| CVE-2026-4003 | Users manager – PN <= 1.1.15 - Unauthenticated Privilege Escalation via Account Takeover via 'userspn_form_save' AJAX Action | felixmartinez | Users manager – PN | Critical | 9.8 | 2026-04-08 03:36:08 | Deep Dive |
| CVE-2026-3629 | Import and export users and customers <= 1.29.7 - Privilege Escalation to Administrator via save_extra_user_profile_fields | carazo | Import and export users and customers | High | 8.1 | 2026-03-21 22:24:18 | Deep Dive |
| CVE-2026-4261 | Expire Users <= 1.2.2 - Authenticated (Subscriber+) Privilege Escalation to Administrator via save_extra_user_profile_fields | husobj | Expire Users | High | 8.8 | 2026-03-21 03:27:07 | Deep Dive |
| CVE-2026-0722 | Shield Security <= 21.0.8 - Cross-Site Request Forgery to SQL Injection | paultgoodchild | Shield: Blocks Bots, Protects Users, and Prevents Security Breaches | Medium | 6.5 | 2026-02-19 04:36:28 | Deep Dive |
| CVE-2026-0561 | Shield Security <= 21.0.8 - Unauthenticated Reflected Cross-Site Scripting via 'message' Parameter | paultgoodchild | Shield: Blocks Bots, Protects Users, and Prevents Security Breaches | Medium | 6.1 | 2026-02-19 04:36:24 | Deep Dive |
| CVE-2025-14427 | Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches <= 21.0.9 - Missing Authorization to Authenticated (Subscriber+) Email MFA Update | paultgoodchild | Shield: Blocks Bots, Protects Users, and Prevents Security Breaches | Medium | 4.3 | 2026-02-19 04:36:19 | Deep Dive |
| CVE-2026-2126 | User Submitted Posts <= 20260113 - Incorrect Authorization to Unauthenticated Category Restriction Bypass via 'user-submitted-category' Parameter | specialk | User Submitted Posts – Enable Users to Submit Posts from the Front End | Medium | 5.3 | 2026-02-18 09:25:51 | Deep Dive |
| CVE-2026-0800 | User Submitted Posts – Enable Users to Submit Posts from the Front End <= 20251210 - Unauthenticated Stored Cross-Site Scripting via Custom Field | specialk | User Submitted Posts – Enable Users to Submit Posts from the Front End | High | 7.2 | 2026-01-24 08:26:32 | Deep Dive |
| CVE-2026-0913 | User Submitted Posts <= 20260110 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'usp_access' Shortcode | specialk | User Submitted Posts – Enable Users to Submit Posts from the Front End | Medium | 6.4 | 2026-01-16 08:23:38 | Deep Dive |
| CVE-2025-15370 | Shield Security <= 21.0.9 - Authenticated (Subscriber+) Insecure Direct Object Reference to Disable Google Authenticator | paultgoodchild | Shield: Blocks Bots, Protects Users, and Prevents Security Breaches | Medium | 4.3 | 2026-01-16 04:44:35 | Deep Dive |
| CVE-2025-13493 | Latest Registered Users <= 1.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure via User Data Export | webrndexperts | Latest Registered Users | High | 7.5 | 2026-01-07 08:21:55 | Deep Dive |
| CVE-2025-13619 | Flex Store Users <= 1.1.0 - Unauthenticated Privilege Escalation | CMSSuperHeroes | Flex Store Users | Critical | 9.8 | 2025-12-20 06:22:03 | Deep Dive |
| CVE-2025-68481 | FastAPI Users Vulnerable to 1-click Account Takeover in Apps Using FastAPI SSO | fastapi-users | fastapi-users | Medium | 5.9 | 2025-12-19 20:14:08 | Deep Dive |
| CVE-2025-14354 | Resource Library for Logged In Users <= 1.5 - Cross-Site Request Forgery to Multiple Administrative Actions | doubledome | Resource Library for Logged In Users | Medium | 4.3 | 2025-12-12 03:20:49 | Deep Dive |
| CVE-2025-13606 | Export All Posts, Products, Orders, Refunds & Users <= 2.19 - Cross-Site Request Forgery to Sensitive Information Exposure | smackcoders | Export All Posts, Products, Orders, Refunds & Users | Medium | 6.5 | 2025-12-02 04:37:14 | Deep Dive |
| CVE-2025-62072 | WordPress Front End Users plugin <= 3.2.33 - Broken Access Control vulnerability | Rustaurius | Front End Users | Medium | 4.3 | 2025-10-22 14:32:54 | Deep Dive |
| CVE-2025-10745 | Banhammer – Monitor Site Traffic, Block Bad Users and Bots <= 3.4.8 - Unauthenticated Protection Mechanism Bypass | specialk | Banhammer – Monitor Site Traffic, Block Bad Users and Bots | Medium | 5.3 | 2025-09-26 03:25:34 | Deep Dive |
| CVE-2025-58235 | WordPress Front End Users plugin <= 3.2.35 - Cross Site Scripting (XSS) vulnerability | Rustaurius | Front End Users | Medium | 6.5 | 2025-09-22 18:23:39 | Deep Dive |
| CVE-2025-6755 | Game Users Share Buttons <= 1.3.0 - Authenticated (Subscriber+) Arbitrary File Deletion via themeNameId Parameter | gameusers | Game Users Share Buttons | High | 8.8 | 2025-06-28 05:29:52 | Deep Dive |
| CVE-2025-2935 | Anti-Spam: Spam Protection \| Block Spam Users, Comments, Forms <= 2024.7 - Cross-Site Request Forgery to Multiple Administrative Actions | webguyio | Stop Spammers Classic | Medium | 5.4 | 2025-06-06 06:42:53 | Deep Dive |