70 CVEs tracked today. 7 Critical, 15 High, 45 Medium, 2 Low.
-
CVE-2026-24399
CRITICAL
CVSS 9.3
Stored XSS in ChatterMate AI chatbot framework versions 1.0.8 and below. The chatbot accepts and renders malicious HTML/JavaScript from user input. PoC and patch available.
XSS
AI / ML
Chattermate
-
CVE-2026-22586
CRITICAL
CVSS 9.8
Hardcoded cryptographic key in Salesforce Marketing Cloud Engagement used across CloudPages, Forward to a Friend, Profile Center, and Subscription Center. Fourth of the four critical Salesforce Marketing Cloud Engagement CVEs in this list.
Information Disclosure
Marketing Cloud Engagement
-
CVE-2026-22585
CRITICAL
CVSS 9.8
Use of broken/risky cryptographic algorithm in Salesforce Marketing Cloud Engagement affecting CloudPages, Forward to a Friend, Profile Center, and Subscription Center components.
Information Disclosure
Marketing Cloud Engagement
-
CVE-2026-22583
CRITICAL
CVSS 9.8
Argument injection in the Salesforce Marketing Cloud Engagement CloudPagesURL component; shares its root cause with CVE-2026-22582 (MicrositeURL).
Code Injection
Marketing Cloud Engagement
-
CVE-2026-22582
CRITICAL
CVSS 9.8
Argument injection in Salesforce Marketing Cloud Engagement MicrositeURL component allows command execution. First of four critical Salesforce Marketing Cloud CVEs.
Code Injection
Marketing Cloud Engagement
-
CVE-2025-13952
CRITICAL
CVSS 9.8
Write-after-free in a browser's GPU compiler process, triggered by unusual GPU shader code loaded from a web page and reached through WebGPU shader compilation.
Use After Free
Denial Of Service
Ddk
-
CVE-2025-13374
CRITICAL
CVSS 9.8
Arbitrary file upload in Kalrav AI Agent WordPress plugin due to missing file type validation in the kalrav_upload_file AJAX action.
WordPress
RCE
AI / ML
PHP
-
CVE-2026-24469
HIGH
CVSS 7.5
C++ HTTP Server versions 1.0 and below are vulnerable to path traversal in the RequestHandler::handleRequest method: the URL path of an HTTP GET request is concatenated directly onto the base directory without sanitization, so an unauthenticated remote attacker can read arbitrary files from the server filesystem by sending directory traversal sequences in the path. No patch is currently available.
Path Traversal
-
CVE-2026-24412
HIGH
CVSS 8.8
Heap buffer overflow in iccDEV versions 2.3.1.1 and below allows remote code execution through maliciously crafted ICC color profile data submitted to the CIccTagXmlSegmentedCurve::ToXml() function. Public exploit code exists for this vulnerability, enabling attackers to achieve denial of service, data manipulation, and arbitrary code execution with no authentication required. The vulnerability affects all users of the vulnerable iccDEV library versions and has been resolved in version 2.3.1.2.
Buffer Overflow
Iccdev
-
CVE-2026-24411
HIGH
CVSS 7.1
iccDEV versions 2.3.1.1 and earlier contain unsafe handling of user-supplied input in the CIccTagXmlSegmentedCurve::ToXml() function, enabling remote attackers to trigger undefined behavior in ICC profile parsing. Public exploit code exists for this vulnerability, which can lead to denial of service, data manipulation, or arbitrary code execution. Upgrade to version 2.3.1.2 to remediate.
Denial Of Service
RCE
Code Injection
Iccdev
-
CVE-2026-24410
HIGH
CVSS 7.1
iccDEV versions 2.3.1.1 and below are vulnerable to null pointer dereference in CIccProfileXml::ParseBasic() when processing maliciously crafted ICC color profiles, allowing remote attackers to trigger denial of service or data manipulation without user interaction. Public exploit code exists for this vulnerability, which affects applications using the iccDEV libraries for color profile handling. The vulnerability has been patched in version 2.3.1.2.
Null Pointer Dereference
Iccdev
-
CVE-2026-24409
HIGH
CVSS 7.1
Null pointer dereference in iccDEV versions 2.3.1.1 and below allows remote attackers to trigger denial of service or data manipulation via maliciously crafted ICC color profile data, with public exploit code currently available. The vulnerability stems from unsafe handling of user-controllable input in the CIccTagXmlFloatNum<>::ParseXml() function and may enable code execution depending on application context. Upgrade to version 2.3.1.2 to remediate.
Null Pointer Dereference
Iccdev
-
CVE-2026-24407
HIGH
CVSS 7.1
iccDEV versions 2.3.1.1 and earlier allow remote attackers to trigger undefined behavior in the icSigCalcOp() function through malicious ICC color profiles, enabling denial of service, data manipulation, or potential code execution. The vulnerability stems from unsafe handling of user-controllable input in binary profile data, and public exploit code exists. Affected organizations should upgrade to version 2.3.1.2 or later.
Denial Of Service
RCE
Code Injection
Iccdev
-
CVE-2026-24406
HIGH
CVSS 8.8
Heap buffer overflow in iccDEV versions 2.3.1.1 and below allows remote code execution when processing maliciously crafted ICC color profiles, with public exploit code currently available. An unauthenticated attacker can trigger the vulnerability through user-supplied input to the CIccTagNamedColor2::SetSize() function, enabling arbitrary code execution, denial of service, or data manipulation. The vulnerability has been patched in version 2.3.1.2.
Buffer Overflow
Iccdev
-
CVE-2026-24405
HIGH
CVSS 8.8
Heap buffer overflow in iccDEV versions 2.3.1.1 and earlier allows remote code execution through maliciously crafted ICC color profiles when user input is processed by CIccMpeCalculator::Read(). Public exploit code exists for this vulnerability, enabling attackers to execute arbitrary code, cause denial of service, or manipulate application data. The vulnerability is fixed in version 2.3.1.2.
Buffer Overflow
Iccdev
-
CVE-2026-24404
HIGH
CVSS 7.1
iccDEV versions 2.3.1.1 and below contain a null pointer dereference in the CIccXmlArrayType() function that allows remote attackers to trigger denial of service, data manipulation, or potentially achieve code execution through crafted ICC profile data. The vulnerability stems from unsafe handling of user-controlled input in binary structured data and has public exploit code available. Upgrade to version 2.3.1.2 or later to remediate.
Null Pointer Dereference
Iccdev
-
CVE-2026-24403
HIGH
CVSS 7.1
Integer overflow in iccDEV's ICC profile parsing (versions 2.3.1.1 and below) allows remote attackers to corrupt memory or trigger denial of service by crafting malicious profile headers with tampered tag tables or offset fields, with public exploit code available. The vulnerability can potentially enable arbitrary code execution or bypass security checks in applications using affected iccDEV libraries. Users should upgrade to version 2.3.1.2 or later to remediate this risk.
Integer Overflow
Memory Corruption
Iccdev
-
CVE-2026-24136
HIGH
CVSS 7.5
Unauthenticated attackers can exploit an insecure direct object reference in the Saleor e-commerce platform, versions 3.2.0 through 3.22.28, to retrieve sensitive customer information, including personally identifiable data in plain text, through the order() GraphQL query. The flaw affects multiple version branches and has been patched in releases 3.20.110, 3.21.45, and 3.22.29. Organizations unable to patch immediately should implement WAF rules to restrict non-staff access to order queries.
Authentication Bypass
Saleor
-
CVE-2026-1257
HIGH
CVSS 7.5
The Administrative Shortcodes plugin for WordPress through version 0.3.4 allows authenticated contributors and above to execute arbitrary PHP code via insufficient path validation in the get_template shortcode's slug parameter. An attacker with contributor-level permissions can exploit this local file inclusion vulnerability to include malicious files, bypass access controls, and achieve remote code execution on the affected server. A patch is not currently available for this vulnerability.
WordPress
PHP
Lfi
-
CVE-2026-0911
HIGH
CVSS 7.5
Arbitrary file uploads in the Hustle WordPress plugin (versions up to 7.8.9.2) allow authenticated low-privileged users with granted module permissions to bypass file type validation and upload malicious files, potentially enabling remote code execution. An attacker with Subscriber-level access or higher can exploit improper validation in the action_import_module() function if an administrator grants them Hustle module editing capabilities. No patch is currently available, leaving affected WordPress installations vulnerable until an update is released.
WordPress
RCE
-
CVE-2026-0807
HIGH
CVSS 7.2
Unauthenticated attackers can exploit a Server-Side Request Forgery vulnerability in the WordPress Frontis Blocks plugin (versions up to 1.1.6) through unvalidated URL parameters in the template proxy endpoints to perform arbitrary web requests from the affected server. This allows an attacker to scan internal networks, access local services, or exfiltrate sensitive data without authentication. No patch is currently available.
WordPress
SSRF
-
CVE-2026-0800
HIGH
CVSS 7.2
Stored cross-site scripting in the User Submitted Posts WordPress plugin through version 20251210 allows unauthenticated attackers to inject malicious scripts via custom fields due to inadequate input sanitization. The injected scripts execute in the browsers of any user viewing affected pages, potentially compromising user sessions and data. No patch is currently available.
WordPress
XSS
-
CVE-2026-24422
MEDIUM
CVSS 5.3
Insufficient access controls in phpMyFAQ 4.0.16 and below expose sensitive information, including user email addresses and non-public content, through multiple API endpoints, allowing unauthenticated attackers to harvest data for phishing or to read private records. Public exploit code exists for this vulnerability. Upgrading to version 4.0.17 or later remediates the exposure.
Information Disclosure
Phpmyfaq
-
CVE-2026-24421
MEDIUM
CVSS 6.5
phpMyFAQ versions 4.0.16 and below allow authenticated users to access the backup API endpoint without proper authorization checks, enabling them to download configuration files containing sensitive data. The vulnerability stems from incomplete authorization validation in SetupController.php, which only verifies authentication rather than admin permissions. Public exploit code exists for this issue, and no patch is currently available.
PHP
Phpmyfaq
-
CVE-2026-24420
MEDIUM
CVSS 6.5
Authenticated users in phpMyFAQ 4.0.16 and below can bypass permission checks to download FAQ attachments they should not have access to, due to improper validation of authorization tokens in attachment.php and flawed permission logic. An attacker with valid credentials but without the dlattachment permission can exploit this to retrieve sensitive attachment content. Public exploit code exists for this vulnerability, and no patch is currently available.
PHP
Phpmyfaq
-
CVE-2026-24401
MEDIUM
CVSS 6.5
Avahi daemon versions 0.9rc2 and below can be crashed remotely by sending a specially crafted mDNS response containing a CNAME record that points to itself, which triggers unbounded recursion and stack exhaustion. This affects systems using multicast record browsers, including those relying on nss-mdns for service discovery. A patch is available for affected installations.
Denial Of Service
Avahi
Redhat
Suse
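The recursion described in the Avahi entry, as an added example that is not Avahi code: a small record cache in the shape of an mDNS cache and two CNAME resolvers over it, one recursing without a bound (the failure mode above) and one walking the chain iteratively with a hop limit and loop detection. The records, including the self-referential CNAME and the long h0..h10 chain, are constructed for the example.

```javascript
// Added example, not Avahi code. A record cache and two CNAME resolvers: one
// that recurses without a bound, which is the failure mode the advisory
// describes, and one that walks the chain iteratively with a hop limit and a
// visited set. All records are constructed for the example.

const RECORDS = {
  'printer.local.': [{ type: 'A', data: '192.0.2.10' }],
  'scanner.local.': [{ type: 'CNAME', data: 'printer.local.' }],
  'loop.local.':    [{ type: 'CNAME', data: 'loop.local.' }], // points at itself
  'a.local.':       [{ type: 'CNAME', data: 'b.local.' }],
  'b.local.':       [{ type: 'CNAME', data: 'a.local.' }],    // two-name cycle
};
// A long but acyclic chain: h0 -> h1 -> ... -> h10 -> A record.
for (let i = 0; i < 10; i++) {
  RECORDS[`h${i}.local.`] = [{ type: 'CNAME', data: `h${i + 1}.local.` }];
}
RECORDS['h10.local.'] = [{ type: 'A', data: '192.0.2.20' }];

function lookup(name) {
  return Object.prototype.hasOwnProperty.call(RECORDS, name) ? RECORDS[name] : [];
}

// Unbounded: follows CNAME targets until an A record appears. On the
// self-referential record it never gets there; Node raises RangeError once the
// call stack is exhausted, where a C daemon would crash outright.
function resolveUnbounded(name) {
  for (const rr of lookup(name)) {
    if (rr.type === 'A') return rr.data;
    if (rr.type === 'CNAME') return resolveUnbounded(rr.data);
  }
  return null;
}

const MAX_CNAME_HOPS = 8; // assumed limit; any small constant works

// Bounded: iterative, so no stack growth at all, plus a visited set for cycles
// and a hop counter for chains that are long without repeating.
function resolveBounded(name) {
  const seen = new Set();
  let current = name;
  for (let hops = 0; hops <= MAX_CNAME_HOPS; hops++) {
    if (seen.has(current)) return { error: 'cname-loop', chain: [...seen] };
    seen.add(current);
    const rrset = lookup(current);
    const a = rrset.find((rr) => rr.type === 'A');
    if (a) return { address: a.data, hops };
    const cname = rrset.find((rr) => rr.type === 'CNAME');
    if (!cname) return { error: 'nxdomain', chain: [...seen] };
    current = cname.data;
  }
  return { error: 'cname-chain-too-long', chain: [...seen] };
}

for (const name of ['scanner.local.', 'loop.local.', 'a.local.', 'h0.local.', 'missing.local.']) {
  console.log(name.padEnd(16), JSON.stringify(resolveBounded(name)));
}
```

The visited set alone would not stop an attacker who supplies a very long chain of distinct names, and the hop counter alone would still let a short loop burn all its hops on every query; the bounded resolver uses both.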
-
CVE-2026-24139
MEDIUM
CVSS 6.5
MyTube versions 1.7.78 and earlier allow authenticated users to bypass authorization controls and export the complete application database without proper permission validation. An attacker with guest-level access can retrieve sensitive data they are not authorized to access through the unprotected database export endpoint. A patch is available to address this authorization bypass vulnerability.
Authentication Bypass
Information Disclosure
Mytube
-
CVE-2026-24128
MEDIUM
CVSS 6.1
Reflected XSS in XWiki Platform versions 7.0 through 17.7.0 enables attackers to craft malicious URLs that execute arbitrary actions with victim privileges, potentially leading to full installation compromise if the victim holds administrative or programming rights. The vulnerability requires user interaction to trigger and affects multiple version branches across the XWiki and XWiki Rendering products. Patches are available for affected versions, and a manual workaround exists that requires modification of a single line in the logging_macros.vm template without requiring a restart.
XSS
Xwiki
Xwiki Rendering
-
CVE-2026-1302
MEDIUM
CVSS 4.4
Stored XSS in Meta-box GalleryMeta plugin through WordPress admin settings allows authenticated editors and higher-privileged users to inject malicious scripts that execute for site visitors, affecting only multisite installations or those with unfiltered_html disabled. The vulnerability stems from inadequate input sanitization and output escaping in plugin versions up to 3.0.1, with no patch currently available.
WordPress
XSS
-
CVE-2026-1300
MEDIUM
CVSS 4.4
Stored XSS in the WordPress Responsive Header plugin through version 1.0 allows authenticated administrators to inject malicious scripts into plugin settings that execute for all users viewing affected pages. This impacts multi-site WordPress installations or those with unfiltered_html disabled, requiring high privilege access and manual user interaction to trigger exploitation. No patch is currently available.
WordPress
XSS
-
CVE-2026-1266
MEDIUM
CVSS 4.4
Stored XSS in WordPress Postalicious plugin through version 3.0.1 allows authenticated administrators to inject malicious scripts into admin settings that execute for all users viewing affected pages. The vulnerability requires high privileges and only impacts multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.
WordPress
XSS
-
CVE-2026-1208
MEDIUM
CVSS 4.3
The Friendly Functions for Welcart WordPress plugin is affected by cross-site request forgery (CSRF).
WordPress
CSRF
-
CVE-2026-1191
MEDIUM
CVSS 4.4
Stored cross-site scripting in the JavaScript Notifier WordPress plugin through version 1.2.8 allows administrators to inject malicious scripts into website pages due to improper input sanitization in plugin settings. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. This requires administrator-level access to exploit but affects all website visitors who view the compromised pages.
WordPress
XSS
-
CVE-2026-1189
MEDIUM
CVSS 6.4
Stored XSS in the WordPress LeadBI plugin, versions through 1.7, allows authenticated contributors and above to inject malicious scripts through the 'form_id' shortcode parameter due to missing input sanitization, enabling attackers to execute arbitrary JavaScript in pages viewed by other users. The vulnerability requires user authentication and currently lacks a vendor patch.
WordPress
XSS
-
CVE-2026-1127
MEDIUM
CVSS 6.1
Reflected XSS in WordPress Timeline Event History plugin (versions up to 3.2) allows unauthenticated attackers to inject arbitrary JavaScript through the unvalidated `id` parameter. An attacker can craft a malicious link to execute scripts in a victim's browser if they click it, potentially leading to session hijacking or credential theft. No patch is currently available.
WordPress
XSS
-
CVE-2026-1103
MEDIUM
CVSS 5.4
AIKTP plugin for WordPress versions up to 5.0.04 allows authenticated subscribers to retrieve administrator access tokens through an insufficiently protected REST API endpoint, enabling attackers to create posts, upload files, and access private content with admin privileges. The vulnerability stems from missing authorization checks that only verify user login status rather than administrative capabilities. No patch is currently available.
WordPress
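The Saleor order() query, the phpMyFAQ backup endpoint, the MyTube database export and the AIKTP token endpoint above all share one defect: the handler checks that a caller exists (or is logged in) but not that the caller is allowed to do this. As an added example, not code from any of those projects, one authorization guard that makes the two checks they lack: a capability check tied to the caller's role, and an ownership check for records that belong to someone. Routes, roles, capabilities and the sample records are assumptions made for the example.

```javascript
// Added example, not code from Saleor, phpMyFAQ, MyTube or the AIKTP plugin.
// A deny-by-default guard with a capability check and an ownership check.
// Roles, capabilities, routes and the records are assumed for the example.

const ROLE_CAPABILITIES = {
  guest: new Set(),
  user:  new Set(['order:read_own']),
  staff: new Set(['order:read_own', 'order:read_any']),
  admin: new Set(['order:read_own', 'order:read_any', 'config:backup',
                  'db:export', 'token:issue']),
};

// Each route declares what it needs. ownerCapability marks a route where a
// caller without the broad capability may still read a record they own.
const ROUTE_POLICY = {
  'GET /api/backup':      { capability: 'config:backup' },
  'GET /api/db/export':   { capability: 'db:export' },
  'GET /api/admin-token': { capability: 'token:issue' },
  'GET /api/orders/:id':  { capability: 'order:read_any', ownerCapability: 'order:read_own' },
};

function hasCapability(user, capability) {
  if (!user) return false;
  const caps = ROLE_CAPABILITIES[user.role];
  return caps !== undefined && caps.has(capability);
}

// The flawed check the advisories describe: any authenticated session passes.
function authorizeLoginOnly(user) {
  return user ? 200 : 401;
}

// Returns an HTTP status: 401 for no session, 403 for an authenticated caller
// without the right, 404 for a route with no declared policy (deny by default).
function authorize(user, route, record) {
  const policy = ROUTE_POLICY[route];
  if (!policy) return 404;
  if (!user) return 401;
  if (hasCapability(user, policy.capability)) return 200;
  if (policy.ownerCapability && hasCapability(user, policy.ownerCapability)
      && record && record.ownerId === user.id) return 200;
  return 403;
}

// Constructed principals and a constructed order.
const customer = { id: 42, role: 'user' };
const otherCustomer = { id: 43, role: 'user' };
const guest = { id: 7, role: 'guest' };
const admin = { id: 1, role: 'admin' };
const order = { id: 'ord-1001', ownerId: 42 };

console.log('login-only, guest exporting DB:', authorizeLoginOnly(guest));
console.log('guarded,    guest exporting DB:', authorize(guest, 'GET /api/db/export'));
console.log('guarded,    other customer reading order:', authorize(otherCustomer, 'GET /api/orders/:id', order));
```

An unknown role or an unknown route yields a refusal rather than a pass, which is what makes the guard safe to extend: a new endpoint that forgets to declare a policy is closed, not open.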
-
CVE-2026-1099
MEDIUM
CVSS 6.4
Stored cross-site scripting in the WordPress Administrative Shortcodes plugin through version 0.3.4 allows authenticated contributors and higher-privileged users to inject malicious scripts into pages via insufficiently sanitized shortcode attributes; the injected JavaScript runs when other users visit the affected pages. The vulnerability requires user interaction and authenticated access but can impact site visitors through persistent payload injection. No patch is currently available.
WordPress
XSS
-
CVE-2026-1098
MEDIUM
CVSS 6.4
Stored cross-site scripting in CM CSS Columns plugin for WordPress through version 1.2.1 allows authenticated contributors and higher-privileged users to inject malicious scripts via improperly sanitized shortcode attributes. When other users view pages containing the injected content, the malicious scripts execute in their browsers, potentially compromising their accounts or stealing sensitive information. No patch is currently available.
WordPress
XSS
-
CVE-2026-1097
MEDIUM
CVSS 6.4
Stored XSS in the ThemeRuby Multi Authors WordPress plugin through version 1.0.0 allows authenticated contributors and above to inject malicious scripts via unescaped shortcode attributes that execute in other users' browsers. The vulnerability stems from insufficient input sanitization on the 'before' and 'after' parameters, enabling attackers to compromise page content viewed by site visitors. No patch is currently available for this medium-severity vulnerability.
WordPress
XSS
-
CVE-2026-1095
MEDIUM
CVSS 6.4
Stored XSS in the Canto Testimonials WordPress plugin through the 'fx' shortcode attribute allows authenticated users with Contributor access or higher to inject malicious scripts that persist in pages and execute for all visitors. The vulnerability stems from inadequate input sanitization and output escaping in versions up to 1.0, requiring an authenticated attacker but no user interaction. No patch is currently available.
WordPress
XSS
-
CVE-2026-1088
MEDIUM
CVSS 4.3
WordPress Login Page Editor plugin through version 1.2 lacks CSRF protections on its AJAX settings handler, allowing attackers to modify login page configuration by tricking administrators into visiting malicious links. An unauthenticated attacker can exploit this to alter plugin settings without direct authorization, potentially affecting site security or functionality. No patch is currently available.
WordPress
CSRF
-
CVE-2026-1084
MEDIUM
CVSS 4.4
The Cookie consent for developers WordPress plugin is affected by cross-site scripting (XSS).
WordPress
XSS
-
CVE-2026-1081
MEDIUM
CVSS 4.3
The Set Bulk Post Categories WordPress plugin is affected by cross-site request forgery (CSRF).
WordPress
CSRF
-
CVE-2026-1076
MEDIUM
CVSS 4.3
The Star Review Manager WordPress plugin through version 1.2.2 lacks CSRF protections on its settings page, allowing unauthenticated attackers to modify CSS settings by tricking administrators into clicking a malicious link. Site administrators are at risk of unwanted plugin configuration changes that could alter site appearance or functionality. No patch is currently available for this vulnerability.
WordPress
CSRF
-
CVE-2026-1075
MEDIUM
CVSS 4.3
The ZT Captcha plugin for WordPress through version 1.0.4 contains a cross-site request forgery vulnerability due to insufficient nonce validation that can be bypassed with an empty token. An unauthenticated attacker can exploit this to modify plugin settings by tricking an administrator into clicking a malicious link. No patch is currently available.
WordPress
CSRF
-
CVE-2026-1070
MEDIUM
CVSS 4.3
The Alex User Counter WordPress plugin through version 6.0 contains a cross-site request forgery vulnerability in its settings function due to missing nonce validation, allowing unauthenticated attackers to modify plugin configuration if they can socially engineer site administrators into clicking a malicious link. The vulnerability has a low barrier to exploitation since it requires only network access and user interaction, though it cannot directly compromise confidentiality or availability. No patch is currently available for this issue.
WordPress
CSRF
-
CVE-2026-0862
MEDIUM
CVSS 6.1
Save as PDF Plugin by PDFCrowd (a WordPress plugin) is affected by cross-site scripting (XSS).
WordPress
XSS
-
CVE-2026-0806
MEDIUM
CVSS 4.9
SQL injection in the WP-ClanWars WordPress plugin through version 2.0.1 allows authenticated administrators to execute arbitrary SQL queries via an unescaped 'orderby' parameter, enabling extraction of sensitive database information. The vulnerability requires high-level administrative privileges and does not allow data modification or system availability impacts. No patch is currently available for this issue.
WordPress
SQLi
-
CVE-2026-0687
MEDIUM
CVSS 4.3
The Meta Box GalleryMeta WordPress plugin through version 3.0.1 fails to enforce proper capability checks on the 'mb_gallery' custom post type, allowing authenticated users with Author-level or higher privileges to create and publish galleries without authorization. This insufficient access control could enable low-privileged attackers to modify gallery content and bypass intended editorial workflows.
WordPress
-
CVE-2026-0593
MEDIUM
CVSS 5.3
WP Go Maps plugin for WordPress through version 10.0.04 lacks proper capability validation in the processBackgroundAction() function, allowing authenticated Subscriber-level users to modify global map engine settings. This insufficient access control enables low-privileged attackers to alter critical plugin configurations without proper authorization. No patch is currently available for this vulnerability.
WordPress
PHP
-
CVE-2025-15516
MEDIUM
CVSS 4.3
The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4.
WordPress
PHP
-
CVE-2025-14985
MEDIUM
CVSS 6.4
The Alpha Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘alpha_block_css’ parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping.
WordPress
XSS
PHP
-
CVE-2025-14941
MEDIUM
CVSS 6.4
The GZSEO plugin for WordPress is vulnerable to authorization bypass leading to Stored Cross-Site Scripting in all versions up to, and including, 2.0.11.
WordPress
XSS
-
CVE-2025-14907
MEDIUM
CVSS 4.3
The Moderate Selected Posts WordPress plugin is affected by cross-site request forgery (CSRF).
WordPress
CSRF
PHP
-
CVE-2025-14906
MEDIUM
CVSS 4.3
The WP Youtube Video Gallery WordPress plugin is affected by cross-site request forgery (CSRF).
WordPress
CSRF
PHP
-
CVE-2025-14903
MEDIUM
CVSS 4.3
The Simple Crypto Shortcodes WordPress plugin is affected by cross-site request forgery (CSRF).
WordPress
CSRF
PHP
-
CVE-2025-14843
MEDIUM
CVSS 5.3
The Wizit Gateway for WooCommerce WordPress plugin, versions up to 1.2.9, is affected by missing authorization.
WordPress
PHP
-
CVE-2025-14797
MEDIUM
CVSS 5.4
The Same Category Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget title placeholder functionality in all versions up to, and including, 1.1.19.
WordPress
XSS
PHP
-
CVE-2025-14630
MEDIUM
CVSS 4.3
The AdminQuickbar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.3. This is due to missing or incorrect nonce validation on the 'saveSettings' and 'renamePost' AJAX actions.
WordPress
CSRF
PHP
-
CVE-2025-14629
MEDIUM
CVSS 5.3
The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1.
WordPress
PHP
-
CVE-2025-14609
MEDIUM
CVSS 5.3
The Wise Analytics WordPress plugin, versions up to 1.1.9, is affected by missing authorization.
WordPress
Authentication Bypass
-
CVE-2025-13920
MEDIUM
CVSS 5.3
The WP Directory Kit WordPress plugin, versions up to 1.4.9, is affected by information exposure.
WordPress
Information Disclosure
PHP
-
CVE-2025-13676
MEDIUM
CVSS 6.1
The JustClick registration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on the `PHP_SELF` server variable.
WordPress
XSS
PHP
-
CVE-2025-13205
MEDIUM
CVSS 4.3
The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20.
WordPress
CSRF
-
CVE-2025-13194
MEDIUM
CVSS 4.3
The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20.
WordPress
CSRF
-
CVE-2025-13139
MEDIUM
CVSS 4.3
The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action.
WordPress
CSRF
-
CVE-2025-12836
MEDIUM
CVSS 6.4
The VK Google Job Posting Manager WordPress plugin is affected by cross-site scripting (XSS).
WordPress
XSS
Google
-
CVE-2026-24474
None
Dioxus Components is a shadcn-style component library for the Dioxus app framework. Prior to commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, `use_animated_open` formats a string for `eval` with an `id` that can be user supplied.
RCE
Code Injection
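The Dioxus Components entry describes a JavaScript statement assembled by string formatting around an `id` and then handed to eval. As an added example, not Dioxus code, the pattern in miniature: buildScriptUnsafe interpolates the raw id, buildScriptSafe emits it as a JSON string literal so it can only ever be data, and SHOW_SCRIPT_PARAMETERIZED avoids string building altogether by receiving the id as an argument. runInStubDom, its document stub, the `pwned` sink and the payload are constructed here so the generated code can run outside a browser.

```javascript
// Added example, not Dioxus code. A statement built by string formatting
// around an id, evaluated with a stub document so it runs under Node.
// buildScriptUnsafe, buildScriptSafe, runInStubDom and PAYLOAD are constructed.

function buildScriptUnsafe(id) {
  return `document.getElementById("${id}").style.display = "block";`;
}

function buildScriptSafe(id) {
  if (typeof id !== 'string') throw new TypeError('id must be a string');
  // JSON.stringify yields a quoted, escaped JavaScript string literal.
  return `document.getElementById(${JSON.stringify(id)}).style.display = "block";`;
}

// No string building at all: the id is a parameter of the evaluated function.
const SHOW_SCRIPT_PARAMETERIZED = 'document.getElementById(id).style.display = "block";';

// Evaluates `code` with a minimal document stub. Every getElementById argument
// is recorded; `pwned` stands in for whatever an injected payload would do.
function runInStubDom(code, idArg) {
  const calls = [];
  const leaked = [];
  const document = {
    getElementById: (x) => { calls.push(x); return { style: {} }; },
  };
  const pwned = (v) => leaked.push(v);
  new Function('document', 'pwned', 'id', code)(document, pwned, idArg);
  return { calls, leaked };
}

// Constructed payload: closes the string and the call, runs its own statement,
// then reopens a call so the rest of the template still parses.
const PAYLOAD = 'x"); pwned("injected"); document.getElementById("x';

console.log('unsafe:', JSON.stringify(runInStubDom(buildScriptUnsafe(PAYLOAD))));
console.log('safe:  ', JSON.stringify(runInStubDom(buildScriptSafe(PAYLOAD))));
console.log('param: ', JSON.stringify(runInStubDom(SHOW_SCRIPT_PARAMETERIZED, PAYLOAD)));
```

Of the three, the parameterized form is the one to prefer: it leaves no code path in which attacker data is ever concatenated into source text, so there is no escaping rule to get wrong.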
-
CVE-2026-24140
LOW
CVSS 2.7
MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below have a Mass Assignment vulnerability in the settings management functionality due to insufficient input validation. The application's saveSettings() function accepts arbitrary key-value pairs without validating property names against allowed settings. The function uses Record<string, any> as input type and iterates over all entries using Object.entries() without filtering unauthorized propertie...
Code Injection
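The MyTube entry describes a save routine that copies every key of a Record<string, any> into the settings through Object.entries(). As an added example, not MyTube code, that shape beside a version that accepts only declared keys and validates each value. The schema, the defaults and the request body (including the "__proto__" key a JSON body may carry) are constructed for the example.

```javascript
// Added example, not MyTube code. Mass assignment through Object.entries next
// to an allowlisted, validated save. Schema, defaults and BODY are constructed.

// Declared settings and a validator for each (assumed schema).
const SETTINGS_SCHEMA = {
  downloadDir: (v) => typeof v === 'string' && v.length > 0 && !v.includes('\0'),
  maxConcurrentDownloads: (v) => Number.isInteger(v) && v >= 1 && v <= 10,
  theme: (v) => v === 'light' || v === 'dark',
};

function defaultSettings() {
  return { downloadDir: '/data/videos', maxConcurrentDownloads: 2, theme: 'light' };
}

// Flawed: every key in the body lands in the settings object, including keys
// the application never defined and a "__proto__" key, which replaces the
// object's prototype when assigned through a computed property name.
function saveSettingsUnchecked(current, body) {
  const next = { ...current };
  for (const [key, value] of Object.entries(body)) {
    next[key] = value;
  }
  return next;
}

// Hardened: unknown keys are dropped and reported, values that fail their
// validator are dropped and reported, and only the rest reach the store.
function saveSettingsChecked(current, body) {
  const next = { ...current };
  const rejected = [];
  for (const [key, value] of Object.entries(body)) {
    if (!Object.prototype.hasOwnProperty.call(SETTINGS_SCHEMA, key)) {
      rejected.push({ key, reason: 'unknown-setting' });
      continue;
    }
    if (!SETTINGS_SCHEMA[key](value)) {
      rejected.push({ key, reason: 'invalid-value' });
      continue;
    }
    next[key] = value;
  }
  return { settings: next, rejected };
}

// Constructed request body as it arrives after JSON.parse: one legitimate
// change, one made-up privilege flag, one out-of-range value, one prototype key.
const BODY = JSON.parse(
  '{"theme":"dark","isAdmin":true,"maxConcurrentDownloads":999,"__proto__":{"polluted":true}}'
);

console.log('unchecked:', saveSettingsUnchecked(defaultSettings(), BODY));
console.log('checked:  ', saveSettingsChecked(defaultSettings(), BODY));
```

The hasOwnProperty call matters: a plain `key in SETTINGS_SCHEMA` or `SETTINGS_SCHEMA[key]` lookup would find inherited names such as "constructor" and "__proto__" and let them through.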
-
CVE-2026-0633
LOW
CVSS 3.7
The MetForm - Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.1.0. This is due to the use of a forgeable cookie value derived only from the entry ID and current user ID without a server-side secret. This makes it possible for unauthenticated attackers to access form submission entry data via MetForm shortcodes for entries created within the transient TTL (default is 15 minu...
WordPress
Information Disclosure