4.4
CVE-2025-13627 - Makesweat <= 0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'makesweat_clubid…
The Makesweat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'makesweat_clubid' setting in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level acces…
5.3
CVE-2025-14880 - Netcash WooCommerce Payment Gateway <= 4.1.3 - Missing Authorization to Unauthenticated Order Statu…
The Netcash WooCommerce Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_return_url function in all versions up to, and including, 4.1.3. This makes it possible for unauthenticated attackers to mark any WooCommer…
4.3
CVE-2025-14482 - Crush.pics Image Optimizer <= 1.8.7 - Missing Authorization to Authenticated (Subscriber+) Plugin S…
The Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 1.8.7. This makes it possible for authenticated attackers, with Su…
4.3
CVE-2026-0635 - Responsive Accordion Slider <= 1.2.2 - Missing Authorization to Authenticated (Contributor+) Slider…
The Responsive Accordion Slider plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'resp_accordion_silder_save_images' function in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Contrib…
7.2
CVE-2025-15378 - AJS Footnotes <= 1.0 - Unauthenticated Stored Cross-Site Scripting
The AJS Footnotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'note_list_class' and 'popup_display_effect_in' parameters in all versions up to, and including, 1.0 due to missing authorization and nonce verification on settings save, as well as insufficient input saniti…
4.9
CVE-2026-0678 - Shipping Rates by City for WooCommerce <= 1.0.3 - Authenticated (Shop Manager+) SQL Injection via '…
The Flat Shipping Rate by City for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the 'cities' parameter in all versions up to, and including, 1.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL que…
6.4
CVE-2026-0694 - SearchWiz <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title
The SearchWiz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in search results in all versions up to, and including, 1.0.0. This is due to the plugin using `esc_attr()` instead of `esc_html()` when outputting post titles in search results. This makes it possible f…
7.2
CVE-2025-15283 - Name Directory <= 1.30.3 - Unauthenticated Stored Cross-Site Scripting via Multiple Parameters
The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' and 'name_directory_description' parameters in all versions up to, and including, 1.30.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthe…
4.4
CVE-2025-14379 - Testimonials Creator 1.6 - Authenticated (Admin+) Stored Cross-Site Scripting
The Testimonials Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in version 1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbi…
4.3
CVE-2025-15377 - Sosh Share Buttons <= 1.1.0 - Cross-Site Request Forgery
The Sosh Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'admin_page_content' function. This makes it possible for unauthenticated attackers to update the plugin's settings via…