| CVE-2026-4119 | Create DB Tables <= 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Database Table Creation/Deletion via admin-post.php | jppreus | Create DB Tables | Critical | 9.1 | 2026-04-22 07:45:41 | Deep Dive |
| CVE-2026-4365 | LearnPress <= 4.3.2.8 - Missing Authorization to Unauthenticated Arbitrary Quiz Answer Deletion | thimpress | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | Critical | 9.1 | 2026-04-14 01:25:00 | Deep Dive |
| CVE-2026-3568 | MStore API <= 4.18.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Meta Update | inspireui | MStore API – Create Native Android & iOS Apps On The Cloud | Medium | 4.3 | 2026-04-09 02:25:07 | Deep Dive |
| CVE-2026-4333 | LearnPress <= 4.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'skin' Shortcode Attribute | thimpress | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | Medium | 6.4 | 2026-04-08 03:36:08 | Deep Dive |
| CVE-2026-3225 | LearnPress <= 4.3.2.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Quiz Answer Deletion | thimpress | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | Medium | 4.3 | 2026-03-23 22:25:41 | Deep Dive |
| CVE-2026-2375 | App Builder – Create Native Android & iOS Apps On The Flight <= 5.5.10 - Unauthenticated Privilege Escalation via 'role' Parameter | appcheap | App Builder – Create Native Android & iOS Apps On The Flight | Medium | 6.5 | 2026-03-21 03:26:32 | Deep Dive |
| CVE-2026-4302 | WowOptin: Next-Gen Popup Maker <= 1.4.29 - Unauthenticated Server-Side Request Forgery via 'link' Parameter in REST API | wpxpo | WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation | High | 7.2 | 2026-03-21 01:24:38 | Deep Dive |
| CVE-2026-3226 | LearnPress <= 4.3.2.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Notification Triggering | thimpress | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | Medium | 4.3 | 2026-03-12 02:22:37 | Deep Dive |
| CVE-2026-1720 | WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation <= 1.4.24 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation | wpxpo | WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation | High | 8.8 | 2026-03-05 13:24:01 | Deep Dive |
| CVE-2025-13079 | Popup Builder - Create highly converting, mobile friendly marketing popups. <= 4.4.2 - Improper Authorization to Unauthenticated Subscriber Removal via Predictable Tokens | popupbuilder | Popup Builder – Create highly converting, mobile friendly marketing popups. | Medium | 5.3 | 2026-02-19 03:25:15 | Deep Dive |
| CVE-2025-12122 | Popup Box – Easily Create WordPress Popups <= 3.2.12 - Authenticated (Contributor+) Stored Cross-Site Scripting | wpcalc | Popup Box – Easily Create WordPress Popups | Medium | 6.4 | 2026-02-18 05:29:18 | Deep Dive |
| CVE-2026-1294 | All In One Image Viewer Block <= 1.0.2 - Unauthenticated Server-Side Request Forgery via image-proxy Endpoint | bplugins | All In One Image Viewer Block – Gutenberg block to create image viewer with hyperlink | High | 7.2 | 2026-02-05 09:13:46 | Deep Dive |
| CVE-2026-1165 | Popup Box <= 6.1.1 - Cross-Site Request Forgery to Popup Status Change | ays-pro | Popup Box – Create Countdown, Coupon, Video, Contact Form Popups | Medium | 4.3 | 2026-01-31 14:22:29 | Deep Dive |
| CVE-2025-12709 | Interactions – Create Interactive Experiences in the Block Editor <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | bfintal | Interactions – Create Interactive Experiences in the Block Editor | Medium | 6.4 | 2026-01-28 06:43:44 | Deep Dive |
| CVE-2025-14798 | LearnPress – WordPress LMS Plugin <= 4.3.2.4 - Missing Authorization to Unauthenticated Sensitive User Information Disclosure via REST API | thimpress | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | Medium | 5.3 | 2026-01-20 03:25:18 | Deep Dive |
| CVE-2025-9856 | Popup Builder – Create highly converting, mobile friendly marketing popups. <= 4.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | popupbuilder | Popup Builder – Create highly converting, mobile friendly marketing popups. | Medium | 6.4 | 2025-12-13 08:21:15 | Deep Dive |
| CVE-2025-11693 | Export WP Page to Static HTML & PDF <= 4.3.4 - Unauthenticated Cookie Exposure via Log File | recorp | Export WordPress Pages to Static HTML & PDF — Static Site Export | Critical | 9.8 | 2025-12-13 04:31:34 | Deep Dive |
| CVE-2025-49351 | WordPress Create Posts & Terms plugin <= 1.3.1 - Cross Site Request Forgery (CSRF) vulnerability | Valentin Agachi | Create Posts & Terms | - | - | 2025-12-09 14:52:18 | Deep Dive |
| CVE-2025-13140 | SurveyJS: Drag & Drop WordPress Form Builder <= 1.12.20 - Cross-Site Request Forgery to Survey Deletion | devsoftbaltic | SurveyJS: Drag & Drop Form Builder | Medium | 4.3 | 2025-12-02 06:40:25 | Deep Dive |
| CVE-2025-49394 | WordPress Image Gallery block – Create and display photo gallery/photo album. plugin <= 1.0.7 - Broken Authentication vulnerability | bPlugins | Image Gallery block – Create and display photo gallery/photo album. | High | 7.1 | 2025-11-06 15:53:53 | Deep Dive |