cleantalk

Vulnerabilities and Security Research

Recent vulnerability research

CVE/PSC Application Date Affected versions Description
Current as of: May 23, 2026, 14:05:42

CVE-2026-9104

Draft List

vulnerable

May 23, 2026, 19:05:04
Min -
Max 2.6.4
The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Draft Post Title in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The unescaped injection path is triggered specifically when the viewing user lacks edit capabilities, meaning payloa...

CVE-2026-3481

WP Blockade – Visual Page Builder

vulnerable

May 23, 2026, 18:05:20
Min -
Max 0.9.14
The WP Blockade plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to and including 0.9.14. This is due to insufficient input sanitization and output escaping in the render_shortcode_preview() function. The function receives user input from $_GET['shortcode'], passes it through stripslashes() without any sanitization, and then outputs it directly via echo do_shortcode($shortcode) on line 393. When the input is not a valid WordPress shortcode...

CVE-2026-9284

WooCommerce PayPal Payments

vulnerable

May 23, 2026, 18:05:02
Min -
Max 4.0.2
WooCommerce PayPal Payments [woocommerce-paypal-payments] < 4.0.2 CVE-2026-9284

CVE-2026-7462

VatanSMS WP SMS

vulnerable

May 23, 2026, 12:05:17
Min -
Max 1.01
The VatanSMS WP SMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `page` parameter in all versions up to, and including, 1.01. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link.

CVE-2026-7798

Email Marketing, Newsletter, Email Automation and CRM Plugin for WordPress by FluentCRM

vulnerable

May 23, 2026, 10:05:54
Min -
Max 3.0.0
FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution [fluent-crm] < 3.0.0 CVE-2026-7798

CVE-2026-42672

WP Directory Kit

vulnerable

May 23, 2026, 09:05:57
Min -
Max 1.5.2
WP Directory Kit [wpdirectorykit] < 1.5.2 CVE-2026-42672

CVE-2026-5293

診断ジェネレータ作成プラグイン

vulnerable

May 23, 2026, 09:05:30
Min -
Max 1.4.16
The 診断ジェネレータ作成プラグイン (Diagnosis Generator) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'js' parameter in versions up to and including 1.4.16. This is due to missing authorization checks and insufficient input sanitization in the themeFunc() function. The function is hooked to 'admin_init' and processes theme update requests without verifying user capabilities, allowing any authenticated user (including subscribers) to save malicious JavaScript to theme files. Additionally, the s...

CVE-2026-45209

MyCryptoCheckout – Bitcoin, Ethereum, and 100+ altcoins for WooCommerce

vulnerable

May 23, 2026, 09:05:21
Min -
Max 2.162
MyCryptoCheckout – Bitcoin, Ethereum, and 100+ altcoins for WooCommerce [mycryptocheckout] < 2.162 CVE-2026-45209

CVE-2026-8626

SponsorMe

vulnerable

May 23, 2026, 09:05:05
Min -
Max 0.5.2
The SponsorMe plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Parameter in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The PHP_SELF value is reflected in two separate locations within the vulnerable function — a form actio...

CVE-2026-8685

Infility Global

vulnerable

May 23, 2026, 08:05:58
Min -
Max 2.15.16
The Infility Global plugin for WordPress is vulnerable to SQL Injection via the 'orderby' and 'order' parameters in all versions up to, and including, 2.15.16. This is due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the existing SQL query within the show_control_data::post_list() function, which is registered as an admin menu page with only the 'read' capability. This makes it possible for authenticated attackers, with Subscriber-level access and above, to appe...

Recent approved applications

Application Date Description Details
Current as of: May 23, 2026, 14:05:42

Advanced Editor Tools

May 01, 2026, 14:05:56 Editor enhancement plugins operate directly on the boundary between content creation, rich-text formatting, block editor behavior, Classic Editor compatibility, and front-end rendering. These plugins influence how authors create content, how formatting is stored, how editor settings are applied, and how HTML produced by rich-text tools eventually appears on public pages. A weakness in this class of plugin can lead to stored XSS through editor content or settings, unauthorized configuration changes, unsafe h...

Really Simple SSL

May 01, 2026, 14:05:56 Security and SSL enforcement plugins operate across some of the most sensitive trust boundaries in WordPress because they can influence HTTPS migration, redirect behavior, security headers, login protection, two-factor authentication, vulnerability detection, and site hardening controls. Weaknesses in this class of plugin can affect confidentiality, session safety, authentication integrity, administrative access control, or the reliability of security configuration across the entire site. Really Simple Secu...

WP Booking Calendar

Apr 28, 2026, 17:04:40 Booking and reservation plugins operate across a sensitive boundary between public form submission, calendar availability, customer-provided booking data, admin-side reservation management, and in some configurations external calendar synchronization. These plugins often process names, contact details, selected dates, time slots, service requests, event information, and notification templates, while also controlling whether a date or resource can be booked. A weakness in this class of plugin can lead to sto...

UiCore Animate

Apr 28, 2026, 17:04:40 Animation and interaction plugins operate on a sensitive boundary between front-end rendering, visual builder controls, Gutenberg block behavior, Elementor widget configuration, and client-side JavaScript execution. These plugins often modify how content appears, moves, loads, transitions between pages, and reacts to scrolling or user interaction. A weakness in this class of plugin can lead to stored XSS through animation settings, unsafe rendering of visual effects, unauthorized modification of design beha...

YayMail – WooCommerce Email Customizer

Apr 28, 2026, 17:04:40 WooCommerce email customization plugins operate on a sensitive boundary between order data, customer communication, template rendering, and admin-side content editing. These plugins often process customer names, billing and shipping details, order metadata, payment-related labels, coupons, custom fields, and transactional email content. A weakness in this class of plugin can lead to stored XSS in email templates or admin previews, unauthorized modification of transactional communications, data leakage throu...

Direct Checkout for WooCommerce

Apr 28, 2026, 17:04:40 Checkout optimization plugins operate directly on one of the most commercially sensitive workflows in WordPress: the path between product selection and order completion. Because these plugins modify cart behavior, checkout redirects, AJAX add-to-cart flows, and checkout field visibility, weaknesses in this class of software can affect both security and business integrity. Improper handling of redirects, checkout configuration, request validation, or administrative settings may lead to unauthorized behavior,...

MailPoet – Newsletters, Email Marketing, and Automation

Apr 24, 2026, 10:04:53 Email marketing plugins operate across several high-risk boundaries in WordPress because they combine subscriber data handling, admin-side campaign management, form collection and segmentation, scheduled and automated sending logic, and in some deployments external delivery infrastructure. Weaknesses in this class of plugin can lead to stored XSS in administrative interfaces, unauthorized access to subscriber information, misuse of automation workflows, or abuse of privileged settings that affect site commu...

Backup Migration

Apr 23, 2026, 12:04:30 Backup and migration plugins sit on one of the most sensitive trust boundaries in WordPress because they routinely interact with site files, database contents, archive generation and extraction, and sometimes remote storage or cross-site transfer flows. A weakness in this class of plugin can quickly translate into unauthorized data exposure, integrity loss during restore operations, or abuse of privileged backup management features. Backup Migration version 2.1.5.1 has successfully completed the CleanTalk P...

Element Pack Elementor Addons (Header Footer, Free Template Library, Grid, Carousel, Table, Parallax Animation, Register Form,

Apr 16, 2026, 12:04:16 Elementor addon suites are security-relevant because they add a large amount of front-end rendering and stored widget configuration into WordPress. These plugins frequently process user-controlled strings (titles, labels, URLs, templates) and expose admin-side builders and settings that, if not defended correctly, can become paths to stored XSS, CSRF-driven configuration changes, privilege boundary issues, or information disclosure via misconfigured endpoints. Element Pack – Widgets, Templates & Addons for ...

Metform Elementor Contact Form Builder

Mar 30, 2026, 11:03:54 MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor (v4.1.3) is a powerful drag-and-drop form builder plugin designed to extend Elementor with advanced form creation capabilities. It allows users to build complex forms such as contact forms, surveys, booking forms, payment forms, and more without writing code. Built for websites running on WordPress, MetForm integrates deeply into both frontend and backend workflows, handling user input, data storage, AJAX submissions, file uploads, a...