Skip to main content
CVE-2026-39628 MEDIUM This Month

Improper neutralization of script-related HTML tags in kutethemes DukaMarket WordPress theme version 1.3.0 and earlier allows unauthenticated remote attackers to inject malicious code via XSS, resulting in integrity compromise. The vulnerability has an EPSS score of 0.03% (percentile 8%), indicating very low real-world exploitation probability despite the moderate CVSS 5.3 rating. No evidence of active exploitation or public proof-of-concept code has been identified.

XSS Dukamarket
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39626 MEDIUM This Month

Improper neutralization of script-related HTML tags in the Armania WordPress theme (versions up to 1.4.8) allows unauthenticated remote attackers to inject arbitrary code through unvalidated input, resulting in stored XSS and arbitrary shortcode execution. The vulnerability has a low CVSS severity (5.3) with EPSS exploitation probability of 0.03% (8th percentile), but enables integrity compromise through code injection that persists in the application.

XSS Armania
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39625 MEDIUM This Month

Improper neutralization of script-related HTML tags in kutethemes TechOne WordPress theme versions up to 3.0.3 enables unauthenticated attackers to inject malicious code through basic cross-site scripting (XSS), resulting in limited information disclosure. The vulnerability has an exceptionally low EPSS score (0.03%, percentile 8%) despite the moderate CVSS rating, suggesting minimal real-world exploitation likelihood. No public exploit code or confirmed active exploitation has been identified at the time of analysis.

XSS Techone
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3477 MEDIUM This Month

PZ Frontend Manager plugin for WordPress versions up to 1.0.6 allows authenticated attackers with Subscriber-level access to delete arbitrary WordPress users, including administrators, due to missing authorization checks in the pzfm_user_request_action_callback() AJAX function. The vulnerable function lacks both capability verification and nonce validation when processing user deletion requests, enabling privilege escalation and account takeover attacks. CVSS score of 5.3 reflects the integrity impact; however, the true risk is elevated by the low privilege requirement (unauthenticated attackers can exploit this if they register a free Subscriber account) and the critical business impact of administrative account deletion.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39711 MEDIUM This Month

RT-Theme 18 Extensions WordPress plugin versions up to 2.5 exposes sensitive data through insertion of information into sent data, allowing unauthenticated remote attackers to retrieve embedded sensitive information with low attack complexity. The vulnerability affects the plugin's data transmission mechanisms and has an EPSS exploitation probability of 0.02%, indicating minimal real-world attack likelihood despite the moderate CVSS score.

Information Disclosure Rt Theme 18 Extensions
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39709 MEDIUM This Month

The Tribal WordPress plugin through version 1.3.4 exposes sensitive data in outbound network communications, allowing unauthenticated remote attackers to retrieve embedded sensitive information with low complexity. The vulnerability stems from improper handling of sensitive data before transmission, classified as CWE-201 (Insertion of Sensitive Information Into Sent Data). With an EPSS score of 0.02% and no confirmed active exploitation, this represents a low real-world priority despite the network-accessible attack vector, suggesting the exposure may require specific conditions or have limited practical exploitability.

Information Disclosure The Tribal
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39686 MEDIUM This Month

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in bannersky BSK PDF Manager bsk-pdf-manager allows Retrieve Embedded Sensitive Data.This issue affects BSK PDF Manager: from n/a through <= 3.7.2.

Information Disclosure Bsk Pdf Manager
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39586 MEDIUM This Month

RepairBuddy plugin for WordPress versions through 4.1132 exposes sensitive data in network transmissions due to improper handling of embedded information, allowing remote unauthenticated attackers to retrieve confidential details via passive observation of sent data. The vulnerability has a moderate CVSS score of 5.3 with low exploitability probability (0.02% EPSS), indicating real-world risk is minimal despite the information disclosure impact.

Information Disclosure Repairbuddy
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39571 MEDIUM This Month

Themefic Instantio WordPress plugin versions up to 3.3.30 expose sensitive system information to unauthenticated remote attackers via an unspecified mechanism that retrieves embedded sensitive data. The vulnerability has a CVSS score of 5.3 with no authentication required and low complexity, enabling confidentiality compromise without requiring user interaction. No public exploit code or active exploitation has been confirmed, and the EPSS score of 0.02% indicates minimal real-world exploitation probability despite the direct remote accessibility.

Information Disclosure Instantio
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39570 MEDIUM This Month

The AA Web Servant 12 Step Meeting List WordPress plugin through version 3.19.9 exposes sensitive information in sent data, allowing unauthenticated remote attackers to retrieve embedded sensitive data with low confidentiality impact. This information disclosure vulnerability has an EPSS score of 0.02% (5th percentile), indicating minimal real-world exploitation probability despite moderate CVSS scoring.

Information Disclosure 12 Step Meeting List
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39564 MEDIUM This Month

Sunshine Photo Cart WordPress plugin versions prior to 3.6.2 expose sensitive information through insertion into sent data, allowing remote unauthenticated attackers to retrieve embedded sensitive data with low attack complexity. The EPSS score of 0.02% (5th percentile) indicates minimal real-world exploitation probability despite the moderate CVSS 5.3 rating, suggesting this is a low-priority information disclosure with limited practical impact.

Information Disclosure Sunshine Photo Cart
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39542 MEDIUM This Month

Doofinder for WooCommerce through version 2.10.13 discloses sensitive information by inserting it into sent data, allowing remote unauthenticated attackers to retrieve embedded secrets with low attack complexity. The vulnerability affects all installations of the plugin and has been reported by Patchstack, with EPSS exploitation probability at 0.02% (low real-world risk), though no KEV status or public exploit code has been identified.

Information Disclosure WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39536 MEDIUM This Month

Information disclosure in WP Chill RSVP and Event Management plugin versions up to 2.7.16 exposes sensitive system data to unauthenticated remote attackers via unprotected endpoints. The vulnerability allows retrieval of embedded sensitive information without authentication or user interaction, affecting WordPress sites using the affected plugin versions. With EPSS scoring of 0.02% and no public exploit code identified, real-world exploitation risk is minimal despite the network-accessible attack vector.

Information Disclosure Rsvp And Event Management
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39516 MEDIUM This Month

Nexter Blocks WordPress plugin versions through 4.7.0 expose sensitive system information to unauthenticated remote attackers via an information disclosure vulnerability, allowing retrieval of embedded sensitive data without authentication or user interaction. The CVSS score of 5.3 reflects moderate confidentiality impact with low attack complexity, though the EPSS score of 0.02% (5th percentile) indicates minimal real-world exploitation probability at time of analysis.

Information Disclosure Nexter Blocks
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39473 MEDIUM This Month

Simple History WordPress plugin versions 5.24.0 and earlier expose sensitive information through embedded data in sent communications, allowing remote unauthenticated attackers to retrieve confidential details with low attack complexity. The vulnerability stems from improper handling of sensitive data in network transmissions and affects all installations of the plugin up to the stated version. EPSS score of 0.02% indicates minimal real-world exploitation likelihood despite the information disclosure nature.

Information Disclosure Simple History
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39716 MEDIUM This Month

CKThemes Flipmart theme through version 2.8 contains a missing authorization vulnerability enabling unauthenticated remote attackers to bypass access control restrictions and gain limited read access to sensitive information. The vulnerability stems from incorrectly configured access control security levels that fail to properly validate user permissions before exposing restricted functionality. While the CVSS score of 5.3 reflects moderate severity, the EPSS score of 0.02% and SSVC assessment indicating no known exploitation suggest this is a lower-priority issue in practice, though the automatable nature of exploitation makes it a candidate for proactive remediation in shared hosting environments.

Authentication Bypass Flipmart
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39715 MEDIUM This Month

Missing authorization in AnyTrack Affiliate Link Manager plugin versions up to 1.5.5 allows unauthenticated remote attackers to modify affiliate link configurations through incorrectly configured access control, affecting data integrity with low exploitation probability despite network-accessible attack surface.

Authentication Bypass Anytrack Affiliate Link Manager
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39714 MEDIUM This Month

G5Plus April WordPress theme versions up to 6.8 contain a missing authorization vulnerability allowing unauthenticated remote attackers to access resources with restricted access control levels, resulting in limited information disclosure. The vulnerability affects the theme's broken access control mechanism and has a low exploitation probability (EPSS 0.02%, percentile 4%) with no public exploit identified at time of analysis, though CISA SSVC assessment indicates partial technical impact from non-automatable exploitation.

Authentication Bypass G5Plus April
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39713 MEDIUM This Month

Mailercloud - Integrate Webforms and Synchronize Website Contacts plugin versions up to 1.0.7 for WordPress suffers from missing authorization checks that allow unauthenticated remote attackers to modify data via incorrectly configured access control. The vulnerability (CWE-862) permits unauthorized modification of plugin functionality without proper privilege validation, affecting any WordPress installation running the vulnerable plugin version. Although EPSS probability is low (0.02%) and no active exploitation is confirmed, the remote unauthenticated attack vector and impact on data integrity warrant timely patching.

Authentication Bypass Mailercloud 8211 Integrate Webforms And Synchronize Website Contacts
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39707 MEDIUM This Month

Missing authorization in ZealousWeb's Accept PayPal Payments using Contact Form 7 plugin (versions up to 4.0.4) allows unauthenticated remote attackers to modify payment-related data through incorrectly configured access controls. The vulnerability exposes WordPress sites using this plugin to unauthorized alterations of sensitive payment information without requiring user authentication, though the EPSS score of 0.02% (4th percentile) indicates low real-world exploitation probability despite network accessibility.

Authentication Bypass Accept Paypal Payments Using Contact Form 7
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39706 MEDIUM This Month

Netro Systems Make My Trivia plugin through version 1.1.0 fails to properly enforce access controls, allowing unauthenticated remote attackers to read sensitive information by exploiting incorrectly configured security levels. This missing authorization vulnerability (CWE-862) has a CVSS base score of 5.3 with low real-world exploitation risk (EPSS 0.02%, CISA SSVC exploitation status 'none') despite being automatable, suggesting the flaw requires specific misconfiguration to be exploitable in practice.

Authentication Bypass Make My Trivia
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39705 MEDIUM This Month

Missing authorization in Mulika Team MIPL WC Multisite Sync WordPress plugin versions 1.4.4 and earlier allows unauthenticated remote attackers to modify plugin data through incorrectly configured access control mechanisms. The vulnerability affects all versions from initial release through 1.4.4, with an EPSS score of 0.02% indicating minimal real-world exploitation likelihood despite the moderate CVSS score of 5.3. No active exploitation or public proof-of-concept has been identified at time of analysis.

Authentication Bypass Mipl Wc Multisite Sync
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39704 MEDIUM This Month

Missing authorization in nfusionsolutions Precious Metals Automated Product Pricing Pro plugin (versions <= 4.0.5) allows unauthenticated remote attackers to access sensitive information through incorrectly configured access controls. The vulnerability affects WordPress installations using this e-commerce plugin and enables information disclosure with low CVSS severity (5.3), though exploitation requires no authentication and is automatable according to CISA SSVC assessment. No public exploit code or active exploitation has been confirmed.

Authentication Bypass Precious Metals Automated Product Pricing 8211 Pro
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39701 MEDIUM This Month

Missing authorization in ShopWP WordPress plugin versions up to 5.2.4 allows unauthenticated remote attackers to modify data through incorrectly configured access controls. The vulnerability exposes functionality that should be restricted to authorized users but lacks proper permission validation, enabling attackers to perform unauthorized actions over the network without authentication. EPSS score of 0.02% (4th percentile) indicates low exploitation probability despite the network-accessible attack vector.

Authentication Bypass Shopwp
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39700 MEDIUM This Month

Missing authorization in WPXPO WowOptin plugin through version 1.4.32 allows unauthenticated remote attackers to read sensitive information by exploiting incorrectly configured access control on plugin endpoints. The vulnerability carries a low CVSS score (5.3) and extremely low EPSS exploitation probability (0.02%, percentile 4%), indicating limited real-world attack incentive despite network-accessible exposure. No public exploit code or active exploitation has been confirmed.

Authentication Bypass Wowoptin
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39699 MEDIUM This Month

Missing authorization in massiveshift AI Workflow Automation plugin (versions up to 1.4.2) allows unauthenticated remote attackers to modify data through incorrectly configured access control security levels, affecting the WordPress plugin ai-workflow-automation-lite. The vulnerability has a low EPSS score (0.02%, 4th percentile) despite CVSS 5.3, suggesting limited real-world exploitation likelihood despite network accessibility.

Authentication Bypass Ai Workflow Automation
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39698 MEDIUM This Month

Missing authorization in The Publisher Desk ads.txt WordPress plugin versions 1.5.0 and earlier allows unauthenticated remote attackers to bypass access controls and read sensitive configuration data through incorrectly configured access control levels. The vulnerability has a CVSS score of 5.3 (medium) with low real-world exploitation risk (EPSS 0.02%, percentile 4%). No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass The Publisher Desk Ads Txt
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39697 MEDIUM This Month

Missing authorization in HBSS Technologies MAIO (AI GEO/SEO tool) WordPress plugin versions up to 6.2.8 allows unauthenticated remote attackers to modify data through incorrectly configured access control, resulting in integrity compromise without authentication requirements. The CVSS score of 5.3 reflects moderate risk with network-based attack vector and no user interaction needed, though EPSS exploitation probability remains very low at 0.02%.

Authentication Bypass Maio 8211 The New Ai Geo Seo Tool
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39694 MEDIUM This Month

Missing authorization in NSquared Simply Schedule Appointments WordPress plugin through version 1.6.10.2 allows unauthenticated remote attackers to read sensitive information by exploiting incorrectly configured access control security levels. The vulnerability has a CVSS score of 5.3 (low-moderate) and EPSS probability of 0.02%, placing it in the lower-risk percentile despite public awareness. No active exploitation has been confirmed, and SSVC decision data indicates the issue is automatable but non-critical due to partial technical impact.

Authentication Bypass Simply Schedule Appointments
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39691 MEDIUM This Month

AdAstraCrypto Cryptocurrency Donation Box plugin for WordPress versions up to 2.2.13 allows unauthenticated remote attackers to modify cryptocurrency donation settings due to missing authorization checks on access control endpoints. The vulnerability enables unauthorized changes to donation configuration without requiring authentication or user interaction, though it does not expose sensitive data or cause denial of service. With an EPSS score of 0.02% and no evidence of active exploitation, this represents a low-probability but direct authorization bypass in a niche plugin.

Authentication Bypass Cryptocurrency Donation Box Bitcoin Crypto Donations
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39690 MEDIUM This Month

Missing authorization in Paul Bearne Author Avatars List/Block plugin (versions up to 2.1.25) allows unauthenticated remote attackers to access sensitive information through incorrectly configured access control, resulting in partial disclosure of confidential data. The vulnerability has low exploitation probability (EPSS 0.02%) and no public exploit identified, but the automatable nature and broken access control classification warrant attention for WordPress installations using this plugin.

Authentication Bypass Author Avatars List Block
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39689 MEDIUM This Month

eShipper Commerce plugin versions up to 2.16.12 allow unauthenticated attackers to modify data through missing authorization checks on access control enforcement points. The vulnerability exposes WordPress sites running this e-commerce plugin to unauthorized state changes without requiring authentication, with a low EPSS exploitation probability (0.02% percentile 4%) suggesting limited real-world attack incentive despite the network-accessible attack vector.

Authentication Bypass Eshipper Commerce
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39688 MEDIUM This Month

Missing authorization in Glowlogix WP Frontend Profile plugin through version 1.3.9 allows unauthenticated remote attackers to bypass access controls and access restricted user profile information, resulting in limited information disclosure. The vulnerability stems from incorrectly configured access control security levels in the plugin's frontend profile functionality. While CVSS is rated 5.3 (medium) and EPSS probability is very low at 0.02%, CISA SSVC assessment indicates exploitation is automatable, elevating real-world risk for affected WordPress installations running this plugin.

Authentication Bypass Wp Frontend Profile
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39687 MEDIUM This Month

Rapid Car Check Vehicle Data WordPress plugin versions through 2.0 fails to properly enforce access controls on vehicle data endpoints, allowing unauthenticated remote attackers to modify or access vehicle records through misconfigured authorization checks. The CVSS score of 5.3 reflects limited direct impact (integrity only, no confidentiality or availability breach), but the zero-authentication requirement (PR:N/UI:N) combined with EPSS score of 0.02% and lack of evidence of active exploitation suggest this is a low-priority vulnerability despite network accessibility.

Authentication Bypass Rapid Car Check Vehicle Data
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39685 MEDIUM This Month

Missing authorization in The Moneytizer WordPress plugin through version 10.0.10 allows unauthenticated remote attackers to modify content via incorrectly configured access control, enabling unauthorized data integrity changes without requiring authentication or user interaction. While CVSS scores 5.3 (medium) and EPSS exploitation probability is minimal at 0.02%, the lack of authentication requirements and network accessibility make this a persistent authorization bypass affecting all installations of vulnerable versions.

Authentication Bypass The Moneytizer
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39682 MEDIUM This Month

Unauthenticated remote attackers can access sensitive information in linkPizza-Manager WordPress plugin through incorrectly configured access controls that fail to enforce proper authorization checks. The vulnerability affects linkPizza-Manager versions up to 5.5.5 and allows an unauthenticated attacker to obtain partial confidentiality impact with no modification or availability impact. No public exploit code has been identified at time of analysis.

Authentication Bypass Linkpizza Manager
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39680 MEDIUM This Month

Missing authorization in MWP Development Diet Calorie Calculator plugin through version 1.1.1 allows unauthenticated remote attackers to gain unauthorized read access to sensitive data via improperly configured access control. The vulnerability affects all versions from inception through 1.1.1, with a network attack vector and minimal complexity. Although the CVSS base score is 5.3 (moderate), real-world risk is substantially lower: EPSS exploitation probability is only 0.02% (fourth percentile), no public exploit code or active exploitation has been identified, and the vulnerability is limited to information disclosure without integrity or availability impact.

Authentication Bypass Diet Calorie Calculator
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39678 MEDIUM This Month

Unauthenticated remote attackers can bypass access control in DOTonPAPER Pinpoint Booking System versions up to 2.9.9.6.5 to view sensitive booking data due to missing authorization checks on API endpoints. The vulnerability allows information disclosure with low confidentiality impact, and while CVSS rates it 5.3 (medium), the 0.02% EPSS score indicates minimal real-world exploitation probability despite the straightforward network-based attack vector.

Authentication Bypass Pinpoint Booking System
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39676 MEDIUM This Month

Remote unauthenticated attackers can bypass access controls in Shahjada Download Manager through version 3.3.52, gaining unauthorized read access to restricted download content due to missing authorization checks. The vulnerability affects all versions up to and including 3.3.52, with an EPSS exploitation probability of 0.02% (4th percentile) indicating minimal real-world risk despite the network-accessible attack vector. No public exploit code or active exploitation has been confirmed.

Authentication Bypass Download Manager
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39675 MEDIUM This Month

Webmuehle Court Reservation WordPress plugin versions up to 1.10.11 fail to properly validate user permissions, allowing unauthenticated remote attackers to modify court reservation data through incorrectly configured access control checks. The vulnerability enables integrity attacks against the reservation system despite missing confidentiality and availability impact. With EPSS score of 0.02% and no KEV confirmation, real-world exploitation risk is minimal, though the authentication bypass vector presents a foundational security gap.

Authentication Bypass Court Reservation
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39673 MEDIUM This Month

Missing authorization in iZooto web push plugin versions 3.7.20 and earlier allows unauthenticated remote attackers to modify data through incorrectly configured access control, compromised integrity without requiring authentication or user interaction. CVSS 5.3 reflects the integrity impact; EPSS 0.02% indicates extremely low real-world exploitation probability despite the straightforward attack vector (AV:N, AC:L, PR:N).

Authentication Bypass Izooto
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39672 MEDIUM This Month

Missing authorization in ShipTime: Discounted Shipping Rates WordPress plugin (versions ≤1.1.1) allows unauthenticated remote attackers to access sensitive shipping rate information and configuration via incorrectly configured access control, resulting in limited confidentiality compromise. CVSS 5.3 with 0.02% EPSS indicates low real-world exploitation probability despite network-accessible attack vector. CISA SSVC framework rates this as non-exploited with partial technical impact, suggesting this is a configuration weakness rather than an actively weaponized vulnerability.

Authentication Bypass Shiptime
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39669 MEDIUM This Month

NitroPack WordPress plugin through version 1.19.3 allows remote unauthenticated attackers to modify plugin settings via incorrectly configured access control checks, enabling unauthorized changes to website optimization and caching configurations. The vulnerability requires only network access and no user interaction, affecting default installations. Despite the CVSS 5.3 score indicating integrity impact, real-world exploitation risk is extremely low (EPSS 0.02%, 4th percentile), suggesting limited practical exploitability or narrow attack scope in production environments.

Authentication Bypass Nitropack
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39668 MEDIUM This Month

Book Previewer for WooCommerce plugin versions up to 1.0.6 fail to enforce authorization checks on sensitive functionality, allowing unauthenticated remote attackers to access restricted content with low-complexity exploitation. The vulnerability stems from missing access control validation, enabling attackers to bypass intended security boundaries without user interaction. While CVSS rates this as moderate (5.3), EPSS exploitation probability remains minimal at 0.02% percentile, and no public exploit code or active exploitation has been confirmed.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39664 MEDIUM This Month

Leadrebel plugin version 1.0.2 and earlier allows unauthenticated remote attackers to access sensitive information through incorrectly configured access control, exposing confidential data without authorization. The vulnerability stems from missing authorization checks on functionality that should be restricted, enabling attackers to bypass authentication mechanisms and retrieve non-public information. While the CVSS score is moderate (5.3) and real-world exploitation probability is low (EPSS 0.02%), the issue represents a fundamental authentication bypass in access control logic.

Authentication Bypass Leadrebel
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39663 MEDIUM This Month

TrueBooker appointment booking plugin through version 1.1.5 fails to enforce proper authorization controls, allowing unauthenticated remote attackers to modify sensitive data via incorrectly configured access control mechanisms. The vulnerability has a low CVSS score (5.3) reflecting limited direct impact, but represents a critical authentication bypass in a widely deployed WordPress plugin affecting booking system integrity.

Authentication Bypass Truebooker
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39662 MEDIUM This Month

Missing authorization in ProWCPlugins Product Price by Formula for WooCommerce plugin (versions up to 2.5.6) allows unauthenticated remote attackers to read sensitive configuration data through incorrectly configured access control. The vulnerability exposes limited information confidentiality without enabling modification or denial of service, and carries a low real-world exploitation probability (EPSS 0.02%) despite a moderate CVSS score.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39660 MEDIUM This Month

Missing authorization in Automattic WP Job Manager through version 2.4.1 allows unauthenticated remote attackers to modify plugin data through incorrectly configured access control, enabling unauthorized changes to job listings and related content without proper privilege validation. The vulnerability has a low real-world exploitation probability (EPSS 0.02%) despite the network-accessible attack vector, suggesting limited practical exploitability in typical WordPress deployments.

Authentication Bypass Wp Job Manager
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39659 MEDIUM This Month

Missing authorization in Ultimate Member WordPress plugin versions up to 2.11.3 allows unauthenticated remote attackers to bypass access controls and read sensitive information due to incorrectly configured security levels. The vulnerability has a low CVSS score (5.3) with minimal real-world exploitation risk (EPSS 0.02%), though it enables confidentiality impact through access control circumvention.

Authentication Bypass Ultimate Member
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-39658 MEDIUM This Month

Missing authorization in Coding Panda Panda Pods Repeater Field WordPress plugin versions up to 1.5.12 allows unauthenticated remote attackers to modify data via incorrectly configured access control, affecting confidentiality and integrity of plugin-managed content without requiring user interaction or elevated privileges.

Authentication Bypass Panda Pods Repeater Field
NVD
CVSS 3.1
5.3
EPSS
0.0%
Prev Page 8 of 10 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy