CVSS: 9.9 • EPSS: 0% • CPEs: - • EXPL: 0 • CVE-2026-25366 – WordPress Woody ad snippets plugin <= 2.7.1 - Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2026-25366
25 Mar 2026 — Improper Control of Generation of Code ('Code Injection') vulnerability in Themeisle Woody ad snippets (insert-php) allows Code Injection. This issue affects Woody ad snippets: all versions up to and including 2.7.1. • https://patchstack.com/database/Wordpress/Plugin/insert-php/vulnerability/wordpress-woody-ad-snippets-plugin-2-7-1-remote-code-execution-rce-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 8.5 • EPSS: 0% • CPEs: - • EXPL: 0 • CVE-2026-25001 – WordPress Post Snippets plugin <= 4.0.12 - Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2026-25001
25 Mar 2026 — Improper Control of Generation of Code ('Code Injection') vulnerability in Saad Iqbal Post Snippets (post-snippets) allows Remote Code Inclusion. This issue affects Post Snippets: all versions up to and including 4.0.12. • https://patchstack.com/database/Wordpress/Plugin/post-snippets/vulnerability/wordpress-post-snippets-plugin-4-0-12-remote-code-execution-rce-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-3533 – JupiterX Core <= 4.14.1 - Authenticated (Subscriber+) Missing Authorization To Limited File Upload via Popup Template Import
https://notcve.org/view.php?id=CVE-2026-3533
23 Mar 2026 — The Jupiter X Core plugin for WordPress is vulnerable to limited file upload due to missing authorization in the import_popup_... function. This makes it possible for authenticated attackers with Subscriber-level access and above to upload files with dangerous types, which can lead to Remote Code Execution on servers configured to execute .phar files as PHP (e.g. Apache with mod_php), or to Stored Cross-Site Scripting via uploaded .svg, .dfxp or .xhtml files on any server configuration. • https://plugins.trac.wordpress.org/browser/jupiterx-core/trunk/includes/control-panel-2/includes/class-popup.php?rev=3430169#138 • CWE-434: Unrestricted Upload of File with Dangerous Type
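The two missing controls in an import endpoint of this kind are an authorization check and a file-type decision that does not trust the client. The handler below is an added example written for this page, not Jupiter X Core's own code; the AJAX action, nonce name, post type and the choice of JSON as the only importable format are assumptions made for illustration.

```php
<?php
// Added example (not Jupiter X Core code). A hypothetical AJAX handler that imports a popup
// template safely: a capability check so Subscriber-level users never reach the upload path,
// a nonce, an extension allow-list applied to the file name (not the client-supplied MIME
// type), and the template consumed as data instead of being stored under its original name.
// Action, nonce and post-type names are assumptions.

function example_import_popup_template() {
    // 1. Authorization: the check whose absence the advisory describes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF: the request must carry a nonce issued to this user.
    check_ajax_referer( 'example_popup_import', 'nonce' );

    $file = $_FILES['template'] ?? null;
    if ( ! $file || UPLOAD_ERR_OK !== $file['error'] || ! is_uploaded_file( $file['tmp_name'] ) ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }

    // 3. File type: decided from the extension of the original name against a one-entry
    //    allow-list. .phar, .php, .svg, .dfxp and .xhtml all fail here, whatever Content-Type
    //    the browser claimed.
    $ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    if ( 'json' !== $ext ) {
        wp_send_json_error( 'only .json templates can be imported', 400 );
    }

    // 4. Content: the file must actually parse as the expected structure.
    $data = json_decode( (string) file_get_contents( $file['tmp_name'] ), true, 32 );
    if ( JSON_ERROR_NONE !== json_last_error() || ! is_array( $data ) ) {
        wp_send_json_error( 'template is not valid JSON', 400 );
    }

    // 5. Storage: nothing from the upload lands on disk under a user-chosen name; the
    //    template becomes a draft post with its markup filtered, so no inline script survives.
    $title   = is_string( $data['title'] ?? null ) ? sanitize_text_field( $data['title'] ) : 'Imported popup';
    $content = is_string( $data['content'] ?? null ) ? wp_kses_post( $data['content'] ) : '';
    $post_id = wp_insert_post( array(
        'post_type'    => 'example_popup',
        'post_status'  => 'draft',
        'post_title'   => $title,
        'post_content' => $content,
    ), true );
    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( $post_id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'id' => $post_id ) );
}
add_action( 'wp_ajax_example_import_popup', 'example_import_popup_template' );
```

If an importer genuinely has to write the upload to disk, route it through wp_handle_upload() with a 'mimes' array limited to the formats the feature needs; the default WordPress list already excludes .phar and .svg, and a feature-specific list should be narrower still.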
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-4001 – Woocommerce Custom Product Addons Pro <= 5.4.1 - Unauthenticated Remote Code Execution via Custom Pricing Formula
https://notcve.org/view.php?id=CVE-2026-4001
23 Mar 2026 — The Woocommerce Custom Product Addons Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.4.1 via the custom pricing formula eval() in the process_custom_formula() function within includes/process/price.php. ... This makes it possible for unauthenticated attackers to execute arbitrary code on the server by submitting a crafted value to a WCPA text field configured with a custom pricing formula (pricingType: "custom" with {this.value}). • https://acowebs.com/woo-custom-product-addons • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
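The pattern the advisory names is a formula template containing {this.value}, the customer's field value substituted into it as text, and the result handed to eval(). The block below is an added example for this page, not the plugin's code: vulnerable_formula is a schematic reconstruction of that pattern, and SafeFormula is a small recursive-descent evaluator for arithmetic (numbers, + - * /, parentheses, unary minus, {this.value}) that never interprets PHP. Function and class names are assumptions.

```php
<?php
// Added example, not from the plugin. The eval()-based pattern the advisory describes next
// to a safe replacement: the submitted value must be numeric, and the admin-configured
// formula is evaluated by a tiny parser instead of eval(). Names are assumptions.

// Vulnerable shape (schematic): request data is spliced into code, then eval()'d.
function vulnerable_formula( string $formula, string $user_value ) {
    $code = str_replace( '{this.value}', $user_value, $formula );
    return eval( 'return ' . $code . ';' );   // "0; system('id'); //" runs on the server
}

final class SafeFormula {
    private string $s = '';
    private int $i = 0;
    private float $value = 0.0;

    public static function evaluate( string $formula, $user_value ): float {
        // Layer 1: the customer's value is a number or the request is rejected outright.
        if ( ! is_numeric( $user_value ) ) {
            throw new InvalidArgumentException( 'field value must be numeric' );
        }
        // Layer 2: the formula is parsed, not executed; unknown tokens are an error.
        $p        = new self();
        $p->s     = preg_replace( '/\s+/', '', $formula );
        $p->value = (float) $user_value;
        $r        = $p->expr();
        if ( $p->i !== strlen( $p->s ) ) {
            throw new InvalidArgumentException( 'unexpected input at offset ' . $p->i );
        }
        return $r;
    }

    // expr := term (('+' | '-') term)*
    private function expr(): float {
        $v = $this->term();
        while ( $this->i < strlen( $this->s ) && ( '+' === $this->s[ $this->i ] || '-' === $this->s[ $this->i ] ) ) {
            $op  = $this->s[ $this->i++ ];
            $rhs = $this->term();
            $v   = '+' === $op ? $v + $rhs : $v - $rhs;
        }
        return $v;
    }

    // term := factor (('*' | '/') factor)*
    private function term(): float {
        $v = $this->factor();
        while ( $this->i < strlen( $this->s ) && ( '*' === $this->s[ $this->i ] || '/' === $this->s[ $this->i ] ) ) {
            $op  = $this->s[ $this->i++ ];
            $rhs = $this->factor();
            if ( '/' === $op && 0.0 == $rhs ) {
                throw new InvalidArgumentException( 'division by zero' );
            }
            $v = '*' === $op ? $v * $rhs : $v / $rhs;
        }
        return $v;
    }

    // factor := number | '{this.value}' | '(' expr ')' | '-' factor
    private function factor(): float {
        $rest = substr( $this->s, $this->i );
        if ( '' === $rest ) {
            throw new InvalidArgumentException( 'unexpected end of formula' );
        }
        if ( '-' === $rest[0] ) {
            $this->i++;
            return -$this->factor();
        }
        if ( '(' === $rest[0] ) {
            $this->i++;
            $v = $this->expr();
            if ( ')' !== ( $this->s[ $this->i ] ?? '' ) ) {
                throw new InvalidArgumentException( 'missing )' );
            }
            $this->i++;
            return $v;
        }
        if ( 0 === strpos( $rest, '{this.value}' ) ) {
            $this->i += 12;                       // strlen('{this.value}')
            return $this->value;
        }
        if ( preg_match( '/^\d+(\.\d+)?/', $rest, $m ) ) {
            $this->i += strlen( $m[0] );
            return (float) $m[0];
        }
        throw new InvalidArgumentException( 'illegal token at offset ' . $this->i );
    }
}

// The formula is configured by the store admin; the value arrives from the customer.
var_dump( SafeFormula::evaluate( '({this.value} + 2) * 1.5', '10' ) );   // float(18)
try {
    SafeFormula::evaluate( '{this.value} * 2', "0; system('id'); //" );
} catch ( InvalidArgumentException $e ) {
    echo $e->getMessage(), "\n";                                          // rejected before parsing
}
```

Note that the numeric check alone would close this particular hole, but it leaves the eval() in place for the next non-numeric field type someone adds; replacing eval() with a parser removes the code-execution sink entirely, which is what CWE-95 remediation should aim for.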
CVSS: 7.3 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-10679 – ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More <= 2.2.12 - Unauthenticated Limited Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-10679
23 Mar 2026 — The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to arbitrary method calls in all versions up to, and including, 2.2.12. ... This makes it possible for unauthenticated attackers to call arbitrary PHP class methods that take no inputs or have default values, potentially leading to information disclosure or remote code execution depending on the methods available and the server configuration. • https://plugins.trac.wordpress.org/browser/reviewx/tags/2.2.7/app/Rest/Controllers/ReviewController.php#L426 • CWE-94: Improper Control of Generation of Code ('Code Injection')
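"Arbitrary method call" here means a REST controller that turns a request parameter into the name of the method it invokes. The block below is an added example for this page, not ReviewX's code: it shows that shape beside an allow-list dispatcher where the request selects an entry in a closed map and each entry carries the capability it requires. Class, route, action and handler names are assumptions.

```php
<?php
// Added example, not ReviewX code. The "arbitrary method call" shape the advisory names
// (a REST route invoking whatever method name the request supplies) next to an allow-list
// dispatcher. Class, route, action and handler names are assumptions.

class ExampleReviewController {

    // Vulnerable: any method of the object is callable by name from a public route, with no
    // arguments, which is exactly the "methods that take no inputs or have defaults" case.
    public function handle_vulnerable( WP_REST_Request $request ) {
        $method = (string) $request->get_param( 'action' );
        if ( method_exists( $this, $method ) ) {
            return $this->$method();
        }
        return new WP_Error( 'unknown_action', 'unknown action', array( 'status' => 400 ) );
    }

    // Hardened: a closed map from request value to handler plus the capability each handler
    // requires (null = public). The request never names a PHP symbol.
    public const ACTIONS = array(
        'list'    => array( 'handler' => 'list_reviews',   'cap' => null ),
        'summary' => array( 'handler' => 'review_summary', 'cap' => null ),
        'purge'   => array( 'handler' => 'purge_reviews',  'cap' => 'manage_options' ),
    );

    public function handle_hardened( WP_REST_Request $request ) {
        $action = (string) $request->get_param( 'action' );
        if ( ! isset( self::ACTIONS[ $action ] ) ) {   // isset() on the map, never method_exists()
            return new WP_Error( 'unknown_action', 'unknown action', array( 'status' => 400 ) );
        }
        $spec = self::ACTIONS[ $action ];
        if ( null !== $spec['cap'] && ! current_user_can( $spec['cap'] ) ) {
            return new WP_Error( 'rest_forbidden', 'insufficient privileges', array( 'status' => 403 ) );
        }
        return call_user_func( array( $this, $spec['handler'] ), $request );
    }

    // Handlers are private so nothing outside the class can reach them; the map above is the
    // only entry point, and every handler receives the request explicitly.
    private function list_reviews( WP_REST_Request $r )   { return array( 'reviews' => array() ); }
    private function review_summary( WP_REST_Request $r ) { return array( 'average' => 0.0 ); }
    private function purge_reviews( WP_REST_Request $r )  { return array( 'purged' => true ); }
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/reviews', array(
        'methods'             => 'POST',
        'callback'            => array( new ExampleReviewController(), 'handle_hardened' ),
        'permission_callback' => '__return_true',   // public route; per-action caps enforced above
        'args'                => array(
            'action' => array(
                'required' => true,
                'type'     => 'string',
                'enum'     => array_keys( ExampleReviewController::ACTIONS ),   // rejected before the callback
            ),
        ),
    ) );
} );
```

When auditing for this class of bug, grep for `$this->$`, `call_user_func` and `call_user_func_array` whose first argument is derived from a request, then check whether the set of reachable names is closed (an array or switch the code controls) or open (method_exists, is_callable, or nothing at all).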
CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-1648 – Performance Monitor <= 1.0.6 - Unauthenticated Server-Side Request Forgery via 'url' Parameter
https://notcve.org/view.php?id=CVE-2026-1648
21 Mar 2026 — The Performance Monitor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.6. ... This can be exploited to achieve Remote Code Execution by chaining with services such as Redis. • https://github.com/assetnote/blind-ssrf-chains • CWE-918: Server-Side Request Forgery (SSRF)
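The Redis chain referenced above works because an unrestricted fetcher will happily speak to 127.0.0.1:6379 over a scheme such as gopher://, or be redirected there by a public host. The block below is an added example for this page, not Performance Monitor's code: a validator-plus-fetch for a "time this URL" feature that restricts scheme and port, resolves the host itself and rejects any non-public address, pins the checked address at connect time and refuses redirects. Function names are assumptions.

```php
<?php
// Added example, not Performance Monitor code. Validation and fetch for a "measure this URL"
// feature so the server cannot be pointed at internal services (Redis on 127.0.0.1:6379,
// the cloud metadata address, other hosts on the LAN). Function names are assumptions.

function example_is_public_ip( string $ip ): bool {
    // IPv4-mapped IPv6 (::ffff:127.0.0.1) must be judged as the embedded IPv4 address.
    if ( 0 === stripos( $ip, '::ffff:' ) ) {
        $ip = substr( $ip, 7 );
    }
    // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7.
    // NO_RES_RANGE: 0/8, 127/8, 169.254/16 (metadata), 240/4, ::, ::1 and other reserved blocks.
    return false !== filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE );
}

// Returns ['status' => int, 'total_time' => float] for a URL that passed every check; throws otherwise.
function example_fetch_public_url( string $url, int $timeout = 5 ): array {
    $p = parse_url( $url );
    if ( ! is_array( $p ) || empty( $p['scheme'] ) || empty( $p['host'] ) ) {
        throw new InvalidArgumentException( 'malformed URL' );
    }
    $scheme = strtolower( $p['scheme'] );
    // gopher://, dict://, file:// and friends are how an SSRF turns into "send Redis commands".
    if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        throw new InvalidArgumentException( 'scheme not allowed: ' . $scheme );
    }
    if ( isset( $p['user'] ) || isset( $p['pass'] ) ) {
        throw new InvalidArgumentException( 'credentials in URL not allowed' );
    }
    $port = $p['port'] ?? ( 'https' === $scheme ? 443 : 80 );
    if ( ! in_array( $port, array( 80, 443 ), true ) ) {            // no :6379, :11211, :9200 ...
        throw new InvalidArgumentException( 'port not allowed: ' . $port );
    }
    $host = strtolower( trim( $p['host'], '[]' ) );

    // Resolve the host here and judge every answer: "localhost", decimal or octal IP
    // spellings and DNS names pointing inward all end up as an address at this point.
    if ( filter_var( $host, FILTER_VALIDATE_IP ) ) {
        $addrs = array( $host );
    } else {
        $addrs = gethostbynamel( $host );                              // IPv4 answers only
        if ( empty( $addrs ) ) {
            throw new InvalidArgumentException( 'host does not resolve' );
        }
    }
    foreach ( $addrs as $ip ) {
        if ( ! example_is_public_ip( $ip ) ) {
            throw new InvalidArgumentException( "host resolves to non-public address $ip" );
        }
    }

    // Pin the address that was checked so a second lookup at connect time (DNS rebinding)
    // cannot swap in 127.0.0.1, and never follow redirects (a public host can 302 inward).
    $pin = str_contains( $addrs[0], ':' ) ? '[' . $addrs[0] . ']' : $addrs[0];
    $ch  = curl_init( $url );
    curl_setopt_array( $ch, array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => array( "$host:$port:$pin" ),
        CURLOPT_CONNECTTIMEOUT => $timeout,
        CURLOPT_TIMEOUT        => $timeout,
        CURLOPT_SSL_VERIFYPEER => true,
    ) );
    if ( false === curl_exec( $ch ) ) {
        $err = curl_error( $ch );
        curl_close( $ch );
        throw new RuntimeException( 'fetch failed: ' . $err );
    }
    $result = array(
        'status'     => curl_getinfo( $ch, CURLINFO_RESPONSE_CODE ),   // a 3xx is reported, not followed
        'total_time' => curl_getinfo( $ch, CURLINFO_TOTAL_TIME ),
    );
    curl_close( $ch );
    return $result;
}
```

Two caveats: gethostbynamel() returns only A records, so a host reachable over IPv6 alone is rejected here (resolve AAAA with dns_get_record() and apply the same check if that matters), and WordPress's own wp_safe_remote_get() applies a comparable loopback and private-range filter via wp_http_validate_url() but does not pin the resolved address, so it remains exposed to rebinding between the check and the connect.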
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-3584 – Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process
https://notcve.org/view.php?id=CVE-2026-3584
20 Mar 2026 — The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. ... • https://plugins.trac.wordpress.org/browser/kali-forms/tags/2.4.9/Inc/Frontend/class-form-processor.php#L697 • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-2421 – ilGhera Carta Docente for WooCommerce <= 1.5.0 - Authenticated (Administrator+) Path Traversal to Arbitrary File Deletion via 'cert' Parameter
https://notcve.org/view.php?id=CVE-2026-2421
20 Mar 2026 — The ilGhera Carta Docente for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.5.0 via the 'cert' parameter of the 'wccd-delete-certificate' AJAX action. ... This makes it possible for authenticated attackers with Administrator-level access and above to delete arbitrary files on the server, such as wp-config.php, which can make site takeover and remote code execution possible. • https://plugins.trac.wordpress.org/browser/wc-carta-docente/tags/1.4.7/includes/class-wccd-admin.php#L88 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-32414 – WordPress Advanced Woo Labels plugin <= 2.36 - Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2026-32414
13 Mar 2026 — Improper Control of Generation of Code ('Code Injection') vulnerability in ILLID Advanced Woo Labels (advanced-woo-labels) allows Remote Code Inclusion. This issue affects Advanced Woo Labels: all versions up to and including 2.36. • https://patchstack.com/database/Wordpress/Plugin/advanced-woo-labels/vulnerability/wordpress-advanced-woo-labels-plugin-2-36-remote-code-execution-rce-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-32367 – WordPress Modal Dialog plugin <= 3.5.16 - Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2026-32367
13 Mar 2026 — Improper Control of Generation of Code ('Code Injection') vulnerability in Yannick Lefebvre Modal Dialog (modal-dialog) allows Remote Code Inclusion. This issue affects Modal Dialog: all versions up to and including 3.5.16. • https://patchstack.com/database/Wordpress/Plugin/modal-dialog/vulnerability/wordpress-modal-dialog-plugin-3-5-16-remote-code-execution-rce-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection')
