| CVE-2026-2263 | Hustle – Email Marketing, Lead Generation, Optins, Popups <= 7.8.10.2 - Missing Authorization to Unauthenticated Conversion Tracking Data Manipulation | wpmudev | Hustle – Email Marketing, Lead Generation, Optins, Popups | Medium | 5.3 | 2026-04-07 23:25:27 | Deep Dive |
| CVE-2026-2002 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.50.2 - Authenticated (Administrator+) Stored Cross-Site Scripting | wpmudev | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | Medium | 4.4 | 2026-02-17 04:35:45 | Deep Dive |
| CVE-2026-0911 | Hustle <= 7.8.9.2 - Authenticated (Subscriber+) Arbitrary File Upoload via Module Import | wpmudev | Hustle – Email Marketing, Lead Generation, Optins, Popups | High | 7.5 | 2026-01-24 12:27:15 | Deep Dive |
| CVE-2025-14782 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.49.1 - Missing Authorization to Authenticated (Forminator User+) CSV Export | wpmudev | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | Medium | 5.3 | 2026-01-09 06:34:53 | Deep Dive |
| CVE-2025-14998 | Branda – White Label & Branding, Free Login Page Customizer <= 3.4.24 - Unauthenticated Privilege Escalation via Account Takeover | wpmudev | Branda – White Label & Branding, Free Login Page Customizer | Critical | 9.8 | 2026-01-02 01:48:20 | Deep Dive |
| CVE-2025-14437 | Hummingbird <= 3.18.0 - Unauthenticated Sensitive Information Exposure via Log File | wpmudev | Hummingbird Performance – Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript | CDN | High | 7.5 | 2025-12-18 12:22:27 | Deep Dive |
| CVE-2017-20206 | Appointments <= 2.2.1 - Unauthenticated PHP Object Injection | wpmudev | Appointments | Critical | 9.8 | 2025-10-18 03:33:24 | Deep Dive |
| CVE-2025-11163 | SmartCrawl SEO checker, analyzer & optimizer <= 3.14.3 - Missing Authorization to Plugin Settings Update | wpmudev | SmartCrawl SEO checker, analyzer & optimizer | Medium | 4.3 | 2025-09-30 05:28:53 | Deep Dive |
| CVE-2025-7638 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.45.0 - Authenticated (Administrator+) SQL Injection via `order_by` Parameter | wpmudev | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | Medium | 4.9 | 2025-07-18 04:23:02 | Deep Dive |
| CVE-2025-6464 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated PHP Object Injection (PHAR) Triggered via Administrator Form Submission Deletion | wpmudev | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | High | 7.5 | 2025-07-02 05:29:17 | Deep Dive |
| CVE-2025-6463 | Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission Deletion | wpmudev | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | High | 8.8 | 2025-07-02 04:24:56 | Deep Dive |
| CVE-2025-5341 | Forminator <= 1.44.1 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via id and data-size Parameters | wpmudev | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | Medium | 6.4 | 2025-06-05 11:15:06 | Deep Dive |
| CVE-2025-4047 | Broken Link Checker <= 2.4.4 - Missing Autorization to Authenticated (Subscriber+) Plugin Status Dashboard View | wpmudev | Broken Link Checker | Medium | 4.3 | 2025-06-03 02:27:34 | Deep Dive |
| CVE-2025-3479 | Forminator <= 1.42.0 - Order Replay Vulnerability | wpmudev | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | Medium | 5.3 | 2025-04-17 11:13:06 | Deep Dive |
| CVE-2025-3487 | Forminator <= 1.42.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'limit' | wpmudev | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | Medium | 6.4 | 2025-04-17 11:13:06 | Deep Dive |
| CVE-2025-0469 | Forminator <= 1.39.2 - Authenticated (Contributor+) Stored Cross-Site Scripting | wpmudev | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | Medium | 6.4 | 2025-02-27 04:21:44 | Deep Dive |
| CVE-2025-0470 | Forminator <= 1.38.2 - Reflected Cross-Site Scripting via Title Parameter | wpmudev | Forminator Forms – Contact Form, Payment Form & Custom Form Builder | Medium | 6.1 | 2025-01-31 03:21:29 | Deep Dive |
| CVE-2024-10580 | Hustle – Email Marketing, Lead Generation, Optins, Popups <= 7.8.5 - Missing Authorization to Unauthorized Form Submission | wpmudev | Hustle – Email Marketing, Lead Generation, Optins, Popups | Medium | 5.3 | 2024-11-27 06:41:28 | Deep Dive |
| CVE-2024-10579 | Hustle – Email Marketing, Lead Generation, Optins, Popups <= 7.8.5 - Missing Authorization to Unpublished Form Exposure | wpmudev | Hustle – Email Marketing, Lead Generation, Optins, Popups | Medium | 4.3 | 2024-11-26 11:04:32 | Deep Dive |
| CVE-2024-9371 | Branda – White Label & Branding, Custom Login Page Customizer <= 3.4.19 - Reflected Cross-Site Scripting | wpmudev | Branda – White Label & Branding, Free Login Page Customizer | Medium | 6.1 | 2024-11-21 04:24:27 | Deep Dive |