CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-1830 – Quick Playground <= 1.3.1 - Missing Authorization to Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2026-1830
09 Apr 2026 — The Quick Playground plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.1. ... This makes it possible for unauthenticated attackers to retrieve the sync code, upload PHP files with path traversal, and achieve remote code execution on the server. • https://plugins.trac.wordpress.org/browser/quick-playground/trunk/api.php#L39 • CWE-862: Missing Authorization
CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-5436 – MW WP Form <= 5.1.1 - Unauthenticated Arbitrary File Move via regenerate_upload_file_keys
https://notcve.org/view.php?id=CVE-2026-5436
08 Apr 2026 — The MW WP Form plugin for WordPress is vulnerable to Arbitrary File Move/Read in all versions up to and including 5.1.1. This is due to insufficient validation of the $name parameter (upload field key) passed to the generate_user_file_dirpath() function, which uses WordPress's path_join() — a function that returns absolute paths unchanged, discarding the intended base directory. ... This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lea... • https://github.com/web-soudan/mw-wp-form/commit/f872ab18ca670f5867b2241745daa30cd0fab861 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-2942 – ProSolution WP Client <= 1.9.9 - Unauthenticated Arbitrary File Upload via proSol_fileUploadProcess
https://notcve.org/view.php?id=CVE-2026-2942
08 Apr 2026 — The ProSolution WP Client plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'proSol_fileUploadProcess' function in all versions up to, and including, 1.9.9. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/prosolution-wp-client/trunk/public/class-prosolwpclient-public.php?rev=3331282#L993 • CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-3243 – Advanced Members for ACF <= 1.2.5 - Authenticated (Subscriber+) Arbitrary File Deletion via Path Traversal
https://notcve.org/view.php?id=CVE-2026-3243
08 Apr 2026 — The Advanced Members for ACF plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the create_crop function in all versions up to, and including, 1.2.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://plugins.trac.wordpress.org/browser/advanced-members/tags/1.2.4/core/modules/class-avatar.php#L266 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS: 9.6 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-39640 – WordPress Theme Editor plugin <= 3.2 - Cross Site Request Forgery (CSRF) to Remote Code Execution vulnerability
https://notcve.org/view.php?id=CVE-2026-39640
08 Apr 2026 — Cross-Site Request Forgery (CSRF) vulnerability in mndpsingh287 Theme Editor theme-editor allows Code Injection. This issue affects Theme Editor: from n/a through <= 3.2. • https://patchstack.com/database/Wordpress/Plugin/theme-editor/vulnerability/wordpress-theme-editor-plugin-3-2-cross-site-request-forgery-csrf-to-remote-code-execution-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF)
CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-4808 – Gerador de Certificados – DevApps <= 1.3.6 - Authenticated (Administrator+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2026-4808
08 Apr 2026 — The Gerador de Certificados – DevApps plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the moveUploadedFile() function in all versions up to, and including, 1.3.6. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/gerador-de-certificados-devapps/trunk/admin/class-devapps-certificate-generator-admin.php#L346 • CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-3535 – DSGVO Google Web Fonts GDPR <= 1.1 - Unauthenticated Arbitrary File Upload via 'fonturl' Parameter
https://notcve.org/view.php?id=CVE-2026-3535
08 Apr 2026 — The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the `DSGVOGWPdownloadGoogleFonts()` function in all versions up to, and including, 1.1. ... This makes it possible for unauthenticated attackers to upload arbitrary files including PHP webshells, leading to remote code execution. • https://plugins.trac.wordpress.org/browser/dsgvo-google-web-fonts-gdpr/tags/1.1/dsgvo-google-web-fonts-gdpr.php#L159 • CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS: 9.8 • EPSS: 16% • CPEs: 1 • EXPL: 1 • CVE-2026-0740 – Ninja Forms - File Upload <= 3.3.26 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2026-0740
07 Apr 2026 — The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'NF_FU_AJAX_Controllers_Uploads::handle_upload' function in all versions up to, and including, 3.3.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://www.exploit-db.com/exploits/52560 • CWE-434: Unrestricted Upload of File with Dangerous Type
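Four of the entries above (CVE-2026-2942, CVE-2026-4808, CVE-2026-3535 and CVE-2026-0740) are CWE-434 cases where the upload handler never checks the file type. The following added example is not code from any of those plugins; it is a stand-alone validator showing the checks such a handler needs: an extension allow-list rather than a deny-list, rejection of dangerous tokens anywhere in a multi-extension name, a content check with libmagic (PHP's finfo) against the MIME type the extension claims, and a server-chosen storage name so the client name never reaches the filesystem. The allow-list, the deny-list, the function name and the sample files are assumptions for illustration.

```php
<?php
// Added illustration of server-side upload validation; not code from any plugin
// listed above. The allow-list, deny-list and function name are assumptions.

const ALLOWED_TYPES = [        // extension => MIME type libmagic must report
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];
// Tokens that must not appear as ANY extension segment of the name: web servers
// configured with AddHandler/mod_mime may execute shell.php.png as PHP.
const DANGEROUS_EXT = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml',
                       'phar', 'phps', 'pht', 'shtml', 'cgi', 'pl', 'htaccess'];

/**
 * Validate an upload and return a server-chosen storage name, or null to reject.
 * $client_name is attacker-controlled; $tmp_path is the already-written temp file.
 */
function validate_upload(string $client_name, string $tmp_path): ?string {
    // Control characters and path separators in the client name: reject outright.
    if ($client_name === '' || preg_match('/[\x00-\x1f\/\\\\]/', $client_name) === 1) {
        return null;
    }
    $parts = explode('.', strtolower($client_name));
    if (count($parts) < 2) {
        return null;                           // no extension at all
    }
    $ext = array_pop($parts);
    foreach (array_merge($parts, [$ext]) as $token) {
        if (in_array($token, DANGEROUS_EXT, true)) {
            return null;                       // shell.php.png, x.phtml, ...
        }
    }
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;                           // allow-list, not deny-list
    }
    // Content check: the bytes must match the type the extension claims.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmp_path);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return null;                           // PHP source named image.png
    }
    // Never reuse the client name; pick the stored name server-side.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed samples: (client-supplied name, file bytes).
$png_header = "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16);
$php_source = "<?php system(\$_GET['c']); ?>";
$samples = [
    ['photo.png',     $png_header],            // genuine PNG signature: accepted
    ['shell.php',     $php_source],            // dangerous extension
    ['shell.php.png', $png_header],            // dangerous inner extension
    ['image.png',     $php_source],            // PHP bytes behind an image name
    ['../../x.png',   $png_header],            // path separators in the name
    ['noext',         $png_header],            // no extension
];
foreach ($samples as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $bytes);
    $stored = validate_upload($name, $tmp);
    printf("%-16s -> %s\n", $name, $stored ?? 'REJECTED');
    unlink($tmp);
}
```

Run with `php validate_upload.php`; only `photo.png` is accepted, and the returned name is random, so the client never chooses where or under what name the bytes land. The extension check alone would pass `image.png` carrying PHP source; the finfo content check is what rejects it, and the upload directory should additionally be served with script execution disabled so that a bypass of any single check is not immediately RCE.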
CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-5032 – W3 Total Cache <= 2.9.3 - Unauthenticated Security Token Exposure via User-Agent Header
https://notcve.org/view.php?id=CVE-2026-5032
02 Apr 2026 — The W3 Total Cache plugin for WordPress is vulnerable to information exposure in all versions up to, and including, 2.9.3. ... With the leaked W3TC_DYNAMIC_SECURITY token, an attacker can craft valid mfunc tags to execute arbitrary PHP code on the server, achieving remote code execution. • https://plugins.trac.wordpress.org/browser/w3-total-cache/tags/2.9.3/Generic_Plugin.php#L1016 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 1 • CVE-2026-1540 – Spam Protect for Contact Form 7 < 1.2.10 - Editor+ Remote Code Execution
https://notcve.org/view.php?id=CVE-2026-1540
02 Apr 2026 — The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows logging to a PHP file, which could allow an attacker with editor access to achieve Remote Code Execution by using a crafted header. • https://wpscan.com/vulnerability/ad00d1bb-ea8d-44a3-9064-6412804d9e95 • CWE-94: Improper Control of Generation of Code ('Code Injection')
