| CVE-2026-22490 | WordPress Bulk Landing Page Creator for WordPress LPagery plugin <= 2.4.9 - Broken Access Control vulnerability | niklaslindemann | Bulk Landing Page Creator for WordPress LPagery | Medium | 5.4 | 2026-01-08 16:24:38 | Deep Dive |
| CVE-2026-22517 | WordPress GA4WP: Google Analytics for WordPress plugin <= 2.10.0 - Broken Access Control vulnerability | Passionate Brains | GA4WP: Google Analytics for WordPress | Medium | 5.4 | 2026-01-08 16:22:10 | Deep Dive |
| CVE-2026-0674 | WordPress Campaign Monitor for WordPress plugin <= 2.9.1 - Broken Access Control vulnerability | Campaign Monitor | Campaign Monitor for WordPress | Medium | 4.3 | 2026-01-08 09:17:55 | Deep Dive |
| CVE-2025-68887 | WordPress WP-BusinessDirectory plugin <= 4.0.1 - Cross Site Scripting (XSS) vulnerability | CMSJunkie - WordPress Business Directory Plugins | WP-BusinessDirectory | Medium | - | 2026-01-08 09:17:54 | Deep Dive |
| CVE-2025-27004 | WordPress Famous - Responsive Image And Video Grid Gallery WordPress Plugin plugin <= 1.4 - Reflected Cross Site Scripting (XSS) vulnerability | LambertGroup | Famous - Responsive Image And Video Grid Gallery WordPress Plugin | High | 7.1 | 2026-01-08 09:17:42 | Deep Dive |
| CVE-2025-14275 | Jeg Elementor Kit <= 3.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Widget | jegtheme | Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress | Medium | 6.4 | 2026-01-08 02:21:16 | Deep Dive |
| CVE-2025-13887 | AI BotKit <= 1.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | wisdmlabs | AI ChatBot for WordPress by AI BotKit – Live in 2 Minutes, No Code | Medium | 6.4 | 2026-01-07 09:20:56 | Deep Dive |
| CVE-2025-14128 | Stumble! for WordPress <= 1.1.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] | mitchoyoshitaka | Stumble! for WordPress | Medium | 6.1 | 2026-01-07 09:20:53 | Deep Dive |
| CVE-2025-13520 | MTCaptcha WordPress Plugin <= 2.7.2 - Cross-Site Request Forgery to Settings Update | mtcaptcha | MTCaptcha WordPress Plugin | Medium | 4.3 | 2026-01-07 08:21:55 | Deep Dive |
| CVE-2025-12449 | aBlocks – WordPress Gutenberg Blocks <= 2.4.0 - Missing Authorization to Authenticated (Subscriber+) Settings Modification | kodezen | aBlocks – Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & Animation Builder | Medium | 5.4 | 2026-01-07 07:17:34 | Deep Dive |
| CVE-2025-14802 | LearnPress – WordPress LMS Plugin <= 4.3.2.2 - Insecure Direct Object Reference to Authenticated (Instructor+) Teacher Material Deletion | thimpress | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | Medium | 5.4 | 2026-01-07 07:17:33 | Deep Dive |
| CVE-2025-14867 | Flashcard Plugin for WordPress <= 0.9 - Authenticated (Contributor+) Arbitrary File Read via Path Traversal | liangshao | Flashcard Plugin for WordPress | Medium | 6.5 | 2026-01-07 06:36:04 | Deep Dive |
| CVE-2025-14887 | twinklesmtp – Email Service Provider For WordPress <= 1.03 - Authenticated (Administrator+) Stored Cross-Site Scripting via Sender Settings | wpcommerz | twinklesmtp – Email Service Provider For WordPress | Medium | 4.4 | 2026-01-07 06:35:59 | Deep Dive |
| CVE-2025-31051 | WordPress Plant - Gardening & Houseplants WordPress Theme <= 1.0.0 - Sensitive Data Exposure Vulnerability | EngoTheme | Plant - Gardening & Houseplants WordPress Theme | Medium | 5.3 | 2026-01-06 21:13:03 | Deep Dive |
| CVE-2025-29004 | WordPress Responsive Coming Soon Landing Page / Holding Page for WordPress plugin <= 3.0 - Privilege Escalation Vulnerability | AA-Team | Responsive Coming Soon Landing Page / Holding Page for WordPress | High | 8.8 | 2026-01-06 20:25:59 | Deep Dive |
| CVE-2025-69331 | WordPress Theater for WordPress plugin <= 0.19 - Broken Access Control vulnerability | Jeroen Schmit | Theater for WordPress | Medium | - | 2026-01-06 16:36:38 | Deep Dive |
| CVE-2025-13964 | LearnPress – WordPress LMS Plugin <= 4.3.2 - Missing Authentication to Unauthenticated Course Modification | thimpress | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | Medium | 5.3 | 2026-01-06 08:21:49 | Deep Dive |
| CVE-2025-13766 | MasterStudy LMS WordPress Plugin – for Online Courses and Education <= 3.7.6 Missing Authorization to Authenticated (Subscriber+) Posts and Media Creation, Modification and Deletion | stylemix | MasterStudy LMS WordPress Plugin – for Online Courses and Education | Medium | 5.4 | 2026-01-06 08:21:48 | Deep Dive |
| CVE-2025-13812 | GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress <= 7.6.1 - Missing Authorization to Authenticated (Subscriber+) Information Exposure | rubengc | GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress | Medium | 4.3 | 2026-01-06 07:22:13 | Deep Dive |
| CVE-2025-14153 | Page Expire Popup/Redirection for WordPress <= 1.0 - Authenticated (Author+) SQL Injection via 'id' Shortcode Attribute | vikasratudi | Page Expire Popup/Redirection for WordPress | Medium | 6.5 | 2026-01-06 03:21:40 | Deep Dive |