The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 2.2.1. This is due to the plugin accepting the payment amount directly from user-controlled POST data in the 'create_payment_intent' and 'create_subscription_intent' functions without validating it against the form's configured price. This makes it [truncated]
A remote code execution vulnerability exists in the Spectra Gutenberg Blocks – Website Builder for the Block Editor WordPress plugin (also known as Ultimate Addons for Gutenberg). The flaw affects all versions up to and including 2.19.25. An authenticated attacker with Contributor-level access or higher can execute arbitrary code on the server by embedding a crafted two-block payload in post content. The [truncated]
CVE-2026-9065 is a critical authenticated SQL injection vulnerability affecting SureCart versions prior to 4.2.1. The vulnerability resides in the REST API endpoint `/surecart/v1/integrations/{id}` and can be exploited through multiple parameters: `model_name`, `model_id`, `integration_id`, and `provider`. The root cause is a flawed escaping bypass in the `wp-query-builder` query builder. Values passed to [truncated]