| CVE-2026-2386 | The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.4.7 - Incorrect Authorization to Authenticated (Author+) Arbitrary Draft Post Creation via 'post_type' | posimyththemes | The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce | Medium | 4.3 | 2026-02-18 12:28:35 | Deep Dive |
| CVE-2026-2633 | Gutenberg Blocks with AI by Kadence WP <= 3.6.1 - Missing Authorization to Authenticated (Contributor+) Unauthorized Media Upload | stellarwp | Kadence Blocks — Page Builder Toolkit for Gutenberg Editor | Medium | 4.3 | 2026-02-18 06:42:43 | Deep Dive |
| CVE-2026-1857 | Gutenberg Blocks with AI by Kadence WP <= 3.6.1 - Authenticated (Contributor+) Server-Side Request Forgery via 'endpoint' Parameter | stellarwp | Kadence Blocks — Page Builder Toolkit for Gutenberg Editor | Medium | 4.3 | 2026-02-18 06:42:40 | Deep Dive |
| CVE-2026-2608 | Gutenberg Blocks by Kadence Blocks <= 3.5.32 - Missing Authorization | stellarwp | Kadence Blocks — Page Builder Toolkit for Gutenberg Editor | Medium | 4.3 | 2026-02-17 11:20:37 | Deep Dive |
| CVE-2026-1843 | Super Page Cache <= 5.2.2 - Unauthenticated Stored Cross-Site Scripting via Activity Log | optimole | Super Page Cache | High | 7.2 | 2026-02-14 08:26:47 | Deep Dive |
| CVE-2026-0751 | Payment Page \| Payment Form for Stripe <= 1.4.6 - Authenticated (Author+) Stored Cross-Site Scripting via 'pricing_plan_select_text_font_family' Parameter | brandonfire | Payment Page \| Payment Form for Stripe | Medium | 6.4 | 2026-02-14 06:42:26 | Deep Dive |
| CVE-2026-1231 | Beaver Builder Page Builder – Drag and Drop Website Builder <= 2.10.0.5 - Authenticated (Custom+) Missing Authorization to Stored Cross-Site Scripting via Global Settings | beaverbuilder | Beaver Builder Page Builder – Drag and Drop Website Builder | Medium | 6.4 | 2026-02-11 01:23:34 | Deep Dive |
| CVE-2025-14895 | PopupKit <= 2.2.0 - Missing Authorization to Sensitive Information Disclosure and Data Deletion | roxnor | Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers | Medium | 5.4 | 2026-02-10 09:26:06 | Deep Dive |
| CVE-2025-12159 | Bold Page Builder <= 5.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | boldthemes | Bold Page Builder | Medium | 6.4 | 2026-02-07 05:52:41 | Deep Dive |
| CVE-2025-13463 | Bold Page Builder <= 5.5.3 - Authenticated (Author+) Stored DOM-based Cross-Site Scripting in Post Grid | boldthemes | Bold Page Builder | Medium | 6.4 | 2026-02-07 05:52:40 | Deep Dive |
| CVE-2025-12803 | Bold Builder <= 5.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_tabs Shortcode | boldthemes | Bold Page Builder | Medium | 6.4 | 2026-02-07 05:52:39 | Deep Dive |
| CVE-2025-15267 | Bold Page Builder <= 5.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_accordion_item Shortcode | boldthemes | Bold Page Builder | Medium | 6.4 | 2026-02-07 05:52:38 | Deep Dive |
| CVE-2026-1927 | GreenShift - Animation and Page Builder Blocks <= 12.6 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure of AI API Keys and Stored Cross-Site Scripting via custom_css | wpsoul | Greenshift – animation and page builder blocks | Medium | 5.4 | 2026-02-05 13:27:38 | Deep Dive |
| CVE-2025-13192 | Popup builder with Gamification <= 2.2.0 - Unauthenticated SQL Injection via Multiple REST API Endpoints | roxnor | Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers | High | 8.2 | 2026-02-04 23:22:57 | Deep Dive |
| CVE-2025-14975 | Custom Login Page Customizer < 2.5.4 - Unauthenticated Arbitrary Password Reset | Unknown | Custom Login Page Customizer | - | - | 2026-01-29 06:00:02 | Deep Dive |
| CVE-2025-13986 | Disable Login Page - Critical - Access bypass - SA-CONTRIB-2025-124 | Drupal | Disable Login Page | - | - | 2026-01-28 20:02:54 | Deep Dive |
| CVE-2025-14283 | BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library <= 2.2.14 - Authenticated (Contributor+) Stored Cross-Site Scripting | wpblockart | BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library | Medium | 6.4 | 2026-01-28 11:23:41 | Deep Dive |
| CVE-2025-9082 | WPBITS Addons For Elementor <= 1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting | wpbits | WPBITS Addons For Elementor Page Builder | Medium | 6.4 | 2026-01-28 06:43:44 | Deep Dive |
| CVE-2026-1088 | Login Page Editor <= 1.2 - Cross-Site Request Forgery to Settings Update | zero1zerouk | Login Page Editor | Medium | 4.3 | 2026-01-24 07:26:49 | Deep Dive |
| CVE-2026-24620 | WordPress Landing Page Builder plugin <= 1.5.3.4 - Cross Site Scripting (XSS) vulnerability | PluginOps | Landing Page Builder | Medium | - | 2026-01-23 14:29:06 | Deep Dive |