| CVE/PSC | Application | Date | Affected versions | Description |
|---|---|---|---|---|
| Actual on: Jun 08, 2026, 02:06:28 | ||||
|
Event Monster – Event Management, Tickets Booking, Upcoming Event
vulnerable
|
Jun 08, 2026, 03:06:33 |
Min -
Max 2.2.0
|
The Event Monster – Event Management, Events Calendar, Tickets plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 2.1.0. This is due to the capture_payment() AJAX handler (registered via wp_ajax_nopriv_em_capture_payment) trusting client-supplied payment data — including transaction ID, amount, and payment status — without performing any server-side verification against the PayPal API or any other payment gateway, and without nonce or capab... | |
|
Click to Chat – HoliThemes
vulnerable
|
Jun 07, 2026, 21:06:38 |
Min -
Max 4.40
|
The Click to Chat – WA Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [chat] shortcode 'num' parameter in all versions up to, and including, 4.38. This is due to insufficient escaping when embedding user-supplied shortcode attribute values inside JavaScript string literals that are then placed in HTML event-handler attributes. The CCW_Shortcode::shortcode() function applies esc_attr() to the 'num' parameter (line 157), which converts single quotes to the HTML entity '.... | |
|
Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress
vulnerable
|
Jun 07, 2026, 20:06:48 |
Min -
Max 11.1.3
|
The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order' parameter in all versions up to, and including, 11.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with admin-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive ... | |
|
RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
vulnerable
|
Jun 07, 2026, 19:06:41 |
Min -
Max 5.1.8
|
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to create and execute RSS import jobs, purge (force-delete) all posts associated with any import job, clear import error ... | |
|
vulnerable
|
Jun 07, 2026, 19:06:13 |
Min -
Max 4.5.4
|
The EmbedPress – PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the block 'url' attribute in all versions up to, and including, 4.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page | |
|
Backup, Restore and Migrate WordPress Sites With the XCloner Plugin
vulnerable
|
Jun 07, 2026, 16:06:11 |
Min -
Max 4.8.7
|
Backup, Restore and Migrate your sites with XCloner [xcloner-backup-and-restore] < 4.8.7 CVE-2026-48965 | |
|
WP User Manager – User Profile Builder & Membership
vulnerable
|
Jun 07, 2026, 16:06:00 |
Min -
Max 2.9.18
|
The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the (profile template scope) function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded an... | |
|
vulnerable
|
Jun 07, 2026, 15:06:50 |
Min -
Max 6.3
|
The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.2. This is due to the pagelist_unqprfx_ext_shortcode() function (the [pagelist_ext] / [pagelistext] shortcode) accepting attacker-controlled post_status, post_type, and show_meta_key attributes and passing them directly into get_pages() and get_post_meta() with no capability check verifying that the rendering user is permitted to read the matched objects. When the current post has no child pages... | |
|
vulnerable
|
Jun 07, 2026, 15:06:35 |
Min -
Max 1.7.8.4
|
The MDJM Event Management plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7.8.3 via the mdjm_send_comm_email function. This is due to no file type, extension, or MIME type validation being performed on uploaded files. This makes it possible for authenticated attackers, with administrator-level access and above, to upload files that may be executable, which makes remote code execution possible. | |
|
vulnerable
|
Jun 07, 2026, 15:06:34 |
Min -
Max 1.28.2
|
The Express Payment For Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' attribute of the [stripe-express] shortcode in versions up to, and including, 1.28.0. This is due to insufficient input sanitization and output escaping on the shortcode attribute value, which is concatenated into an HTML attribute in the rendered output of the register_shortcode() function without being passed through esc_attr() or any other escaping function. This makes it possible for authentic... | |