Skip to main content
CVE-2026-9691 CRITICAL Act Now

Unauthenticated PHP Object Injection in the WordPress plugin 'Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms' (versions 1.1.1 and earlier) allows remote attackers to inject crafted serialized objects that are deserialized by the plugin, enabling abuse of POP gadget chains for code execution, file operations, or data tampering. The flaw scores CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and impacts any WordPress site running the affected CRM Perks integration plugin. There is no public exploit identified at time of analysis, but the unauthenticated nature and prevalence of WordPress as a target make this a high-priority patching item.

PHP Deserialization Integration For Activecampaign And Contact Form 7 Wpforms Elementor Ninja Forms Elementor
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-48114 CRITICAL PATCH Act Now

Unauthenticated SQL injection in NCEAS Metacat 2.0.0 through pre-3.0.0 allows remote attackers to read, modify, and execute arbitrary statements against the PostgreSQL backend by sending crafted parameters to the /harvesterRegistration endpoint. The flaw stems from string-concatenated INSERTs in HarvesterRegistration.dbInsert() combined with a missing LDAP identity check, and because the backend permits stacked queries via Statement.executeUpdate() the injection escalates to full database compromise. No public exploit identified at time of analysis, but the CVSS 9.8 vector and trivial trigger via three reachable parameters (unit, contactEmail, documentListURL) make exploitation straightforward once the endpoint is reachable.

PostgreSQL SQLi Metacat
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-39583 CRITICAL Act Now

Unauthenticated privilege escalation in the Datalogics Ecommerce Delivery WordPress plugin (versions ≤ 2.6.62) allows remote attackers to gain elevated privileges on affected WordPress sites without any credentials or user interaction. The flaw, tracked by Patchstack and assigned a CVSS 9.8, enables full compromise of site integrity and confidentiality; no public exploit identified at time of analysis, but the network-reachable, no-auth nature makes opportunistic exploitation likely once details circulate.

Privilege Escalation Datalogics Ecommerce Delivery
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-34901 CRITICAL Act Now

Unauthenticated privilege escalation in iControlWP WordPress plugin versions 5.5.3 and earlier allows remote attackers to gain elevated privileges on affected WordPress sites without authentication. Reported by Patchstack and rated CVSS 9.8, the flaw maps to CWE-266 (Incorrect Privilege Assignment) and impacts the worpit-admin-dashboard-plugin distribution. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

Privilege Escalation Icontrolwp
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-38812 CRITICAL Act Now

RuoYi v4.8.2 is vulnerable to SQL Injection via the /tool/gen/createTable endpoint. The issue affects the code generation module and may allow an authenticated attacker with administrative privileges to access sensitive database information.

SQLi N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-30120 CRITICAL PATCH GHSA Act Now

Remote code execution affects remotion-dev's Remotion framework at version 4.0.409, enabling attackers to execute arbitrary code on systems running the affected version per CWE-94 code injection semantics. The CVSS 9.8 vector indicates network-reachable, unauthenticated exploitation without user interaction, though no public exploit identified at time of analysis and EPSS probability remains low at 0.25% (16th percentile). The vulnerability is reported by MITRE with a third-party advisory on GitHub but lacks detailed exploitation specifics.

Code Injection RCE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-50869 CRITICAL Act Now

Path traversal in Bludit 3.19.0's api/plugin.php endpoint allows remote attackers to escape the intended directory and access arbitrary files on the server via crafted requests. The CVSS 9.8 rating reflects unauthenticated network-based exploitation with high impact across confidentiality, integrity, and availability, and publicly available exploit code exists in a public gist, though EPSS remains low at 0.25%.

Path Traversal PHP N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-36537 CRITICAL Act Now

ThingsBoard v4.3.0.1 is vulnerable to an authentication bypass during the OAuth authorization code exchange. The application improperly trusts user-supplied identity data within the user parameter of the /login/oauth2/code/ endpoint. By manipulating the email address in this JSON object, a remote attacker can bypass authentication and gain full access to any existing user account on the platform without possessing the target user's credentials. This results in a complete account takeover.

Microsoft Authentication Bypass N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-39006 CRITICAL Act Now

Remote code execution in SNMP4J-Agent 3.8.3 is enabled through the snmp4jCfgStoragePath component, allowing remote attackers to run arbitrary code on hosts running the agent. The CWE-73 (External Control of File Name or Path) classification indicates the storage path parameter can be manipulated to influence file operations, and no public exploit identified at time of analysis though a third-party advisory has been published on GitHub. EPSS is low at 0.21% (11th percentile) despite the 9.8 CVSS, suggesting limited current exploitation activity.

RCE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-38329 CRITICAL Act Now

{key} endpoint in bl-plugins/api/plugin.php. Publicly available exploit code exists as a gist, though EPSS rates exploitation probability at only 0.21% (11th percentile).

Authentication Bypass PHP RCE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-50872 CRITICAL Act Now

Remote code execution in fossar selfoss v2.20-SNAPSHOT allows unauthenticated attackers to execute arbitrary commands and retrieve sensitive data by sending a crafted HTTP request to the loopback request handling component. The flaw carries a CVSS 9.8 score and a public gist (likely containing proof-of-concept material) is referenced, though EPSS exploitation probability remains low at 0.19% and the issue is not listed in CISA KEV.

Code Injection RCE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-50880 CRITICAL Act Now

Remote code execution in YouTransfer v1.0.6 allows unauthenticated attackers to run arbitrary code by sending a crafted request to the sendmail transport integration component. The flaw is a CWE-94 code injection issue with a critical CVSS 9.8 score and publicly available exploit code exists via a referenced GitHub gist, though no active exploitation has been confirmed by CISA KEV.

Code Injection RCE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-50873 CRITICAL Act Now

Arbitrary code execution in flatnotes v5.5.4 is achievable by uploading crafted HTML or SVG files through the attachment handling component, enabling remote attackers to run code in the context of the application. The CVSS 9.8 rating reflects network-reachable, unauthenticated exploitation with full impact on confidentiality, integrity, and availability. Publicly available exploit code exists via a referenced GitHub gist, though there is no public exploit identified as actively exploited in the CISA KEV catalog at time of analysis.

File Upload RCE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-39196 CRITICAL Act Now

Datadog, Inc Vector v0.54.0 was discovered to contain a SQL injection vulnerability in the set_uri_query parameter in the KeyPartitioner::partition function. This vulnerability allows attackers to access sensitive database information via crafted SQL statements.

SQLi N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-50890 CRITICAL Act Now

Bernd Bestel grocy v4.6.0 was discovered to contain a SQL injection vulnerability in the product-group parameter at /stockreports/spendings. This vulnerability allows attackers to access sensitive database information via a crafted SQL statement.

SQLi N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-49781 CRITICAL Act Now

Unauthenticated PHP Object Injection in the OttoKit WordPress plugin (formerly SureTriggers) versions 1.1.27 and earlier allows remote attackers to deserialize attacker-controlled PHP objects against any site running the plugin. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and a CWE-502 deserialization root cause, successful exploitation can lead to full code execution, data theft, or site takeover when a suitable POP gadget chain is present in WordPress core or another installed plugin. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

PHP Deserialization Ottokit
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49770 CRITICAL Act Now

Unauthenticated PHP Object Injection in the WP Travel Engine WordPress plugin versions 6.7.12 and earlier enables remote attackers to deserialize attacker-controlled data without authentication, leading to full compromise (CVSS 9.8). The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial network exploitation against any WordPress site running a vulnerable installation. No public exploit identified at time of analysis, but the unauthenticated nature and WordPress plugin ecosystem make this a high-priority patching target for travel-booking sites.

PHP Deserialization Wp Travel Engine
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49764 CRITICAL Act Now

Authentication bypass in the RegistrationMagic WordPress plugin (versions up to and including 6.0.8.6) allows unauthenticated remote attackers to circumvent intended authentication controls and gain access to protected resources. The flaw, tracked as CWE-288 and reported by Patchstack, carries a critical 9.8 CVSS score because exploitation requires no privileges, no user interaction, and is reachable over the network. There is no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Information Disclosure Registrationmagic
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49105 CRITICAL Act Now

Unauthenticated PHP Object Injection in the CRM Perks 'WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms' WordPress plugin (versions 1.1.4 and earlier) allows remote attackers to inject crafted serialized PHP objects into the application, potentially leading to remote code execution, data theft, or site takeover when a suitable POP gadget chain is present. The flaw is reported by Patchstack and carries a 9.8 CVSS score with network-reachable, no-privilege, no-interaction characteristics. No public exploit identified at time of analysis.

PHP Deserialization Wp Zendesk For Contact Form 7 Wpforms Elementor Formidable And Ninja Forms Elementor
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-49085 CRITICAL Act Now

Unauthenticated PHP object injection in the WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms WordPress plugin (versions <= 1.1.4) allows remote attackers to deliver crafted serialized payloads that the plugin deserializes without validation. Successful exploitation can lead to remote code execution, data tampering, or full site compromise when a suitable POP (property-oriented programming) gadget chain is available in WordPress core, the active theme, or any installed plugin. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Deserialization Wp Insightly For Contact Form 7 Wpforms Elementor Formidable And Ninja Forms Elementor
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-50883 CRITICAL Act Now

Stored HTML/script injection in matze wastebin v3.4.1 allows remote unauthenticated attackers to execute arbitrary JavaScript in the browser of any user who views a crafted paste, by abusing improper output encoding in the /src/highlight.rs syntax-highlighting component. A public gist appears to demonstrate the issue, but no public exploit identified at time of analysis as weaponized tooling, and EPSS exploitation probability is low at 0.18% (8th percentile).

XSS N A
NVD GitHub
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-12198 MEDIUM POC This Month

Path traversal in Microweber CMS up to version 2.0.20 exposes the unauthenticated `/api_nosession/thumbnail_img` endpoint to file system manipulation via the `cache_path_relative` parameter of the `userfiles_path` function. Remote, unauthenticated attackers can traverse outside the intended directory to read - and potentially write - files accessible to the web server process. A public proof-of-concept exploit is available and the vendor did not respond to responsible disclosure, meaning no patch exists at time of analysis.

Path Traversal Microweber
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.5%
CVE-2026-52703 CRITICAL Act Now

Path traversal in the FastDup WordPress plugin through version 2.7.2 allows remote attackers to read or write arbitrary files outside the plugin's intended directory after a single user interaction, with confidentiality, integrity, and availability impacts extending to the WordPress host (scope-changed, CVSS 9.6). The flaw is unauthenticated per the CVSS vector but requires a victim to trigger the malicious request, and no public exploit identified at time of analysis. Disclosure originates from Patchstack's WordPress vulnerability research program.

Path Traversal Fastdup
NVD
CVSS 3.1
9.6
EPSS
0.4%
CVE-2026-12203 MEDIUM POC PATCH This Month

Unauthenticated information disclosure in HKUDS AI-Trader exposes the Research Export endpoint (`/api/research/agents.csv`) to any remote attacker without credentials, leaking proprietary research output in CSV format. The vendor explicitly confirmed the pre-patch state lacked access control: 'Research export endpoints now require an authenticated agent with the research_exports capability.' A public proof-of-concept exploit exists (CVSS 4.0: 6.9, E:P), and the upstream fix is available via commit 91a31aac1b0f4dbc6b8bef9f6eff0b7912e0bc65; no active exploitation is confirmed in CISA KEV at this time.

Information Disclosure Ai Trader
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-12200 MEDIUM POC This Month

Stack-based buffer overflow in Ritlabs TinyWeb Server 1.94 and earlier on Win32 allows remote unauthenticated attackers to crash the server or potentially execute arbitrary code by sending a specially crafted HTTP Authorization header, triggering a memory corruption condition in the libeay32.dll component's Header Handler. A public proof-of-concept exploit has been disclosed at nathan2.com/posts/tinyweb/, and the vendor has not responded to responsible disclosure notifications, leaving all known versions unpatched. No active exploitation has been confirmed in CISA KEV, though the combination of a public POC, network-reachable attack surface, and no patch represents a meaningful risk for any deployment of this software.

Stack Overflow Buffer Overflow Tinyweb Server
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-12209 MEDIUM POC This Month

Prototype pollution in RubyLouvre Avalon's Template Filter Handler (src/filters/index.js) allows remote unauthenticated attackers to modify JavaScript Object.prototype attributes by supplying crafted template filter input. All versions through 2.2.10 are affected per the CPE range cpe:2.3:a:rubylouvre:avalon:*:*:*:*:*:*:*:*. No vendor patch exists - the maintainer did not respond to coordinated disclosure - and a public exploit is available on GitHub (OriginSecurityX/avalon-filter-rce), which the repository title characterizes as capable of remote code execution, a materially more severe claim than the CVSS 4.0 VI:L rating assigned by the reporter.

Prototype Pollution Information Disclosure Avalon
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-12208 MEDIUM POC This Month

Prototype pollution in jsonata-js (all versions up to 2.2.0) allows remote unauthenticated attackers to inject arbitrary properties into JavaScript's Object.prototype via the createFrame function in src/jsonata.js. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) with exploitation status E:P confirms this is network-exploitable with zero prerequisites, and a public proof-of-concept has been published on GitHub demonstrating a hasOwnProperty guard bypass. No patch exists - the vendor failed to respond to coordinated disclosure - leaving all users of jsonata ≤ 2.2.0 indefinitely exposed.

Prototype Pollution Information Disclosure Jsonata Red Hat
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-12204 MEDIUM POC This Month

Unauthenticated remote access to ShopXO's Scheduled Task (Crontab) API endpoint in versions up to 6.7.1 allows any network attacker to invoke order-state mutation functions - including OrderClose, OrderSuccess, PayLogOrderClose, and GoodsGiveIntegral - without any credentials or authorization. This authorization bypass (CWE-639) directly threatens e-commerce integrity: attackers can fraudulently mark unpaid orders as successful, prematurely close active orders, or artificially award loyalty points. A public proof-of-concept exploit is available on GitHub, no vendor patch has been released, and the vendor did not respond to responsible disclosure - making this an immediately actionable risk for any internet-exposed ShopXO deployment.

Authentication Bypass PHP Shopxo
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-9278 MEDIUM POC PATCH This Month

Stored Cross-Site Scripting in the Form Builder CP WordPress plugin (all versions before 1.2.47) allows authenticated users holding Editor-level access or above to inject persistent malicious scripts via unsanitized form configuration values, which execute in every visitor's browser upon rendering the affected form. Critically, this attack succeeds even when WordPress's `unfiltered_html` capability has been revoked - a control that multisite administrators commonly rely on to prevent exactly this class of injection from Editor-level roles. A publicly available exploit exists per WPScan, though no confirmed active exploitation (CISA KEV) has been recorded and the EPSS score of 0.19% (9th percentile) reflects limited automated mass exploitation at time of analysis.

XSS WordPress Form Builder Cp
NVD WPScan
CVSS 3.1
5.4
EPSS
0.2%
CVE-2026-5482 CRITICAL Act Now

Unrestricted file upload in Responsive FileManager 9.14.0 (and likely earlier) allows remote unauthenticated attackers to upload arbitrary files - including PHP scripts - via the dialog.php endpoint, leading directly to remote code execution on the hosting web server. The project is unmaintained at the time of CVE assignment, so no vendor patch is forthcoming, and while no public exploit is identified at time of analysis the trivial nature of unrestricted file upload makes weaponization straightforward.

File Upload PHP RCE Responsive Filemanager
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-39493 CRITICAL Act Now

Unauthenticated SQL injection in the Simply Schedule Appointments WordPress plugin (versions ≤ 1.6.9.27) allows remote attackers to inject crafted SQL through plugin endpoints without authentication. The flaw carries a CVSS 3.1 score of 9.3 with scope change, indicating impact beyond the vulnerable component, though only confidentiality (High) and availability (Low) are affected per the vector. No public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV.

SQLi Simply Schedule Appointments
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-39492 CRITICAL Act Now

Unauthenticated SQL injection in the WP Maps WordPress plugin (versions 4.9.1 and earlier, by Flipper Code) allows remote attackers to inject arbitrary SQL queries against the underlying WordPress database without any authentication or user interaction. With a CVSS 3.1 score of 9.3 and a scope-changed vector, successful exploitation can disclose sensitive database contents (users, hashed credentials, secrets) and affect availability. No public exploit identified at time of analysis, but the unauthenticated nature and trivial complexity make weaponization likely once technical details circulate.

SQLi Wp Maps
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-39530 CRITICAL Act Now

Unauthenticated SQL injection in the SpeakOut! Email Petitions WordPress plugin (versions ≤ 4.6.5) allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. Reported by Patchstack and tracked as EUVD-2026-36960, the flaw carries a CVSS 3.1 score of 9.3 driven by a changed scope and network-reachable attack surface. No public exploit identified at time of analysis, but the trivial exploitability and WordPress plugin ecosystem make opportunistic mass-scanning likely.

SQLi Speakout Email Petitions
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-39511 CRITICAL Act Now

Unauthenticated SQL injection in the WP Photo Album Plus WordPress plugin (versions ≤ 9.1.08.001) allows remote attackers to inject arbitrary SQL into backend database queries without any credentials or user interaction. With a CVSS 3.1 score of 9.3 (scope-changed) and no public exploit identified at time of analysis, the flaw exposes WordPress sites running the plugin to database content disclosure and limited integrity/availability impact. Patchstack reported the issue and it carries CWE-89 (SQL Injection).

SQLi Wp Photo Album Plus
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-45439 CRITICAL Act Now

Unauthenticated SQL injection in Realtyna Organic IDX WordPress plugin (versions 5.1.0 and earlier) allows remote attackers to inject arbitrary SQL into backend queries without credentials. The flaw carries a CVSS 3.1 score of 9.3 with a scope change, indicating impact beyond the plugin's own data boundary, though no public exploit identified at time of analysis. The vulnerability was disclosed via Patchstack and affects WordPress sites running this real-estate listing plugin.

SQLi Realtyna Organic Idx Plugin
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-40771 CRITICAL Act Now

Unauthenticated SQL injection in the Contest Gallery WordPress plugin (versions ≤28.1.6) allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. The flaw was disclosed by Patchstack and tracked as EUVD-2026-36980; no public exploit identified at time of analysis, but the CVSS 9.3 score and PR:N attack vector make it a high-priority issue for any WordPress site running the plugin.

SQLi Contest Gallery
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-39519 CRITICAL Act Now

Unauthenticated SQL injection in the GeekyBot WordPress plugin versions 1.2.0 and earlier allows remote attackers to inject arbitrary SQL queries against the WordPress database without any authentication or user interaction. The flaw was disclosed via Patchstack and carries a high CVSS 3.1 score of 9.3 with scope change, indicating impact beyond the plugin's own security context. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

SQLi Geekybot
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-39441 CRITICAL Act Now

Unauthenticated SQL injection in the Feed KuantoKusta for WooCommerce Free WordPress plugin (versions n/a through 5.3) allows remote attackers to inject crafted SQL statements without prior authentication. Disclosed via Patchstack and tracked as EUVD-2026-36926, the flaw carries a CVSS 3.1 score of 9.3 with a changed scope, indicating data exposure beyond the plugin's own context. No public exploit identified at time of analysis, and no EPSS or KEV signal was provided in the input.

WordPress SQLi Feed Kuantokusta For Woocommerce Free
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-54257 CRITICAL PATCH GHSA Act Now

Heap buffer under/overflow in Electron's Node.js Buffer API (versions 42.3.1 through 42.3.2) causes most apps to crash and may lead to incorrect buffer allocations resulting in unexpected truncation or memory corruption. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 reflects network-reachable, unauthenticated memory corruption with high impact to confidentiality, integrity, and availability. Affects any Electron-based desktop application shipping the vulnerable runtime.

Node.js Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-8386 MEDIUM POC PATCH This Month

The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address and description fields and the marker's geographic coordinates.

WordPress Information Disclosure Wp Go Maps
NVD WPScan
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-8385 MEDIUM POC PATCH This Month

The WP Go Maps WordPress plugin before 10.0.10 does not properly enforce the marker approval filter on the admin-ajax fallback for its datatables route, allowing unauthenticated visitors to retrieve marker records that the site owner has not approved for public display, including their title, category, address and description fields.

WordPress Information Disclosure Wp Go Maps
NVD WPScan
CVSS 3.1
5.3
EPSS
0.1%
CVE-2016-20067 MEDIUM POC This Month

WordPress CP Polls 1.0.8 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

CSRF WordPress Cp Polls
NVD Exploit-DB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2016-20074 MEDIUM POC This Month

WordPress Lazy Content Slider Plugin 3.4 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF WordPress Lazy Content Slider Plugin
NVD Exploit-DB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-48853 CRITICAL PATCH Act Now

Unsafe Erlang term deserialization in the elixir-grpc library (versions 0.4.0 through 1.0.0) allows unauthenticated remote attackers to crash the BEAM VM via atom-table exhaustion or achieve remote code execution by sending crafted gRPC payloads with Content-Type application/grpc+erlpack. The flaw lives in GRPC.Codec.Erlpack.decode/2, which calls :erlang.binary_to_term/1 without the :safe option, size bounds, or type guards. No public exploit is identified at time of analysis, but the upstream fix is published at commit 272a97a and a patched 1.0.0 release is available.

Deserialization RCE Grpc
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.6%
CVE-2026-52693 CRITICAL Act Now

Unauthenticated SQL injection in the implecode eCommerce Product Catalog WordPress plugin (versions 3.5.5 and earlier) allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. The CVSS 9.3 score reflects a scope change with high confidentiality impact, meaning data outside the plugin's database context can be reached. No public exploit identified at time of analysis, though the Patchstack advisory confirms the vendor-tracked vulnerability class.

SQLi Ecommerce Product Catalog
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-49776 CRITICAL Act Now

Unauthenticated SQL injection in the GPTranslate - Multilingual AI Translation for WordPress plugin (versions 2.32.6 and earlier) by jExtensions Store allows remote attackers to inject arbitrary SQL into backend database queries without credentials or user interaction. The CVSS 9.3 score reflects a scope change with high confidentiality impact and low availability impact, indicating data exposure beyond the plugin's own context. No public exploit identified at time of analysis, but the unauthenticated nature and WordPress plugin attack surface make this a high-priority patch.

WordPress SQLi Gptranslate Multilingual Ai Translation For Wordpress
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-49067 CRITICAL Act Now

SQL injection in the Advanced 301 and 302 Redirect WordPress plugin (versions <= 1.6.9) allows remote unauthenticated attackers to inject arbitrary SQL queries into the underlying WordPress database. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 9.3 with a scope change, indicating attacker-controlled input crosses a trust boundary. No public exploit identified at time of analysis, and EPSS data was not provided in the input.

SQLi Advanced 301 And 302 Redirect
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-48886 CRITICAL Act Now

SQL injection in the JS Help Desk WordPress plugin versions 3.0.9 and earlier allows remote unauthenticated attackers to inject arbitrary SQL into backend database queries. The flaw was disclosed via Patchstack and carries a CVSS 9.3 with scope change, meaning successful exploitation can read database contents beyond the plugin's own data. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

SQLi Js Help Desk
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-42665 CRITICAL Act Now

Unauthenticated SQL injection in the WP Data Access WordPress plugin (versions <= 5.5.70) allows remote attackers to inject arbitrary SQL through the plugin's interfaces without authentication. The high CVSS 9.3 score reflects a scope change (S:C) that lets the injection reach beyond the vulnerable component, exposing the entire WordPress database to confidentiality compromise. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

SQLi Wp Data Access
NVD
CVSS 3.1
9.3
EPSS
0.3%
CVE-2026-42639 CRITICAL Act Now

Unauthenticated SQL injection in the GD Rating System WordPress plugin (versions <= 3.6.2) allows remote attackers to inject arbitrary SQL queries against the WordPress database without any authentication or user interaction. The flaw carries a CVSS 3.1 score of 9.3 with scope change, indicating database tampering can affect resources beyond the plugin itself. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

SQLi Gd Rating System
NVD
CVSS 3.1
9.3
EPSS
0.3%
Prev Page 2 of 9 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy