6.4
CVE-2026-0555 - Premmerce <= 1.3.20 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'premmerce_wizard…
The Premmerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premmerce_wizard_actions' AJAX endpoint in all versions up to, and including, 1.3.20. This is due to missing capability checks and insufficient input sanitization and output escaping on the `state` parameter. T…
6.4
CVE-2026-1608 - Video Onclick <= 0.4.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Video Onclick plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `youtube` shortcode in all versions up to, and including, 0.4.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attac…
6.1
CVE-2026-1634 - Subitem AL Slider <= 1.0.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
The Subitem AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject …
5.3
CVE-2026-1675 - Advanced Country Blocker <= 2.3.1 - Unauthenticated Authorization Bypass via Insecure Default Secre…
The Advanced Country Blocker plugin for WordPress is vulnerable to Authorization Bypass in all versions up to, and including, 2.3.1 due to the use of a predictable default value for the secret bypass key created during installation without requiring users to change it. This makes it possible for un…
6.1
CVE-2026-1643 - MP-Ukagaka <= 1.5.2 - Reflected Cross-Site Scripting
The MP-Ukagaka plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if t…
6.4
CVE-2026-1570 - Simple Bible Verse via Shortcode <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting …
The Simple Bible Verse via Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `verse` shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for auth…
5.3
CVE-2026-2078 - yeqifu warehouse Permission Management PermissionController.java deletePermission improper authoriz…
A vulnerability was detected in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function addPermission/updatePermission/deletePermission of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\PermissionController.java of the component Permissio…
5.3
CVE-2026-2077 - yeqifu warehouse Role Management RoleController.java deleteRole improper authorization
A security vulnerability has been detected in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function addRole/updateRole/deleteRole of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\RoleController.java of the component Role M…
5.3
CVE-2026-2076 - yeqifu warehouse User Management Endpoint UserController.java deleteUser improper authorization
A weakness has been identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this vulnerability is the function addUser/updateUser/deleteUser of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\UserController.java of the component User Manag…
5.5
CVE-2025-15491 - Post Slides <= 1.0.1 - Contributor+ Local File Inclusion
The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks