Skip to main content
CVE-2026-27073 HIGH This Week

A hard-coded credentials vulnerability exists in the Addi buy-now-pay-later WordPress plugin (versions up to 2.0.4) that enables password recovery exploitation and authentication bypass attacks. Attackers can leverage embedded credentials to gain unauthorized access to user accounts and potentially escalate privileges within the plugin's functionality. This vulnerability is classified under CWE-798 (Use of Hard-coded Credentials) and has been reported by Patchstack; no CVSS score, EPSS data, or active KEV status is currently available, though the authentication bypass nature suggests active exploitation risk.

Authentication Bypass Addi 8211 Cuotas Que Se Adaptan A Ti
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-25401 HIGH This Week

A missing authorization vulnerability exists in Arni Cinco WPCargo Track & Trace WordPress plugin through version 8.0.2, where incorrectly configured access control allows attackers to bypass authentication mechanisms and exploit sensitive functionality. This broken access control flaw (CWE-862) affects all installations of the plugin up to and including version 8.0.2, enabling unauthenticated or low-privileged attackers to access resources or perform actions they should not be permitted to execute. The vulnerability was reported by Patchstack and has been tracked under ENISA EUVD ID EUVD-2026-15715.

Authentication Bypass Wpcargo Track Trace
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-25396 HIGH This Week

A Missing Authorization vulnerability (CWE-862) exists in CoderPress Commerce Coinbase For WooCommerce plugin versions up to and including 1.6.6, allowing attackers to bypass access control mechanisms and perform unauthorized actions through incorrectly configured security levels. An attacker can exploit this broken access control to manipulate commerce functions or access restricted administrative features without proper authentication. No CVSS score, EPSS data, or active KEV status is currently available, but the vulnerability was reported by Patchstack and assigned EUVD ID EUVD-2026-15707.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-25317 HIGH This Week

A missing authorization vulnerability exists in the Print Invoice & Delivery Notes for WooCommerce plugin (tychesoftwares) through version 5.9.0, allowing attackers to exploit incorrectly configured access control to bypass authentication mechanisms and gain unauthorized access to sensitive functionality. The vulnerability is classified as a broken access control issue (CWE-862) affecting all versions up to and including 5.9.0. Attackers can leverage this flaw to access restricted operations without proper authorization, potentially exfiltrating invoice and delivery note data or manipulating order information.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-25309 HIGH This Week

A missing authorization vulnerability in PublishPress Authors plugin versions up to 4.10.1 allows attackers to exploit incorrectly configured access control security levels, potentially bypassing authentication mechanisms. This vulnerability affects WordPress installations using the PublishPress Authors plugin and could enable unauthorized users to perform actions they should not be permitted to execute. The vulnerability is classified as an authentication bypass issue with CWE-862 (Missing Authorization), though specific CVSS scoring and exploitation data are not yet published.

Authentication Bypass Publishpress Authors
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-25026 HIGH This Week

A missing authorization vulnerability exists in RadiusTheme Team plugin (versions up to 5.0.11) that allows attackers to exploit incorrectly configured access control security levels. This broken access control issue (CWE-862) enables unauthorized users to access or manipulate resources they should not have permission to access. The vulnerability affects the WordPress plugin tlp-team and has been documented by Patchstack as an authentication bypass vector, though no CVSS score, EPSS probability, or KEV status is currently available to assess active exploitation.

Authentication Bypass Team
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-24382 HIGH This Week

A missing authorization vulnerability in the WordPress News Magazine X theme (versions up to 1.2.50) allows attackers to bypass access control mechanisms and exploit incorrectly configured security levels. This broken access control issue, classified under CWE-862, enables unauthorized users to access restricted functionality or resources that should require proper authentication or authorization. The vulnerability affects all installations of News Magazine X theme through version 1.2.50, and remediation requires immediate theme updates to patched versions.

Authentication Bypass News Magazine X
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-24363 HIGH PATCH This Week

A missing authorization vulnerability exists in the loopus WP Cost Estimation & Payment Forms Builder WordPress plugin (versions prior to 10.3.0) that allows attackers to bypass access controls and exploit incorrectly configured security levels. The vulnerability, classified as CWE-862 (Missing Authorization), enables unauthorized users to access or manipulate form data and cost estimation functionality that should be restricted. While no CVSS score or EPSS data is currently available, the authentication bypass nature of this vulnerability and its inclusion in vulnerability databases like ENISA EUVD-2026-15559 suggests moderate-to-high real-world exploitability.

Authentication Bypass Wp Cost Estimation Payment Forms Builder
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-23977 HIGH This Week

A missing authorization vulnerability exists in WPFactory's Helpdesk Support Ticket System for WooCommerce plugin (versions up to 2.1.2) that allows attackers to exploit incorrectly configured access control security levels to bypass authentication mechanisms. The vulnerability, classified as CWE-862 (Missing Authorization), enables unauthorized access to sensitive helpdesk support ticket functionality through broken access control. This affects WordPress installations using the vulnerable plugin, potentially exposing customer support interactions and sensitive information handled through the ticketing system.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-23806 HIGH This Week

A missing authorization vulnerability exists in BlueGlass Interactive AG's Jobs for WordPress plugin (versions up to 2.8) that allows attackers to bypass access control mechanisms through incorrectly configured security levels. This vulnerability (CWE-862: Missing Authorization) could permit unauthenticated or low-privileged attackers to access job posting functionality intended to be restricted to authorized users. While no CVSS score, EPSS data, or confirmed public exploit has been published, the straightforward nature of authorization bypass flaws and the plugin's widespread WordPress deployment make this a moderate-to-high priority for administrators managing job posting systems.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-69358 HIGH This Week

A missing authorization vulnerability exists in the Metagauss EventPrime event calendar management plugin for WordPress, classified as CWE-862 (Missing Authorization), that allows attackers to bypass access control restrictions and perform unauthorized actions. The vulnerability affects EventPrime versions up to and including 4.2.6.0, enabling exploitation through incorrectly configured access control security levels. While no CVSS score or EPSS data is currently published, the vulnerability has been documented by Patchstack and assigned ENISA EUVD ID EUVD-2025-209001, suggesting active security community awareness, though KEV status and proof-of-concept availability remain unconfirmed from available intelligence.

Authentication Bypass Eventprime
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-20701 HIGH PATCH This Week

An access control vulnerability in macOS allows applications to connect to network shares without explicit user consent, bypassing the sandbox restrictions designed to prevent unauthorized network access. This affects macOS Sequoia 15.7.5, macOS Sonoma 14.8.5, and macOS Tahoe 26.4, where a malicious or compromised application could silently establish connections to network resources. Apple has addressed this issue through additional sandbox restrictions in the specified patch versions; no public exploit code or active exploitation via KEV has been reported, but the nature of the vulnerability suggests moderate real-world risk due to the ease with which local applications could abuse this capability.

Apple Information Disclosure macOS
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-20639 HIGH PATCH This Week

Integer overflow vulnerability in Apple macOS (Sequoia 15.7.4 and earlier, Sonoma 14.8.4 and earlier, Tahoe 26.2 and earlier) allows remote attackers to trigger heap corruption by processing a specially crafted string without requiring user interaction or privileges. The vulnerability results in denial of service and potential memory corruption but currently lacks a public patch. No active exploitation has been reported.

Apple Integer Overflow Buffer Overflow macOS
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-3608 HIGH PATCH This Week

Denial of service in Kea DHCP daemons (versions 2.6.0-2.6.4 and 3.0.0-3.0.2) allows unauthenticated remote attackers to crash affected services by sending maliciously crafted messages to API sockets or HA listeners, triggering a stack overflow. Vulnerable Kea installations across Ubuntu, Red Hat, SUSE, and Debian are susceptible to service interruption attacks with no authentication required. A patch is available for affected distributions.

Buffer Overflow Kea
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-28855 HIGH PATCH This Week

A permissions enforcement vulnerability in Apple's operating systems allows applications to bypass access controls and read protected user data without proper authorization. The issue affects iOS and iPadOS versions prior to 26.3, and macOS Tahoe prior to 26.3. An attacker with a malicious app could exploit insufficient permission restrictions to access sensitive user information such as contacts, location data, photos, or other protected resources that should require explicit user consent.

Apple Authentication Bypass macOS iOS
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-23364 HIGH PATCH This Week

The Linux kernel's ksmbd (SMB server implementation) component uses the non-constant-time memcmp() function to compare Message Authentication Codes (MACs) instead of the cryptographically-secure crypto_memneq() function, enabling timing-based attacks to leak authentication credentials. All Linux kernel versions with ksmbd are affected, allowing attackers to potentially forge authentication by measuring response time differences during MAC validation. While no public exploit code is confirmed, multiple stable kernel branches have received patches addressing this vulnerability, indicating kernel maintainers treated this as a legitimate information disclosure risk.

Linux Information Disclosure
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-20004 HIGH This Week

Memory exhaustion in Cisco IOS XE and Apple devices via improper TLS resource handling allows adjacent attackers to trigger denial of service by repeatedly initiating failed authentication or manipulating TLS connections. An unauthenticated attacker can exploit this by resetting TLS sessions or abusing EAP authentication mechanisms to deplete device memory without requiring network access from the internet. Successful exploitation renders affected devices unresponsive, with no patch currently available.

Cisco Denial Of Service Apple
NVD VulDB
CVSS 3.1
7.4
EPSS
0.0%
CVE-2026-25456 HIGH This Week

Unauthenticated access control bypass in Aarsiv Groups' a2z-fedex-shipping WordPress plugin (versions ≤5.1.8) allows remote attackers to exploit incorrectly configured authorization checks, enabling unauthorized viewing, modification, or disruption of FedEx shipping data and label generation. The vulnerability is categorized as automatable with partial technical impact per SSVC framework, though EPSS scoring indicates low observed exploitation probability (0.02%, 4th percentile). Patchstack reported this CWE-862 missing authorization flaw; no active exploitation confirmed via CISA KEV at time of analysis.

Authentication Bypass Automated Fedex Live Manual Rates With Shipping Labels
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-27260 HIGH PATCH This Week

Ericsson Indoor Connect 8855 prior to version 2025.Q3 contains an Improper Filtering of Special Elements vulnerability (CWE-790) that allows attackers to bypass input validation controls and achieve unauthorized modification of sensitive information. This vulnerability affects all versions of the Indoor Connect 8855 product line below the 2025.Q3 release. No CVSS score, CVSS vector, EPSS data, or active exploitation status is currently available in public sources, limiting quantitative risk assessment, though the CWE-790 classification suggests the vulnerability involves inadequate sanitization of special characters or metacharacters in user input.

Ericsson Authentication Bypass
NVD VulDB
CVSS 4.0
7.2
EPSS
0.0%
CVE-2026-27602 HIGH PATCH This Week

Modoboa, an open-source mail server management platform, contains a command injection vulnerability in its subprocess execution handler that allows authenticated Reseller or SuperAdmin users to execute arbitrary operating system commands. A proof-of-concept exploit exists demonstrating how shell metacharacters in domain names can achieve code execution, typically as root in standard deployments. The vulnerability affects modoboa versions up to and including 2.7.0, with patches available in version 2.7.1.

Python Command Injection OpenSSL
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2024-51347 HIGH POC This Week

A buffer overflow vulnerability in the dgiot binary in LSC Smart Indoor IP Camera V7.6.32. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-33914 HIGH This Week

A blind SQL injection vulnerability exists in the PostCalendar module of OpenEMR, a widely-used open source electronic health records system. Versions prior to 8.0.0.3 are affected, allowing authenticated administrators to execute arbitrary SQL commands through the categoriesUpdate function's dels parameter. The vulnerability requires high privileges (PR:H) but is network-accessible and has no attack complexity, enabling attackers to extract sensitive patient data, modify health records, or disrupt medical operations.

SQLi Openemr
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-33910 HIGH This Week

OpenEMR versions up to and including 8.0.0.2 contain a SQL injection vulnerability in the patient selection feature that allows authenticated attackers with high privileges to execute arbitrary SQL commands. The vulnerability stems from insufficient input validation and can lead to complete compromise of confidentiality, integrity, and availability of the healthcare database. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept is currently available.

SQLi Openemr
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-22480 HIGH This Week

The WebToffee Product Feed for WooCommerce plugin contains a PHP object injection vulnerability stemming from insecure deserialization of untrusted data (CWE-502), affecting versions up to and including 2.3.3. An attacker can exploit this vulnerability to inject arbitrary objects into the application, potentially leading to remote code execution or data manipulation depending on available gadget chains in the WordPress/PHP environment. No CVSS score or EPSS data is currently published, and active exploitation status is unknown, but the vulnerability has been documented by Patchstack and assigned an ENISA EUVD ID (EUVD-2026-15487), indicating coordinated disclosure tracking.

WordPress Deserialization
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-32545 HIGH This Week

Taboola Pixel versions up to and including 1.1.4 contain a Reflected Cross-Site Scripting (XSS) vulnerability that allows attackers to inject malicious scripts into web pages during generation. An attacker can craft a malicious URL containing JavaScript payload and trick users into clicking it, causing the injected code to execute in the victim's browser with their session privileges. This vulnerability affects the Taboola Pixel WordPress plugin and has been identified by Patchstack; no CVSS score or EPSS data is currently available, but the reflected XSS classification and WordPress plugin distribution suggest moderate to high real-world risk given the plugin's widespread usage.

XSS Taboola Pixel
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-32544 HIGH This Week

A Stored Cross-Site Scripting (XSS) vulnerability exists in the OOPSpam Anti-Spam WordPress plugin through version 1.2.62, allowing attackers to inject and persist malicious JavaScript code that executes in the browsers of authenticated users and administrators. The vulnerability stems from improper input neutralization during web page generation (CWE-79), enabling attackers to compromise user sessions, steal credentials, or perform actions on behalf of affected users. No CVSS score, EPSS probability, or active exploitation data (KEV status) are currently available, but the Stored XSS classification and WordPress plugin distribution indicate moderate to high real-world risk given the plugin's accessibility and widespread WordPress ecosystem deployment.

XSS Oopspam Anti Spam
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-32542 HIGH PATCH This Week

A Reflected Cross-Site Scripting (XSS) vulnerability exists in ThemeFusion Fusion Builder, a WordPress page builder plugin, affecting all versions prior to 3.15.0. An unauthenticated attacker can inject malicious JavaScript into web pages through improper input sanitization, allowing them to steal session cookies, perform actions on behalf of users, or redirect visitors to malicious sites. No CVSS score, EPSS data, or public proof-of-concept have been officially published, but the vulnerability has been documented by Patchstack and assigned EUVD-2026-15919; patch availability is confirmed via the vendor advisory.

XSS Fusion Builder
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-32540 HIGH This Week

A Reflected Cross-Site Scripting (XSS) vulnerability exists in Bookly, a WordPress appointment booking plugin, affecting versions up to and including 26.7. Attackers can inject malicious scripts into web requests that execute in the victim's browser when the vulnerable page is rendered, allowing session hijacking, credential theft, or malware distribution. While no CVSS score or EPSS data is currently available, the vulnerability has been formally tracked by ENISA (EUVD-2026-15915) and reported via Patchstack, indicating active awareness in the security community.

XSS Bookly
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-32532 HIGH This Week

A Stored Cross-Site Scripting (XSS) vulnerability exists in ThemeHunk's Contact Form & Lead Form Elementor Builder plugin for WordPress, affecting all versions through 2.0.1. An attacker can inject malicious scripts into form fields that are stored in the database and executed in the browsers of administrators or other users who view the submitted data, potentially leading to account takeover, data theft, or malware distribution. No CVSS score or EPSS data is currently available, and active exploitation status is unknown; however, the vulnerability is confirmed by Patchstack and tracked under ENISA EUVD-2026-15903.

XSS Contact Form Lead Form Elementor Builder Elementor
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-32529 HIGH PATCH This Week

A reflected Cross-Site Scripting (XSS) vulnerability exists in the don-themes Molla WordPress theme through version 1.5.18, allowing attackers to inject malicious scripts into web pages viewed by victims. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), enabling attackers to execute arbitrary JavaScript in the context of affected users' browsers. An attacker can craft a malicious URL containing XSS payload and trick users into clicking it, potentially leading to session hijacking, credential theft, or malware distribution. No active exploitation in the wild has been confirmed via KEV status, and CVSS/EPSS scores are not available, but the vulnerability is documented by Patchstack with a confirmed patch available in version 1.5.19 or later.

XSS Molla
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-32528 HIGH PATCH This Week

A Reflected Cross-Site Scripting (XSS) vulnerability exists in don-themes Riode WordPress theme versions prior to 1.6.29, allowing attackers to inject malicious JavaScript code that executes in users' browsers when they click on crafted links. This CWE-79 vulnerability affects the Riode multi-purpose WooCommerce theme and enables attackers to steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. No CVSS score, EPSS data, or formal KEV status is currently available, but the vulnerability was reported by Patchstack with a confirmed patch available in version 1.6.29 and later.

XSS Riode
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-32526 HIGH This Week

A Stored Cross-Site Scripting (XSS) vulnerability exists in VillaTheme's Abandoned Cart Recovery for WooCommerce plugin affecting versions up to and including 1.1.10. The vulnerability allows attackers to inject malicious JavaScript code that persists in the application and executes in the browsers of administrators and customers when vulnerable pages are viewed. An attacker with appropriate access can compromise user sessions, steal sensitive data, or perform unauthorized actions on behalf of legitimate users.

XSS WordPress
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-32518 HIGH PATCH This Week

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the imithemes Gaea WordPress theme affecting versions prior to 3.8, allowing attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), enabling attackers to steal session cookies, perform actions on behalf of users, or redirect visitors to malicious sites. No CVSS score or EPSS data is currently available, and active exploitation status via KEV has not been confirmed, but the XSS classification and public disclosure via Patchstack suggest this represents a moderate to significant risk for WordPress installations using affected Gaea theme versions.

XSS Gaea
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-32517 HIGH This Week

A Reflected Cross-Site Scripting (XSS) vulnerability exists in Kleor Contact Manager through version 9.1, allowing attackers to inject malicious scripts into web pages viewed by users. The vulnerability affects the Contact Manager plugin and can be exploited via reflected XSS attacks where user input is improperly neutralized during web page generation. An attacker can craft a malicious URL containing JavaScript payloads that execute in the victim's browser, potentially leading to session hijacking, credential theft, or malware distribution. No CVSS score, EPSS data, or active KEV status is currently available; however, the confirmed presence of the vulnerability through Patchstack indicates a legitimate security concern requiring immediate attention.

XSS Contact Manager
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-32494 HIGH This Week

A Cross-site Scripting (XSS) vulnerability exists in the Ays Pro Image Slider WordPress plugin (versions up to and including 2.7.1) due to improper input neutralization during web page generation, combined with incorrectly configured access control security levels. Attackers can inject malicious scripts that execute in the context of other users' browsers, potentially stealing session tokens, redirecting users, or performing unauthorized actions on behalf of victims. No CVSS score, EPSS data, or active exploitation signals (KEV status) are currently available, but the vulnerability is confirmed by Patchstack and assigned EUVD-2026-15837.

XSS Image Slider By Ays
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27088 HIGH This Week

A reflected cross-site scripting (XSS) vulnerability exists in G5Theme's Darna Framework through version 2.9, allowing attackers to inject malicious scripts that execute in users' browsers when crafted URLs are visited. The vulnerability affects the Darna Framework WordPress plugin and stems from improper input neutralization during web page generation. While no CVSS score or EPSS data is currently published, the CWE-79 classification indicates this is a classic reflected XSS with potential for credential theft, session hijacking, and malware distribution depending on the attack vector's accessibility.

XSS Darna Framework
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27087 HIGH This Week

A Reflected Cross-Site Scripting (XSS) vulnerability exists in G5Theme's Wolverine Framework through version 1.9, enabling attackers to inject malicious scripts into web pages generated by the framework. This vulnerability affects all installations of Wolverine Framework up to and including version 1.9, allowing attackers to execute arbitrary JavaScript in the context of victim browsers when they visit a maliciously crafted URL. While no CVSS score or EPSS data is currently available, the vulnerability has been reported by Patchstack and assigned ENISA EUVD ID EUVD-2026-15797, indicating it has undergone standardized review.

XSS Wolverine Framework
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-27054 HIGH This Week

A Reflected Cross-Site Scripting (XSS) vulnerability exists in PenciDesign's Penci Soledad Data Migrator plugin through version 1.3.1, allowing attackers to inject malicious scripts that execute in users' browsers when they visit a crafted URL. The vulnerability affects all versions up to and including 1.3.1 of the WordPress plugin. An attacker can exploit this to steal session cookies, perform actions on behalf of authenticated users, or redirect users to malicious sites, with the attack requiring only that a victim click a malicious link-no special privileges or interaction with the application itself required.

XSS Penci Soledad Data Migrator
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-25461 HIGH This Week

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the purethemes Listeo Core WordPress plugin through version 2.0.21, allowing attackers to inject malicious scripts into web pages viewed by victims. An attacker can craft a malicious URL containing JavaScript payload that executes in the victim's browser when they visit the link, potentially stealing session cookies, credentials, or performing actions on behalf of the user. No CVSS score, EPSS data, or active KEV status is currently published, but the vulnerability is documented by Patchstack with a direct reference to the affected plugin version.

XSS Listeo Core
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-25452 HIGH This Week

A Stored Cross-Site Scripting (XSS) vulnerability exists in the WPDO Remoji WordPress plugin through version 2.2, allowing attackers to inject malicious JavaScript code that persists in the database and executes in the browsers of site visitors. This vulnerability affects all installations of Remoji up to and including version 2.2, enabling authenticated or unauthenticated attackers (depending on plugin configuration) to compromise website visitors' sessions, steal credentials, or redirect users to malicious sites. While CVSS and EPSS scores are not publicly available, the vulnerability's classification as Stored XSS and reporting through Patchstack indicate moderate-to-high real-world severity.

XSS Remoji
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-25435 HIGH This Week

A Stored Cross-Site Scripting (XSS) vulnerability exists in the wpdevart Booking Calendar and Appointment Booking System WordPress plugin through version 3.2.36, allowing attackers to inject and execute malicious JavaScript code that persists in the application database. An authenticated or unauthenticated attacker can exploit this vulnerability to steal session cookies, perform actions on behalf of legitimate users, or redirect visitors to malicious sites. No CVSS score, EPSS probability, or active exploitation in the wild (KEV status) are currently available, but the vulnerability affects a widely-used booking plugin and likely represents a significant risk given the prevalence of WordPress installations.

XSS Booking Calendar Appointment Booking System
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-25383 HIGH This Week

A Reflected Cross-Site Scripting (XSS) vulnerability exists in Iqonic Design's KiviCare clinic management system through version 3.6.16, allowing attackers to inject malicious scripts into web pages viewed by users. An attacker can craft a malicious URL containing JavaScript payload and trick users into clicking it, enabling session hijacking, credential theft, or unauthorized actions within the clinic management system. No CVSS score, EPSS probability, or KEV status are available, though the vulnerability was publicly disclosed by Patchstack and is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation).

XSS Kivicare
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-25376 HIGH This Week

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the eyecix Addon Jobsearch Chat plugin for WordPress, affecting versions up to and including 3.0. An attacker can inject malicious scripts into user-controlled input that is reflected back in the web page without proper sanitization, allowing them to steal session cookies, perform actions on behalf of authenticated users, or redirect users to malicious sites. No CVSS score, EPSS probability, or active KEV designation is available; however, the vulnerability is confirmed via Patchstack and carries a European vulnerability database entry (EUVD-2026-15694).

XSS Addon Jobsearch Chat
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-25373 HIGH PATCH This Week

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the ProgressionStudios Vayvo WordPress theme (versions prior to 6.8) that allows attackers to inject malicious scripts into web pages viewed by users. An attacker can craft a malicious URL containing unsanitized input and trick users into clicking it, causing arbitrary JavaScript to execute in the victim's browser within the context of the Vayvo-powered site. No CVSS score, EPSS probability, or KEV confirmation is currently available, but the reflected XSS classification and Patchstack reporting indicate this is a known, credible vulnerability with patch availability.

XSS Vayvo
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-25361 HIGH This Week

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the WpEvently WordPress plugin (mage-eventpress) affecting versions up to and including 5.1.4, allowing attackers to inject malicious scripts that execute in users' browsers when they visit crafted URLs. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), enabling attackers to steal session cookies, perform unauthorized actions, or redirect users to malicious sites. No CVSS score or EPSS data is currently available, but the Patchstack reporting and EUVD tracking indicate this is a documented and confirmed vulnerability requiring prompt patching.

XSS Wpevently
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-25356 HIGH PATCH This Week

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the Skygroup Yobazar WordPress theme due to improper neutralization of user input during web page generation. This vulnerability affects Yobazar versions prior to 1.6.7 and allows attackers to inject malicious scripts that execute in the browsers of users who visit crafted URLs. The vulnerability has been reported by Patchstack and is classified as CWE-79; while no CVSS score or EPSS data is currently available, the reflected XSS vector typically enables session hijacking, credential theft, and malware distribution.

XSS Yobazar
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-25354 HIGH PATCH This Week

A reflected Cross-Site Scripting (XSS) vulnerability exists in the skygroup Reebox WordPress theme due to improper neutralization of user input during web page generation. This vulnerability affects Reebox versions prior to 1.4.8, allowing attackers to inject malicious scripts that execute in the context of a victim's browser when they click a crafted link. While CVSS and EPSS scores are not publicly available, the CWE-79 classification and Patchstack reporting indicate this is a confirmed, real vulnerability with active disclosure through the EUVD database (EUVD-2026-15671).

XSS Reebox
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-25353 HIGH PATCH This Week

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the skygroup Nooni theme affecting versions prior to 1.5.1, allowing attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from improper neutralization of user input during web page generation, classified as CWE-79. Attackers can craft malicious URLs containing JavaScript payloads that execute in the context of a victim's browser when the link is visited, potentially leading to session hijacking, credential theft, or malware distribution.

XSS Nooni
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-25352 HIGH PATCH This Week

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the skygroup MyDecor WordPress theme affecting versions prior to 1.5.9. An unauthenticated attacker can inject malicious JavaScript code through unvalidated user input parameters in web requests, which is then reflected back to victims in the HTTP response without proper sanitization or encoding. This allows attackers to execute arbitrary JavaScript in a victim's browser within the context of the affected website, potentially leading to session hijacking, credential theft, or malware distribution.

XSS Mydecor
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-25351 HIGH PATCH This Week

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the skygroup MyMedi WordPress theme that allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects MyMedi versions prior to 1.7.7, and an attacker can leverage reflected XSS to steal session cookies, redirect users to malicious sites, or perform actions on behalf of the victim. No active exploitation in the wild has been confirmed, but the vulnerability was publicly disclosed via Patchstack with technical details available.

XSS Mymedi
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
Prev Page 6 of 13 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy