Recent Advisories

Severity ID Title Vendor Product Date Type
MEDIUM 5.3 CVE-2026-12120

FireBox Popups <= 3.1.7 - Unauthenticated Sensitive Information Exposure in 'form_id' Parameter_CVE-2026-12120

The FireBox Popups – Increase Sales and Grow Your Email List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions u...

fireplugins FireBox Popups – Increase Sales and Grow Your Email List CVE
MEDIUM 5.3 CVE-2026-12093

Simple Membership <= 4.7.5 - Missing Authorization to Unauthenticated Arbitrary Member Account Deactivation via Forged Stripe 'charge.refunded' Webhook_CVE-2026-12093

The Simple Membership plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.7.5. This is due to the pl...

wpinsider-1 Simple Membership CVE
MEDIUM 4.3 CVE-2026-11784

Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization <= 4.2.6 - Cross-Site Request Forgery via 'optml_replace_file' AJAX Action_CVE-2026-11784

The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Cross-Site Reques...

optimole Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization CVE
MEDIUM 4.9 CVE-2026-11777

Form Maker by 10Web <= 1.15.43 - Authenticated (Administrator+) SQL Injection via 'name' Parameter_CVE-2026-11777

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'nam...

10web Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder CVE
MEDIUM 4.9 CVE-2026-11776

Form Maker by 10Web <= 1.15.43 - Authenticated (Adminsitrator+) SQL Injection via 'groupids' Parameter_CVE-2026-11776

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'gro...

10web Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder CVE
MEDIUM 6.4 CVE-2026-11402

Services Section Block <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'link' Block Attribute_CVE-2026-11402

The Services Section Block – Showcase Service Details in Grid or Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'lin...

bplugins Services Section Block – Showcase Service Details in Grid or Columns CVE
MEDIUM 4.9 CVE-2026-11360

Advanced Order Export For WooCommerce <= 4.0.10 - Authenticated (Shop Manager+) SQL Injection via 'sort_direction' Parameter_CVE-2026-11360

The Advanced Order Export For WooCommerce plugin for WordPress is vulnerable to generic SQL Injection via the 'sort_direction' parameter in all ver...

algolplus Advanced Order Export For WooCommerce CVE
MEDIUM 4.4 CVE-2026-11358

Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More <= 3.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu-item-icon' Parameter_CVE-2026-11358

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site ...

themeisle Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More CVE
MEDIUM 4.3 CVE-2026-11357

Kadence Blocks <= 3.7.5 - Authenticated (Contributor+) Sensitive Information Exposure via Block Editor proData Localization_CVE-2026-11357

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions...

stellarwp Kadence Blocks — Page Builder Toolkit for Gutenberg Editor CVE
MEDIUM 4.9 CVE-2026-10736

Tutor LMS <= 3.9.11 - Authenticated (Administrator+) SQL Injection via 'data' Parameter_CVE-2026-10736

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all ve...

themeum Tutor LMS – eLearning and online course solution CVE