CVE Tools

smub

Web & CMS Pluginscommercial

37

Cumulative CVEs

7

Monthly snapshots

#125

Peak rank

Top products

athemes addons for elementor1 charitable – donation plugin for wordpress – fundraising with recurring donations & more1 wpforms – easy form builder for wordpress – contact forms, payment forms, surveys, & more1

Latest CVEs

The 15 most recently published vulnerabilities affecting smub.

CVE-2026-8613aThemes Addons for Elementor <= 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title_tag' Widget Setting6.4Jun 10, 2026
CVE-2026-7792WPForms <= 1.10.0.4 - Unauthenticated Insufficient Verification of Data Authenticity via PayPal Commerce Webhook Endpoint5.3Jun 6, 2026
CVE-2026-10038Charitable <= 1.8.11.1 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Attachment Deletion via 'avatar' Parameter4.3Jun 5, 2026
CVE-2026-7526PDF Embedder <= 4.9.3 - Authenticated (Contributor+) Information Exposure via Block Editor Page4.3May 28, 2026
CVE-2026-7533Easy Digital Downloads <= 3.6.7 - Cross-Site Request Forgery to Payment Account Hijacking via 'square_tokens' Parameter4.3May 28, 2026
CVE-2026-8832WPCode <= 2.3.5 - Authenticated (Author+) Remote Code Execution via CPT Capability Bypass via XML-RPC wp.newPost8.8May 27, 2026
CVE-2026-7636Slider by Soliloquy <= 2.8.1 - Authenticated (Subscriber+) Information Disclosure via REST API Endpoint4.3May 22, 2026
CVE-2026-6566Photo Gallery, Sliders, Proofing and Themes <= 4.2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Image Deletion via REST API4.3May 20, 2026
CVE-2026-5075All in One SEO <= 4.9.7 - Authenticated (Contributor+) Sensitive Information Exposure via 'internalOptions' Localized Script Data4.3May 20, 2026
CVE-2026-5361Envira Gallery <= 1.12.4 - Authenticated (Author+) Stored Cross-Site Scripting via 'arrows' Parameter6.4May 14, 2026
CVE-2026-6177Custom Twitter Feeds <= 2.5.4 - Unauthenticated Stored Cross-Site Scripting via Cached Tweet Text7.2May 13, 2026
CVE-2026-7619Charitable <= 1.8.10.4 - Authenticated (Custom+) SQL Injection via 's' Search Parameter6.5May 13, 2026
CVE-2026-5488ExactMetrics <= 9.1.2 - Authenticated (Subscriber+) Missing Authorization to Google Ads Access Token Retrieval via AJAX Action 'exactmetrics_ads_get_token'5.3Apr 24, 2026
CVE-2026-5464ExactMetrics <= 9.1.2 - Authenticated (Editor+) Arbitrary Plugin Installation/Activation via exactmetrics_connect_process7.2Apr 23, 2026
CVE-2026-3177Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More <= 1.8.9.7 - Insufficient Verification of Data Authenticity to Unauthenticated Donation Status Forgery via Stripe Webhook5.3Apr 7, 2026