| CVE/PSC | Application | Date | Affected versions | Description |
|---|---|---|---|---|
| Actual on: Jul 14, 2026, 10:07:31 | ||||
|
Unlimited Elements For Elementor (Free Widgets, Addons, Templates)
vulnerable
|
Jul 14, 2026, 14:07:19 |
Min -
Max 2.0.13
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Unlimited Elements Unlimited Elements For Elementor (Free Widgets, Addons, Templates) unlimited-elements-for-elementor allows Reflected XSS.This issue affects Unlimited Elements For Elementor (Free Widgets, Addons, Templates): from n/a through <= 2.0.12. | |
|
vulnerable
|
Jul 14, 2026, 00:07:22 |
Min -
Max 12.1.1.1
|
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Room 34 Creative Services, LLC ICS Calendar ics-calendar allows Reflected XSS.This issue affects ICS Calendar: from n/a through <= 12.1.1. | |
|
vulnerable
|
Jul 13, 2026, 13:07:57 |
Min -
Max 1.4.6
|
The Swiss Toolkit For WP plugin for WordPress is vulnerable to arbitrary file upload due to a flawed file type validation bypass in the `upload_extension_files()` function in all versions up to, and including, 1.4.6. The `upload_extension_files()` function hooks into WordPress's `wp_check_filetype_and_ext` filter and uses `strpos()` to check if a filename contains a configured extension string, rather than verifying the actual file extension. This makes it possible for authenticated attackers, with Author-l... | |
|
vulnerable
|
Jul 13, 2026, 13:07:28 |
Min -
Max 1.1.0
|
The BuddyHolis TableSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘placeholder’ parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |
|
Better Chat Support – Chat Bubble and Chat Button with Gutenberg, Elementor and Shortcode
vulnerable
|
Jul 13, 2026, 13:07:20 |
Min -
Max 3.1.4
|
The Chat Help – Click to Chat Button & Form plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the REST API endpoints /wp-json/chat-help/v1/leads and /wp-json/chat-help/v1/leads/{id}. This is due to the plugin not performing any authentication and authorization checks. This makes it possible for unauthenticated attackers to extract sensitive data including customer names, email addresses, phone numbers, WhatsApp messages, complete geolocation... | |
|
Planyo online reservation system
vulnerable
|
Jul 13, 2026, 12:07:33 |
Min -
Max 3.1
|
The Planyo Online Reservation System plugin for WordPress is vulnerable to Server-Side Request Forgery leading to Local File Inclusion in all versions up to, and including, 3.0. The ulap.php file acts as an AJAX proxy and is directly accessible without WordPress bootstrapping or any authentication. The send_http_post() function validates the host of the provided URL against an allowlist that includes 'localhost', but critically fails to validate the URL scheme/protocol. This makes it possible for unauthenti... | |
|
Starboard Suite Reservation Calendars
vulnerable
|
Jul 13, 2026, 08:07:19 |
Min -
Max 3.1.5
|
The Starboard Suite Reservation Calendars plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in the [starboard-suite-lightbox] shortcode in all versions up to, and including, 3.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |
|
Affilia Lite – Affiliate Program With MLM
vulnerable
|
Jul 13, 2026, 07:07:20 |
Min -
Max 3.3.4
|
The Affilia – Affiliate Program & Referral Tracking for WordPress plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.3.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to approve or reject affiliate referrals, credit commissions to affiliate wallets, delete referral records, and modify custom banner plugin options, enabl... | |
|
vulnerable
|
Jul 13, 2026, 06:07:56 |
Min -
Max 0.9.34
|
The WPvivid Backup for MainWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.9.33 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has bee... | |
|
NEX-Forms – Ultimate Form Builder – Contact forms and much more
vulnerable
|
Jul 13, 2026, 06:07:43 |
Min -
Max 9.2.3
|
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the saved_admin_email, saved_user_email, and saved_user_email_address fields of arbitrary form entries belonging to other users, and cause the site to dispatch attacker-controlled email content... | |