Skip to main content
CVE-2026-3376 HIGH POC This Week

Remote code execution in Tenda F453 firmware (v1.0.0.3) via a buffer overflow in the SafeMacFilter function allows authenticated attackers to execute arbitrary code with full system privileges. The vulnerability stems from insufficient input validation on the page parameter in the /goform/SafeMacFilter endpoint and can be exploited remotely over the network. Public exploit code exists and no patch is currently available.

Buffer Overflow F453 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-28562 HIGH This Week

Unauthenticated SQL injection in wpForo 2.4.14 allows remote attackers to extract sensitive data from WordPress databases through the wpfob parameter via blind boolean-based attacks. The vulnerability exploits inadequate sanitization of ORDER BY clause identifiers, enabling credential theft without authentication. No patch is currently available for affected installations.

WordPress SQLi Wpforo Forum
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-13673 HIGH This Week

The Tutor LMS - eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 7.5 HIGH]

WordPress SQLi PHP
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2844 HIGH This Week

Timepictra versions up to 11.3 is affected by missing authentication for critical function (CVSS 7.5).

Authentication Bypass Timepictra
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-2471 HIGH This Week

Unauthenticated attackers can inject malicious serialized PHP objects into the WP Mail Logging plugin (versions up to 1.15.0) through email forms, exploiting unsafe deserialization in the BaseModel class. When administrators view the logged emails, the injected payload deserializes into arbitrary PHP objects, potentially enabling code execution if leveraged with gadget chains from other installed plugins or themes. No patch is currently available.

WordPress PHP Deserialization
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-1542 MEDIUM This Month

Super Stage WP WordPre versions up to 1.0.1 is affected by deserialization of untrusted data (CVSS 6.5).

WordPress PHP Deserialization
NVD WPScan
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-28557 MEDIUM This Month

Unauthorized usergroup reassignment in wpForo Forum 2.4.14 allows any authenticated user to remap all forum usergroups to arbitrary WordPress roles through a missing capability check in the wpforo_synch_roles AJAX handler. An attacker can obtain a valid nonce from the publicly accessible usergroups admin page and execute bulk privilege escalation affecting all forum users. No patch is currently available for this vulnerability.

WordPress Wpforo Forum
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-28558 MEDIUM This Month

Stored XSS in wpForo Forum 2.4.14 allows authenticated users to inject malicious code through SVG profile avatars, which executes when other users view the attacker's profile. An authenticated attacker can leverage this to steal session tokens, redirect victims, or perform actions on their behalf with no user interaction required. No patch is currently available for this vulnerability.

XSS Wpforo Forum
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-3010 MEDIUM This Month

Microchip TimePictra versions 11.0 through 11.3 SP2 contain a reflected cross-site scripting (XSS) vulnerability that allows unauthenticated attackers to inject malicious scripts through query parameters. Successful exploitation requires user interaction and can result in session hijacking, credential theft, or unauthorized information disclosure. No patch is currently available.

XSS Timepictra
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-28561 MEDIUM This Month

wpForo Forum 2.4.14 fails to properly sanitize forum description fields, enabling authenticated administrators to store malicious JavaScript that executes in the browsers of all users viewing forum listings. On multisite installations or when admin credentials are compromised, attackers can leverage this stored XSS to conduct persistent attacks against forum users. No patch is currently available for this vulnerability.

XSS Wpforo Forum
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-28560 MEDIUM This Month

Stored XSS in wpForo Forum 2.4.14 allows authenticated administrators to inject malicious scripts into forum slugs that execute in all visitors' browsers due to improper JSON encoding. An attacker with high-level privileges can craft a forum URL containing unescaped characters to break out of JavaScript context and achieve arbitrary script execution. No patch is currently available for this vulnerability.

XSS Wpforo Forum
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-28556 MEDIUM This Month

wpForo Forum 2.4.14 fails to properly authorize topic management operations, allowing authenticated users to move, merge, or split any forum topic regardless of their moderator status. Attackers with valid subscriber accounts can reorganize forum content and relocate discussions to restricted areas without appropriate permissions. No patch is currently available for this medium-severity vulnerability.

Industrial Wpforo Forum
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-28559 MEDIUM This Month

wpForo Forum 2.4.14 fails to properly enforce access controls on its RSS feed endpoint, enabling unauthenticated attackers to enumerate and access private or unapproved forum topics. By omitting the forum ID parameter in RSS feed requests, attackers bypass privacy filters that would normally restrict visibility of sensitive content. This information disclosure vulnerability affects forum administrators and users who rely on topic privacy settings to protect sensitive discussions.

Industrial Information Disclosure Wpforo Forum
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-28555 MEDIUM This Month

Authenticated users in wpForo Forum 2.4.14 can manipulate forum topic states by exploiting improper authorization checks in the wpforo_close_ajax handler, allowing them to close or reopen discussions they should not have permission to modify. An attacker with subscriber privileges can craft requests with valid nonces to bypass moderator permission validation and disrupt forum operations. No patch is currently available for this vulnerability.

Authentication Bypass Wpforo Forum
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-28554 MEDIUM This Month

Insufficient authorization controls in wpForo Forum 2.4.14 enable authenticated users to manipulate forum post moderation status through the wpforo_approve_ajax handler, allowing them to approve or reject posts outside their assigned permissions. The vulnerability relies on a weak nonce-only validation that fails to verify user role authorization before processing moderation actions. While patches are not currently available, this impacts forum administrators' ability to maintain content moderation integrity on affected installations.

Authentication Bypass Wpforo Forum
NVD
CVSS 3.1
4.3
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy