| CVE/PSC | Application | Date | Affected versions | Description |
|---|---|---|---|---|
| Actual on: Jul 08, 2026, 22:07:16 | ||||
|
WCFM Membership – WooCommerce Memberships for Multivendor Marketplace
vulnerable
|
Jul 09, 2026, 03:07:11 |
Min -
Max 2.11.11
|
The WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.11.10. This is due to the 'wcfmvm_membership_change' AJAX action not validating user permission to modify other users. This makes it possible for authenticated attackers, with vendor level access and above, to change any user's role to 'wcfm_vendor' by changing their membership plan. | |
|
WANotifier – Send Message Notifications Using Cloud API
vulnerable
|
Jul 08, 2026, 22:07:17 |
Min -
Max 2.6
|
The Notifications for Forms & WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated users with subscriber-level access and above to include and execute arbitrary local PHP files on the server. | |
|
vulnerable
|
Jul 08, 2026, 19:07:47 |
Min -
Max 6.6.3
|
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Event Calendar widget in all versions up to, and including, 6.6.2 due to insufficient input sanitization and output escaping on event titles sourced from The Events Calendar. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page... | |
|
FileOrganizer – Manage WordPress and Website Files
vulnerable
|
Jul 08, 2026, 19:07:30 |
Min -
Max 1.1.9
|
The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions. | |
|
FileOrganizer – Manage WordPress and Website Files
vulnerable
|
Jul 08, 2026, 19:07:30 |
Min -
Max 1.2.0
|
The FileOrganizer WordPress plugin before 1.2.0 does not validate the file type on several of its file-management operations, allowing authenticated users who have been granted file-manager access — which its premium add-on can extend to sub-administrator roles — to upload arbitrary PHP files and achieve remote code execution. This is an incomplete fix of CVE-2024-7985, which only added file-type validation to the upload operation. | |
|
vulnerable
|
Jul 08, 2026, 17:07:40 |
Min -
Max 4.7.5
|
The Simple Membership WordPress plugin before 4.7.5 does not verify the authenticity of Stripe webhook requests when no signing secret is configured, nor escape a value taken from them before outputting it in an administrator notice, allowing unauthenticated attackers to inject arbitrary web scripts that execute in the context of a logged-in administrator. | |
|
AMP for WP – Accelerated Mobile Pages
vulnerable
|
Jul 08, 2026, 14:07:34 |
Min -
Max 1.1.13
|
The AMP for WP – Accelerated Mobile Pages plugin for WordPress is vulnerable to Arbitrary File Write in versions up to and including 1.1.12. This is due to unsafe ZIP file extraction in the ampforwp_save_local_font() function combined with inadequate cleanup that fails to remove nested directories and files. This makes it possible for authenticated attackers, with Author-level access and above, and permissions granted by an Administrator, to write arbitrary files to the server in a web-accessible location, ... | |
|
Smash Balloon Social Photo Feed – Best Social Feed Plugin for WordPress
vulnerable
|
Jul 08, 2026, 13:07:24 |
Min -
Max 6.11.2
|
Smash Balloon Social Photo Feed – Easy Social Feeds Plugin [instagram-feed] < 6.11.2 CVE-2026-12002 | |
|
File Manager Pro – Filester
vulnerable
|
Jul 08, 2026, 12:07:52 |
Min -
Max 2.1.1
|
The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions. | |
|
Exclusive Addons for Elementor
vulnerable
|
Jul 08, 2026, 12:07:11 |
Min -
Max 2.7.9.9
|
The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title parameter in all versions up to, and including, 2.7.9.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |