CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2026-0740 – Ninja Forms - File Upload <= 3.3.26 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2026-0740
07 Apr 2026 — The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible. • https://ninjaforms.com/extensions/file-uploads • CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2026-5032 – W3 Total Cache <= 2.9.3 - Unauthenticated Security Token Exposure via User-Agent Header
https://notcve.org/view.php?id=CVE-2026-5032
02 Apr 2026 — The W3 Total Cache plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 2.9.3. ... With the leaked W3TC_DYNAMIC_SECURITY token, an attacker can craft valid mfunc tags to execute arbitrary PHP code on the server, achieving remote code execution. • https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.9.3/Generic_Plugin.php#L1016 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 1
CVE-2026-1540 – Spam Protect for Contact Form 7 < 1.2.10 - Editor+ Remote Code Execution
https://notcve.org/view.php?id=CVE-2026-1540
02 Apr 2026 — The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows logging to a PHP file, which could allow an attacker with editor access to achieve Remote Code Execution by using a crafted header. • https://wpscan.com/vulnerability/ad00d1bb-ea8d-44a3-9064-6412804d9e95 • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 8.1 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2026-4347 – MW WP Form <= 5.1.0 - Unauthenticated Arbitrary File Move via move_temp_file_to_upload_dir
https://notcve.org/view.php?id=CVE-2026-4347
02 Apr 2026 — The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the 'generate_user_filepath' function and the 'move_temp_file_to_upload_dir' function in all versions up to, and including, 5.1.0. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). • https://plugins.trac.wordpress.org/browser/mw-wp-form/tags/5.1.0/classes/controllers/class.main.php#L271 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2026-3300 – Everest Forms Pro <= 1.9.12 - Unauthenticated Remote Code Execution via Calculation Field
https://notcve.org/view.php?id=CVE-2026-3300
31 Mar 2026 — The Everest Forms Pro plugin for WordPress is vulnerable to Remote Code Execution via PHP Code Injection in all versions up to, and including, 1.9.12. ... • https://everestforms.net/changelog • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 9.8 | EPSS: 19% | CPEs: 1 | EXPL: 0
CVE-2026-4257 – Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality
https://notcve.org/view.php?id=CVE-2026-4257
30 Mar 2026 — The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in all versions up to, and including, 1.7.36. ... • https://plugins.trac.wordpress.org/browser/contact-form-by-supsystic/tags/1.7.36/modules/forms/views/forms.php#L323 • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2026-3328 – Frontend Admin by DynamiApps <= 3.28.31 - Authenticated (Editor+) PHP Object Injection via 'post_content' of Admin Form Posts
https://notcve.org/view.php?id=CVE-2026-3328
26 Mar 2026 — The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin_form posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's `maybe_unserialize()` function without class restrictions on user-controllable content stored in admin_form post content. ... The additional presence of a POP chain allows attackers to achieve remote code execution. • https://plugins.trac.wordpress.org/browser/acf-frontend-form-element/tags/3.28.27/main/admin/admin-pages/forms/settings.php#L419 • CWE-502: Deserialization of Untrusted Data
CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2026-4758 – WP Job Portal <= 2.4.9 - Authenticated (Subscriber+) Arbitrary File Deletion via Resume Custom File Field
https://notcve.org/view.php?id=CVE-2026-4758
25 Mar 2026 — The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'WPJOBPORTALcustomfields::removeFileCustom' function in all versions up to, and including, 2.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://plugins.trac.wordpress.org/browser/wp-job-portal/tags/2.4.9/includes/classes/customfields.php#L1558 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS: 9.1 | EPSS: 0% | CPEs: - | EXPL: 0
CVE-2026-32573 – WordPress Nelio AB Testing plugin <= 8.2.7 - Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2026-32573
25 Mar 2026 — Improper Control of Generation of Code ('Code Injection') vulnerability in Nelio Software Nelio AB Testing (nelio-ab-testing) allows Code Injection. This issue affects Nelio AB Testing: from n/a through <= 8.2.7. • https://patchstack.com/database/Wordpress/Plugin/nelio-ab-testing/vulnerability/wordpress-nelio-ab-testing-plugin-8-2-7-remote-code-execution-rce-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 9.9 | EPSS: 0% | CPEs: - | EXPL: 0
CVE-2026-32525 – WordPress JetFormBuilder plugin <= 3.5.6.1 - Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2026-32525
25 Mar 2026 — Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters JetFormBuilder (jetformbuilder) allows Code Injection. This issue affects JetFormBuilder: from n/a through <= 3.5.6.1. • https://patchstack.com/database/Wordpress/Plugin/jetformbuilder/vulnerability/wordpress-jetformbuilder-plugin-3-5-6-1-remote-code-execution-rce-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection')
