smub
Web & CMS Pluginscommercial
Latest CVEs
The 15 most recently published vulnerabilities affecting smub.
- CVE-2026-10038Charitable <= 1.8.11.1 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Attachment Deletion via 'avatar' Parameter4.3
- CVE-2026-5075All in One SEO <= 4.9.7 - Authenticated (Contributor+) Sensitive Information Exposure via 'internalOptions' Localized Script Data4.3
- CVE-2026-5361Envira Gallery <= 1.12.4 - Authenticated (Author+) Stored Cross-Site Scripting via 'arrows' Parameter6.4
- CVE-2026-5488ExactMetrics <= 9.1.2 - Authenticated (Subscriber+) Missing Authorization to Google Ads Access Token Retrieval via AJAX Action 'exactmetrics_ads_get_token'5.3
- CVE-2026-5464ExactMetrics <= 9.1.2 - Authenticated (Editor+) Arbitrary Plugin Installation/Activation via exactmetrics_connect_process7.2
- CVE-2026-3177Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More <= 1.8.9.7 - Insufficient Verification of Data Authenticity to Unauthenticated Donation Status Forgery via Stripe Webhook5.3
- CVE-2026-1463Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 4.0.4 - Authenticated (Author+) Local File Inclusion8.8
- CVE-2026-1992ExactMetrics 8.6.0 - 9.0.2 - Authenticated (Custom) Insecure Direct Object Reference to Arbitrary Plugin Installation8.8
- CVE-2026-1993ExactMetrics 7.1.0 - 9.0.2 - Authenticated (Custom) Improper Privilege Management to Role Privilege Escalation via Settings Update8.8
- CVE-2026-1236Envira Gallery for WordPress <= 1.12.3 - Authenticated (Author+) Stored Cross-Site Scripting via 'justified_gallery_theme' Parameter via REST API6.4
- CVE-2026-2471WP Mail Logging <= 1.15.0 - Unauthenticated PHP Object Injection via Email Log Message Field7.5
- CVE-2025-4577Smash Balloon Custom Facebook Feed <= 4.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-color` Attribute6.4
- CVE-2025-4670Easy Digital Downloads <= 3.3.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via edd_receipt Shortcode6.4
- CVE-2025-4583Smash Balloon Instagram Feed <= 6.9.0 (Free) & <= 6.8.0 (Pro) - Authenticated (Contributor+) Stored Cross-Site Scripting via `data-plugin` Attribute5.4
- CVE-2024-3554All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic <= 4.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode6.4