CMS

In the JavaScript Notifier plugin for WordPress versions up to and including 1.2.8 a medium severity vulnerability CVE-2026-1191 was detected. This vulnerability allows authenticated attackers with administrator-level access to inject arbitrary web scripts via plugin settings, which are rendered through the wp_footer action, due to insufficient input sanitization and output escaping of user-supplied attributes. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1191.

In the Meta-box GalleryMeta plugin for WordPress versions up to and including 3.0.1 a medium severity vulnerability CVE-2026-1302 was detected. This vulnerability allows authenticated attackers with editor-level permissions or higher to inject arbitrary malicious scripts via the admin settings, leading to stored cross-site scripting (XSS) that executes whenever a user accesses the affected pages. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1302.

In the Responsive Header plugin for WordPress versions up to and including 1.0 a medium severity vulnerability CVE-2026-1300 was detected. This vulnerability allows authenticated attackers with administrator-level access or higher to inject arbitrary web scripts via multiple plugin settings parameters, which are stored and executed when users access affected pages, due to insufficient input sanitization and output escaping. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1300.

In the Postalicious plugin for WordPress versions up to and including 3.0.1 a medium severity vulnerability CVE-2026-1266 was detected. This vulnerability allows authenticated attackers with administrator-level permissions or higher to inject arbitrary web scripts via admin settings, which are stored and executed when users access affected pages, due to insufficient input sanitization and output escaping. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1266.

In the Administrative Shortcodes plugin for WordPress versions up to, and including, 0.3.4 a high severity vulnerability CVE-2026-1257 was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to include and execute arbitrary files on the server via the slug attribute of the get_template shortcode, due to insufficient path validation of user-supplied input passed to the get_template_part() function. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1257.

In the LeadBI plugin for WordPress versions up to and including 1.7 a medium severity vulnerability CVE-2026-1189 was detected. This vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts via the form_id parameter of the leadbi_form shortcode, due to insufficient input sanitization and output escaping of user-supplied attributes. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1189.

In the WP Duplicate Page plugin for WordPress versions up to and including 1.8 a medium severity vulnerability CVE-2025-14001 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to duplicate arbitrary posts, pages, and WooCommerce HPOS orders due to missing capability checks in the duplicateBulkHandle and duplicateBulkHandleHPOS functions, even when their role is explicitly excluded in the plugin’s Allowed User Roles settings. To address this issue, users should upgrade the WP Duplicate Page plugin to version 1.8.1 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-14001.