Skip to main content
CVE-2026-2052 HIGH This Week

Remote code execution in Widget Options plugin for WordPress (all versions ≤4.2.2) allows authenticated Contributor-level users to execute arbitrary PHP code on the server by bypassing input validation in the Display Logic feature. The plugin's unsafe use of eval() on user-controlled expressions, combined with insufficient authorization checks on the extended_widget_opts_block attribute, enables attackers to chain array_map with string concatenation to bypass blocklists. Version 4.2.0 included a partial patch, indicating the vulnerability remains exploitable in current versions. No CISA KEV listing or public POC identified at time of analysis, but EPSS data not provided for risk calibration.

RCE WordPress Code Injection
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-7641 HIGH This Week

Authenticated privilege escalation in 'Import and export users and customers' WordPress plugin versions up to 2.0.8 allows Subscriber-level users to elevate privileges to Administrator on any subsite within a WordPress Multisite network. The vulnerability stems from an incomplete blocklist in save_extra_user_profile_fields() that restricts primary site capability meta keys (wp_capabilities) but fails to block multisite-prefixed equivalents (wp_2_capabilities, wp_3_capabilities, etc.). Exploitation requires that an administrator has previously imported a CSV with multisite-prefixed capability headers and enabled the 'Show fields in profile?' option. Patch released in changeset 3515646 per WordPress plugin repository. No EPSS or KEV data available, indicating no widespread exploitation detected at time of analysis.

Privilege Escalation WordPress PHP
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-6963 HIGH This Week

Missing capability check in WP Mail Gateway plugin for WordPress (versions ≤1.8) allows authenticated attackers with Subscriber-level privileges to modify SMTP settings via the wmg_save_provider_config AJAX action, enabling mail redirection. Attackers exploit this by redirecting password reset emails to attacker-controlled servers, then using intercepted credentials to escalate privileges to Administrator. CVSS 8.8 (High) reflects the severe impact despite requiring initial low-level authentication. No active exploitation confirmed via CISA KEV, but Wordfence reporting indicates discovery by security researchers and likely inclusion in their threat intelligence feeds.

Authentication Bypass WordPress Privilege Escalation
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-7489 HIGH This Week

SQL injection in Sunnet CTMS allows authenticated remote attackers with low privileges to execute arbitrary SQL commands over the network. The vulnerability enables complete compromise of database integrity - reading sensitive data, modifying records, and deleting information. Taiwan CERT (TWCERT) published advisories documenting this vulnerability, indicating coordinated disclosure. EPSS and KEV data not available; exploitation status unknown beyond vendor notification.

SQLi Ctms
NVD VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-7607 HIGH PATCH Monitor

Remote authenticated attackers can execute arbitrary code on TRENDnet TEW-821DAP v1.xR hardware running firmware 1.12B01 by exploiting a buffer overflow in the auto_update_firmware function during firmware update operations. The vulnerable product was end-of-lifed 8 years ago and is no longer supported by TRENDnet, making patching practically impossible for remaining deployed devices. With CVSS 8.7 (AV:N/AC:L/PR:L), this represents a critical risk for legacy installations, though real-world impact is limited by the obsolete product lifecycle and requirement for authenticated access to the firmware update interface.

Buffer Overflow Tew 821Dap
NVD VulDB GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-7490 HIGH This Week

Arbitrary file upload in Sunnet CTMS and CPAS allows authenticated remote attackers with high privileges to upload and execute web shell backdoors, achieving full server compromise. The vulnerability enables complete control over affected systems via malicious file execution, with critical impact to confidentiality, integrity, and availability. Despite requiring high-privilege access (PR:H), the network-accessible attack vector and low complexity (AV:N/AC:L) make this exploitable by any authenticated administrator or privileged user, representing significant risk in environments where such credentials are compromised or where insider threats exist.

File Upload RCE Ctms Cpas
NVD VulDB
CVSS 4.0
8.6
EPSS
0.2%
CVE-2026-7491 HIGH PATCH This Week

Insecure Direct Object Reference in Zyosoft School App allows authenticated remote attackers to escalate privileges horizontally by manipulating object identifiers in API requests, enabling unauthorized read and write access to other users' personal data including student records, grades, and account information. The vulnerability requires only low-level authentication (PR:L) with no user interaction and poses high confidentiality and integrity risk to multi-tenant educational data. EPSS and KEV data not available; exploitation complexity is low (AC:L) making this accessible to moderately skilled attackers once credentials are obtained.

Authentication Bypass School App
NVD VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-2554 HIGH This Week

Authenticated vendors with low-level privileges can delete arbitrary WordPress users, including site administrators, via Insecure Direct Object Reference in WCFM - Frontend Manager for WooCommerce plugin versions up to 6.7.25. The vulnerability resides in the 'wcfm_delete_wcfm_customer' function which fails to validate user-controlled 'customerid' parameters, allowing privilege escalation through unauthorized user deletion. Patch available in version 6.7.26 per Trac changeset 3483695. No public exploit code or active exploitation confirmed at time of analysis, though CVSS 8.1 (High) reflects significant real-world impact if exploited by malicious vendors on WooCommerce marketplaces.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-7647 HIGH This Week

Unauthenticated PHP object injection in Profile Builder Pro for WordPress allows remote attackers to execute arbitrary code by deserializing malicious objects through an unprotected AJAX endpoint. The vulnerability affects all versions through 3.14.5 and stems from unsafe deserialization of attacker-controlled POST data in the wppb_request_users_pins_action_callback() handler, which was registered for both authenticated and unauthenticated users without nonce verification. With CVSS 8.1 and AC:H complexity, exploitation requires chaining with a POP gadget chain, though EPSS data and KEV status are not available to confirm active exploitation.

PHP WordPress Deserialization
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-43824 HIGH PATCH This Week

Authenticated users with low privileges can read cleartext Kubernetes Secret data through Argo CD's ServerSideDiff feature in versions 3.2.0-3.2.10 and 3.3.0-3.3.8. This scope-changing vulnerability (CVSS:3.1 S:C) allows attackers to access sensitive credential data managed by Kubernetes, including database passwords, API tokens, and certificates, by exploiting the server-side diff functionality. With a 7.7 CVSS score and low attack complexity (AC:L), this represents a significant confidentiality breach requiring only network access and basic authentication-no public exploit identified at time of analysis, but the technical barrier to exploitation is minimal.

Information Disclosure Kubernetes Argo Cd
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-6320 HIGH This Week

Arbitrary file read in Salon Booking System plugin for WordPress (versions ≤10.30.25) allows unauthenticated remote attackers to exfiltrate sensitive local files by injecting malicious file paths into booking form fields, which are then attached to confirmation emails sent by the system. Wordfence identified this path traversal vulnerability (CWE-22) with a CVSS score of 7.5, exploitable without authentication or user interaction. The vulnerability is confirmed patched in version 10.30.26 via changeset 3512110, though no CISA KEV listing or public exploit code has been identified at time of analysis.

Path Traversal WordPress
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-7649 HIGH This Week

Time-based blind SQL injection in ARMember WordPress plugin versions up to 4.0.60 allows unauthenticated remote attackers to extract sensitive database information via the 'orderby' parameter. The vulnerability stems from insufficient input sanitization in the members directory and shortcode handling classes, enabling attackers to append malicious SQL queries without authentication (CVSS 7.5, AV:N/AC:L/PR:N/UI:N). EPSS data and active exploitation status not available at time of analysis, but the lack of authentication requirements and low attack complexity make this a high-priority remediation target for WordPress sites using ARMember for membership management or content restriction.

WordPress SQLi
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-4061 HIGH This Week

Time-based blind SQL injection in Geo Mashup WordPress plugin allows unauthenticated remote attackers to extract database contents when Geo Search is enabled. The vulnerability stems from explicit removal of WordPress's built-in magic quotes protection via stripslashes_deep($_POST), combined with failure to sanitize the map_post_type parameter before SQL concatenation in an IN() clause. EPSS data not provided. No CISA KEV listing indicates this is not yet confirmed as actively exploited. Public exploit code status unknown, though detailed code references in Wordfence advisory provide clear exploitation path. Patch released in changeset 3503627.

WordPress SQLi
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-4062 HIGH This Week

Time-based SQL injection in Geo Mashup WordPress plugin versions ≤1.13.18 allows unauthenticated remote attackers to extract sensitive database information. The vulnerability stems from ineffective sanitization in the 'object_ids' and 'exclude_object_ids' parameters-while esc_sql() is applied, it provides no protection in unquoted IN() contexts where attackers can inject parentheses and SQL keywords. The numeric sanitizer exists but only applies to AJAX paths, leaving render-map.php and template tag paths vulnerable. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, but Wordfence Threat Intelligence disclosure increases likelihood of weaponization.

PHP WordPress SQLi
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-4060 HIGH This Week

Time-based SQL injection in WordPress Geo Mashup plugin ≤1.13.18 allows unauthenticated remote attackers to extract sensitive database information. The 'sort' parameter in multiple code paths (render-map.php, template tags) lacks proper sanitization despite esc_sql() application, which is ineffective in ORDER BY contexts without quote encapsulation. Version 1.13.18 added allowlist-based sanitization but only protected the AJAX endpoint, leaving other attack vectors exploitable. EPSS and KEV data not available; vulnerability disclosed by Wordfence with public source code references confirming the flaw.

PHP WordPress SQLi
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-5324 HIGH This Week

Unauthenticated attackers can inject stored cross-site scripting payloads into Brizy Page Builder for WordPress (versions ≤2.8.11) via form submission FileUpload fields, which execute when administrators view the form Leads page. The vulnerability chains three implementation flaws: missing nonce verification for anonymous form submissions, inadequate sanitization of FileUpload field values when no file is attached, and reversal of HTML entity encoding via html_entity_decode() before unescaped output in admin views. Publicly available exploit code exists. EPSS data not provided, but the CVSS 7.2 (High) with scope change reflects the privilege escalation from unauthenticated user to admin-context execution. Patch released in version 2.8.12 per WordPress plugin repository changeset 3502206.

PHP WordPress XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-7049 HIGH This Week

Server-Side Request Forgery in PixelYourSite Pro WordPress plugin allows unauthenticated remote attackers to force the web application to make arbitrary HTTP requests to internal or external resources through the vulnerable scan_video function. The vulnerability affects all versions up to 12.5.0.1 and features a Changed scope (CVSS S:C), enabling attackers to probe internal network infrastructure, access cloud metadata services, and potentially modify data in internal systems that trust requests from the WordPress server. The blind SSRF nature means attackers receive no direct response but can infer results through timing attacks or side-channel observation. EPSS data not available; no public exploit code identified at time of analysis.

SSRF WordPress
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-6229 HIGH This Week

Server-Side Request Forgery (SSRF) in Royal Elementor Addons plugin for WordPress allows authenticated attackers with Contributor-level permissions to bypass URL validation by including 'docs.google.com/spreadsheets' in query parameters, enabling requests to arbitrary internal URLs and retrieval of sensitive data from private network services. Affects versions up to 1.7.1057. The CVSS vector indicates network-based attack with no authentication required (PR:N), contradicting the description's statement of Contributor-level requirement-affected site operators should verify actual privilege requirements with vendor advisory. No active exploitation confirmed (not in CISA KEV), but detailed source code references enable rapid POC development.

SSRF Google WordPress Elementor
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-5110 HIGH This Week

Stored cross-site scripting (XSS) in Gravity Forms WordPress plugin versions ≤2.10.0 allows remote unauthenticated attackers to inject malicious JavaScript that executes when administrators view form entries. The vulnerability exploits a validation bypass in nested SingleProduct fields within Repeater fields, where product name tampering is not validated. When admins access compromised entries via wp-admin, the unsanitized payload executes in their browser session. CVSS 7.2 (AV:N/AC:L/PR:N/UI:N) indicates network-accessible exploitation without authentication or user interaction during payload delivery, though the attack requires subsequent admin interaction (viewing the entry) for payload execution. No active exploitation confirmed in CISA KEV at time of analysis.

PHP WordPress XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-5111 HIGH This Week

Stored Cross-Site Scripting in Gravity Forms plugin for WordPress through version 2.10.0 allows unauthenticated remote attackers to inject malicious scripts via Hidden Product fields nested in Repeater fields. The vulnerability executes when WordPress administrators view submitted form entries. Attack succeeds because repeater subfields bypass validation, and the Hidden Product field's validate() method checks only quantity while ignoring the product name field, which renders unescaped in entry details. CVSS 7.2 with changed scope indicates potential cross-user impact. EPSS and KEV data not provided; exploitation requires no authentication or user interaction (AV:N/PR:N/UI:N), making this exploitable against any public-facing Gravity Forms installation accepting submissions.

WordPress XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-5109 HIGH This Week

Stored XSS in Gravity Forms for WordPress ≤2.10.0 allows unauthenticated remote attackers to inject malicious JavaScript through Product Option field values that execute when administrators view entry details. The flaw exploits a sanitization bypass: the plugin's state validation accepts values matching wp_kses()-cleaned legitimate options but stores the raw unsanitized input, which is then rendered without escaping in the Order Summary view (view-order-summary.php:32). EPSS data not available; no public exploit identified at time of analysis. Vendor patch status requires verification via changelog.

PHP WordPress XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-5112 HIGH This Week

Stored Cross-Site Scripting in Gravity Forms for WordPress up to 2.10.0 enables unauthenticated attackers to inject malicious scripts through form submissions containing crafted Calculation Product field names within Repeater fields. When administrators view entry details in wp-admin, the unescaped product names execute arbitrary JavaScript in the admin context. CVSS 7.2 (AV:N/AC:L/PR:N/UI:N/S:C) indicates network-accessible exploitation without authentication, though actual impact requires admin interaction. EPSS and KEV data not provided; no public exploit code confirmed at time of analysis. Wordfence reported this vulnerability affecting the Calculation Product field validation and rendering chain.

WordPress XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-5113 HIGH This Week

Stored Cross-Site Scripting in Gravity Forms plugin for WordPress allows unauthenticated remote attackers to inject malicious JavaScript into form entries that executes when administrators view the Entries List page. The vulnerability exploits a flawed dual-hash state validation mechanism that fails to prevent sanitized-then-restored XSS payloads in Consent field hidden inputs. Gravity Forms versions up to 2.10.0 are affected. EPSS data not available; no CISA KEV listing or public POC identified at time of analysis, but Wordfence threat intelligence disclosure indicates vendor awareness and patching activity.

WordPress XSS
NVD VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-4100 HIGH This Week

Authenticated attackers with Subscriber-level access can disrupt all Stripe payment processing in Paid Memberships Pro for WordPress versions up to 3.6.5 by deleting, creating, or rebuilding webhook configurations. Missing capability checks on three AJAX handlers (pmpro_stripe_create_webhook, pmpro_stripe_delete_webhook, pmpro_stripe_rebuild_webhook) allow low-privilege users to break subscription renewals, cancellation handling, and failed payment management for the entire site. Patch available in PR #3615 implementing proper authorization checks requiring manage_options or pmpro_paymentsettings capabilities plus nonce validation. EPSS data not provided; no CISA KEV listing indicates no confirmed active exploitation at time of analysis.

Authentication Bypass WordPress
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy