8 vulnerabilities across 8 products scored HIGH or above on June 06, 2026.
[MODERATE] davidanderson/all-in-one_security_(aios)_–_security_and_firewall
1 CVE | CVSS 3.1: 7.2 | AAS 8.5
The All-In-One Security (AIOS) – Security and Firewall WordPress plugin versions through 5.4.7 are vulnerable to Stored Cross-Site Scripting (CVE-2026-8438, CVSS 7.2) due to insufficient input sanitization and missing output escaping in REST API and debug logging functions. The vulnerability is exploitable when both the REST API restriction and debug logging features are enabled. WordPress site administrators should update to a patched version immediately, or disable the affected debug logging feature if updates cannot be deployed promptly.
- CVE-2026-8438 (CVSS 3.1: 7.2)
[MODERATE] clash_verge_rev/clash-verge-service-ipc
1 CVE | CVSS 3.1: 8.4 | AAS 7.7
clash-verge-service-ipc versions before 2.3.0 are vulnerable to local privilege escalation (CVE-2026-26422, CVSS 8.4) due to an IPC endpoint that is world-reachable and allows unprivileged local users to escalate privileges. The vulnerability affects users of Clash Verge Rev who have the service running on their systems. Users should update to version 2.3.0 or later immediately.
- CVE-2026-26422 (CVSS 3.1: 8.4)
[MODERATE] plugcrux/integration_for_freshsales_–_contact_form_7,_wpforms,_elementor,_gravity_forms_and_more
1 CVE | CVSS 3.1: 7.2 | AAS 7.5
The Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More WordPress plugin versions up to and including 1.0.15 are vulnerable to Stored Cross-Site Scripting (CVE-2026-8901, CVSS 7.2) due to insufficient input sanitization and output escaping in form submission handling. Unauthenticated attackers can inject malicious scripts through form submissions that will execute when administrators or users view the affected pages. WordPress site administrators should update to a patched version immediately.
- CVE-2026-8901 (CVSS 3.1: 7.2)
[MODERATE] 10web/photo_gallery_by_10web_–_mobile-friendly_image_gallery
1 CVE | CVSS 3.1: 6.5 | AAS 7.3
The Photo Gallery by 10Web – Mobile-Friendly Image Gallery WordPress plugin versions up to and including 1.8.41 are vulnerable to SQL Injection (CVE-2026-9829, CVSS 6.5) via the ‘compact_album_order_by’ shortcode parameter due to insufficient escaping and lack of prepared SQL statements. Authenticated attackers with contributor-level access or higher can exploit this vulnerability to execute arbitrary SQL queries and potentially access or modify sensitive database information. WordPress site administrators should update to a patched version immediately.
- CVE-2026-9829 (CVSS 3.1: 6.5)
[MODERATE] wpusermanager/wp_user_manager_–user_profile_builder&_membership
1 CVE | CVSS 3.1: 7.5 | AAS 7.3
The WP User Manager – User Profile Builder & Membership WordPress plugin versions up to and including 2.9.17 are vulnerable to Local File Inclusion (CVE-2026-9290, CVSS 7.5) via the profile template scope function, allowing unauthenticated attackers to include and execute arbitrary PHP files on the server. This vulnerability can be leveraged to bypass access controls, obtain sensitive information, or achieve remote code execution. WordPress site administrators should update to a patched version immediately and review server logs for exploitation attempts.
- CVE-2026-9290 (CVSS 3.1: 7.5)
[MODERATE] holithemes/click_to_chat_–_holithemes
1 CVE | CVSS 3.1: 6.4 | AAS 7.2
The Click to Chat – WA Widget WordPress plugin versions up to and including 4.38 are vulnerable to Stored Cross-Site Scripting (CVE-2026-7795, CVSS 6.4) via the [chat] shortcode ‘num’ parameter due to insufficient escaping of user-supplied values when embedded in JavaScript string literals within HTML event handlers. Attackers can inject malicious scripts through the shortcode parameter that will execute when pages containing the shortcode are viewed. WordPress site administrators should update to a patched version immediately.
- CVE-2026-7795 (CVSS 3.1: 6.4)
[MODERATE] wpdevteam/embedpress_–_pdf_embedder,_embed_pdf_viewer,_youtube_videos,_3d_flipbook,social_feeds&_more
1 CVE | CVSS 3.1: 6.4 | AAS 7.2
The EmbedPress – PDF Embedder, Embed PDF viewer, YouTube Videos, 3D FlipBook, Social feeds & more WordPress plugin versions up to and including 4.5.3 are vulnerable to Stored Cross-Site Scripting (CVE-2026-7796, CVSS 6.4) via the block ‘url’ attribute due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access or above can inject malicious scripts that will execute when users view the affected pages. WordPress site administrators should update to a patched version immediately.
- CVE-2026-7796 (CVSS 3.1: 6.4)
[MODERATE] masaakitanaka/booking_package
1 CVE | CVSS 3.1: 7.2 | AAS 7.0
The Booking Package WordPress plugin versions up to and including 1.7.16 are vulnerable to Privilege Escalation and Account Takeover (CVE-2026-9851, CVSS 7.2) due to a missing capability check on the ‘updateUser’ AJAX endpoint that allows attackers to elevate user privileges. An attacker can exploit this vulnerability to take over user accounts and escalate their own privileges to administrator level. WordPress site administrators should update to a patched version immediately.
- CVE-2026-9851 (CVSS 3.1: 7.2)