
stellarwp — Vulnerabilities & Security Advisories 115

Browse all 115 CVE security advisories affecting stellarwp. AI-powered Chinese analysis, POCs, and references for each vulnerability.

StellarWP primarily develops and maintains premium WordPress plugins, including the popular MemberPress platform for membership management and subscription billing. Historically, its software has been associated with a significant volume of Common Vulnerabilities and Exposures, totaling 115 recorded instances. These security issues predominantly involve cross-site scripting (XSS), SQL injection, and arbitrary file upload flaws, often stemming from insufficient input validation and weak access controls within plugin code. While the company generally responds to disclosed vulnerabilities, the high frequency of patches indicates persistent challenges in secure coding practices. Notable incidents include multiple remote code execution (RCE) vectors that allowed attackers to compromise WordPress installations without authentication. The sheer number of CVEs suggests that while the products are widely used, their security posture has frequently lagged behind industry standards, requiring users to prioritize timely updates and rigorous security auditing to mitigate risks associated with these historically common vulnerability classes.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-42643 | WordPress Image Widget plugin <= 4.4.11 - Cross Site Scripting (XSS) vulnerability | Image Widget | CWE-79 | 5.9 | Medium | 2026-04-29 |
| CVE-2026-42642 | WordPress GiveWP plugin <= 4.14.5 - Broken Access Control vulnerability | GiveWP | CWE-862 | 5.3 | Medium | 2026-04-29 |
| CVE-2026-2826 | Kadence Blocks — Page Builder Toolkit for Gutenberg Editor <= 3.6.3 - Missing Authorization to Authenticated (Contributor+) Media Upload | Kadence Blocks — Page Builder Toolkit for Gutenberg Editor | CWE-862 | 4.3 | Medium | 2026-04-04 |
| CVE-2026-32546 | WordPress Restrict Content plugin <= 3.2.22 - Broken Access Control vulnerability | Restrict Content | CWE-862 | 7.5 | High | 2026-03-25 |
| CVE-2026-3079 | LearnDash LMS <= 5.0.3 - Authenticated (Contributor+) SQL Injection via 'filters[orderby_order]' Parameter | LearnDash LMS | CWE-89 | 6.5 | Medium | 2026-03-24 |
| CVE-2026-4136 | Membership Plugin – Restrict Content <= 3.2.24 - Unvalidated Redirect in Password Reset Flow via rcp_redirect | Membership Plugin – Restrict Content | CWE-640 | 4.3 | Medium | 2026-03-20 |
| CVE-2026-3585 | The Events Calendar <= 6.15.17 - Authenticated (Author+) Arbitrary File Read via ajax_create_import | The Events Calendar | CWE-22 | 7.5 | High | 2026-03-10 |
| CVE-2026-1321 | Membership Plugin – Restrict Content <= 3.2.20 - Unauthenticated Privilege Escalation via 'rcp_level' | Membership Plugin – Restrict Content | CWE-862 | 8.1 | High | 2026-03-05 |
| CVE-2026-2694 | The Events Calendar <= 6.15.16 - Improper Authorization to Authenticated (Contributor+) Event/Organizer/Venue Update/Trash via REST API | The Events Calendar | CWE-285 | 5.4 | Medium | 2026-02-25 |
| CVE-2026-27056 | WordPress iThemes Sync plugin <= 3.2.8 - Broken Access Control vulnerability | iThemes Sync | CWE-862 | 4.3 | Medium | 2026-02-19 |
| CVE-2026-2633 | Gutenberg Blocks with AI by Kadence WP <= 3.6.1 - Missing Authorization to Authenticated (Contributor+) Unauthorized Media Upload | Kadence Blocks — Page Builder Toolkit for Gutenberg Editor | CWE-862 | 4.3 | Medium | 2026-02-18 |
| CVE-2026-1857 | Gutenberg Blocks with AI by Kadence WP <= 3.6.1 - Authenticated (Contributor+) Server-Side Request Forgery via 'endpoint' Parameter | Kadence Blocks — Page Builder Toolkit for Gutenberg Editor | CWE-918 | 4.3 | Medium | 2026-02-18 |
| CVE-2026-1304 | Membership Plugin – Restrict Content <= 3.2.18 - Authenticated (Administrator+) Stored Cross-Site Scripting via Invoice Settings | Membership Plugin – Restrict Content | CWE-79 | 4.4 | Medium | 2026-02-18 |
| CVE-2026-2608 | Gutenberg Blocks by Kadence Blocks <= 3.5.32 - Missing Authorization | Kadence Blocks — Page Builder Toolkit for Gutenberg Editor | CWE-862 | 4.3 | Medium | 2026-02-17 |
| CVE-2025-15043 | The Events Calendar <= 6.15.13 - Missing Authorization to Authenticated (Subscriber+) Data Migration Control | The Events Calendar | CWE-862 | 5.4 | Medium | 2026-01-20 |
| CVE-2025-14844 | Membership Plugin – Restrict Content <= 3.2.16 - Missing Authentication to Insecure Direct Object Reference and Sensitive Information Exposure | Membership Plugin – Restrict Content | CWE-639 | 8.2 | High | 2026-01-16 |
| CVE-2025-69352 | WordPress The Events Calendar plugin <= 6.15.12.2 - Broken Access Control vulnerability | The Events Calendar | CWE-862 | 5.4 | Medium | 2026-01-06 |
| CVE-2025-14000 | Membership Plugin – Restrict Content <= 3.2.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes | Membership Plugin – Restrict Content | CWE-79 | 6.4 | Medium | 2025-12-23 |
| CVE-2025-67467 | WordPress GiveWP plugin <= 4.13.1 - Cross Site Request Forgery (CSRF) vulnerability | GiveWP | CWE-352 | 5.4 | Medium | 2025-12-09 |
| CVE-2025-66533 | WordPress GiveWP plugin <= 4.13.1 - Arbitrary Shortcode Execution vulnerability | GiveWP | CWE-94 | 6.5 | Medium | 2025-12-09 |
| CVE-2025-13387 | Kadence WooCommerce Email Designer <= 1.5.17 - Unauthenticated Stored Cross-Site Scripting | Kadence WooCommerce Email Designer | CWE-79 | 7.2 | High | 2025-12-02 |
| CVE-2025-13206 | GiveWP - Donation Plugin and Fundraising Platform <= 4.13.0 - Unauthenticated Stored Cross-Site Scripting via 'name' | GiveWP – Donation Plugin and Fundraising Platform | CWE-79 | 7.2 | High | 2025-11-19 |
| CVE-2025-12633 | Booking Calendar \| Appointment Booking \| Bookit <= 2.5.0 - Missing Authorization to Unauthenticated Stripe Connection | Bookit — Booking & Appointment Calendar | CWE-862 | 7.5 | High | 2025-11-12 |
| CVE-2025-12192 | The Events Calendar <= 6.15.9 - Sysinfo Key Incorrect Comparison to Unauthenticated Sensitive Information Exposure | The Events Calendar | CWE-697 | 5.3 | Medium | 2025-11-05 |
| CVE-2025-12197 | The Events Calendar 6.15.1.1 - 6.15.9 - Unauthenticated SQL Injection via s | The Events Calendar | CWE-89 | 7.5 | High | 2025-11-05 |
| CVE-2025-12175 | The Events Calendar <= 6.15.9 - Missing Authorization to Authenticated (Subscriber+) Draft Event Title/QR Code Exposure | The Events Calendar | CWE-862 | 4.3 | Medium | 2025-10-31 |
| CVE-2025-62027 | WordPress Event Tickets plugin <= 5.26.3 - Broken Access Control vulnerability | Event Tickets | CWE-862 | 5.4 | Medium | 2025-10-22 |
| CVE-2025-49906 | WordPress WPComplete plugin <= 2.9.5.3 - Broken Access Control vulnerability | WPComplete | CWE-862 | 5.3 | Medium | 2025-10-22 |
| CVE-2025-11517 | Event Tickets and Registration <= 5.26.5 - Unauthenticated Ticket Payment Bypass | Event Tickets and Registration | CWE-639 | 7.5 | High | 2025-10-18 |
| CVE-2025-11228 | GiveWP – Donation Plugin and Fundraising Platform <= 4.10.0 - Missing Authorization to Unauthenticated Forms-Campaign Association | GiveWP – Donation Plugin and Fundraising Platform | CWE-862 | 5.3 | Medium | 2025-10-04 |

This page lists every published CVE security advisory associated with stellarwp. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.