Vulnerabilities and Security Researches

Recent vulnerability researches
CVE/PSC	Application	Date	Affected versions	Description
	Actual on: Jun 20, 2026, 06:06:17
CVE-2026-56012	Media Library Assistant vulnerable	Jun 20, 2026, 10:06:50	Min - Max 3.36	Media Library Assistant [media-library-assistant] < 3.36 CVE-2026-56012 [en] Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media LIbrary Assistant allows Blind SQL Injection. This issue affects Media LIbrary Assistant: from n/a through 3.35.
CVE-2026-54817	MStore API vulnerable	Jun 20, 2026, 10:06:30	Min - Max 4.19.0	Authentication Bypass Using an Alternate Path or Channel vulnerability in FluxBuilder MStore API allows Password Recovery Exploitation. This issue affects MStore API: from n/a through 4.18.4.
CVE-2026-56009	Bricksable for Bricks Builder vulnerable	Jun 20, 2026, 10:06:15	Min - Max 1.6.84	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bricksable for Bricks Builder allows Stored XSS. This issue affects Bricksable for Bricks Builder: from n/a through 1.6.83.
CVE-2026-9860	Offload, AI & Optimize with Cloudflare Images vulnerable	Jun 20, 2026, 10:06:04	Min - Max 1.10.3	The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter parameter. This is due to insufficient privilege enforcement on the cf_images_do_setup AJAX handler, which requires only the upload_files capability (Author+) rather than manage_options before writing to wp-config.php, combined with the absence of single-quote escaping — sanitize_text_field() does not strip single quotes, an...
CVE-2026-8118	Royal Elementor Addons and Templates vulnerable	Jun 20, 2026, 09:06:56	Min - Max 1.7.1060	The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Arbitrary File Read in versions 1.7.1058 through 1.7.1059. This is due to the wpr_get_csv_handle() helper (introduced in version 1.7.1058 as part of the patch for CVE-2026-6229) falling back to is_readable() and fopen($source, 'r') on the attacker-controlled settings.table_upload_csv.url value when it does not parse as an HTTP URL, with no allow-list, traversal block, or extension check. This makes ...
CVE-2026-9013	Bogo vulnerable	Jun 20, 2026, 09:06:52	Min - Max 3.9.2	The Bogo plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.1 via the bogo_rest_create_post_translation. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract the raw title, content, excerpt, and password of any private, draft, or password-protected post by triggering its duplication via the translation endpoint and reading the returned title.raw, content.raw, and excerpt.raw fields of the duplicated...
CVE-2026-56007	Ocean Product Sharing vulnerable	Jun 20, 2026, 09:06:39	Min - Max 2.2.3	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OceanWP Ocean Product Sharing allows Stored XSS. This issue affects Ocean Product Sharing: from n/a through 2.2.2.
CVE-2026-11775	User Admin Simplifier vulnerable	Jun 20, 2026, 09:06:23	Min - Max 3.0.1	The User Admin Simplifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the useradminsimplifier_options_page function. This makes it possible for unauthenticated attackers to reset and permanently delete any user's stored menu and admin-bar configuration via a forged request that triggers uas_save_admin_options() and overwrites the useradminsimplifier_options database entry via a forged re...
CVE-2026-7850	WP Magnific Popup vulnerable	Jun 20, 2026, 09:06:03	Min - Max 1.0	The WP Magnific Popup WordPress plugin through 1.0 does not properly escape user-controlled link URLs before injecting them into the DOM when displaying image load error messages, allowing authenticated attackers with Author-level access or above to perform Stored Cross-Site Scripting attacks against any visiting user.
CVE-2026-2021	Slideshow Gallery LITE vulnerable	Jun 20, 2026, 09:06:01	Min - Max 1.8.6	The Slideshow Gallery LITE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alwaysauto' shortcode attribute in all versions up to, and including, 1.8.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2026-56012

vulnerable

Jun 20, 2026, 10:06:50

Min -

Max 3.36

Media Library Assistant [media-library-assistant] < 3.36 CVE-2026-56012 [en] Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in David Lingren Media LIbrary Assistant allows Blind SQL Injection. This issue affects Media LIbrary Assistant: from n/a through 3.35.

CVE-2026-54817

MStore API

vulnerable

Jun 20, 2026, 10:06:30

Min -

Max 4.19.0

Authentication Bypass Using an Alternate Path or Channel vulnerability in FluxBuilder MStore API allows Password Recovery Exploitation. This issue affects MStore API: from n/a through 4.18.4.

CVE-2026-56009

Bricksable for Bricks Builder

vulnerable

Jun 20, 2026, 10:06:15

Min -

Max 1.6.84

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bricksable for Bricks Builder allows Stored XSS. This issue affects Bricksable for Bricks Builder: from n/a through 1.6.83.

CVE-2026-9860

Offload, AI & Optimize with Cloudflare Images

vulnerable

Jun 20, 2026, 10:06:04

Min -

Max 1.10.3

The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter parameter. This is due to insufficient privilege enforcement on the cf_images_do_setup AJAX handler, which requires only the upload_files capability (Author+) rather than manage_options before writing to wp-config.php, combined with the absence of single-quote escaping — sanitize_text_field() does not strip single quotes, an...

CVE-2026-8118

Royal Elementor Addons and Templates

vulnerable

Jun 20, 2026, 09:06:56

Min -

Max 1.7.1060

The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Arbitrary File Read in versions 1.7.1058 through 1.7.1059. This is due to the wpr_get_csv_handle() helper (introduced in version 1.7.1058 as part of the patch for CVE-2026-6229) falling back to is_readable() and fopen($source, 'r') on the attacker-controlled settings.table_upload_csv.url value when it does not parse as an HTTP URL, with no allow-list, traversal block, or extension check. This makes ...

CVE-2026-9013

Bogo

vulnerable

Jun 20, 2026, 09:06:52

Min -

Max 3.9.2

The Bogo plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.1 via the bogo_rest_create_post_translation. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract the raw title, content, excerpt, and password of any private, draft, or password-protected post by triggering its duplication via the translation endpoint and reading the returned title.raw, content.raw, and excerpt.raw fields of the duplicated...

CVE-2026-56007

Ocean Product Sharing

vulnerable

Jun 20, 2026, 09:06:39

Min -

Max 2.2.3

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OceanWP Ocean Product Sharing allows Stored XSS. This issue affects Ocean Product Sharing: from n/a through 2.2.2.

CVE-2026-11775

User Admin Simplifier

vulnerable

Jun 20, 2026, 09:06:23

Min -

Max 3.0.1

The User Admin Simplifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the useradminsimplifier_options_page function. This makes it possible for unauthenticated attackers to reset and permanently delete any user's stored menu and admin-bar configuration via a forged request that triggers uas_save_admin_options() and overwrites the useradminsimplifier_options database entry via a forged re...

CVE-2026-7850

WP Magnific Popup

vulnerable

Jun 20, 2026, 09:06:03

Min -

Max 1.0

The WP Magnific Popup WordPress plugin through 1.0 does not properly escape user-controlled link URLs before injecting them into the DOM when displaying image load error messages, allowing authenticated attackers with Author-level access or above to perform Stored Cross-Site Scripting attacks against any visiting user.

CVE-2026-2021

Slideshow Gallery LITE

vulnerable

Jun 20, 2026, 09:06:01

Min -

Max 1.8.6

The Slideshow Gallery LITE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alwaysauto' shortcode attribute in all versions up to, and including, 1.8.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Recent vulnerability researches