Publish Advisories

GHSA-26cj-h8gp-hcf9
GHSA-335p-m75m-6r4h
GHSA-3fvr-9rw3-q3hc
GHSA-6v8j-fjm8-rx99
GHSA-7254-7x79-hj7p
GHSA-72q5-4qh8-7556
GHSA-7vxf-c7r5-6293
GHSA-9pqx-6794-4f2c
GHSA-9xq4-wg7p-wrhx
GHSA-c9mq-hmrx-pjr6
GHSA-gjxr-jc3p-683p
GHSA-jf9w-ph66-r34h
GHSA-mq9w-94xx-6xxh
GHSA-mx27-m68w-fph6
GHSA-pxrw-3687-548v
GHSA-qrpm-ph3r-w26w
GHSA-rfmq-rw5v-3vw4
GHSA-rfq9-4wcm-64gh
GHSA-v88q-2f34-49rp
GHSA-w5rw-6rc6-433j
GHSA-w8xp-8wjp-8rcf
GHSA-xh3r-gpf9-2v95
GHSA-xv85-h7cp-9wff

Author: advisory-database[bot]

advisories/unreviewed/2026/02/GHSA-26cj-h8gp-hcf9/GHSA-26cj-h8gp-hcf9.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-26cj-h8gp-hcf9",
+  "modified": "2026-02-14T06:30:58Z",
+  "published": "2026-02-14T06:30:58Z",
+  "aliases": [
+    "CVE-2026-2027"
+  ],
+  "details": "The AMP Enhancer – Compatibility Layer for Official AMP Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the AMP Custom CSS setting in all versions up to, and including, 1.0.49 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2027"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/indonumberone/b373b970da88e87a218aed58d92ccfb2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/amp-enhancer/tags/1.0.49/admin/amp-enhancer-custom-css/amp-enhancer-custom-css.php#L13"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/amp-enhancer/trunk/admin/amp-enhancer-custom-css/amp-enhancer-custom-css.php#L13"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/14014260-e872-48d8-8788-f89dbeec2080?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-14T05:16:21Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-335p-m75m-6r4h/GHSA-335p-m75m-6r4h.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-335p-m75m-6r4h",
+  "modified": "2026-02-14T06:30:58Z",
+  "published": "2026-02-14T06:30:58Z",
+  "aliases": [
+    "CVE-2026-1754"
+  ],
+  "details": "The personal-authors-category plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL path in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1754"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/personal-authors-category/trunk/personal-authors-category.php#L169"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/personal-authors-category/trunk/personal-authors-category.php#L233"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6f57d5ec-bc2d-4dc4-b1b2-c5919986d198?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-14T05:16:19Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-3fvr-9rw3-q3hc/GHSA-3fvr-9rw3-q3hc.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3fvr-9rw3-q3hc",
+  "modified": "2026-02-14T06:30:58Z",
+  "published": "2026-02-14T06:30:58Z",
+  "aliases": [
+    "CVE-2026-1912"
+  ],
+  "details": "The Citations tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in the 'ctdoi' shortcode in all versions up to, and including, 0.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1912"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/citations-tools/tags/0.3.2/citations-tools.php#L28"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d1ee155a-3b4d-4b32-a1ec-86e0575e0ad8?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-14T05:16:19Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-6v8j-fjm8-rx99/GHSA-6v8j-fjm8-rx99.json

@@ -0,0 +1,25 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6v8j-fjm8-rx99",
+  "modified": "2026-02-14T06:30:57Z",
+  "published": "2026-02-14T06:30:57Z",
+  "aliases": [
+    "CVE-2026-26300"
+  ],
+  "details": "Rejected reason: Not used",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26300"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-14T04:15:57Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-7254-7x79-hj7p/GHSA-7254-7x79-hj7p.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7254-7x79-hj7p",
+  "modified": "2026-02-14T06:30:56Z",
+  "published": "2026-02-14T06:30:56Z",
+  "aliases": [
+    "CVE-2025-13681"
+  ],
+  "details": "The BFG Tools – Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied `first_file` parameter in the `zip()` function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files and directories outside the intended `/wp-content/plugins/` directory, which can contain sensitive information such as wp-config.php.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13681"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/bfg-tools-extension-zipper/tags/1.0.7/bfg-tools-extension-zipper.php#L290"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/bfg-tools-extension-zipper/trunk/bfg-tools-extension-zipper.php#L290"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3412948%40bfg-tools-extension-zipper&new=3412948%40bfg-tools-extension-zipper"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5bd95df9-4355-4d57-ba44-59280463e284?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-14T04:15:56Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-72q5-4qh8-7556/GHSA-72q5-4qh8-7556.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-72q5-4qh8-7556",
+  "modified": "2026-02-14T06:30:58Z",
+  "published": "2026-02-14T06:30:58Z",
+  "aliases": [
+    "CVE-2026-1164"
+  ],
+  "details": "The Easy Voice Mail plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘message’ parameter in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1164"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/easy-voice-mail/tags/1.2.5/admin/easy-voice-mail-admin.php#L149"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/easy-voice-mail/tags/1.2.5/public/easy-voice-mail-public.php#L44"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c7adf1fc-5123-49f8-92e5-b187b74f0e35?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-14T05:16:17Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-7vxf-c7r5-6293/GHSA-7vxf-c7r5-6293.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7vxf-c7r5-6293",
+  "modified": "2026-02-14T06:30:58Z",
+  "published": "2026-02-14T06:30:58Z",
+  "aliases": [
+    "CVE-2026-1904"
+  ],
+  "details": "The Simple Wp colorfull Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in the 'accordion' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1904"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/simple-wp-colorfull-accordion/tags/1.0/Simple-Wp-colorfull-Accordion.php#L60"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/simple-wp-colorfull-accordion/trunk/Simple-Wp-colorfull-Accordion.php#L60"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8444743c-ba57-4a51-990c-eb9058829d09?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-14T05:16:19Z"
+  }
+}

advisories/unreviewed/2026/02/GHSA-9pqx-6794-4f2c/GHSA-9pqx-6794-4f2c.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9pqx-6794-4f2c",
+  "modified": "2026-02-14T06:30:58Z",
+  "published": "2026-02-14T06:30:58Z",
+  "aliases": [
+    "CVE-2026-2144"
+  ],
+  "details": "The Magic Login Mail or QR Code plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.05. This is due to the plugin storing the magic login QR code image with a predictable, static filename (QR_Code.png) in the publicly accessible WordPress uploads directory during the email sending process. The file is only deleted after wp_mail() completes, creating an exploitable race condition window. This makes it possible for unauthenticated attackers to trigger a login link request for any user, including administrators, and then exploit the race condition between QR code file creation and deletion to obtain the login URL encoded in the QR code, thereby gaining unauthorized access to the targeted user's account.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2144"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/magic-login-mail/trunk/lib/class-magicloginmail.php#L250"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/magic-login-mail/trunk/lib/class-magicloginmail.php#L325"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/65066a17-653b-4444-9bd0-894ea8c1acb1?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-269"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-02-14T05:16:21Z"
+  }
+}