Skip to main content
CVE-2026-4853 MEDIUM This Month

JetBackup plugin for WordPress versions up to 3.1.19.8 allows authenticated administrators to delete arbitrary directories via path traversal in the file upload handler. The vulnerability stems from insufficient input validation on the fileName parameter, which is sanitized using sanitize_text_field() but still permits path traversal sequences like '../'. When combined with the recursive directory deletion logic in the cleanup routine, attackers can traverse outside the intended upload directory and delete critical WordPress directories such as wp-content/plugins, completely disabling all plugins and severely disrupting the WordPress installation.

File Upload Path Traversal WordPress
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-3330 MEDIUM This Month

SQL injection in Form Maker by 10Web WordPress plugin (versions ≤1.15.40) allows authenticated administrators to extract sensitive database information via unsanitized parameters (ip_search, startdate, enddate, username_search, useremail_search) in the Submissions display function. The vulnerability stems from the validate_data() method stripping WordPress's magic quotes protection and get_labels_parameters() concatenating user input directly into SQL queries without prepared statements. A CSRF vector exists because the vulnerable display task lacks nonce verification, enabling attackers to trick administrators into triggering the injection via a crafted link. Exploitation requires Administrator-level privileges but can be chained with CSRF for unauthorized triggering.

WordPress SQLi CSRF
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-40301 MEDIUM PATCH This Month

DOMSanitizer before version 1.0.10 fails to sanitize CSS content within SVG <style> elements, allowing attackers to inject url() references and @import rules that trigger unauthorized HTTP requests to attacker-controlled hosts when the sanitized SVG is rendered in a browser. This affects PHP applications using the vulnerable library to sanitize user-supplied SVG content, enabling information disclosure through request metadata and potential CSRF attacks. The vulnerability requires user interaction (rendering the SVG) but affects all downstream users of the sanitized content due to scope change (C:L, S:C).

XSS PHP
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-6439 MEDIUM This Month

Stored Cross-Site Scripting in VideoZen WordPress plugin versions up to 1.0.1 allows authenticated administrators to inject arbitrary JavaScript into plugin settings that executes for all users accessing the settings page. The 'lang' POST parameter in the videozen_conf() function is stored without sanitization and output without escaping, enabling privilege-abusing admins to compromise any WordPress installation running the vulnerable plugin. No public exploit code or active exploitation has been identified at time of analysis.

XSS WordPress
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-6441 MEDIUM This Month

Authenticated attackers with subscriber-level WordPress access can bypass capability checks in the Canto plugin (versions up to 3.1.1) via unprotected AJAX endpoints to arbitrarily modify or delete critical plugin options controlling cron scheduling and disable scheduled update tasks. The vulnerability requires a logged-in user but accepts any authenticated account regardless of intended permissions, allowing privilege escalation of low-level accounts to perform administrative functions without authorization. No active exploitation confirmed; patch status not yet identified.

PHP Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-23777 MEDIUM PATCH This Month

Dell PowerProtect Data Domain (DD OS) versions 7.7.1.0-8.5, 8.3.1.0-8.3.1.20 (LTS2025), and 7.13.1.0-7.13.1.50 (LTS2024) leak sensitive information to low-privileged remote attackers. An authenticated user with minimal privileges can access confidential data without authorization, resulting in information disclosure with a CVSS score of 4.3. No active exploitation reported, but the low attack complexity and remote network vector make this a practical vulnerability for attackers within administrative networks.

Information Disclosure Dell
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-40305 MEDIUM PATCH This Month

DNN (DotNetNuke) Platform versions 6.0.0 through 10.2.1 allow authenticated users to bypass authorization controls in the friends feature and force acceptance of friend requests on behalf of other users, resulting in unauthorized relationship modifications. The vulnerability requires valid user credentials (PR:L) and affects the integrity of user social graphs without exposing sensitive data. No public exploit code or active exploitation has been confirmed; vendors have released patched version 10.2.2.

Authentication Bypass Microsoft
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6451 MEDIUM This Month

Cross-Site Request Forgery (CSRF) in the cms-fuer-motorrad-werkstaetten WordPress plugin version 1.0.0 and earlier allows unauthenticated attackers to delete arbitrary vehicles, contacts, suppliers, receipts, positions, catalog articles, stock items, and supplier catalogs by tricking logged-in users into clicking a malicious link. Eight AJAX handlers lack nonce validation and capability checks, enabling direct data destruction without authentication or authorization verification. User interaction is required (UI:R), limiting the attack to social engineering scenarios rather than direct network exploitation.

CSRF WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy