| CVE/PSC | Application | Date | Affected versions | Description |
|---|---|---|---|---|
| Actual on: Apr 29, 2026, 10:04:41 | ||||
|
vulnerable
|
Apr 29, 2026, 07:04:15 |
Min -
Max 1.7.07
|
The Booking Package plugin for WordPress is vulnerable to Price Manipulation in versions up to, and including, 1.7.06 This is due to the intentForStripe() function passing user-controlled $_POST['amount'] directly to the Stripe PaymentIntent API without validation, and the commitStripe() function ignoring the server-calculated amount when confirming the payment. While the server correctly calculates the booking cost via getAmount() based on services, guests, taxes, and coupons, this calculated amount is nev... | |
|
vulnerable
|
Apr 28, 2026, 18:04:57 |
Min -
Max 3.6.2
|
Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data.This issue affects Templately: from n/a through 3.6.1. | |
|
WPIDE – File Manager & Code Editor
SAFE & CERTIFIED
|
Apr 28, 2026, 17:04:40 |
Min 3.5.6
Max 3.5.6
|
File manager and code editor plugins operate on one of the most security-critical boundaries in WordPress because they provide direct access to site files, plugin and theme code, uploaded assets, archive operations, and in some cases filesystem-level modification workflows from inside wp-admin. A weakness in this class of plugin can lead to arbitrary file upload, unauthorized file read or deletion, stored XSS through file metadata or previews, privilege escalation, remote code execution, or full site compro... | |
|
SAFE & CERTIFIED
|
Apr 28, 2026, 17:04:40 |
Min 2.2.4
Max 2.2.4
|
Animation and interaction plugins operate on a sensitive boundary between front-end rendering, visual builder controls, Gutenberg block behavior, Elementor widget configuration, and client-side JavaScript execution. These plugins often modify how content appears, moves, loads, transitions between pages, and reacts to scrolling or user interaction. A weakness in this class of plugin can lead to stored XSS through animation settings, unsafe rendering of visual effects, unauthorized modification of design beha... | |
|
SAFE & CERTIFIED
|
Apr 28, 2026, 17:04:40 |
Min 10.15.6
Max 10.15.6
|
Booking and reservation plugins operate across a sensitive boundary between public form submission, calendar availability, customer-provided booking data, admin-side reservation management, and in some configurations external calendar synchronization. These plugins often process names, contact details, selected dates, time slots, service requests, event information, and notification templates, while also controlling whether a date or resource can be booked. A weakness in this class of plugin can lead to sto... | |
|
YayMail – WooCommerce Email Customizer
SAFE & CERTIFIED
|
Apr 28, 2026, 17:04:40 |
Min 4.4.0
Max 4.4.0
|
WooCommerce email customization plugins operate on a sensitive boundary between order data, customer communication, template rendering, and admin-side content editing. These plugins often process customer names, billing and shipping details, order metadata, payment-related labels, coupons, custom fields, and transactional email content. A weakness in this class of plugin can lead to stored XSS in email templates or admin previews, unauthorized modification of transactional communications, data leakage throu... | |
|
Direct Checkout for WooCommerce
SAFE & CERTIFIED
|
Apr 28, 2026, 17:04:40 |
Min 3.6.6
Max 3.6.6
|
Checkout optimization plugins operate directly on one of the most commercially sensitive workflows in WordPress: the path between product selection and order completion. Because these plugins modify cart behavior, checkout redirects, AJAX add-to-cart flows, and checkout field visibility, weaknesses in this class of software can affect both security and business integrity. Improper handling of redirects, checkout configuration, request validation, or administrative settings may lead to unauthorized behavior,... | |
|
iControlWP – Multiple WordPress Management
vulnerable
|
Apr 28, 2026, 03:04:48 |
Min -
Max 5.5.4
|
iControlWP [worpit-admin-dashboard-plugin] < 5.5.4 CVE-2026-34901 | |
|
vulnerable
|
Apr 28, 2026, 02:04:16 |
Min -
Max 1.4.8
|
The WPS Visitor Counter WordPress plugin through 1.4.8 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers. | |
|
vulnerable
|
Apr 28, 2026, 02:04:06 |
Min -
Max 1.5.1
|
WP Directory Kit [wpdirectorykit] < 1.5.1 CVE-2026-39534 | |