Skip to main content
CVE-2025-14726 MEDIUM POC This Month

Unauthenticated attackers can access and modify plugin settings in the Widgets for Social Photo Feed WordPress plugin through missing capability checks on two REST API endpoints, allowing unauthorized data access and configuration changes in all versions up to and including 1.8. The vulnerability requires only network access with no user interaction, making it trivially exploitable by remote attackers without authentication credentials.

Authentication Bypass WordPress Information Disclosure
NVD VulDB GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-7633 MEDIUM POC This Month

External file inclusion in Totolink N300RH firmware 6.1c.1353_B20190305 allows remote unauthenticated attackers to manipulate the FileName parameter in the setUploadSetting function via /cgi-bin/cstecgi.cgi, enabling arbitrary file writes and denial of service. Publicly available exploit code exists, and the vulnerability carries a CVSS score of 6.5 reflecting network-accessible attack vector with low complexity.

Information Disclosure N300Rh
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-7630 MEDIUM POC PATCH This Month

InnoShop e-commerce platform versions up to 0.7.8 allow unauthenticated remote attackers to bypass authentication controls in the installation endpoint via improper authentication handling in InstallServiceProvider::boot. The vulnerability permits unauthorized access to installation functionality even after initial setup is complete, enabling attackers to achieve partial confidentiality, integrity, and availability impact. Publicly available exploit code exists (GitHub issue #314), and vendor has released patch commit 45758e4ec22451ab944ae2ae826b1e70f6450dc9.

Authentication Bypass PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-7645 MEDIUM POC This Month

Path traversal in the MCP Interface export_state function of ruvnet sublinear-time-solver 1.5.0 allows remote unauthenticated attackers to manipulate file paths, resulting in information disclosure and integrity compromise. Public exploit code is available and the vulnerability has CVSS 6.5 (medium severity) with proof-of-concept publicly disclosed, though the vendor has not yet responded to early notification.

Path Traversal Sublinear Time Solver
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-7668 MEDIUM POC This Month

Out-of-bounds read in MikroTik RouterOS 6.49.8 SCEP endpoint allows remote unauthenticated attackers to trigger memory disclosure and potential service disruption via malformed transactionID or messageType parameters. Public exploit code exists on GitHub. CVSS 7.3 reflects network-accessible attack surface with low complexity, though impact is rated limited across confidentiality, integrity, and availability. Vendor non-responsive to coordinated disclosure attempts.

Information Disclosure Buffer Overflow Mikrotik
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7632 MEDIUM POC This Month

SQL injection in code-projects Online Hospital Management System 1.0 allows remote unauthenticated attackers to manipulate the delid parameter in /viewappointment.php, enabling database queries with limited confidentiality and integrity impact. The vulnerability is publicly disclosed with available exploit code and poses a network-accessible risk to unpatched deployments.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7670 MEDIUM POC This Month

SQL injection in Jinher OA 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the DeptIDList parameter in UserSel.aspx. The vulnerability permits unauthorized database access with potential for data exfiltration, modification, and limited system compromise. Public exploit code exists on GitHub (zzlln/cvecve), significantly lowering the barrier to exploitation. Vendor did not respond to disclosure, leaving patch status unknown.

SQLi Oa
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6457 MEDIUM This Month

Time-based blind SQL injection in Geo Mashup WordPress plugin versions up to 1.13.19 allows authenticated attackers with subscriber-level access to extract sensitive database information via the 'geo_mashup_null_fields' parameter due to insufficient escaping and lack of prepared statement usage. The vulnerability requires valid WordPress authentication but grants high-confidence data confidentiality compromise without requiring user interaction, affecting all installations of this geolocation plugin with vulnerable versions active.

WordPress SQLi
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-6378 MEDIUM This Month

Stored cross-site scripting in Maxi Blocks plugin for WordPress versions up to 2.1.9 allows authenticated attackers with Author-level access and above to inject arbitrary JavaScript via the `/wp-json/maxi-blocks/v1.0/style-card` REST API endpoint through insufficient sanitization of the `sc_styles` parameter. Injected scripts execute on every page where style card styles are loaded, including the WordPress admin panel, affecting all website visitors and administrators. The vendor released patched version 2.1.10 on 27 April 2026 with input sanitization fixes (wp_strip_all_tags applied to sc_styles parameter) and privilege escalation mitigation in the image crop functionality.

WordPress XSS
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2026-7209 MEDIUM This Month

Stored Cross-Site Scripting in Simple Link Directory plugin for WordPress up to version 8.9.2 allows authenticated contributors and above to inject arbitrary JavaScript through insufficiently sanitized shortcode attributes like `title_font_size`, which executes in the browsers of all users accessing affected pages. The vulnerability affects the `qcopd-directory` shortcode and requires contributor-level WordPress access to exploit, making it a moderate-to-high risk for multi-author WordPress sites without strict role management.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0703 MEDIUM This Month

Stored cross-site scripting in NextMove Lite - Thank You Page for WooCommerce plugin allows authenticated attackers with contributor-level access to inject arbitrary JavaScript via the 'xlwcty_current_date' shortcode due to insufficient input sanitization and output escaping. Injected scripts execute in the browser of any user viewing affected pages, potentially compromising WordPress site integrity and user sessions. No public exploit code or active exploitation has been confirmed at the time of analysis.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-4658 MEDIUM This Month

Stored Cross-Site Scripting in Essential Blocks WordPress plugin versions up to 6.0.4 allows authenticated Contributor-level users to inject arbitrary JavaScript into the Add to Cart block via unescaped className, classHook, and blockId attributes, executing malicious scripts in pages viewed by any site visitor. The vulnerability stems from use of raw sprintf() and implode() functions without WordPress escaping functions (esc_attr) in the render_callback() function, despite the outer wrapper using proper escaping. CVSS 6.4 (medium) reflects the requirement for authenticated access; however, the stored nature and cross-site scope elevate real-world risk on multi-author WordPress sites.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6916 MEDIUM This Month

Stored cross-site scripting in Jeg Kit for Elementor WordPress plugin versions up to 3.1.0 allows authenticated contributors and above to inject arbitrary JavaScript via the 'sg_content_number_prefix' parameter, which executes when any user accesses the affected page. The vulnerability stems from insufficient input sanitization and output escaping in the Fun Fact widget element, affecting any WordPress site using this popular page builder addon. CVSS score of 6.4 reflects the network attack vector and broad scope, though exploitation requires valid contributor-level credentials.

WordPress XSS Elementor
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-7669 MEDIUM This Month

Unsafe deserialization in SGLang's HuggingFace Transformer Handler allows remote attackers to trigger deserialization attacks via the get_tokenizer function in versions up to 0.5.9, potentially leading to code execution or information disclosure. The vulnerability requires high attack complexity and has not been patched despite early vendor notification.

Python Deserialization
NVD VulDB GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-7611 MEDIUM PATCH Monitor

Insufficient verification of firmware authenticity in TRENDnet TEW-821DAP up to version 1.12B01 allows remote attackers to manipulate firmware updates through the cameo_dev.sh update handler, potentially leading to information disclosure. The vulnerability requires high attack complexity and difficult exploitation conditions. The affected hardware (v1.xR) reached end-of-life eight years ago and is no longer supported by the vendor, significantly limiting real-world exposure.

Information Disclosure Tew 821Dap
NVD VulDB GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-7606 MEDIUM PATCH Monitor

Insufficient verification of data authenticity in the firmware update handler of TRENDnet TEW-821DAP 1.12B01 allows remote attackers to manipulate the dest argument during firmware updates, leading to integrity violations. The vulnerability requires high attack complexity and affects only end-of-life hardware (version 1.xR) discontinued 8 years ago. CVSS score is 3.7 (low) with integrity impact but no confidentiality or availability impact; no public exploit confirmed.

Information Disclosure Tew 821Dap
NVD VulDB GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-6817 MEDIUM This Month

Stored Cross-Site Scripting (XSS) in Quiz Maker by AYS WordPress plugin versions up to 6.7.1.29 allows unauthenticated attackers to inject arbitrary JavaScript through the 'rate_reason' parameter due to insufficient input sanitization and output escaping. Injected scripts execute in the browsers of all users who view affected pages, enabling credential theft, malware distribution, or defacement without requiring authentication or user interaction.

WordPress XSS
NVD VulDB
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-7644 MEDIUM This Month

Improper authorization in ChatGPTNextWeb NextChat up to version 2.16.1 allows remote unauthenticated attackers to bypass access controls in the addMcpServer function (app/mcp/actions.ts), potentially disclosing sensitive information. The vulnerability has a CVSS score of 5.5 (moderate severity) with public exploit code available, though the vendor has not yet responded to the disclosed issue.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-43058 MEDIUM PATCH This Month

Local denial-of-service in the Linux kernel's vidtv virtual DVB media driver allows an authenticated local user to crash the kernel via a NULL pointer dereference triggered by uninitialized struct fields in vidtv_ts_null_write_into() and vidtv_ts_pcr_write_into(). Affected kernel versions span from commit f90cf6079bf6 across multiple stable branches through Linux 5.10, with fixes backported to 6.6.136, 6.12.83, 6.18.24, 6.19.14, 7.0.1, and 7.1-rc1. No public exploit identified at time of analysis, EPSS is 0.02% (7th percentile), and this CVE is not listed in the CISA KEV catalog, reflecting its low real-world exploitation likelihood.

Linux Null Pointer Dereference Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-6525 MEDIUM PATCH This Month

Wireshark 4.6.0 through 4.6.4 crashes when processing malformed IEEE 802.11 frames due to a null pointer dereference in the protocol dissector. An attacker can trigger denial of service by crafting or replaying a specially malformed wireless packet that causes the dissector to crash when analyzed, rendering packet analysis impossible until the application restarts. CVSS score 5.5 reflects local attack vector with user interaction required; no public exploit code has been identified at time of analysis.

Null Pointer Dereference Denial Of Service Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-4790 MEDIUM This Month

Stored Cross-Site Scripting in Premium Addons for Elementor plugin for WordPress up to version 4.11.70 allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript via the 'custom_svg' parameter, which executes in the browsers of users viewing the affected pages. The vulnerability stems from insufficient input sanitization and output escaping on a user-controllable SVG parameter. No public exploit code or active exploitation has been identified at the time of analysis.

WordPress XSS Elementor
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-5077 MEDIUM This Month

Stored Cross-Site Scripting in Total WordPress theme versions up to 2.2.1 allows authenticated contributors and above to inject arbitrary JavaScript via post titles in the home blog section. The vulnerability stems from insufficient output escaping when rendering post titles in HTML attribute context. Exploitation requires the malicious post to be published and displayed with a featured image on the home page, where the injected script will execute in the browsers of all users viewing the page. No public exploit code has been identified, and active exploitation has not been confirmed.

WordPress XSS
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-6446 MEDIUM This Month

My Social Feeds - Social Feeds Embedder WordPress plugin up to version 1.0.4 exposes sensitive TikTok OAuth credentials via an unauthenticated AJAX endpoint due to missing authorization and nonce checks. Authenticated attackers with Subscriber-level access can retrieve stored access_token and refresh_token values belonging to administrator-connected TikTok accounts, enabling them to impersonate the site owner in TikTok API interactions. No public exploit code or active exploitation has been reported at the time of analysis, though the vulnerability is trivial to exploit once network access is established.

WordPress Information Disclosure
NVD VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-7601 MEDIUM PATCH This Month

Denial of service in Open5GS AMF (Access and Mobility Function) up to version 2.7.6 allows authenticated remote attackers to cause service unavailability by sending crafted registration requests with manipulated reg_type arguments. The vulnerability exists in the GMM (Mobility Management) handler due to insufficient validation of registration type values, potentially triggering null pointer dereferences or assertion failures. Vendor-released patch version 2.7.7 is available.

Denial Of Service Open5gs
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-7638 MEDIUM This Month

Authenticated attackers with Subscriber-level access can modify the profile avatar of any WordPress user, including administrators, via an Insecure Direct Object Reference in the App Builder - Create Native Android & iOS Apps On The Flight plugin versions up to 5.6.0. The `/wp-json/app-builder/v1/upload-avatar` endpoint fails to validate that the authenticated user owns the target account before processing avatar uploads, allowing privilege escalation and account compromise through arbitrary user_id parameter submission in POST requests. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass Google WordPress Apple
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3504 MEDIUM This Month

{id}/reviews' REST API endpoint in Dokan plugin versions up to 4.3.1. The vulnerability affects only installations with the Pro version activated and store reviews enabled, allowing information disclosure of all customers who left vendor reviews. No public exploit code has been identified, but the attack requires no authentication or user interaction and can be automated at scale.

WordPress Information Disclosure
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-4650 MEDIUM This Month

Unauthenticated attackers can bypass authorization controls in FundPress WordPress Donation Plugin versions up to 2.0.8 to arbitrarily modify donation statuses via the donate_action_status() AJAX handler, which lacks nonce verification and capability checks despite being exposed to unauthenticated users. By enumerating sequential donation IDs and sending crafted POST requests, attackers can mark donations as completed, pending, or cancelled, potentially triggering email notifications and corrupting donation records without any user interaction or authentication.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-4024 MEDIUM This Month

Unauthenticated attackers can modify form action metadata on WordPress posts through the Royal Addons for Elementor plugin (versions up to 1.7.1056) due to a missing capability check on the wpr_update_form_action_meta AJAX endpoint. The endpoint registers on both wp_ajax and wp_ajax_nopriv hooks, is accessible without authentication, and relies on a nonce that is publicly exposed in frontend JavaScript, allowing attackers to bypass the nonce protection and alter email, Mailchimp, and webhook settings on any post. This enables attackers to hijack form submissions, exfiltrate data via modified webhook URLs, or redirect emails to attacker-controlled addresses without any user interaction or special configuration required.

Authentication Bypass WordPress Elementor
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-6449 MEDIUM This Month

Unauthenticated attackers can approve any WordPress booking in 'waiting' status via the admin-ajax endpoint in Amelia plugin versions up to 2.1.2, due to a logical short-circuit flaw that skips token validation when the booking status matches a specific condition. An attacker can craft a direct request to the publicly-accessible endpoint to approve arbitrary bookings without authentication. This impacts all installations with pending bookings and exposes the booking workflow integrity across WordPress sites using this plugin.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-6447 MEDIUM This Month

Stored Cross-Site Scripting in Call for Price for WooCommerce plugin versions up to 4.2.0 allows authenticated administrators to inject arbitrary JavaScript via plugin settings that executes for all users visiting affected pages. The vulnerability requires administrator-level access and is limited to WordPress multisite installations or single-site installations with the unfiltered_html capability disabled, significantly reducing real-world exposure compared to the CVSS score of 4.4 suggests.

WordPress XSS
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-6812 MEDIUM This Month

Server-Side Request Forgery in the Ona WordPress theme versions up to 1.26 via the ona_activate_child_theme function allows authenticated administrators to make arbitrary web requests originating from the affected server, enabling query and modification of internal services. The vulnerability requires administrator-level privileges and high attack complexity, limiting real-world exploitation to compromised or malicious admin accounts. No public exploit code or active exploitation has been identified.

SSRF WordPress
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy