CVE-2024-7083 affects Email Encoder and it is a high-privilege stored cross-site scripting vulnerability in the plugin settings workflow. The vulnerable protection_text option could store attacker-controlled markup when the settings page request is submitted, allowing script execution on content that renders the protected shortcode even when unfiltered_html is restricted.
CVE-2026-2917 – Happy Addons – IDOR allows unauthorized cloning of content and sensitive widget metadata – POC

CVE-2026-2917 affects Happy Addons for Elementor and it is an authenticated Contributor-level insecure direct object reference in the Happy Clone post duplication flow. The vulnerable admin action accepts a user-supplied post_id and checks only the broad edit_posts capability, which lets an attacker clone other users’ published objects into a draft that they own. When the source object contains Elementor metadata or widget configuration, the copied draft can expose sensitive settings and create a content integrity risk.
CVE-2026-2918 – Happy Addons – Stored XSS – POC

CVE-2026-2918 affects Happy Addons for Elementor and it is an authenticated Contributor-level stored cross-site scripting vulnerability in the Theme Builder Template Conditions workflow. The vulnerable AJAX action accepts an arbitrary template_id and performs a broad edit_posts capability check instead of checking the specific ha_library template. A Contributor with access to the Elementor editor nonce can change conditions for another published template and store crafted condition data that is later rendered as unsafe HTML attributes in the Elementor editor. When an administrator opens Template Conditions, the payload can run in the admin browser context, which can lead to nonce theft, privileged actions, and full site compromise.
CVE-2026-8438 – All-In-One Security – Stored XSS – POC

CVE-2026-8438 affects All-In-One Security (AIOS) – Security and Firewall and it is an unauthenticated stored cross-site scripting vulnerability in the debug log workflow. When debug mode and the REST API restriction for non-logged-in users are enabled, an attacker can place HTML or JavaScript in the REST request path. The decoded path is written into the debug log and later rendered without escaping in the AIOS Dashboard Debug logs page. A single request can therefore plant script that runs in an administrator's browser session when the log view is opened, which can lead to nonce theft, privileged actions, and full site compromise.
CVE-2026-0722 – Shield Security – CSRF to SQLi – POC

CVE-2026-0722 affects Shield Security and covers a CSRF bypass that can be chained into SQL injection in versions up to and including 21.0.8. The vulnerable AJAX flow can be reached through wp-admin/admin-ajax.php with action=shield_action and ex=traffictable_action, where a forged request can disable nonce verification through action_overrides[is_nonce_verify_required]=0.
CVE-2026-0561 – Shield Security – Unauth Reflected XSS – POC

CVE-2026-0561 affects Shield Security and describes an unauthenticated reflected cross-site scripting issue in versions up to and including 21.0.8. The vulnerable dynamic page renderer accepts the message parameter on the shield_action flow and reflects it into a generated page without sufficient sanitization and output escaping. An attacker does not need a WordPress account. They only need to persuade a victim to open a crafted URL, which can make script run in the victim's browser under the site origin. For logged-in administrators, that can expose WordPress nonces and allow authenticated browser actions through the victim's session.
CVE-2026-7660 – Easy Updates Manager – Reflected XSS – POC

CVE-2026-7660 affects Easy Updates Manager in versions up to 9.0.20 and it is a reflected cross-site scripting issue in the admin pagination flow. The vulnerable path is the Updates Options plugins tab, where the paged request parameter can be reflected into the value attribute of the current-page input when action=eum_ajax is present. A successful attack requires an administrator or another user with update management access to open a crafted admin URL, so the practical risk is a privileged reflected script sink that can execute in the WordPress dashboard if the browser accepts the injected attribute payload.
CVE-2026-9284 – WooCommerce PayPal Payments – Missing Authorization – POC

CVE-2026-9284 affects WooCommerce PayPal Payments and it is a missing authorization issue in the subscription approval checkout flow. In vulnerable builds up to 4.0.1, a public WC-AJAX request can place a client-supplied PayPal subscription identifier into the WooCommerce session, and the subscriptions integration can later treat that session value as sufficient evidence to complete a WooCommerce order. On stores that use WooCommerce Subscriptions with PayPal subscription checkout, this can let an unauthenticated visitor move an order to a paid state without a successful PayPal capture or approval, which creates direct financial risk and unreliable payment records.
CVE-2025-13048 – Official StatCounter Plugin – Stored XSS to Contributor+ Persistent Script Execution – POC

CVE-2025-13048 affects Official StatCounter Plugin and it is an authenticated stored cross-site scripting vulnerability that allows a Contributor or higher user to store a crafted payload in the WordPress Nickname field. The vulnerability is triggered when the affected post is viewed and the plugin renders the author nickname into a JavaScript context without proper sanitization and escaping. The practical security outcome is persistent browser-side code execution against visitors and administrators who open the injected post. On real sites this can lead to session theft, unauthorized admin actions, malicious redirects, or further compromise of the WordPress dashboard.
CVE-2026-2515 – Hostinger Reach – Missing Authorization to Authenticated (Subscriber+) Integration API Key Update – POC

CVE-2026-2515 affects Hostinger Reach and it is a missing authorization vulnerability that allows a low-privilege authenticated user to trigger an admin-only site connection flow and ultimately overwrite the persistent Reach bearer credential stored in WordPress options. The practical security outcome is not a minor UI glitch. It is third-party integration takeover. A Subscriber can rebind the WordPress site to an attacker-controlled Reach tenant, disrupt the legitimate integration, and potentially divert marketing data and automation feeds. On sites where WooCommerce-related automation is enabled, the downstream impact can extend to billing and order PII flowing into the attacker account because the plugin believes it is still connected to the correct Reach backend.