Recent Advisories

Severity ID Title Vendor Product Date Type
MEDIUM 4.3 CVE-2026-11784

Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization <= 4.2.6 - Cross-Site Request Forgery via 'optml_replace_file' AJAX Action_CVE-2026-11784

The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Cross-Site Reques...

optimole Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization CVE
MEDIUM 4.9 CVE-2026-11777

Form Maker by 10Web <= 1.15.43 - Authenticated (Administrator+) SQL Injection via 'name' Parameter_CVE-2026-11777

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'nam...

10web Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder CVE
MEDIUM 4.9 CVE-2026-11776

Form Maker by 10Web <= 1.15.43 - Authenticated (Adminsitrator+) SQL Injection via 'groupids' Parameter_CVE-2026-11776

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'gro...

10web Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder CVE
MEDIUM 6.4 CVE-2026-11402

Services Section Block <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'link' Block Attribute_CVE-2026-11402

The Services Section Block – Showcase Service Details in Grid or Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'lin...

bplugins Services Section Block – Showcase Service Details in Grid or Columns CVE
MEDIUM 4.9 CVE-2026-11360

Advanced Order Export For WooCommerce <= 4.0.10 - Authenticated (Shop Manager+) SQL Injection via 'sort_direction' Parameter_CVE-2026-11360

The Advanced Order Export For WooCommerce plugin for WordPress is vulnerable to generic SQL Injection via the 'sort_direction' parameter in all ver...

algolplus Advanced Order Export For WooCommerce CVE
MEDIUM 4.4 CVE-2026-11358

Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More <= 3.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu-item-icon' Parameter_CVE-2026-11358

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site ...

themeisle Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More CVE
MEDIUM 4.3 CVE-2026-11357

Kadence Blocks <= 3.7.5 - Authenticated (Contributor+) Sensitive Information Exposure via Block Editor proData Localization_CVE-2026-11357

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions...

stellarwp Kadence Blocks — Page Builder Toolkit for Gutenberg Editor CVE
MEDIUM 4.9 CVE-2026-10736

Tutor LMS <= 3.9.11 - Authenticated (Administrator+) SQL Injection via 'data' Parameter_CVE-2026-10736

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all ve...

themeum Tutor LMS – eLearning and online course solution CVE
MEDIUM 4.3 CVE-2026-10623

PressPrimer Quiz <= 2.3.0 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Modification via 'quiz_id', 'item_id', and 'rule_id' Parameters_CVE-2026-10623

The PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference i...

pressprimer PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin CVE
MEDIUM 5.3 CVE-2026-10029

Event Koi Lite <= 1.3.13.1 - Missing Authorization to Unauthenticated Sensitive Information Exposure via REST API Endpoints_CVE-2026-10029

The Event Koi Lite – Events Calendar, Event Management, RSVP, and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in a...

eventkoi Event Koi Lite – Events Calendar, Event Management, RSVP, and Tickets CVE