CVE-2026-0561 affects Shield Security and describes an unauthenticated reflected Cross-Site Scripting issue in versions up to and including 21.0.8. The vulnerable dynamic page renderer accepts the message parameter on the shield_action flow and reflects it into a generated page without sufficient sanitization and output escaping. An attacker does not need a WordPress account; they only need to persuade a victim to open a crafted URL, which can make script run in the victim's browser under the site origin. For logged-in administrators, that can expose WordPress nonces and allow authenticated browser actions through the victim's session.
CVE-2026-7660 – Easy Updates Manager – Reflected XSS – POC

CVE-2026-7660 affects Easy Updates Manager in versions up to 9.0.20 and is a reflected Cross-Site Scripting issue in the admin pagination flow. The vulnerable path is the Updates Options plugins tab, where the paged request parameter can be reflected into the value attribute of the current-page input when action=eum_ajax is present. A successful attack requires an administrator, or another user with update-management access, to open a crafted admin URL, so the practical risk is a privileged reflected script sink that can execute in the WordPress dashboard if the browser accepts the injected attribute payload.
CVE-2026-9284 – WooCommerce PayPal Payments – Missing Authorization – POC

CVE-2026-9284 affects WooCommerce PayPal Payments and is a missing authorization issue in the subscription approval checkout flow. In vulnerable builds up to 4.0.1, a public WC-AJAX request can place a client-supplied PayPal subscription identifier into the WooCommerce session, and the subscriptions integration can later treat that session value as sufficient evidence to complete a WooCommerce order. On stores that use WooCommerce Subscriptions with PayPal subscription checkout, this can let an unauthenticated visitor move an order to a paid state without a successful PayPal capture or approval, which creates direct financial risk and unreliable payment records.
CVE-2025-13048 – Official StatCounter Plugin – Stored XSS to Contributor+ Persistent Script Execution – POC

CVE-2025-13048 affects Official StatCounter Plugin and is an authenticated Stored Cross-Site Scripting vulnerability that allows a Contributor-level or higher user to store a crafted payload in the WordPress Nickname field. The vulnerability is triggered when the affected post is viewed and the plugin renders the author nickname into a JavaScript context without proper sanitization and escaping. The practical security outcome is persistent browser-side code execution against visitors and administrators who open the injected post. On real sites this can lead to session theft, unauthorized admin actions, malicious redirects, or further compromise of the WordPress dashboard.
CVE-2026-2515 – Hostinger Reach – Missing Authorization to Authenticated (Subscriber+) Integration API Key Update – POC

CVE-2026-2515 affects Hostinger Reach and is a missing authorization vulnerability that allows a low-privilege authenticated user to trigger an admin-only site connection flow and ultimately overwrite the persistent Reach bearer credential stored in WordPress options. The practical security outcome is not a minor UI glitch; it is third-party integration takeover. A Subscriber can rebind the WordPress site to an attacker-controlled Reach tenant, disrupt the legitimate integration, and potentially divert marketing data and automation feeds. On sites where WooCommerce-related automation is enabled, the downstream impact can extend to billing and order PII flowing into the attacker's account, because the plugin believes it is still connected to the correct Reach backend.
CVE-2026-5371 – MonsterInsights – Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure And Plugin Integration Reset – POC

CVE-2026-5371 affects MonsterInsights and is a missing authorization vulnerability that turns a low-privilege WordPress account into a bridge for cross-platform credential theft. The issue is not limited to reading plugin settings. It allows a Subscriber to obtain a live Google OAuth access token that was granted during the site owner’s Google onboarding flow, and it also allows the same low-privilege user to reset the Google Ads integration state. That combination creates both confidentiality and integrity impact. The token is a portable bearer credential, which means it can be used outside WordPress against Google APIs until it expires or is revoked. With a reported install base above two million, the exposure is significant because many sites have public registration and routinely have low-privilege accounts that are easy to obtain.
CVE-2026-1404 – Ultimate Member – Unauth Reflected XSS – POC
CVE-2026-2386 – The Plus Addons for Elementor – Incorrect Authorization to Authenticated (Author+) Arbitrary Draft Post Creation via ‘post_type’ – POC

CVE-2026-2386 affects The Plus Addons for Elementor and is an incorrect authorization vulnerability that lets a low-privilege Elementor user create draft objects of post types they normally should not be able to create. The most important detail is that this is not about editing existing content; it is about crossing post-type boundaries. An Author who only has edit_posts can still create draft Pages, Elementor templates, and other custom post types by supplying a client-controlled post_type to an AJAX endpoint. That breaks the expectation that post-type capabilities are enforced by WordPress, and it creates a security and governance problem because draft assets can be planted for later misuse. On sites with complex workflows, even draft creation can have side effects such as triggering automation, polluting template libraries, confusing editors, and setting up social engineering against administrators.
CVE-2026-1906 – PDF Invoices & Packing Slips for WooCommerce – (IDOR) in Peppol Identifiers AJAX Endpoint Allows Tampering with Other Customers’ Order/User Meta – POC

CVE-2026-1906 affects PDF Invoices & Packing Slips for WooCommerce and is a broken access control vulnerability that allows an authenticated low-privilege user to modify business-critical EDI and Peppol identifiers for orders they do not own. The weakness sits in an AJAX handler that updates order meta and user meta based on an attacker-supplied order_id and values payload. In real e-commerce deployments, those identifiers can determine where electronic invoices and structured business documents are delivered. When a customer can change them for other customers, the impact is not only data corruption; it can become misrouting of invoices and potential leakage of business documents to the wrong endpoint, which raises both integrity and confidentiality concerns in addition to operational disruption. With an install base of around 300k+, this is a high-exposure class of issue for stores that enable invoice or e-invoice flows.
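The missing-authorization entries above (Hostinger Reach, MonsterInsights, The Plus Addons and the Peppol identifier handler) share one root cause: a logged-in user reaches a wp_ajax handler and the handler never establishes what that user is allowed to do with the object named in the request. The following is an added example, not code from any plugin named on this page, showing the checks a hardened handler performs: a nonce, a role capability, and object-level ownership of the order before its meta is changed, plus a draft-creation path that enforces the target post type's own capability. Hook names, the meta key and the identifier pattern are hypothetical; the WordPress and WooCommerce functions used are real core APIs.

```php
<?php
// Added example, not any plugin's code. Hook names, meta keys and the identifier
// pattern are hypothetical; check_ajax_referer, current_user_can, wc_get_order,
// wp_send_json_error/success, absint, sanitize_text_field, get_post_type_object
// and wp_insert_post are real WordPress/WooCommerce APIs.

// wp_ajax_* hooks are reachable by any authenticated user. Being logged in says
// nothing about what the caller may do; that is the gap in the Subscriber+ issues.
add_action( 'wp_ajax_example_update_order_identifier', 'example_update_order_identifier' );

function example_update_order_identifier() {
    // 1. CSRF protection: the request must carry a nonce bound to this action.
    check_ajax_referer( 'example_update_order_identifier', 'nonce' );

    // 2. Resolve the target object from the client-supplied id.
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order    = $order_id ? wc_get_order( $order_id ) : false;
    if ( ! $order ) {
        wp_send_json_error( array( 'message' => 'Unknown order.' ), 404 );
    }

    // 3. Object-level authorization (the IDOR check): the caller must own this
    //    particular order or hold a store-management capability. A valid order_id
    //    is never evidence of ownership. For admin-only flows such as integration
    //    (re)connection or token retrieval there is no ownership branch at all:
    //    the check is simply current_user_can( 'manage_options' ).
    $user_id  = get_current_user_id();
    $is_staff = current_user_can( 'manage_woocommerce' );
    $is_owner = $user_id > 0 && (int) $order->get_customer_id() === $user_id;
    if ( ! $is_staff && ! $is_owner ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    // 4. Validate the value against the shape the field is expected to hold
    //    before persisting it (pattern is illustrative: "scheme:identifier").
    $value = isset( $_POST['identifier'] ) ? sanitize_text_field( wp_unslash( $_POST['identifier'] ) ) : '';
    if ( ! preg_match( '/^[0-9]{4}:[A-Za-z0-9.\-]{1,50}$/', $value ) ) {
        wp_send_json_error( array( 'message' => 'Invalid identifier format.' ), 400 );
    }

    $order->update_meta_data( '_example_edi_identifier', $value );
    $order->save();
    wp_send_json_success();
}

// Post-type boundary: a client-supplied post_type is honoured only after checking
// that it is one this feature is meant to handle, that it is registered, and that
// the current user holds that post type's own create_posts capability. edit_posts
// on ordinary posts does not imply the right to create pages or templates.
function example_create_draft( $requested_type, $title ) {
    $allowed_types = array( 'post', 'page' ); // feature-specific allow-list
    if ( ! in_array( $requested_type, $allowed_types, true ) ) {
        return new WP_Error( 'invalid_type', 'Unsupported post type.' );
    }
    $type_object = get_post_type_object( $requested_type );
    if ( ! $type_object || ! current_user_can( $type_object->cap->create_posts ) ) {
        return new WP_Error( 'forbidden', 'You may not create this post type.' );
    }
    return wp_insert_post(
        array(
            'post_type'   => $requested_type,
            'post_title'  => sanitize_text_field( $title ),
            'post_status' => 'draft',
        ),
        true
    );
}
```

The order of checks matters: the nonce rejects cross-site requests before any database lookup, the capability check decides who may use the feature at all, and the ownership comparison is the part that turns an order_id into an authorized object. Dropping any one of the three reproduces one of the issue classes described above.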
CVE-2025-11737 – VK All in One Expansion Unit – Stored XSS via Contributor+ – POC

CVE-2025-11737 affects VK All in One Expansion Unit and is a stored cross-site scripting vulnerability that can be triggered by a Contributor-level user through a post-level meta field named SNS Title. The vulnerability is dangerous because it lands in the page head as Open Graph metadata, which means it executes in a high-trust context on every page view where the affected post is rendered. This is not a narrow admin-only issue. Once the malicious value is stored, it can reach front-end visitors and also administrators reviewing content, and it can become a persistent trap that fires repeatedly. With an install base of around 100k+, this is relevant to many multi-author WordPress sites where Contributors exist by design.
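The four XSS entries on this page (Shield Security, Easy Updates Manager, StatCounter and VK All in One Expansion Unit) each name a different output context: an HTML body, an attribute value, a JavaScript literal and an Open Graph meta tag. The right escaper depends on that context, which is why "sanitization" alone is not the fix. The following is an added example, not code from any of those plugins, that places a constructed unescaped reflection next to a context-correct rendering for each sink. Function names and the sample values are hypothetical; esc_html, esc_attr, absint, wp_unslash and wp_json_encode are real WordPress APIs.

```php
<?php
// Added example, not any plugin's code. Function names and sample inputs are
// constructed; esc_html, esc_attr, absint, wp_unslash and wp_json_encode are
// real WordPress core functions.

// Anti-pattern (constructed illustration of the bug class, not a specific CVE):
// a request parameter concatenated straight into markup.
function vulnerable_notice_html() {
    $message = isset( $_GET['message'] ) ? $_GET['message'] : '';
    return '<p class="notice">' . $message . '</p>'; // unescaped: reflected XSS sink
}

// HTML body context: esc_html() encodes <, >, &, " and '.
function safe_notice_html() {
    $message = isset( $_GET['message'] ) ? wp_unslash( $_GET['message'] ) : '';
    return '<p class="notice">' . esc_html( $message ) . '</p>';
}

// Attribute context: coerce to the expected type first (a page number is an
// integer, so absint() already discards any payload), then still wrap in
// esc_attr() so the template stays safe if the type ever changes.
function safe_paged_input_html() {
    $paged = isset( $_GET['paged'] ) ? absint( $_GET['paged'] ) : 1;
    return '<input type="hidden" name="paged" value="' . esc_attr( $paged ) . '" />';
}

// JavaScript context: never concatenate a string into a <script> body. Emit it
// as a JSON literal; the HEX flags encode quotes, <, > and &, and json_encode's
// default slash escaping turns "</script>" into "<\/script>" so the value cannot
// close the element early.
function safe_nickname_script_html( $nickname ) {
    $literal = wp_json_encode(
        (string) $nickname,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return '<script>var authorNickname = ' . $literal . ';</script>';
}

// Meta tag content in the page head is an attribute value, so esc_attr()
// is the escaper to use for the Open Graph title.
function safe_og_title_html( $title ) {
    return '<meta property="og:title" content="' . esc_attr( $title ) . '" />';
}

// Constructed inputs that would break out of each context when unescaped,
// rendered through the safe functions.
function example_render_all() {
    $_GET['message'] = '<b>x</b>';                       // markup in body context
    $_GET['paged']   = '1" data-x="y';                   // attribute break-out attempt
    echo safe_notice_html(), "\n";                       // &lt;b&gt;x&lt;/b&gt;
    echo safe_paged_input_html(), "\n";                  // value="1"
    echo safe_nickname_script_html( '</script>x' ), "\n"; // "\u003C\/script\u003Ex"
    echo safe_og_title_html( '"><b>x</b>' ), "\n";       // &quot;&gt;&lt;b&gt;x&lt;/b&gt;
}
```

The stored cases (nickname, SNS Title) follow the same rule even though the value comes from the database rather than the request: escaping is applied at output, for the context being written, because the Contributor who set the value is not trusted to author markup or script.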