CVE-2026-1912 - Citations tools <= 0.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'code' Shortcode Attribute
CVE ID : CVE-2026-1912
Published : Feb. 14, 2026, 5:16 a.m. | 26 minutes ago
Description : The Citations tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in the 'ctdoi' shortcode in all versions up to, and including, 0.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1912
Published : Feb. 14, 2026, 5:16 a.m. | 26 minutes ago
Description : The Citations tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in the 'ctdoi' shortcode in all versions up to, and including, 0.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1983 - SEATT: Simple Event Attendance <= 1.5.0 - Cross-Site Request Forgery to Arbitrary Event Deletion
CVE ID : CVE-2026-1983
Published : Feb. 14, 2026, 5:16 a.m. | 26 minutes ago
Description : The SEATT: Simple Event Attendance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.0. This is due to missing nonce validation on the event deletion functionality. This makes it possible for unauthenticated attackers to delete arbitrary events via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1983
Published : Feb. 14, 2026, 5:16 a.m. | 26 minutes ago
Description : The SEATT: Simple Event Attendance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.0. This is due to missing nonce validation on the event deletion functionality. This makes it possible for unauthenticated attackers to delete arbitrary events via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-2027 - AMP Enhancer <= 1.0.49 - Authenticated (Administrator+) Stored Cross-Site Scripting via AMP Custom CSS Setting
CVE ID : CVE-2026-2027
Published : Feb. 14, 2026, 5:16 a.m. | 26 minutes ago
Description : The AMP Enhancer – Compatibility Layer for Official AMP Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the AMP Custom CSS setting in all versions up to, and including, 1.0.49 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity: 4.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-2027
Published : Feb. 14, 2026, 5:16 a.m. | 26 minutes ago
Description : The AMP Enhancer – Compatibility Layer for Official AMP Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the AMP Custom CSS setting in all versions up to, and including, 1.0.49 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Severity: 4.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-2144 - Magic Login Mail or QR Code <= 2.05 - Unauthenticated Privilege Escalation via Insecure QR Code File Storage
CVE ID : CVE-2026-2144
Published : Feb. 14, 2026, 5:16 a.m. | 26 minutes ago
Description : The Magic Login Mail or QR Code plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.05. This is due to the plugin storing the magic login QR code image with a predictable, static filename (QR_Code.png) in the publicly accessible WordPress uploads directory during the email sending process. The file is only deleted after wp_mail() completes, creating an exploitable race condition window. This makes it possible for unauthenticated attackers to trigger a login link request for any user, including administrators, and then exploit the race condition between QR code file creation and deletion to obtain the login URL encoded in the QR code, thereby gaining unauthorized access to the targeted user's account.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-2144
Published : Feb. 14, 2026, 5:16 a.m. | 26 minutes ago
Description : The Magic Login Mail or QR Code plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.05. This is due to the plugin storing the magic login QR code image with a predictable, static filename (QR_Code.png) in the publicly accessible WordPress uploads directory during the email sending process. The file is only deleted after wp_mail() completes, creating an exploitable race condition window. This makes it possible for unauthenticated attackers to trigger a login link request for any user, including administrators, and then exploit the race condition between QR code file creation and deletion to obtain the login URL encoded in the QR code, thereby gaining unauthorized access to the targeted user's account.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-2469 - Apache Directory Tree IMAP Engine Injection Vulnerability
CVE ID : CVE-2026-2469
Published : Feb. 14, 2026, 5:16 a.m. | 26 minutes ago
Description : Versions of the package directorytree/imapengine before 1.22.3 are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the id() function in ImapConnection.php due to improperly escaping user input before including it in IMAP ID commands. This allows attackers to read or delete victim's emails, terminate the victim's session or execute any valid IMAP command on victim's mailbox by including quote characters " or CRLF sequences \r\n in the input.
Severity: 7.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-2469
Published : Feb. 14, 2026, 5:16 a.m. | 26 minutes ago
Description : Versions of the package directorytree/imapengine before 1.22.3 are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') via the id() function in ImapConnection.php due to improperly escaping user input before including it in IMAP ID commands. This allows attackers to read or delete victim's emails, terminate the victim's session or execute any valid IMAP command on victim's mailbox by including quote characters " or CRLF sequences \r\n in the input.
Severity: 7.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1187 - ZoomifyWP Free <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'filename' Shortcode Attribute
CVE ID : CVE-2026-1187
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The ZoomifyWP Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'filename' parameter of the 'zoomify' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1187
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The ZoomifyWP Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'filename' parameter of the 'zoomify' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1303 - MailChimp Campaigns <= 3.2.4 - Missing Authorization to Authenticated (Subscriber+) MailChimp App Disconnection
CVE ID : CVE-2026-1303
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The MailChimp Campaigns plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.2.4. This is due to missing capability checks on the `mailchimp_campaigns_manager_disconnect_app` function that is hooked to the AJAX action of the same name. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect the site from its MailChimp synchronization app, disrupting automated email campaigns and marketing integrations.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1303
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The MailChimp Campaigns plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.2.4. This is due to missing capability checks on the `mailchimp_campaigns_manager_disconnect_app` function that is hooked to the AJAX action of the same name. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect the site from its MailChimp synchronization app, disrupting automated email campaigns and marketing integrations.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1306 - midi-Synth <= 1.1.0 - Unauthenticated Arbitrary File Upload via 'export' AJAX Action
CVE ID : CVE-2026-1306
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The midi-Synth plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type and file extension validation in the 'export' AJAX action in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible granted the attacker can obtain a valid nonce. The nonce is exposed in frontend JavaScript making it trivially accessible to unauthenticated attackers.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1306
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The midi-Synth plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type and file extension validation in the 'export' AJAX action in all versions up to, and including, 1.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible granted the attacker can obtain a valid nonce. The nonce is exposed in frontend JavaScript making it trivially accessible to unauthenticated attackers.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1394 - WP Quick Contact Us <= 1.0 - Cross-Site Request Forgery to Settings Update
CVE ID : CVE-2026-1394
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The WP Quick Contact Us plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1394
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The WP Quick Contact Us plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1792 - Geo Widet <= 1.0 - Reflected Cross-Site Scripting
CVE ID : CVE-2026-1792
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The Geo Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL path in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1792
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The Geo Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL path in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1795 - Address Bar Ads <= 1.0.0 - Reflected Cross-Site Scripting
CVE ID : CVE-2026-1795
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The Address Bar Ads plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL Path in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1795
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The Address Bar Ads plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL Path in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1796 - StyleBidet <= 1.0.0 - Reflected Cross-Site Scripting
CVE ID : CVE-2026-1796
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The StyleBidet plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL path in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1796
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The StyleBidet plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL path in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1901 - QuestionPro Surveys <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVE ID : CVE-2026-1901
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The QuestionPro Surveys plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'questionpro' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1901
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The QuestionPro Surveys plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'questionpro' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1903 - Ravelry Designs Widget <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sb_ravelry_designs' Shortcode 'layout' Attribute
CVE ID : CVE-2026-1903
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The Ravelry Designs Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'layout' attribute of the 'sb_ravelry_designs' shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1903
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The Ravelry Designs Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'layout' attribute of the 'sb_ravelry_designs' shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1905 - Sphere Manager <= 1.0.2 - Authenticated (Contributor+) Cross-Site Scripting via 'width' Shortcode Attribute
CVE ID : CVE-2026-1905
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The Sphere Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter in the 'show_sphere_image' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1905
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The Sphere Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter in the 'show_sphere_image' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1910 - UpMenu <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'upmenu-menu' Shortcode 'lang' Attribute
CVE ID : CVE-2026-1910
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The UpMenu – Online ordering for restaurants plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'lang' attribute of the 'upmenu-menu' shortcode in all versions up to, and including, 3.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1910
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The UpMenu – Online ordering for restaurants plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'lang' attribute of the 'upmenu-menu' shortcode in all versions up to, and including, 3.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1915 - Simple Plyr <= 0.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'poster' Shortcode Attribute
CVE ID : CVE-2026-1915
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The Simple Plyr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'poster' parameter in the 'plyr' shortcode in all versions up to, and including, 0.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1915
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The Simple Plyr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'poster' parameter in the 'plyr' shortcode in all versions up to, and including, 0.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1939 - Percent to Infograph <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
CVE ID : CVE-2026-1939
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The Percent to Infograph plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `percent_to_graph` shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1939
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The Percent to Infograph plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `percent_to_graph` shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1944 - CallbackKiller service widget <= 1.2 - Missing Authorization to Unauthenticated Arbitrary Plugin Settings Update
CVE ID : CVE-2026-1944
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The CallbackKiller service widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cbk_save() function in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to modify the plugin's site ID settings via the 'cbk_save_v1' AJAX action.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1944
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The CallbackKiller service widget plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the cbk_save() function in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to modify the plugin's site ID settings via the 'cbk_save_v1' AJAX action.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1985 - Press3D <= 1.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Link URL Parameter in 3D Model Block
CVE ID : CVE-2026-1985
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The Press3D plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 3D Model Gutenberg block in all versions up to, and including, 1.0.2. This is due to the plugin failing to sanitize and validate the URL scheme when storing link URLs for 3D model blocks, allowing `javascript:` URLs. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages via the link URL parameter that will execute whenever a user clicks on the 3D model.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1985
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The Press3D plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 3D Model Gutenberg block in all versions up to, and including, 1.0.2. This is due to the plugin failing to sanitize and validate the URL scheme when storing link URLs for 3D model blocks, allowing `javascript:` URLs. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages via the link URL parameter that will execute whenever a user clicks on the 3D model.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-1987 - Scheduler Widget <= 0.1.6 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Event Modification
CVE ID : CVE-2026-1987
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The Scheduler Widget plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.1.6. This is due to the `scheduler_widget_ajax_save_event()` function lacking proper authorization checks and ownership verification when updating events. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify any event in the scheduler via the `id` parameter granted they have knowledge of the event ID.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-1987
Published : Feb. 14, 2026, 7:16 a.m. | 2 hours, 26 minutes ago
Description : The Scheduler Widget plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 0.1.6. This is due to the `scheduler_widget_ajax_save_event()` function lacking proper authorization checks and ownership verification when updating events. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify any event in the scheduler via the `id` parameter granted they have knowledge of the event ID.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...