Recent Advisories

Severity ID Title Vendor Product Date Type
MEDIUM 6.4 CVE-2026-2387

Event Organiser <= 3.12.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via eo_events Shortcode

The Event Organiser plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.12.9. This is due to ...

stephenharris Event Organiser CVE
HIGH 7.2 CVE-2026-13731

WPBot <= 8.4.9 - Unauthenticated Stored Cross-Site Scripting via 'conversation' Parameter

The WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'co...

quantumcloud WPBot – AI ChatBot for Live Support, Lead Generation, AI Services CVE
HIGH 7.5 CVE-2026-13468

Visualizer <= 4.0.3 - Missing Authorization to Unauthenticated Sensitive Information Disclosure via /visualizer/v1/action/{chart}/{type}/ REST Endpoint

The Visualizer – Tables & Charts Manager with Built-in AI Generator plugin for WordPress is vulnerable to authorization bypass in all versions up t...

themeisle Visualizer – Tables & Charts Manager with Built-in AI Generator CVE
MEDIUM 6.4 CVE-2026-13443

Tutor LMS <= 3.9.13 - Authenticated (Author+) Stored Cross-Site Scripting via Lesson Attachment Title

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Lesson Attachment Title ...

themeum Tutor LMS – eLearning and online course solution CVE
MEDIUM 6.4 CVE-2026-13246

GiveWP <= 4.16.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'block_id' Shortcode Attribute

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'block_id' (and oth...

stellarwp GiveWP – Donation Plugin and Fundraising Platform CVE
MEDIUM 6.1 CVE-2026-13015

WP Google Review Slider <= 18.1 - Reflected Cross-Site Scripting via 'place' Parameter

The Wp Google Places Review Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'place' parameter in versions up to...

jgwhite33 WP Google Review Slider CVE
HIGH 7.5 CVE-2026-12923

Video Gallery <= 4.0.3 - Authenticated (Subscriber+) Arbitrary Function Call via 'path' Parameter

The Youtube Showcase plugin for WordPress is vulnerable to Arbitrary Function Call in versions up to and including 4.0.3. This is due to insufficie...

emarket-design Video Gallery – YouTube Gallery, Playlist & Video Grid CVE
MEDIUM 4.3 CVE-2026-12904

Kadence Blocks <= 3.7.7 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary Optimizer Data Deletion/Read/Modification via 'post_path' Parameter

The Kadence Blocks – Gutenberg Blocks for Page Builder Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions ...

stellarwp Kadence Blocks — Page Builder Toolkit for Gutenberg Editor CVE
MEDIUM 4.3 CVE-2026-12902

Kadence Blocks <= 3.7.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary Media Attachment Creation via kadence_import_process_pattern/kadence_import_process_data AJAX Actions

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to authorization bypass in all versions up to, an...

stellarwp Kadence Blocks — Page Builder Toolkit for Gutenberg Editor CVE
MEDIUM 6.4 CVE-2026-12135

FV Flowplayer Video Player <= 7.5.51.7212 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'video_player' Shortcode

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'video_player' shortcode 'align' attribute...

foliovision FV Flowplayer Video Player CVE