CVE Notify
19.4K subscribers
4 photos
206K links
Alert on the latest CVEs

Partner channel: @malwr
Download Telegram
🚨 CVE-2026-15283
The WPvivid Backup for MainWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.9.33 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

πŸŽ–@cveNotify
🚨 CVE-2026-15284
The King Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_page_id' parameter in versions up to, and including, 51.1.62 This is due to insufficient input sanitization in the add_to_submissions() function, which applies sanitize_text_field() (which preserves double-quote characters) before storing the value in post meta, combined with missing output escaping in the king_addons_submissions_custom_column_content() function, which concatenates the stored value into an HTML href attribute via admin_url() without wrapping the result in esc_url(). This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

πŸŽ–@cveNotify
🚨 CVE-2026-15285
The Plus Addons for Elementor plugin for WordPress was vulnerable to Authenticated (Contributor+) Stored Cross-Site Scripting via the Button widget's `custom_attributes` setting in versions up to and including 6.4.11. The `render` function in `modules/widgets/tp_button.php` passed the raw `custom_attributes` string through `tp_senitize_js_input()`. This filter is bypassable. The issue is patched in version 6.4.12.

πŸŽ–@cveNotify
🚨 CVE-2026-15286
The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to unauthorized post publication in all versions up to, and including, 3.5.32 due to a misconfigured capability check on the 'get_items_permission_check' function permission callback of the 'process_pattern' REST API endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to create and immediately publish posts of any type (including pages), bypassing the standard WordPress review workflow where contributors must submit posts for administrator approval.

πŸŽ–@cveNotify
🚨 CVE-2026-15287
The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to time-based SQL Injection via the order_by parameter in all versions up to, and including, 4.6.18 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

πŸŽ–@cveNotify
🚨 CVE-2026-15289
The Booking calendar, Appointment Booking System plugin for WordPress is vulnerable to time-based SQL Injection via the β€˜wpdevart_id’ parameter in all versions up to, and including, 3.2.17 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. In order to exploit the vulnerability, the Pro version of the plugin must be installed and activated, with the 'Delete previous dates' option checked.

πŸŽ–@cveNotify
🚨 CVE-2026-15290
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to blind SQL Injection via the search parameter in all versions up to, and including, 2.10.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This vulnerability was partially patched in version 2.9.2 when initially addressing CVE-2025-0308.

πŸŽ–@cveNotify
🚨 CVE-2026-15291
The Chat Help – Click to Chat Button & Form plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the REST API endpoints /wp-json/chat-help/v1/leads and /wp-json/chat-help/v1/leads/{id}. This is due to the plugin not performing any authentication and authorization checks. This makes it possible for unauthenticated attackers to extract sensitive data including customer names, email addresses, phone numbers, WhatsApp messages, complete geolocation data (IP addresses, city, country, ISP, coordinates), device fingerprinting information (browser, OS, screen resolution), and WordPress account credentials (user IDs, usernames, emails, names) for logged-in users who submit forms.

πŸŽ–@cveNotify
🚨 CVE-2026-15292
The Sudoku Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'background' parameter in the 'sudoku-sc' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

πŸŽ–@cveNotify
🚨 CVE-2026-15293
The WP Business Intelligence Lite plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.2.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify stored SQL queries, which can lead to privilege escalation via arbitrary SQL execution when the modified query is viewed by an administrator.

πŸŽ–@cveNotify
🚨 CVE-2026-15296
The affiliate-toolkit – WP Affiliate Plugin with Amazon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'atkp_product' shortcode in all versions up to, and including, 3.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is a bypass to CVE-2024-10227.

πŸŽ–@cveNotify
🚨 CVE-2026-15297
The Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the page parameter in all versions up to, and including, 3.1.77 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

πŸŽ–@cveNotify
🚨 CVE-2026-15298
The TelSender plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting in all versions up to, and including, 1.14.14. This is due to insufficient input sanitization when processing Telegram API responses containing attacker-controlled chat titles. This makes it possible for unauthenticated attackers to inject malicious scripts via Telegram chat titles that execute when an administrator opens the TelSender settings page and clicks the "Tested" button.

πŸŽ–@cveNotify
🚨 CVE-2026-15299
The Animation Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'weather_style' and 'move_direction' parameters of the Weather widget in all versions up to, and including, 2.6.3. This is due to insufficient output escaping in the Weather widget's render() function at widgets/weather.php:1246, where both settings values are placed into an HTML class attribute without esc_attr(). Elementor does not server-side validate widget SELECT control values against allowed options on save, so an authenticated attacker with Contributor-level access or above can submit a crafted save_builder AJAX request storing arbitrary values in the _elementor_data post meta. The stored payload renders unescaped on every frontend visit to the affected page (the Weather widget requires an OpenWeatherMap API key to reach the vulnerable output, which is the normal operational state for sites using this widget).

πŸŽ–@cveNotify
🚨 CVE-2026-15300
The GEO my WP plugin for WordPress was vulnerable to SQL Injection via the 'distance', 'lat', and 'lng' parameters in versions up to, and including, 4.5.4. The values were read from $_SERVER['QUERY_STRING'] via parse_str() (bypassing wp_magic_quotes, which does not cover $_SERVER), then passed through bare esc_sql() before being interpolated into unquoted numeric positions in the proximity-search query (HAVING/SELECT clause distance math, BETWEEN bounding-box pre-filter) built by gmw_locations_query() in plugins/posts-locator/includes/class-gmw-wp-query.php. Because esc_sql() only escapes string delimiters and these positions are numeric, payloads such as `1 OR SLEEP(3)` survived sanitization. Fixed in 4.5.5 by adding an upstream is_numeric() guard that short-circuits the WHERE clause to `AND 1 = 0` when either coordinate is non-numeric, and by replacing the three esc_sql() calls with (float) casts.

πŸŽ–@cveNotify
🚨 CVE-2026-15301
The BuddyHolis TableSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the β€˜placeholder’ parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

πŸŽ–@cveNotify
🚨 CVE-2026-15302
The ARMember plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 4.0.27 via the 'X-FILENAME' HTTP header. This makes it possible for unauthenticated attackers to upload and overwrite certain files (e.g., CSS) to directories outside the 'wp-content/uploads/armember' directory.

πŸŽ–@cveNotify
🚨 CVE-2026-15330
A vulnerability was determined in zhayujie CowAgent up to 2.1.1. Impacted is the function _build_image_content/_download_to_data_url of the file agent/tools/vision/vision.py of the component Vision Tool. Executing a manipulation of the argument image can lead to server-side request forgery. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.1.2 is recommended to address this issue. This patch is called e85290cddcbb5ffc9c235927f4c92e5b4c3ec264. Upgrading the affected component is advised.

πŸŽ–@cveNotify
🚨 CVE-2026-15331
A vulnerability was identified in zhayujie CowAgent up to 2.1.0. The affected element is the function _add_url/_add_package of the file agent/skills/service.py of the component Skill Installation Handler. The manipulation of the argument Name leads to path traversal. The attack may be initiated remotely. Upgrading to version 2.1.2 is sufficient to fix this issue. The identifier of the patch is e85290cddcbb5ffc9c235927f4c92e5b4c3ec264. It is advisable to upgrade the affected component.

πŸŽ–@cveNotify
🚨 CVE-2026-15332
A security flaw has been discovered in zhayujie CowAgent up to 2.1.0. The impacted element is an unknown function of the file channel/channel.py of the component Message Endpoint. The manipulation results in missing authorization. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

πŸŽ–@cveNotify
🚨 CVE-2026-21039
Improper access control in Settings prior to SMR Jul-2026 Release 1 allows local attackers to configure Theft protection settings.

πŸŽ–@cveNotify