Current as of: Jul 02, 2026, 13:07:50

| CVE/PSC | Application | Date | Affected versions | Description |
|---|---|---|---|---|
| | RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login (vulnerable) | Jul 02, 2026, 18:07:25 | Min -; Max 6.0.9.2 | The RegistrationMagic – User Registration Forms Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0.9.1. This is due to missing or incorrect nonce validation on the process_request function. This makes it possible for unauthenticated attackers to escalate the privileges of an arbitrary form submitter to administrator by creating a malicious Chronos automation task that is executed via WordPress cron via a forged request granted they can trick a s... |
| | vulnerable | Jul 02, 2026, 18:07:02 | Min -; Max 4.2.2 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ShortPixel Enable Media Replace allows Stored XSS. This issue affects Enable Media Replace: from n/a through 4.2.1. |
| | GiveWP – Donation Plugin and Fundraising Platform (vulnerable) | Jul 02, 2026, 16:07:55 | Min -; Max 4.16.1 | The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'block_id' (and other) shortcode attributes of the 'givewp_campaign_comments' shortcode in versions up to, and including, 4.16.0. This is due to insufficient input sanitization and output escaping on user supplied attributes in CampaignCommentsShortcode::parseAttributes() and BlockRenderController::render(), where the blockId value is interpolated directly into a single-quoted HTML... |
| | GiveWP – Donation Plugin and Fundraising Platform (vulnerable) | Jul 02, 2026, 16:07:55 | Min -; Max 4.15.4 | The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.15.3. This is due to missing nonce validation on the give_set_notification_status_handler() function. This makes it possible for unauthenticated attackers to disable donation email notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. |
| | Image Optimizer by Elementor – Compress, Resize and Optimize Images (vulnerable) | Jul 02, 2026, 14:07:54 | Min -; Max 1.7.5 | The Image Optimizer plugin for WordPress is vulnerable to arbitrary file deletion in versions up to and including 1.7.4. This is due to insufficient path validation in the Image_Backup::remove() function where backup file paths stored in post meta are used directly in file deletion operations without verifying they are within the uploads directory. The plugin stores backup file paths in the image_optimizer_metadata post meta field and trusts these paths completely when deleting backups on the delete_attachm... |
| | LearnPress – WordPress LMS Plugin (vulnerable) | Jul 02, 2026, 14:07:25 | Min -; Max 4.4.0 | The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.9.1 via the 'userId' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to view the course enrollment progress and completion data belonging to any instructor or administrator account on the site. This IDOR does not apply w... |
| | LearnPress – WordPress LMS Plugin (vulnerable) | Jul 02, 2026, 14:07:25 | Min -; Max 4.4.1 | The LearnPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_wrapper_form' shortcode attribute in versions up to, and including, 4.4.0. This is due to insufficient input sanitization and output escaping in the FilterCourseTemplate::sections() method at line 98, where the attacker-controlled attribute is inserted into an HTML class attribute via `sprintf('<form class="%s">', $class_wrapper_form)` without esc_attr() escaping. The FilterCourseShortcode::render() handler does no... |
| | vulnerable | Jul 02, 2026, 13:07:33 | Min -; Max 18.2 | The Wp Google Places Review Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'place' parameter in versions up to, and including, 18.1. This is due to insufficient input sanitization and output escaping in admin/partials/googlecrawl_dfs.php, where the $_GET['place'] value is URL-decoded, stripslashes()'d, and echoed directly into an HTML value attribute with no esc_attr() call when the supplied place is not already a stored key in the wprev_google_crawls option. This makes ... |
| | Slim SEO – Fast & Automated WordPress SEO Plugin (vulnerable) | Jul 02, 2026, 12:07:39 | Min -; Max 4.9.9 | The Slim SEO – A Fast & Automated SEO Plugin For WordPress plugin for WordPress is vulnerable to Unauthorized Private Content Disclosure in all versions up to, and including, 4.9.8 via the `/wp-json/slim-seo/meta-tags/ai` REST API endpoint. This is due to the endpoint's `permission_callback` performing only a top-level `edit_posts` capability check without verifying that the requesting user has read access to the specific post supplied via the `object.ID` parameter, allowing the `generate` function to pass ... |
| | Custom Payment Gateways for WooCommerce (vulnerable) | Jul 02, 2026, 12:07:30 | Min -; Max 2.2.0 | The Custom Payment Gateways for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alg_wc_cpg_input_fields' parameter in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability is exploitable by unauthenticated guest users submitting a crafted checkout POST... |