CVE-2026-2386 affects The Plus Addons for Elementor and it is an incorrect authorization vulnerability that lets a low privilege Elementor user create draft objects of post types they normally should not be able to create. The most important detail is that this is not about editing existing content. It is about crossing post type boundaries. An Author who only has edit_posts can still create draft Pages, Elementor templates, and other custom post types by supplying a client controlled post_type to an AJAX endpoint. That breaks the expectation that post type capabilities are enforced by WordPress, and it creates a security and governance problem because draft assets can be planted for later misuse. On sites with complex workflows, even draft creation can have side effects such as triggering automation, polluting template libraries, confusing editors, and setting up social engineering for administrators.
CVE-2026-1906 – PDF Invoices & Packing Slips for WooCommerce – (IDOR) in Peppol Identifiers AJAX Endpoint Allows Tampering with Other Customers’ Order/User Meta – POC

CVE-2026-1906 affects PDF Invoices and Packing Slips for WooCommerce and it is a broken access control vulnerability that allows an authenticated low privilege user to modify business critical EDI and Peppol identifiers for orders they do not own. The weakness sits in an AJAX handler that updates order meta and user meta based on an attacker supplied order_id and values payload. In real ecommerce deployments, those identifiers can determine where electronic invoices and structured business documents are delivered. When a customer can change them for other customers, the impact is not only data corruption. It can become misrouting of invoices and potential leakage of business documents to the wrong endpoint, which raises both integrity and confidentiality concerns in addition to operational disruption. With an install base around 300k plus, this is a high exposure class of issue for stores that enable invoice or e-invoice flows.
CVE-2025-11737 – VK All in One Expansion Unit – Stored XSS via Contributor+ – POC

CVE-2025-11737 affects VK All in One Expansion Unit and it is a stored cross site scripting vulnerability that can be triggered by a Contributor level user through a post level meta field named SNS Title. The vulnerability is dangerous because it lands in the page head as Open Graph metadata, which means it executes in a high trust context on every page view where the affected post is rendered. This is not a narrow admin-only issue. Once the malicious value is stored, it can reach front-end visitors and also administrators reviewing content, and it can become a persistent trap that fires repeatedly. With an install base around 100k plus, this is relevant to many multi-author WordPress sites where Contributors exist by design.
CVE-2025-14895 – PopupKit – Missing Authorization to Subscribers View/Delete Analytics Reset – POC

CVE-2025-14895 affects PopupKit and it is a missing authorization vulnerability in REST endpoints that should be restricted to administrators but are reachable by any authenticated user who can obtain a WordPress REST nonce. The most important point is that the endpoint is not just leaking harmless counters. It can return and delete records that represent marketing leads and subscriber activity, which are often treated as sensitive business assets. When a Subscriber can access this data, the plugin breaks the expected privacy and role separation model of WordPress, and it also creates a direct integrity issue because the same low privilege user can erase records and undermine reporting. This vulnerability is particularly relevant on sites with public registration and large numbers of low privilege accounts, which is common in ecommerce, memberships, and community driven properties.
CVE-2026-6495 – Ajax Load More < 7.8.4 – Reflected XSS – POC
CVE-2026-0554 – NotificationX – Missing Authorization to Authenticated (Contributor+) Analytics Reset – POC
CVE-2026-4659 – Unlimited Elements For Elementor – LFI (Local File Inclusion) Author+ – POC

CVE-2026-4659 affects Unlimited Elements for Elementor and it is an authenticated Local File Inclusion vulnerability that allows an Author level user to read arbitrary local files from the WordPress host. The bug is especially practical because it uses a normal looking Elementor widget feature. A repeater can load JSON or CSV data from a URL, which is a common pattern for dynamic widgets. The vulnerability appears when the plugin treats certain URLs as local filesystem paths and then reads them. When debug output is enabled, the plugin returns the raw file content in the response, which turns a file read primitive into direct exfiltration through the page preview. With an install base around 300k plus and common editorial setups where Authors can edit pages, this is a realistic path from a low privilege content role to server level secret disclosure.
CVE-2025-15380 – NotificationX – Unauthenticated DOM-Based Cross-Site Scripting via nx-preview – POC

CVE-2025-15380 affects NotificationX and it is an unauthenticated DOM based cross site scripting vulnerability that can execute JavaScript in a victim browser on public pages. The attack does not require a WordPress account and it does not require any special permissions. It abuses a front-end preview mechanism where the plugin accepts attacker supplied configuration, decodes it, and renders it directly into the DOM. This matters because NotificationX is installed specifically to show attention-grabbing UI elements like notification bars and press bars. If the preview path can be triggered by anyone, then any attacker can weaponize it to run script on the site origin and steal session data, run actions in the background, or plant further attacks through social engineering. Even a single successful execution can be enough to compromise administrators if they browse the front end while logged in.
CVE-2025-15370 – Shield Security – IDOR in MFA action mfa_profile_toggle_ga allows any authenticated user to disable Google Authenticator – POC

CVE-2025-15370 affects Shield Security and it is a privilege boundary failure that weakens authentication rather than changing content or reading data. The vulnerability allows any authenticated user, including a Subscriber, to target another account and toggle that account’s Google Authenticator setting through a request parameter. That matters because MFA is one of the most important compensating controls in WordPress. When a plugin that is meant to harden security can be used by low privilege users to disable MFA on administrators, it becomes a security downgrade primitive. The practical consequence is that attackers only need a second ingredient like a password leak or phishing success to turn this downgrade into a full admin takeover.
CVE-2026-4267 – Query Monitor – Unauth Reflected XSS – POC

CVE-2026-4267 affects Query Monitor and it is a reflected cross site scripting vulnerability that can be triggered by an unauthenticated attacker and executed in the browser of a logged-in user who can view Query Monitor output. Query Monitor is often installed on development and staging sites, but it is also frequently left enabled on production environments during troubleshooting, which increases the chance that administrators will have it active while browsing the dashboard. The bug is dangerous because it sits inside a diagnostic panel that administrators trust. Once script execution is achieved in an admin session, the attacker can move from a simple reflected injection to nonce theft and privileged state-changing actions in the WordPress backend.