticated Arbitrary Booking Modification

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14352

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
Awesome Hotel Booking

Researcher

Itthidej Aramsri (Boeing777)

More Details >

Blockons <= 1.2.15 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14360

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
Blockons – Gutenberg blocks for WordPress and WooCommerce websites

Researcher

MD ISMAIL

More Details >

Booking Calendar <= 10.14.10 – Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14146

Patch Status
Patched

Published
Jan 8, 2026

Affected Software
Booking Calendar

Researcher

Filippo Decortes

More Details >

Booking for Appointments and Events Calendar – Amelia <= 1.2.38 – Missing Authorization to Unauthenticated Multiple AJAX Actions

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14720

Patch Status
Patched

Published
Jan 8, 2026

Affected Software
Booking for Appointments and Events Calendar – Amelia

Researcher

type5afe

More Details >

BulletProof Security <= 6.9 – Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-67931

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
BulletProof Security

Researcher

Nabil Irawan

More Details >

Contact Form vCard Generator <= 2.4 – Missing Authorization to Unauthenticated Sensitive Information Exposure via ‘wp-gvc-cf-download-id’ Parameter

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-13717

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
Contact Form vCard Generator

Researcher

Sopon Tangpathum (SoNaJaa)

More Details >

Cookies and Content Security Policy <= 2.34 – Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-63019

Patch Status
Unpatched

Published
Jan 5, 2026

Affected Software
Cookies and Content Security Policy

Researcher

MD ISMAIL

More Details >

Creator LMS <= 1.1.12 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-69359

Patch Status
Patched

Published
Jan 10, 2026

Affected Software
Creator LMS – The LMS for Creators, Coaches, and Trainers

Researcher

NumeX

More Details >

Dashboard Welcome for Beaver Builder <= 1.0.8 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2026-22488

Patch Status
Unpatched

Published
Jan 7, 2026

Affected Software
Dashboard Welcome for Beaver Builder

Researcher

Nabil Irawan

More Details >

Depicter <= 4.0.7 – Missing Authorization to Unauthenticated Display Rule Updates

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-11370

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Depicter — Popup & Slider Builder

Researcher

Brizzle

More Details >

Depicter Slider <= 4.0.4 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68558

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Depicter — Popup & Slider Builder

Researcher

Edisc1

More Details >

Fluent Forms <= 6.1.7 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Form Creation via AI Builder

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-13722

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Researcher

Marcin Dudek (dudekmar)

More Details >

Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.49.1 – Missing Authorization to Authenticated (Forminator User+) CSV Export

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14782

Patch Status
Patched

Published
Jan 8, 2026

Affected Software
Forminator Forms – Contact Form, Payment Form & Custom Form Builder

Researcher

type5afe

More Details >

Guest posting / Frontend Posting / Front Editor – WP Front User Submit <= 5.0.0 – Missing Authorization to Unauthenticated Media Deletion

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-13419

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
Guest posting / Frontend Posting / Front Editor – WP Front User Submit

Researcher

Md. Moniruzzaman Prodhan (NomanProdhan)

More Details >

Icegram <= 3.1.35 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-68507

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Icegram Engage – Popups, Optins, CTAs & lot more…

Researcher

Legion Hunter

More Details >

ilGhera Support System for WooCommerce <= 1.2.6 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Ticket Deletion

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14034

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
ilGhera Support System for WooCommerce

Researcher

Md. Moniruzzaman Prodhan (NomanProdhan)

More Details >

Japanized for WooCommerce <= 2.7.17 – Missing Authorization to Unauthenticated Order Status Modification

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14886

Patch Status
Patched

Published
Jan 8, 2026

Affected Software
Japanized for WooCommerce

Researcher

Md. Moniruzzaman Prodhan (NomanProdhan)

More Details >

LearnPress – WordPress LMS Plugin <= 4.3.2 – Missing Authentication to Unauthenticated Course Modification

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-13964

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
LearnPress – WordPress LMS Plugin for Create and Sell Online Courses

Researcher

Supakiad S. (m3ez)

More Details >

miniOrange OTP Verification and SMS Notification for WooCommerce <= 4.3.8 – Missing Authorization to Unauthenticated Notification Settings Modification

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14948

Patch Status
Patched

Published
Jan 9, 2026

Affected Software
miniOrange OTP Verification and SMS Notification for WooCommerce

Researcher

Abdualrhman Muzamil

More Details >

Moosend Landing Pages <= 1.1.6 – Missing Authorization to Authenticated (Subscriber+) Option Deletion

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-13496

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Moosend Landing Pages

Researcher

Legion Hunter

More Details >

NextGEN Download Gallery <= 1.6.2 – Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2026-0675

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
NextGEN Download Gallery

Researcher

Nabil Irawan

More Details >

Piraeus Bank WooCommerce Payment Gateway <= 3.1.4 – Missing Authorization to Unauthenticated Arbitrary Order Status Change

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14460

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
Piraeus Bank WooCommerce Payment Gateway

Researcher

Md. Moniruzzaman Prodhan (NomanProdhan)

More Details >

Popupkit <= 2.2.0 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Subscriber Data Deletion

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14441

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Quote Comments <= 3.0.0 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Update

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14370

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Quote Comments

Researcher

Legion Hunter

More Details >

Re Gallery – Responsive Photo Gallery <= 1.17.19 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2026-22486

Patch Status
Unpatched

Published
Jan 7, 2026

Affected Software
Re Gallery – Responsive Image & Photo Gallery

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

REHub Framework <= 19.9.5 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14358

Patch Status
Unpatched

Published
Jan 7, 2026

Affected Software
reHub Framework

Researcher

Rafie Muhammad

More Details >

ShopMagic <= 4.7.2 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-69093

Patch Status
Patched

Published
Jan 7, 2026

Affected Software
ShopMagic – email automation

Researcher

Arif Shaikh

More Details >

Shortcodes and extra features for Phlox theme <= 2.17.13 – Unauthenticated Draft Posts Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-13215

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Shortcodes and extra features for Phlox theme

Researcher

Nguyen C

More Details >

Templately <= 3.4.8 – Unauthenticated Limited Arbitrary JSON File Write

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2026-0831

Patch Status
Patched

Published
Jan 9, 2026

Affected Software
Templately – Elementor & Gutenberg Template Library: 6500+ Free & Pro Ready Templates And Cloud!

Researcher

type5afe

More Details >

Timetics <= 1.0.46 – Incorrect Authorization to Authenticated (Timetics Customer+) User Creation

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-67915

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Appointment Booking Calendar – WP Timetics Booking Plugin

Researcher

daroo

More Details >

Traveler <= 3.2.6 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-67917

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Travel Booking WordPress Theme

Researcher

Rafie Muhammad

More Details >

Unify <= 3.4.9 – Missing Authorization to Unauthenticated Option Deletion via ‘unify_plugin_downgrade’ Parameter

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-13529

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Unify

Researcher

Legion Hunter

More Details >

weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot <= 2.1.15 – Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-14574

Patch Status
Patched

Published
Jan 8, 2026

Affected Software
weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot

Researcher

DityaRA

More Details >

Woffice Core <= 5.4.30 – Unauthenticated Insecure Direct Object Reference

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-67919

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Woffice Core

Researcher

Rafie Muhammad

More Details >

WP-Members Membership Plugin <= 3.5.4.4 – Unauthenticated Information Exposure via Unprotected Files

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-12648

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
WP-Members Membership Plugin

Researcher

thinnawarth mathuros

More Details >

Zorka <= 1.5.7 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2026-0676

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
zorka

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

FireStorm Professional Real Estate <= 2.7.11 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2026-22470

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
FireStorm Professional Real Estate Plugin

Researcher

Mrreee

More Details >

Form Vibes – Database Manager for Forms <= 1.4.13 – Authenticated (Admin+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-13409

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Form Vibes – Database Manager for Forms

Researcher

tmrswrr

More Details >

ShareThis Dashboard for Google Analytics <= 3.2.4 – Unauthenticated Google Analytics Data Exposure

4.7

CVSS Rating
Medium (4.7)

CVE-ID
CVE-2025-12540

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
ShareThis Dashboard for Google Analytics

Researcher

ifoundbug

More Details >

Accordion <= 3.0.3 – Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-69350

Patch Status
Patched

Published
Jan 7, 2026

Affected Software
Accordions – Responsive Accordion & FAQ Plugin for WordPress

Researcher

NumeX

More Details >

Contact Us Simple Form <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-14028

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Contact Us Simple Form

Researcher

0x34rth

More Details >

Email Customizer for WooCommerce | Drag and Drop Email Templates Builder <= 2.6.7 – Authenticated (Administrator+) Stored Cross-Site Scripting via Email Template Content

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-13974

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Email Customizer for WooCommerce | Drag and Drop Email Templates Builder

Researcher

fallenofalbaz

More Details >

Key Figures <= 1.1 – Authenticated (Admin+) Stored Cross-Site Scripting via kf_field_figure_default_color_render

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-14792

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Key Figures

Researcher

afnaan

More Details >

Multi-column Tag Map <= 17.0.39 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘mctm_css_conditional’ Parameter

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-14057

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Multi-column Tag Map

Researcher

Bhayanak Atma

More Details >

Page Keys <= 1.3.3 – Authenticated (Administrator+) Stored Cross-Site Scripting via ‘page_key’ Parameter

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-15000

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
Page Keys

Researcher

0x34rth

More Details >

Simple User Meta Editor <= 1.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting via User Meta Value Field

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-14888

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Simple User Meta Editor

Researcher

0x34rth

More Details >

twinklesmtp – Email Service Provider For WordPress <= 1.03 – Authenticated (Administrator+) Stored Cross-Site Scripting via Sender Settings

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-14887

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
twinklesmtp – Email Service Provider For WordPress

Researcher

0x34rth

More Details >

Absolute Addons For Elementor <= 1.0.14 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-22468

Patch Status
Unpatched

Published
Jan 5, 2026

Affected Software
Absolute Addons For Elementor

Researcher

Legion Hunter

More Details >

ACF to REST API <= 3.3.4 – Insecure Direct Object Reference to Authenticated (Contributor+) ACF Field/Option Modification

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-12030

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
ACF to REST API

Researcher

Kai Aizen

More Details >

AffiliateX <= 1.3.9.3 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-69346

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
AffiliateX – Amazon Affiliate Plugin

Researcher

Legion Hunter

More Details >

AMP for WP – Accelerated Mobile Pages <= 1.1.9 – Cross-Site Request Forgery to Comment Submission

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14468

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
AMP for WP – Accelerated Mobile Pages

Researcher

0N0ise

More Details >

BD Courier Order Ratio Checker <= 2.0.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-22481

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
BD Courier Order Ratio Checker

Researcher

Nabil Irawan

More Details >

Better Business Reviews <= 0.1.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-69354

Patch Status
Patched

Published
Jan 9, 2026

Affected Software
Better Business Reviews – Trustpilot WordPress Plugin

Researcher

Nabil Irawan

More Details >

Block Slider <= 2.2.3 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-22522

Patch Status
Unpatched

Published
Jan 7, 2026

Affected Software
Block Slider – Responsive Image Slider, Video Slider & Post Slider

Researcher

theviper17

More Details >

Blog2Social: Social Media Auto Post & Scheduler <= 8.7.2 – Incorrect Authorization to Authenticated (Subscriber+) Sensitive Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14943

Patch Status
Patched

Published
Jan 9, 2026

Affected Software
Blog2Social: Social Media Auto Post & Scheduler

Researcher

theviper17y

More Details >

Bulk Landing Page Creator for WordPress LPagery <= 2.4.9 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-22490

Patch Status
Patched

Published
Jan 7, 2026

Affected Software
Bulk Page Generator – LPagery

Researcher

Nabil Irawan

More Details >

Campaign Monitor for WordPress <= 2.9.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-0674

Patch Status
Unpatched

Published
Jan 8, 2026

Affected Software
Campaign Monitor for WordPress

Researcher

Nabil Irawan

More Details >

Clearfy <= 2.4.0 – Cross-Site Request Forgery to Update Notification Tampering

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13749

Patch Status
Patched

Published
Jan 8, 2026

Affected Software
Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer

Researcher

Dmitrii Ignatyev

More Details >

Crumber <= 1.0.10 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-66143

Patch Status
Unpatched

Published
Jan 10, 2026

Affected Software
Breadcrumbs for Elementor – Crumber

Researcher

Phat RiO – BlueRock

More Details >

Demo Importer Plus <= 2.0.8 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-69091

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Demo Importer Plus

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Docket Cache <= 24.07.04 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-22492

Patch Status
Patched

Published
Jan 7, 2026

Affected Software
Docket Cache – Object Cache Accelerator

Researcher

Legion Hunter

More Details >

Easy Form Builder <= 3.9.6 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-22472

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Easy Form Builder by WhiteStudio — Drag & Drop Form Builder

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Featured Image from URL (FIFU) <= 5.3.1 – Authenticated (Contributor+) Server-Side Request Forgery via ‘fifu_input_url’

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13393

Patch Status
Patched

Published
Jan 9, 2026

Affected Software
Featured Image from URL (FIFU)

Researcher

Dmitrii Ignatyev

More Details >

Fluent Support <= 1.10.4 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-67926

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Fluent Support – Helpdesk & Customer Support Ticket System

Researcher

daroo

More Details >

Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager <= 3.1.5 – Missing Authorization to Authenticated (Author+) Media Replacement

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-12640

Patch Status
Patched

Published
Jan 7, 2026

Affected Software
Folders – Unlimited Folders to Organize Media Library Folder, Pages, Posts, File Manager

Researcher

Md. Moniruzzaman Prodhan (NomanProdhan)

More Details >

GA4WP: Google Analytics for WordPress <= 2.10.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-22517

Patch Status
Unpatched

Published
Jan 7, 2026

Affected Software
GA4WP – Analytics Dashboard for the Website

Researcher

Legion Hunter

More Details >

GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress <= 7.6.1 – Missing Authorization to Authenticated (Subscriber+) Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13812

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress

Researcher

kr0d

More Details >

HelpDesk contact form plugin <= 1.1.5 – Cross-Site Request Forgery to Settings Update via handle_query_args

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13657

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
HelpDesk Contact Form

Researcher

Sopon Tangpathum (SoNaJaa)

More Details >

Image Slider Slideshow <= 1.8 – Authenticated (Contributor+) Insecure Direct Object Reference

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-22489

Patch Status
Unpatched

Published
Jan 7, 2026

Affected Software
Image Slider Slideshow

Researcher

Nabil Irawan

More Details >

Latest Tabs <= 1.5 – Cross-Site Request Forgery to Plugin’s Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14999

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Latest Tabs

Researcher

omer yeshayahu

More Details >

Mamurjor Employee Info <= 1.0.0 – Cross-Site Request Forgery to Arbitrary Employee and Related Data Manipulation

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13990

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Mamurjor Employee Info

Researcher

dayea song

More Details >

MTCaptcha WordPress Plugin <= 2.7.2 – Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13520

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
MTCaptcha WordPress Plugin

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

Newsletter Email Subscribe <= 2.4 – Cross-Site Request Forgery to Plugin Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14904

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Newsletter Email Subscribe

Researcher

afnaan

More Details >

NS IE Compatibility Fixer <= 2.1.5 – Cross-Site Request Forgery to Plugin Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14845

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
NS Ie Compatibility Fixer

Researcher

afnaan

More Details >

Post and Page Builder by BoldGrid <= 1.27.9 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-69345

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Post and Page Builder by BoldGrid – Visual Drag and Drop Editor

Researcher

daroo

More Details >

Post Expirator <= 4.9.3 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-69361

Patch Status
Patched

Published
Jan 11, 2026

Affected Software
Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories

Researcher

Bao – BlueRock

More Details >

Proxy & VPN Blocker <= 3.5.3 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-69353

Patch Status
Patched

Published
Jan 9, 2026

Affected Software
Proxy & VPN Blocker

Researcher

Legion Hunter

More Details >

Quiz And Survey Master <= 10.3.1 – Missing Authorization to Authenticated (Subscriber+) Quiz Results Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-9294

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker

Researcher

Dmitrii Ignatyev

More Details >

RSS Feed Widget <= 3.0.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-69349

Patch Status
Patched

Published
Jan 7, 2026

Affected Software
RSS Feed Widget

Researcher

Nabil Irawan

More Details >

Simcast <= 1.0.0 – Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14077

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Simcast

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

Speed Kit <= 2.0.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-22487

Patch Status
Unpatched

Published
Jan 7, 2026

Affected Software
Speed Kit

Researcher

Nabil Irawan

More Details >

Spiffy Calendar <= 5.0.7 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-68523

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Spiffy Calendar

Researcher

daroo

More Details >

Sticky Action Buttons <= 1.1 – Cross-Site Request Forgery to Plugin Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14465

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Sticky Action Buttons

Researcher

afnaan

More Details >

TaxoPress <= 3.41.0 – Missing Authorization to Authenticated (Contributor+) Arbitrary Post Tag Modification

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-14371

Patch Status
Patched

Published
Jan 5, 2026

Affected Software
Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI

Researcher

Dmitrii Ignatyev

More Details >

teachPress <= 9.0.12 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2026-22483

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
teachPress

Researcher

Nabil Irawan

More Details >

The Events Calendar <= 6.15.12.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-69352

Patch Status
Patched

Published
Jan 9, 2026

Affected Software
The Events Calendar

Researcher

Phat RiO – BlueRock

More Details >

The Events Calendar Countdown Addon <= 1.4.15 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-69348

Patch Status
Patched

Published
Jan 6, 2026

Affected Software
The Events Calendar Countdown Addon

Researcher

Legion Hunter

More Details >

Tickera <= 3.5.6.4 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-69355

Patch Status
Patched

Published
Jan 9, 2026

Affected Software
Tickera – Sell Tickets & Manage Events

Researcher

Nabil Irawan

More Details >

Tutor LMS – eLearning and online course solution <= 3.9.3 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Coupon Modification

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13628

Patch Status
Patched

Published
Jan 8, 2026

Affected Software
Tutor LMS – eLearning and online course solution

Researcher

Supakiad S. (m3ez)

More Details >

Tutor LMS – eLearning and online course solution <= 3.9.3 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Course Completion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13935

Patch Status
Patched

Published
Jan 8, 2026

Affected Software
Tutor LMS – eLearning and online course solution

Researcher

Supakiad S. (m3ez)

More Details >

Tutor LMS – eLearning and online course solution <= 3.9.3 – Missing Authorization to Authenticated (Subscriber+) Course Enrollment Bypass

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13934

Patch Status
Patched

Published
Jan 8, 2026

Affected Software
Tutor LMS – eLearning and online course solution

Researcher

Supakiad S. (m3ez)

More Details >

Uper for Elementor <= 1.0.5 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-66140

Patch Status
Unpatched

Published
Jan 10, 2026

Affected Software
Uper – Back to Top Button for Elementor

Researcher

Phat RiO – BlueRock

More Details >

WP Status Notifier <= 1.0 – Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13521

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
WP Status Notifier

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

WP Table Builder <= 2.0.19 – Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Table Creation

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13753

Patch Status
Patched

Published
Jan 8, 2026

Affected Software
WP Table Builder – Drag & Drop Table Builder

Researcher

Dmitrii Ignatyev

More Details >

xShare <= 1.0.1 – Cross-Site Request Forgery to ‘rs_plugin_reset’ Parameter

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13527

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
xShare

Researcher

dayea song

More Details >

Rankology SEO and Analytics Tool <= 2.0 – Incorrect Authorization to Authenticated (Editor+) Header & Footer Code Creation

2.7

CVSS Rating
Low (2.7)

CVE-ID
CVE-2025-12958

Patch Status
Unpatched

Published
Jan 6, 2026

Affected Software
Rankology SEO and Analytics Tool

Researcher

SangNQ29

More Details >