Skip to main content
CVE-2026-39362 MEDIUM PATCH This Month

Server-side request forgery (SSRF) in InvenTree prior to versions 1.2.7 and 1.3.0 allows authenticated users to request arbitrary internal URLs when the INVENTREE_DOWNLOAD_FROM_URL feature is enabled, bypassing URL validation through HTTP redirect chains. An attacker with valid credentials can probe internal networks, access cloud metadata endpoints, or interact with backend services not exposed to the public internet by supplying crafted remote_image URLs that are fetched server-side without IP-range restrictions.

SSRF Python
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-34837 MEDIUM PATCH This Month

Zammad versions prior to 7.0.1 fail to validate user authorization for context data supplied to the REST endpoint POST /api/v1/ai_assistance/text_tools/:id, allowing authenticated agents to access and leak unauthorized information (such as group or organization data) through AI prompt injection. The vulnerability requires the attacker to possess ticket.agent permission but does not require additional user interaction; no public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass Zammad
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-34782 MEDIUM PATCH This Month

Bypass of access controls in Zammad REST API endpoint POST /api/v1/ai_assistance/text_tools/:id allows authenticated users to utilize AI text tools without proper privilege verification in versions prior to 7.0.1 and 6.5.4. An authenticated attacker can invoke AI assistance features regardless of their assigned permissions, leading to unauthorized consumption of text tool functionality and potential information disclosure through unrestricted tool access.

Authentication Bypass Zammad
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-35023 MEDIUM PATCH This Month

Wimi Teamwork On-Premises versions before 8.2.0 allow authenticated attackers to enumerate sequential item_id values in the preview.php endpoint to bypass authorization checks and access image previews from other users' private or group conversations, resulting in unauthorized information disclosure. The vulnerability requires valid user credentials (CVSS PR:L) but enables horizontal privilege escalation to retrieve sensitive conversation data. No public exploit code has been identified, though the IDOR vulnerability pattern is straightforward to exploit.

Authentication Bypass PHP
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-39406 MEDIUM PATCH GHSA This Month

Path normalization inconsistency in Hono's node-server serveStatic middleware allows unauthenticated attackers to bypass route-based authorization middleware by using repeated slashes (e.g., //admin/secret.txt) to access protected static files, exposing sensitive information with low confidentiality impact (CVSS 5.3).

Path Traversal Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2263 MEDIUM This Month

Unauthenticated attackers can forge conversion tracking events in The Hustle WordPress plugin (versions up to 7.8.10.2) by exploiting a missing capability check on the 'hustle_module_converted' AJAX action, allowing manipulation of marketing analytics and conversion statistics for any module including unpublished drafts. The vulnerability has a CVSS score of 5.3 (medium severity) with network-based attack vector and no authentication required, confirmed by Wordfence research with public code references available.

WordPress Authentication Bypass
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-40087 MEDIUM PATCH GHSA This Month

LangChain's f-string prompt-template validation allows information disclosure through attribute access and nested format-specifier injection in DictPromptTemplate and ImagePromptTemplate classes. Unauthenticated remote attackers can craft malicious template strings to expose internal object state, model context, or logs when templates are formatted with rich Python objects. Practical impact is limited to applications that accept untrusted template strings (not just variable values) and pass complex objects into template formatting; hardcoded templates and value-only user input are unaffected. Vendor-released patch available in langchain-core 0.3.84 and 1.2.28.

Python Deserialization Red Hat
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-5808 MEDIUM PATCH This Month

Reflected cross-site scripting (XSS) in openstatusHQ openstatus allows unauthenticated remote attackers to inject malicious scripts via the callbackURL parameter in the Onboarding Endpoint component. The vulnerability affects the onboarding client functionality and requires user interaction to exploit. Vendor has released a patched version (commit 43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb), and no public exploit code is currently identified.

XSS Openstatus
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-4654 MEDIUM This Month

Insecure Direct Object Reference (IDOR) in Awesome Support WordPress plugin up to version 6.3.7 allows authenticated subscribers and above to access sensitive information from all support tickets by manipulating the ticket_id parameter in the wpas_get_ticket_replies_ajax() function. The vulnerability fails to verify user permissions before returning ticket data, enabling unauthorized disclosure of potentially sensitive helpdesk information across the entire system. No public exploit code or active exploitation has been confirmed at time of analysis.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-4299 MEDIUM This Month

Authenticated attackers with Subscriber-level access can extract MainWP Child Reports activity logs including action summaries, user information, IP addresses, and contextual data from WordPress sites running the MainWP Child Reports plugin up to version 2.2.6 by exploiting a missing authorization check in the WordPress Heartbeat API handler. The vulnerability (CVSS 5.3) affects information disclosure only and requires network access but no user interaction; no public exploit code or active exploitation has been confirmed at the time of analysis.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-5886 MEDIUM PATCH This Month

Out-of-bounds read in Google Chrome WebAudio (Mac) prior to version 147.0.7727.55 enables remote information disclosure via crafted HTML. Unauthenticated network-based attacker can extract sensitive process memory without user interaction. CVSS 7.5 (High confidentiality impact). No public exploit identified at time of analysis. Low observed exploitation activity (EPSS <1%). Patch available from vendor.

Information Disclosure Google Buffer Overflow Red Hat Suse +1
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-5890 MEDIUM PATCH This Month

Race in WebCodecs in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Race Condition Google Chrome
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39412 MEDIUM PATCH GHSA This Month

LiquidJS `sort_natural` and `sort` filters bypass the `ownPropertyOnly` security option, enabling prototype property extraction through a sorting side-channel attack. Applications using LiquidJS with `ownPropertyOnly: true` (default since v10.x) where untrusted users write templates are vulnerable to information disclosure of sensitive prototype-inherited properties such as API keys and tokens. A working proof-of-concept demonstrates extraction of prototype secrets via binary search on filter-induced sort ordering.

Information Disclosure
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39712 MEDIUM This Month

Improper neutralization of HTML script tags in tagDiv Composer plugin versions up to 5.4.3 allows unauthenticated remote attackers to inject arbitrary code through shortcode execution, resulting in stored cross-site scripting (XSS). The vulnerability exploits insufficient input sanitization in the plugin's composer functionality, enabling attackers to inject malicious scripts that execute in the context of affected web pages. While EPSS scoring indicates low real-world exploitation probability (0.03%, 8th percentile), the CISA SSVC framework notes the attack is automatable and results in partial technical impact; no public exploit code or active exploitation has been identified at time of analysis.

XSS Tagdiv Composer
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39629 MEDIUM This Month

Improper neutralization of script-related HTML tags in the kutethemes Uminex WordPress theme version 1.0.9 and earlier enables unauthenticated remote attackers to inject arbitrary code via cross-site scripting (XSS), resulting in limited information disclosure. The vulnerability has an EPSS score of 0.03% (8th percentile), indicating minimal real-world exploitation probability despite a CVSS base score of 5.3; no public exploit code or active exploitation has been identified.

XSS Uminex
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39628 MEDIUM This Month

Improper neutralization of script-related HTML tags in kutethemes DukaMarket WordPress theme version 1.3.0 and earlier allows unauthenticated remote attackers to inject malicious code via XSS, resulting in integrity compromise. The vulnerability has an EPSS score of 0.03% (percentile 8%), indicating very low real-world exploitation probability despite the moderate CVSS 5.3 rating. No evidence of active exploitation or public proof-of-concept code has been identified.

XSS Dukamarket
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39626 MEDIUM This Month

Improper neutralization of script-related HTML tags in the Armania WordPress theme (versions up to 1.4.8) allows unauthenticated remote attackers to inject arbitrary code through unvalidated input, resulting in stored XSS and arbitrary shortcode execution. The vulnerability has a low CVSS severity (5.3) with EPSS exploitation probability of 0.03% (8th percentile), but enables integrity compromise through code injection that persists in the application.

XSS Armania
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39625 MEDIUM This Month

Improper neutralization of script-related HTML tags in kutethemes TechOne WordPress theme versions up to 3.0.3 enables unauthenticated attackers to inject malicious code through basic cross-site scripting (XSS), resulting in limited information disclosure. The vulnerability has an exceptionally low EPSS score (0.03%, percentile 8%) despite the moderate CVSS rating, suggesting minimal real-world exploitation likelihood. No public exploit code or confirmed active exploitation has been identified at the time of analysis.

XSS Techone
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3477 MEDIUM This Month

PZ Frontend Manager plugin for WordPress versions up to 1.0.6 allows authenticated attackers with Subscriber-level access to delete arbitrary WordPress users, including administrators, due to missing authorization checks in the pzfm_user_request_action_callback() AJAX function. The vulnerable function lacks both capability verification and nonce validation when processing user deletion requests, enabling privilege escalation and account takeover attacks. CVSS score of 5.3 reflects the integrity impact; however, the true risk is elevated by the low privilege requirement (unauthenticated attackers can exploit this if they register a free Subscriber account) and the critical business impact of administrative account deletion.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39711 MEDIUM This Month

RT-Theme 18 Extensions WordPress plugin versions up to 2.5 exposes sensitive data through insertion of information into sent data, allowing unauthenticated remote attackers to retrieve embedded sensitive information with low attack complexity. The vulnerability affects the plugin's data transmission mechanisms and has an EPSS exploitation probability of 0.02%, indicating minimal real-world attack likelihood despite the moderate CVSS score.

Information Disclosure Rt Theme 18 Extensions
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39709 MEDIUM This Month

The Tribal WordPress plugin through version 1.3.4 exposes sensitive data in outbound network communications, allowing unauthenticated remote attackers to retrieve embedded sensitive information with low complexity. The vulnerability stems from improper handling of sensitive data before transmission, classified as CWE-201 (Insertion of Sensitive Information Into Sent Data). With an EPSS score of 0.02% and no confirmed active exploitation, this represents a low real-world priority despite the network-accessible attack vector, suggesting the exposure may require specific conditions or have limited practical exploitability.

Information Disclosure The Tribal
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39686 MEDIUM This Month

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in bannersky BSK PDF Manager bsk-pdf-manager allows Retrieve Embedded Sensitive Data.This issue affects BSK PDF Manager: from n/a through <= 3.7.2.

Information Disclosure Bsk Pdf Manager
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39586 MEDIUM This Month

RepairBuddy plugin for WordPress versions through 4.1132 exposes sensitive data in network transmissions due to improper handling of embedded information, allowing remote unauthenticated attackers to retrieve confidential details via passive observation of sent data. The vulnerability has a moderate CVSS score of 5.3 with low exploitability probability (0.02% EPSS), indicating real-world risk is minimal despite the information disclosure impact.

Information Disclosure Repairbuddy
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39571 MEDIUM This Month

Themefic Instantio WordPress plugin versions up to 3.3.30 expose sensitive system information to unauthenticated remote attackers via an unspecified mechanism that retrieves embedded sensitive data. The vulnerability has a CVSS score of 5.3 with no authentication required and low complexity, enabling confidentiality compromise without requiring user interaction. No public exploit code or active exploitation has been confirmed, and the EPSS score of 0.02% indicates minimal real-world exploitation probability despite the direct remote accessibility.

Information Disclosure Instantio
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39570 MEDIUM This Month

The AA Web Servant 12 Step Meeting List WordPress plugin through version 3.19.9 exposes sensitive information in sent data, allowing unauthenticated remote attackers to retrieve embedded sensitive data with low confidentiality impact. This information disclosure vulnerability has an EPSS score of 0.02% (5th percentile), indicating minimal real-world exploitation probability despite moderate CVSS scoring.

Information Disclosure 12 Step Meeting List
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39564 MEDIUM This Month

Sunshine Photo Cart WordPress plugin versions prior to 3.6.2 expose sensitive information through insertion into sent data, allowing remote unauthenticated attackers to retrieve embedded sensitive data with low attack complexity. The EPSS score of 0.02% (5th percentile) indicates minimal real-world exploitation probability despite the moderate CVSS 5.3 rating, suggesting this is a low-priority information disclosure with limited practical impact.

Information Disclosure Sunshine Photo Cart
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39542 MEDIUM This Month

Doofinder for WooCommerce through version 2.10.13 discloses sensitive information by inserting it into sent data, allowing remote unauthenticated attackers to retrieve embedded secrets with low attack complexity. The vulnerability affects all installations of the plugin and has been reported by Patchstack, with EPSS exploitation probability at 0.02% (low real-world risk), though no KEV status or public exploit code has been identified.

Information Disclosure WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39536 MEDIUM This Month

Information disclosure in WP Chill RSVP and Event Management plugin versions up to 2.7.16 exposes sensitive system data to unauthenticated remote attackers via unprotected endpoints. The vulnerability allows retrieval of embedded sensitive information without authentication or user interaction, affecting WordPress sites using the affected plugin versions. With EPSS scoring of 0.02% and no public exploit code identified, real-world exploitation risk is minimal despite the network-accessible attack vector.

Information Disclosure Rsvp And Event Management
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39516 MEDIUM This Month

Nexter Blocks WordPress plugin versions through 4.7.0 expose sensitive system information to unauthenticated remote attackers via an information disclosure vulnerability, allowing retrieval of embedded sensitive data without authentication or user interaction. The CVSS score of 5.3 reflects moderate confidentiality impact with low attack complexity, though the EPSS score of 0.02% (5th percentile) indicates minimal real-world exploitation probability at time of analysis.

Information Disclosure Nexter Blocks
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39473 MEDIUM This Month

Simple History WordPress plugin versions 5.24.0 and earlier expose sensitive information through embedded data in sent communications, allowing remote unauthenticated attackers to retrieve confidential details with low attack complexity. The vulnerability stems from improper handling of sensitive data in network transmissions and affects all installations of the plugin up to the stated version. EPSS score of 0.02% indicates minimal real-world exploitation likelihood despite the information disclosure nature.

Information Disclosure Simple History
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39716 MEDIUM This Month

CKThemes Flipmart theme through version 2.8 contains a missing authorization vulnerability enabling unauthenticated remote attackers to bypass access control restrictions and gain limited read access to sensitive information. The vulnerability stems from incorrectly configured access control security levels that fail to properly validate user permissions before exposing restricted functionality. While the CVSS score of 5.3 reflects moderate severity, the EPSS score of 0.02% and SSVC assessment indicating no known exploitation suggest this is a lower-priority issue in practice, though the automatable nature of exploitation makes it a candidate for proactive remediation in shared hosting environments.

Authentication Bypass Flipmart
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39715 MEDIUM This Month

Missing authorization in AnyTrack Affiliate Link Manager plugin versions up to 1.5.5 allows unauthenticated remote attackers to modify affiliate link configurations through incorrectly configured access control, affecting data integrity with low exploitation probability despite network-accessible attack surface.

Authentication Bypass Anytrack Affiliate Link Manager
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39714 MEDIUM This Month

G5Plus April WordPress theme versions up to 6.8 contain a missing authorization vulnerability allowing unauthenticated remote attackers to access resources with restricted access control levels, resulting in limited information disclosure. The vulnerability affects the theme's broken access control mechanism and has a low exploitation probability (EPSS 0.02%, percentile 4%) with no public exploit identified at time of analysis, though CISA SSVC assessment indicates partial technical impact from non-automatable exploitation.

Authentication Bypass G5Plus April
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39713 MEDIUM This Month

Mailercloud - Integrate Webforms and Synchronize Website Contacts plugin versions up to 1.0.7 for WordPress suffers from missing authorization checks that allow unauthenticated remote attackers to modify data via incorrectly configured access control. The vulnerability (CWE-862) permits unauthorized modification of plugin functionality without proper privilege validation, affecting any WordPress installation running the vulnerable plugin version. Although EPSS probability is low (0.02%) and no active exploitation is confirmed, the remote unauthenticated attack vector and impact on data integrity warrant timely patching.

Authentication Bypass Mailercloud 8211 Integrate Webforms And Synchronize Website Contacts
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39707 MEDIUM This Month

Missing authorization in ZealousWeb's Accept PayPal Payments using Contact Form 7 plugin (versions up to 4.0.4) allows unauthenticated remote attackers to modify payment-related data through incorrectly configured access controls. The vulnerability exposes WordPress sites using this plugin to unauthorized alterations of sensitive payment information without requiring user authentication, though the EPSS score of 0.02% (4th percentile) indicates low real-world exploitation probability despite network accessibility.

Authentication Bypass Accept Paypal Payments Using Contact Form 7
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39706 MEDIUM This Month

Netro Systems Make My Trivia plugin through version 1.1.0 fails to properly enforce access controls, allowing unauthenticated remote attackers to read sensitive information by exploiting incorrectly configured security levels. This missing authorization vulnerability (CWE-862) has a CVSS base score of 5.3 with low real-world exploitation risk (EPSS 0.02%, CISA SSVC exploitation status 'none') despite being automatable, suggesting the flaw requires specific misconfiguration to be exploitable in practice.

Authentication Bypass Make My Trivia
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39705 MEDIUM This Month

Missing authorization in Mulika Team MIPL WC Multisite Sync WordPress plugin versions 1.4.4 and earlier allows unauthenticated remote attackers to modify plugin data through incorrectly configured access control mechanisms. The vulnerability affects all versions from initial release through 1.4.4, with an EPSS score of 0.02% indicating minimal real-world exploitation likelihood despite the moderate CVSS score of 5.3. No active exploitation or public proof-of-concept has been identified at time of analysis.

Authentication Bypass Mipl Wc Multisite Sync
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39704 MEDIUM This Month

Missing authorization in nfusionsolutions Precious Metals Automated Product Pricing Pro plugin (versions <= 4.0.5) allows unauthenticated remote attackers to access sensitive information through incorrectly configured access controls. The vulnerability affects WordPress installations using this e-commerce plugin and enables information disclosure with low CVSS severity (5.3), though exploitation requires no authentication and is automatable according to CISA SSVC assessment. No public exploit code or active exploitation has been confirmed.

Authentication Bypass Precious Metals Automated Product Pricing 8211 Pro
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39701 MEDIUM This Month

Missing authorization in ShopWP WordPress plugin versions up to 5.2.4 allows unauthenticated remote attackers to modify data through incorrectly configured access controls. The vulnerability exposes functionality that should be restricted to authorized users but lacks proper permission validation, enabling attackers to perform unauthorized actions over the network without authentication. EPSS score of 0.02% (4th percentile) indicates low exploitation probability despite the network-accessible attack vector.

Authentication Bypass Shopwp
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39700 MEDIUM This Month

Missing authorization in WPXPO WowOptin plugin through version 1.4.32 allows unauthenticated remote attackers to read sensitive information by exploiting incorrectly configured access control on plugin endpoints. The vulnerability carries a low CVSS score (5.3) and extremely low EPSS exploitation probability (0.02%, percentile 4%), indicating limited real-world attack incentive despite network-accessible exposure. No public exploit code or active exploitation has been confirmed.

Authentication Bypass Wowoptin
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39699 MEDIUM This Month

Missing authorization in massiveshift AI Workflow Automation plugin (versions up to 1.4.2) allows unauthenticated remote attackers to modify data through incorrectly configured access control security levels, affecting the WordPress plugin ai-workflow-automation-lite. The vulnerability has a low EPSS score (0.02%, 4th percentile) despite CVSS 5.3, suggesting limited real-world exploitation likelihood despite network accessibility.

Authentication Bypass Ai Workflow Automation
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39698 MEDIUM This Month

Missing authorization in The Publisher Desk ads.txt WordPress plugin versions 1.5.0 and earlier allows unauthenticated remote attackers to bypass access controls and read sensitive configuration data through incorrectly configured access control levels. The vulnerability has a CVSS score of 5.3 (medium) with low real-world exploitation risk (EPSS 0.02%, percentile 4%). No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass The Publisher Desk Ads Txt
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39697 MEDIUM This Month

Missing authorization in HBSS Technologies MAIO (AI GEO/SEO tool) WordPress plugin versions up to 6.2.8 allows unauthenticated remote attackers to modify data through incorrectly configured access control, resulting in integrity compromise without authentication requirements. The CVSS score of 5.3 reflects moderate risk with network-based attack vector and no user interaction needed, though EPSS exploitation probability remains very low at 0.02%.

Authentication Bypass Maio 8211 The New Ai Geo Seo Tool
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39694 MEDIUM This Month

Missing authorization in NSquared Simply Schedule Appointments WordPress plugin through version 1.6.10.2 allows unauthenticated remote attackers to read sensitive information by exploiting incorrectly configured access control security levels. The vulnerability has a CVSS score of 5.3 (low-moderate) and EPSS probability of 0.02%, placing it in the lower-risk percentile despite public awareness. No active exploitation has been confirmed, and SSVC decision data indicates the issue is automatable but non-critical due to partial technical impact.

Authentication Bypass Simply Schedule Appointments
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39691 MEDIUM This Month

AdAstraCrypto Cryptocurrency Donation Box plugin for WordPress versions up to 2.2.13 allows unauthenticated remote attackers to modify cryptocurrency donation settings due to missing authorization checks on access control endpoints. The vulnerability enables unauthorized changes to donation configuration without requiring authentication or user interaction, though it does not expose sensitive data or cause denial of service. With an EPSS score of 0.02% and no evidence of active exploitation, this represents a low-probability but direct authorization bypass in a niche plugin.

Authentication Bypass Cryptocurrency Donation Box Bitcoin Crypto Donations
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39690 MEDIUM This Month

Missing authorization in Paul Bearne Author Avatars List/Block plugin (versions up to 2.1.25) allows unauthenticated remote attackers to access sensitive information through incorrectly configured access control, resulting in partial disclosure of confidential data. The vulnerability has low exploitation probability (EPSS 0.02%) and no public exploit identified, but the automatable nature and broken access control classification warrant attention for WordPress installations using this plugin.

Authentication Bypass Author Avatars List Block
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39689 MEDIUM This Month

eShipper Commerce plugin versions up to 2.16.12 allow unauthenticated attackers to modify data through missing authorization checks on access control enforcement points. The vulnerability exposes WordPress sites running this e-commerce plugin to unauthorized state changes without requiring authentication, with a low EPSS exploitation probability (0.02% percentile 4%) suggesting limited real-world attack incentive despite the network-accessible attack vector.

Authentication Bypass Eshipper Commerce
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39688 MEDIUM This Month

Missing authorization in Glowlogix WP Frontend Profile plugin through version 1.3.9 allows unauthenticated remote attackers to bypass access controls and access restricted user profile information, resulting in limited information disclosure. The vulnerability stems from incorrectly configured access control security levels in the plugin's frontend profile functionality. While CVSS is rated 5.3 (medium) and EPSS probability is very low at 0.02%, CISA SSVC assessment indicates exploitation is automatable, elevating real-world risk for affected WordPress installations running this plugin.

Authentication Bypass Wp Frontend Profile
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39687 MEDIUM This Month

Rapid Car Check Vehicle Data WordPress plugin versions through 2.0 fails to properly enforce access controls on vehicle data endpoints, allowing unauthenticated remote attackers to modify or access vehicle records through misconfigured authorization checks. The CVSS score of 5.3 reflects limited direct impact (integrity only, no confidentiality or availability breach), but the zero-authentication requirement (PR:N/UI:N) combined with EPSS score of 0.02% and lack of evidence of active exploitation suggest this is a low-priority vulnerability despite network accessibility.

Authentication Bypass Rapid Car Check Vehicle Data
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39685 MEDIUM This Month

Missing authorization in The Moneytizer WordPress plugin through version 10.0.10 allows unauthenticated remote attackers to modify content via incorrectly configured access control, enabling unauthorized data integrity changes without requiring authentication or user interaction. While CVSS scores 5.3 (medium) and EPSS exploitation probability is minimal at 0.02%, the lack of authentication requirements and network accessibility make this a persistent authorization bypass affecting all installations of vulnerable versions.

Authentication Bypass The Moneytizer
NVD
CVSS 3.1
5.3
EPSS
0.0%
Prev Page 4 of 7 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy