CVE-2025-15370 – Shield Security – IDOR in MFA action mfa_profile_toggle_ga allows any authenticated user to disable Google Authenticator – POC

CVE-2025-15370 affects Shield Security. It is a privilege boundary failure that weakens authentication rather than changing content or reading data: any authenticated user, including a Subscriber, can name another account in a request parameter and toggle that account's Google Authenticator setting. That matters because MFA is one of the most important compensating controls in WordPress. When a plugin that is meant to harden a site can be driven by low-privilege users to disable MFA on administrators, it becomes a security-downgrade primitive. The practical consequence is that an attacker needs only one more ingredient, such as a leaked password or a successful phish, to turn the downgrade into a full admin takeover.
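
The authorization gap described above, as an added illustration rather than Shield Security's own code: a hypothetical AJAX handler that trusts a `user_id` request parameter, beside a form that binds the action to the caller, requires the per-user `edit_user` capability for anyone else, and demands a password re-check before MFA is switched off. The action names, nonce action and the `demo_ga_enabled` meta key are assumptions.

```php
<?php
// Added example, not Shield Security's code. The action names, the nonce action
// and the 'demo_ga_enabled' meta key are hypothetical.

// VULNERABLE: the target account comes from the request, so any logged-in user
// can flip another user's MFA flag. The nonce does not help: a nonce proves the
// request came from a page this user loaded, not that this user may act on $user_id.
add_action( 'wp_ajax_demo_mfa_toggle_ga_vuln', function () {
    check_ajax_referer( 'demo_mfa_toggle', 'nonce' );
    $user_id = absint( $_POST['user_id'] ?? 0 );          // attacker chooses the victim
    $enable  = ! empty( $_POST['enable'] );
    update_user_meta( $user_id, 'demo_ga_enabled', $enable ? 1 : 0 );
    wp_send_json_success();
} );

// HARDENED: the action defaults to the caller's own account; acting on another
// account needs the 'edit_user' meta capability for that specific user, and
// switching MFA off needs the caller to re-enter their password (step-up).
add_action( 'wp_ajax_demo_mfa_toggle_ga', function () {
    check_ajax_referer( 'demo_mfa_toggle', 'nonce' );

    $caller    = wp_get_current_user();
    $caller_id = (int) $caller->ID;
    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : $caller_id;

    // Object-level authorization: self, or an explicit per-user capability.
    if ( $target_id !== $caller_id && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( ! get_userdata( $target_id ) ) {
        wp_send_json_error( 'no_such_user', 404 );
    }

    $enable = ! empty( $_POST['enable'] );

    // Step-up: disabling a second factor is a downgrade, so re-prove the first factor.
    if ( ! $enable ) {
        $password = (string) wp_unslash( $_POST['password'] ?? '' );
        if ( '' === $password || ! wp_check_password( $password, $caller->user_pass, $caller_id ) ) {
            wp_send_json_error( 'reauth_required', 401 );
        }
    }

    update_user_meta( $target_id, 'demo_ga_enabled', $enable ? 1 : 0 );
    wp_send_json_success( array( 'user_id' => $target_id, 'ga_enabled' => $enable ) );
} );
```

The check to apply when auditing any MFA toggle: find where the handler decides *which* user is affected, and confirm that value is either derived from the session or gated by a capability scoped to that user, not merely by a nonce or by a generic "is logged in" test.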

CVE-2026-4267 – Query Monitor – Unauth Reflected XSS – POC

CVE-2026-4267 affects Query Monitor. It is a reflected cross-site scripting vulnerability that an unauthenticated attacker can trigger and that executes in the browser of a logged-in user who can view Query Monitor output. Query Monitor is often installed on development and staging sites, but it is also frequently left enabled on production environments after troubleshooting, which raises the chance that an administrator has it active while browsing the dashboard. The bug is dangerous because it sits inside a diagnostic panel that administrators trust. Once script execution is achieved in an admin session, the attacker can move from a simple reflected injection to nonce theft and privileged state-changing actions in the WordPress backend.

CVE-2026-1710 – WooPayments – Unauthenticated Checkout UI Cache Poisoning/DOS via Public save_upe_appearance AJAX Endpoint – POC

CVE-2026-1710 affects WooPayments. It is an unauthenticated cache poisoning and denial-of-service vulnerability that targets the checkout payment UI rather than the WordPress admin. The core issue is that a public AJAX endpoint lets any visitor submit attacker-controlled Stripe Elements appearance configuration, and the plugin stores that data in globally shared transients that are later consumed by every shopper. A single anonymous request therefore becomes site-wide, persistent checkout manipulation that can last for up to a day. On stores where card payments are the primary revenue path, disrupting the payment form is operationally severe because it blocks checkout completion for real customers while looking like a normal front-end glitch.
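
The shared-state pattern described above, as an added illustration that is not WooPayments' code: a hypothetical `wp_ajax_nopriv_` handler that writes whatever JSON it receives into one transient read by all shoppers, beside a version that restricts writes to store managers and reduces the payload to an allowlisted shape. Action names, the transient key and the allowed keys are assumptions; the `theme`/`variables` structure mirrors the Stripe Elements appearance API that the text refers to.

```php
<?php
// Added example, not WooPayments' code. Action names, transient key and the
// accepted appearance keys are hypothetical.

// VULNERABLE: an unauthenticated endpoint writes attacker-controlled JSON into a
// single shared transient that every shopper's checkout later reads for ~24h.
add_action( 'wp_ajax_nopriv_demo_save_appearance_vuln', 'demo_save_appearance_vuln' );
add_action( 'wp_ajax_demo_save_appearance_vuln', 'demo_save_appearance_vuln' );
function demo_save_appearance_vuln() {
    $appearance = json_decode( wp_unslash( $_POST['appearance'] ?? '' ), true );
    set_transient( 'demo_checkout_appearance', $appearance, DAY_IN_SECONDS ); // global
    wp_send_json_success();
}

// HARDENED: no nopriv hook at all; only store managers may write the shared value,
// and the payload is reduced to known keys with values of the expected type.
add_action( 'wp_ajax_demo_save_appearance', 'demo_save_appearance' );
function demo_save_appearance() {
    check_ajax_referer( 'demo_appearance_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $raw   = json_decode( wp_unslash( $_POST['appearance'] ?? '' ), true );
    $clean = demo_sanitize_appearance( is_array( $raw ) ? $raw : array() );
    set_transient( 'demo_checkout_appearance', $clean, DAY_IN_SECONDS );
    wp_send_json_success( $clean );
}

// Keep only allowlisted keys; drop everything else so the transient can never carry
// arbitrary markup, unexpected types or an oversized blob.
function demo_sanitize_appearance( array $raw ) {
    $clean  = array();
    $themes = array( 'stripe', 'night', 'flat' );
    if ( isset( $raw['theme'] ) && in_array( $raw['theme'], $themes, true ) ) {
        $clean['theme'] = $raw['theme'];
    }
    foreach ( array( 'colorPrimary', 'colorBackground', 'colorText' ) as $key ) {
        $value = $raw['variables'][ $key ] ?? null;
        if ( is_string( $value ) && preg_match( '/^#[0-9a-fA-F]{6}$/', $value ) ) {
            $clean['variables'][ $key ] = $value;
        }
    }
    return $clean;
}

// Reader side: never trust the stored value blindly; fall back to a safe default.
function demo_get_checkout_appearance() {
    $stored = get_transient( 'demo_checkout_appearance' );
    return is_array( $stored ) ? $stored : array( 'theme' => 'stripe' );
}
```

If a feature genuinely must accept input from anonymous shoppers, the stored value should be keyed to that shopper's session (for WooCommerce, the WC session object) rather than to a global transient; a global key turns one visitor's input into every visitor's experience, which is the whole problem here.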

CVE-2026-3098 – Smart Slider 3 – LFI (Subscriber+) – POC

CVE-2026-3098 affects Smart Slider 3. It lets an authenticated low-privilege user turn normal slider and image management flows into an arbitrary local file read. The practical impact is not limited to viewing a file inside the WordPress UI: the vulnerability chain can package the contents of server files into an exported Smart Slider archive, which the attacker then downloads and inspects offline. This is dangerous because the exported artifact becomes a clean exfiltration channel for configuration files, credentials and application secrets that should never leave the server. With an install base of roughly 800k, this is a realistic risk for the many sites where Subscriber accounts exist through registration, memberships or WooCommerce, and where plugin permissions are assumed to be safe by default.

CVE-2025-13393 – Featured Image from URL (FIFU) – Authenticated (Contributor+) Server-Side Request Forgery via ‘fifu_input_url’ – POC

CVE-2025-13393 affects Featured Image from URL (FIFU). It lets a Contributor-level user coerce the WordPress server into making outbound requests to attacker-chosen destinations during the Elementor save workflow. This is blind server-side request forgery: the plugin does not return the fetched response body to the attacker, but it triggers a network request as a side effect of extracting image dimensions. That is still high impact, because the attacker gains a reliable primitive to reach internal hosts that are not exposed to the internet, which can be used for reconnaissance and chaining. An install base of roughly 70k makes this relevant to real sites where Contributors and Authors are common in editorial and marketing teams.
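
The image-dimension fetch described above, as an added illustration that is not FIFU's code: a hypothetical helper that hands any supplied URL to `getimagesize()`, beside a version that validates the URL with WordPress's own `wp_http_validate_url()`, rejects hosts that resolve to private, loopback or reserved ranges, disables redirects, caps the response size and only then reads the dimensions from the downloaded bytes. Function names are assumptions.

```php
<?php
// Added example, not FIFU's code. Function names are hypothetical.

// VULNERABLE: whatever URL a Contributor supplies is opened server-side to read
// image dimensions; nothing stops http://127.0.0.1:8080/ or a cloud metadata address,
// and the fetch happens even though the caller never sees the body (blind SSRF).
function demo_fetch_image_size_vuln( $url ) {
    return @getimagesize( $url ); // PHP opens remote URLs when allow_url_fopen is on
}

// True only for globally routable addresses (no RFC1918, no loopback, no link-local).
function demo_is_public_ip( $ip ) {
    return false !== filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
}

// HARDENED: validate scheme/host, check every resolved address, fetch through
// wp_safe_remote_get() (which re-applies WordPress's unsafe-URL rejection), refuse
// redirects, bound the body, and parse dimensions from the bytes we already hold.
function demo_fetch_image_size( $url ) {
    $url = wp_http_validate_url( $url ); // http/https only, no userinfo, no localhost
    if ( ! $url ) {
        return new WP_Error( 'bad_url', 'URL rejected' );
    }
    $host = wp_parse_url( $url, PHP_URL_HOST );
    $ips  = gethostbynamel( $host );     // check all A records, not just the first
    if ( empty( $ips ) ) {
        return new WP_Error( 'no_dns', 'Host did not resolve' );
    }
    foreach ( $ips as $ip ) {
        if ( ! demo_is_public_ip( $ip ) ) {
            return new WP_Error( 'private_ip', 'Host resolves to a non-public address' );
        }
    }
    $resp = wp_safe_remote_get( $url, array(
        'timeout'             => 5,
        'redirection'         => 0,               // a redirect could bounce to an internal host
        'limit_response_size' => 2 * MB_IN_BYTES,
    ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return new WP_Error( 'fetch_failed', 'Could not fetch image' );
    }
    $size = getimagesizefromstring( wp_remote_retrieve_body( $resp ) );
    if ( ! $size ) {
        return new WP_Error( 'not_image', 'Response is not an image' );
    }
    return array( 'width' => $size[0], 'height' => $size[1] );
}
```

Two caveats a reviewer should keep in mind: the resolve-then-fetch sequence is still exposed to DNS rebinding between the check and the request (the only complete fix is to pin the connection to the validated IP or to proxy fetches through an egress host), and `gethostbynamel()` only returns IPv4 answers, so hosts with AAAA records need an equivalent check on the IPv6 side.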

CVE-2025-13753 – WP Table Builder – Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Table Creation – POC

CVE-2025-13753 affects WP Table Builder. It is an incorrect authorization vulnerability: a low-privilege authenticated user can create new tables even when the site owner has configured the plugin to allow table management only for specific roles. The bug is subtle because the plugin does have an authorization model and a dedicated allowed-roles gate, yet one AJAX entry point introduces an alternative access path that relies only on possession of a nonce-like value and skips the capability check entirely. In practical terms a Subscriber can perform a privileged content-creation action as soon as they can see or steal the security code exposed in a front-end or editor context, which breaks the role separation that administrators rely on in multi-user WordPress installations.
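
The "nonce as authorization" mistake described above, as an added illustration that is not WP Table Builder's code: a hypothetical configurable role gate, a second entry point that checks only a nonce and therefore bypasses that gate, and the corrected entry point that keeps the nonce for CSRF protection but makes the role gate the authorization decision. Option name, post type and action names are assumptions.

```php
<?php
// Added example, not WP Table Builder's code. The option, post type and action
// names are hypothetical.

// Site-owner configuration: the roles allowed to manage tables, stored as an option.
// Administrators pass regardless; everyone else must hold one of the configured roles.
function demo_user_may_manage_tables( $user_id = 0 ) {
    $user = $user_id ? get_userdata( $user_id ) : wp_get_current_user();
    if ( ! $user || ! $user->exists() ) {
        return false;
    }
    if ( user_can( $user, 'manage_options' ) ) {
        return true;
    }
    $allowed = (array) get_option( 'demo_tables_allowed_roles', array( 'editor' ) );
    return (bool) array_intersect( $allowed, (array) $user->roles );
}

// VULNERABLE: a second entry point "protected" only by a nonce. The nonce is printed
// into pages any logged-in user can load, so possessing it says nothing about role;
// a Subscriber who reads it from the page source can create tables.
add_action( 'wp_ajax_demo_create_table_vuln', function () {
    $nonce = (string) wp_unslash( $_POST['security'] ?? '' );
    if ( ! wp_verify_nonce( $nonce, 'demo_table_builder' ) ) {
        wp_send_json_error( 'bad_nonce', 403 );
    }
    $id = wp_insert_post( array(
        'post_type'   => 'demo_table',
        'post_title'  => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_status' => 'publish',
    ) );
    wp_send_json_success( array( 'id' => $id ) );
} );

// HARDENED: every entry point that mutates state runs the same role gate. The nonce
// stays (it is the CSRF control) but is never the authorization decision.
add_action( 'wp_ajax_demo_create_table', function () {
    check_ajax_referer( 'demo_table_builder', 'security' );
    if ( ! demo_user_may_manage_tables() ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $id = wp_insert_post( array(
        'post_type'   => 'demo_table',
        'post_title'  => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_status' => 'publish',
    ), true );
    if ( is_wp_error( $id ) ) {
        wp_send_json_error( $id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'id' => $id ) );
} );
```

The audit question for any plugin with a role-gate setting is whether every `wp_ajax_*`, REST route and `admin-post` handler that writes table data calls the gate; one handler that checks `wp_verify_nonce()` alone is the pattern the advisory describes. It also helps to emit the nonce only on screens that the gate itself permits, so a Subscriber never receives it in the first place.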

CVE-2026-3231 – Checkout Field Editor (Checkout Manager) for WooCommerce – Unauthenticated Stored XSS – POC

CVE-2026-3231 affects Checkout Field Editor (Checkout Manager) for WooCommerce. It is an unauthenticated stored cross-site scripting vulnerability that can fire in high-value contexts such as the WooCommerce admin order screen and the customer order details page. It matters because checkout fields sit directly on the boundary between untrusted shopper input and trusted back-office workflows. If an attacker can store HTML that later executes in an administrator's browser, the impact quickly escalates from a cosmetic script popup to session theft and administrative actions performed in the background. With an install base of roughly 500k, the vulnerable pattern is relevant to many production stores, especially those that use custom checkout fields to collect contact data, delivery preferences or consent options.

CVE-2026-3585 – The Events Calendar – LFI Author+ – POC

CVE-2026-3585 affects The Events Calendar and its Event Aggregator import workflow. It is an authenticated Local File Inclusion issue in the CSV import path: a low-privilege user (Author and above) who can manage event imports can point the importer at an arbitrary local path and force the server to open it as if it were a CSV file. Even though this is a file read rather than code execution, the security impact is serious, because it turns an editorial role into a tool for reading sensitive server files that were never meant to be exposed through the application. Given the plugin's install base of roughly 700k, this is especially relevant on multi-author sites and in organizations where event staff have elevated content permissions but should not have access to server-level secrets.
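
Both local file read entries above (the Smart Slider 3 export chain and this CSV import path) come down to the same defect: a path or file name taken from the request is opened directly. The following is an added illustration, not code from either plugin, of a read helper that does that beside one that confines the file to a fixed import directory, refuses path components and stream wrappers, checks the extension, and verifies the resolved path after symlinks still sits under the base. Function names and the `demo-imports` subdirectory are assumptions.

```php
<?php
// Added example, not Smart Slider 3's or The Events Calendar's code. Function names
// and the 'demo-imports' directory are hypothetical.

// VULNERABLE: the path comes from the request and is opened as-is, so
// ../../wp-config.php or /etc/passwd is read and its contents flow into whatever
// the feature does next (a CSV parser, an export archive, a preview pane).
function demo_read_import_file_vuln( $requested ) {
    return file_get_contents( $requested );
}

// Resolve a user-supplied file name inside $base_dir, or return a WP_Error.
function demo_resolve_import_file( $requested, $base_dir, array $allowed_ext ) {
    $base = realpath( $base_dir );
    if ( false === $base ) {
        return new WP_Error( 'bad_base', 'Import directory missing' );
    }

    // Accept only a bare file name: any directory component or wrapper prefix
    // ("../", "/etc/", "php://filter/...") changes the value under basename().
    $name = basename( (string) $requested );
    if ( '' === $name || $name !== $requested || false !== strpos( $name, ':' ) ) {
        return new WP_Error( 'bad_name', 'Only a plain file name is accepted' );
    }

    $ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, $allowed_ext, true ) ) {
        return new WP_Error( 'bad_ext', 'Unexpected file type' );
    }

    // realpath() follows symlinks, so a link planted in the import directory that
    // points at wp-config.php resolves outside $base and fails the prefix check.
    $full = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $full
        || 0 !== strpos( $full, $base . DIRECTORY_SEPARATOR )
        || ! is_file( $full ) ) {
        return new WP_Error( 'outside_base', 'File is not inside the import directory' );
    }
    return $full;
}

// HARDENED: the caller never names a path, only a file that must already live in
// the plugin's own import directory under uploads.
function demo_read_import_file( $requested ) {
    $upload = wp_upload_dir();
    $path   = demo_resolve_import_file(
        $requested,
        $upload['basedir'] . '/demo-imports',
        array( 'csv' )
    );
    if ( is_wp_error( $path ) ) {
        return $path;
    }
    return file_get_contents( $path );
}
```

Where a feature must read files the user previously uploaded, the cleanest design is to accept an attachment ID and derive the path with `get_attached_file()`, gated by the capability that owns that attachment, rather than accepting any file name at all; the helper above is the fallback for features that genuinely operate on a directory.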

CVE-2025-14980 – BetterDocs – OpenAI API Key Disclosure to Contributor+ via Admin Script Localization – POC

CVE-2025-14980 affects BetterDocs. It exposes a high-value secret through a surprisingly common WordPress anti-pattern: the plugin places an OpenAI API key into a JavaScript object that is printed in the admin area, and that admin screen is reachable by Contributor-level users. A user who is not trusted to manage integrations can therefore read the key simply by opening the BetterDocs dashboard and inspecting the page source or the DevTools network responses. The immediate consequence is that a low-privilege account obtains a reusable external credential that is valid outside WordPress, which turns a local dashboard information leak into a broader third-party account abuse scenario.
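
The localization anti-pattern described above, as an added illustration that is not BetterDocs' code: a hypothetical `wp_localize_script()` call that serializes the API key into the page, beside a design in which the browser only ever receives a nonce and a "configured" flag, and a capability-gated AJAX handler makes the upstream call with the key. Script handles, option name and action name are assumptions; the OpenAI endpoint and request body shape are those of the public chat completions API.

```php
<?php
// Added example, not BetterDocs' code. Script handles, the option name and the
// AJAX action are hypothetical.

// VULNERABLE: the raw key is serialized into the page as a JS global, so anyone who
// can load this admin screen reads it from the page source (or from DevTools).
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'toplevel_page_demo-docs' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'demo-docs-admin-vuln', plugins_url( 'admin-vuln.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'demo-docs-admin-vuln', 'demoDocsVuln', array(
        'openai_api_key' => get_option( 'demo_openai_api_key', '' ), // secret in HTML
    ) );
} );

// HARDENED: the key never leaves the server. The browser gets the AJAX URL, a nonce
// and a boolean; the server-side handler holds the credential and talks upstream.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'toplevel_page_demo-docs' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'demo-docs-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'demo-docs-admin', 'demoDocs', array(
        'ajax_url'   => admin_url( 'admin-ajax.php' ),
        'nonce'      => wp_create_nonce( 'demo_docs_ai' ),
        'configured' => '' !== get_option( 'demo_openai_api_key', '' ), // bool only
    ) );
} );

add_action( 'wp_ajax_demo_docs_ai_summary', function () {
    check_ajax_referer( 'demo_docs_ai', 'nonce' );
    // The integration is an admin feature; Contributors get a 403, not a proxy.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $key = get_option( 'demo_openai_api_key', '' );
    if ( '' === $key ) {
        wp_send_json_error( 'not_configured', 400 );
    }
    $text = sanitize_textarea_field( wp_unslash( $_POST['text'] ?? '' ) );
    $resp = wp_remote_post( 'https://api.openai.com/v1/chat/completions', array(
        'timeout' => 20,
        'headers' => array(
            'Authorization' => 'Bearer ' . $key,
            'Content-Type'  => 'application/json',
        ),
        'body'    => wp_json_encode( array(
            'model'    => 'gpt-4o-mini',
            'messages' => array( array( 'role' => 'user', 'content' => $text ) ),
        ) ),
    ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        wp_send_json_error( 'upstream_error', 502 );
    }
    // Return only the generated text, never the upstream response headers or the key.
    $body = json_decode( wp_remote_retrieve_body( $resp ), true );
    wp_send_json_success( $body['choices'][0]['message']['content'] ?? '' );
} );
```

A quick check for this class of leak on a site you administer: log in as a Contributor, open each plugin settings screen, and search the page source for `wp_localize_script` output (an inline `var someObject = {...}` block before the script tag) that contains anything resembling an API key; any hit is a secret that the browser should never have received.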

CVE-2025-13749 – Clearfy – Silent update suppression via CSRF in Clearfy Updates Manager – POC

CVE-2025-13749 affects Clearfy version 2.4.0. It is a Cross-Site Request Forgery weakness inside the Clearfy Updates Manager module that lets an attacker change update visibility and auto-update behavior without the administrator's consent. The most important security property here is stealth. Once the request succeeds, the targeted plugin or theme immediately disappears from the update list and the familiar yellow update banner no longer appears, so the administrator receives no obvious signal that anything changed. This is not a flashy exploit like code execution, but it is a persistence enabler: it keeps vulnerable software in place and raises the probability of compromise over time because patching has been silently disabled.
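
The CSRF shape described above, as an added illustration that is not Clearfy's code: a hypothetical `admin_init` handler that hides a plugin's updates whenever a request parameter is present (so a single forged `<img>` load by a logged-in administrator suffices), beside a version that accepts the change only through a POST to `admin-post.php` carrying a nonce bound to the action, validates the target against the installed plugins, and leaves a log line. Option name, action name and the `demo_hidden_updates` structure are assumptions.

```php
<?php
// Added example, not Clearfy's code. The option and action names are hypothetical.

// VULNERABLE: a state change driven by the mere presence of a request parameter.
// An administrator who opens an attacker page containing
//   <img src="https://site.example/wp-admin/?demo_hide_update=vuln-plugin/plugin.php">
// silently hides that plugin from the update list. current_user_can() does not
// help: the victim *is* an administrator, the request is just not theirs.
add_action( 'admin_init', function () {
    if ( isset( $_REQUEST['demo_hide_update'] ) && current_user_can( 'update_plugins' ) ) {
        $hidden   = (array) get_option( 'demo_hidden_updates', array() );
        $hidden[] = sanitize_text_field( wp_unslash( $_REQUEST['demo_hide_update'] ) );
        update_option( 'demo_hidden_updates', array_values( array_unique( $hidden ) ) );
    }
} );

// HARDENED: the change only happens via POST to admin-post.php, with a nonce tied to
// this specific action (check_admin_referer() dies on a forged request), the target
// must be an installed plugin file, and the change is recorded.
add_action( 'admin_post_demo_hide_update', function () {
    if ( ! current_user_can( 'update_plugins' ) ) {
        wp_die( 'forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'demo_hide_update' );

    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $slug = sanitize_text_field( wp_unslash( $_POST['plugin'] ?? '' ) );
    if ( ! array_key_exists( $slug, get_plugins() ) ) {
        wp_die( 'unknown plugin', '', array( 'response' => 400 ) );
    }

    $hidden   = (array) get_option( 'demo_hidden_updates', array() );
    $hidden[] = $slug;
    update_option( 'demo_hidden_updates', array_values( array_unique( $hidden ) ) );
    error_log( sprintf( 'demo: user %d hid updates for %s', get_current_user_id(), $slug ) );

    wp_safe_redirect( wp_get_referer() ?: admin_url( 'plugins.php' ) );
    exit;
} );

// The legitimate form. The nonce field is exactly what a cross-site request cannot
// supply, because the attacker's page cannot read it from the victim's admin screen.
function demo_hide_update_form( $slug ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_hide_update">
        <input type="hidden" name="plugin" value="<?php echo esc_attr( $slug ); ?>">
        <?php wp_nonce_field( 'demo_hide_update' ); ?>
        <?php submit_button( 'Hide updates for this plugin' ); ?>
    </form>
    <?php
}
```

Because the whole point of this bug is the missing signal, the operational check is to read the suppression list itself rather than the update screen: with WP-CLI, `wp option get <option-name>` for whichever option the updates manager uses (here the hypothetical `demo_hidden_updates`) shows every plugin and theme that has been hidden, and that output belongs in the same periodic review as the plugin inventory.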