| CVE-2026-2559 | Post SMTP <= 3.8.0 - Missing Authorization to Authenticated (Subscriber+) Office 365 OAuth Configuration Overwrite | saadiqbal | Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App | Medium | 5.3 | 2026-03-18 15:28:28 | Deep Dive |
| CVE-2026-1217 | Yoast Duplicate Post <= 4.5 - Authenticated (Contributor+) Missing Authorization to Arbitrary Post Duplication and Overwrite | yoast | Yoast Duplicate Post | Medium | 5.4 | 2026-03-18 09:28:29 | Deep Dive |
| CVE-2026-1883 | Wicked Folders <= 4.1.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Folder Deletion | wickedplugins | Wicked Folders – Folder Organizer for Pages, Posts, and Custom Post Types | Medium | 4.3 | 2026-03-15 01:19:06 | Deep Dive |
| CVE-2026-32449 | WordPress Themify Event Post plugin <= 1.3.4 - Cross Site Scripting (XSS) vulnerability | themifyme | Themify Event Post | Medium | - | 2026-03-13 11:42:21 | Deep Dive |
| CVE-2026-32421 | WordPress Post Timeline plugin <= 2.4.1 - Broken Access Control vulnerability | Agile Logix | Post Timeline | Medium | - | 2026-03-13 11:42:16 | Deep Dive |
| CVE-2026-31916 | WordPress Latest Post Shortcode plugin <= 14.2.1 - Broken Access Control vulnerability | Iulia Cazan | Latest Post Shortcode | Medium | - | 2026-03-13 11:41:54 | Deep Dive |
| CVE-2026-2433 | RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging <= 5.0.11 - Unauthenticated DOM-Based Reflected Cross-Site Scripting via postMessage | rebelcode | RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging | Medium | 6.1 | 2026-03-07 07:22:04 | Deep Dive |
| CVE-2026-2893 | Page and Post Clone <= 6.3 - Authenticated (Contributor+) SQL Injection via 'meta_key' Parameter | carlosfazenda | Fast Page & Post Duplicator | Medium | 6.5 | 2026-03-05 07:30:55 | Deep Dive |
| CVE-2026-22479 | WordPress Easy Post Submission plugin <= 2.4.0 - Broken Access Control vulnerability | ThemeRuby | Easy Post Submission | High | 7.5 | 2026-03-05 05:53:48 | Deep Dive |
| CVE-2026-1651 | Email Subscribers & Newsletters <= 5.9.16 - Authenticated (Administrator+) SQL Injection via 'workflow_ids' Parameter | icegram | Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress | Medium | 6.5 | 2026-03-04 01:22:00 | Deep Dive |
| CVE-2026-1273 | PostX <= 5.0.8 - Authenticated (Administrator+) Server-Side Request Forgery via REST API Endpoints | wpxpo | Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX | High | 7.2 | 2026-03-04 01:21:59 | Deep Dive |
| CVE-2026-2301 | Post Duplicator <= 3.0.8 - Missing Authorization to Authenticated (Contributor+) Protected Post Meta Insertion via 'customMetaData' Parameter | metaphorcreations | Post Duplicator | Medium | 4.3 | 2026-02-25 09:26:51 | Deep Dive |
| CVE-2025-14167 | Remove Post Type Slug <= 1.0.2 - Cross-Site Request Forgery to Settings Update | akshayshah5189 | Remove Post Type Slug | Medium | 4.3 | 2026-02-19 04:36:22 | Deep Dive |
| CVE-2026-1942 | Blog2Social: Social Media Auto Post & Scheduler <= 8.7.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Modification | pr-gateway | Blog2Social: Social Media Auto Post & Scheduler | Medium | 6.5 | 2026-02-18 10:20:49 | Deep Dive |
| CVE-2025-12037 | WP 404 Auto Redirect <= 1.0.5 - Authenticated (Admin+) Stored Cross-Site Scripting | hwk-fr | WP 404 Auto Redirect to Similar Post | Medium | 4.4 | 2026-02-18 04:35:45 | Deep Dive |
| CVE-2026-1296 | Frontend Post Submission Manager Lite <= 1.2.7 - Unauthenticated Open Redirect via 'requested_page' Parameter | wpshuffle | Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin | Medium | 6.1 | 2026-02-18 04:35:44 | Deep Dive |
| CVE-2026-1216 | RSS Aggregator <= 5.0.10 - Reflected Cross-Site Scripting via 'template' Parameter | rebelcode | RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging | High | 7.2 | 2026-02-17 09:26:22 | Deep Dive |
| CVE-2026-1258 | Mail Mint <= 1.19.2 - Authenticated (Administrator+) SQL Injection via Multiple API Endpoints | getwpfunnels | Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails | Medium | 4.9 | 2026-02-14 08:26:48 | Deep Dive |
| CVE-2019-25314 | Duplicate-Post 3.2.3 - Persistent Cross-Site Scripting | Yoast | Duplicate-Post | Medium | 5.5 | 2026-02-11 14:56:53 | Deep Dive |
| CVE-2025-15491 | Post Slides <= 1.0.1 - Contributor+ Local File Inclusion | Unknown | Post Slides | - | - | 2026-02-07 06:00:07 | Deep Dive |