6.1
CVE-2026-1654 - Peter's Date Countdown <= 2.0.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
The Peter's Date Countdown plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to in…
7.2
CVE-2026-1294 - All In One Image Viewer Block <= 1.0.2 - Unauthenticated Server-Side Request Forgery via image-prox…
The All In One Image Viewer Block plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.2 due to missing authorization and URL validation on the image-proxy REST API endpoint. This makes it possible for unauthenticated attackers to make web requ…
5.3
CVE-2026-1271 - ProfileGrid <= 5.9.7.2 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary …
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.9.7.2 via the 'pm_upload_image' and 'pm_upload_cover_image' AJAX actions. This is due to the update_user_meta() function being calle…
5.3
CVE-2025-14079 - ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.5 - Missing Authorization to Authenticat…
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.5. This is due to missing capability checks on the eh_crm_ticket_general function combined with a shared nonce that is exposed to low-privile…
0.0
CVE-2026-25698 -
Not used
0.0
CVE-2026-25696 -
Not used
0.0
CVE-2026-25695 -
Not used
0.0
CVE-2026-25697 -
Not used
0.0
CVE-2026-25694 -
Not used
0.0
CVE-2026-25692 -
Not used