Skip to main content
CVE-2026-49063 HIGH This Week

Unauthenticated privilege escalation in the Listdom WordPress plugin versions 5.5.0 and earlier allows remote attackers to elevate privileges without any authentication or user interaction. The flaw is tracked under CWE-266 (Incorrect Privilege Assignment) and was reported by Patchstack; no public exploit identified at time of analysis. Affected sites running this Webilia-developed directory listing plugin face risk of unauthorized account or capability elevation through exposed plugin endpoints.

Privilege Escalation Listdom
NVD
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-39499 HIGH This Week

PHP Object Injection in the Advanced Product Fields (Product Addons) for WooCommerce plugin versions 1.6.19 and below allows authenticated users with Shop Manager privileges to deserialize attacker-controlled data, potentially leading to remote code execution or full site compromise depending on available PHP gadget chains. The flaw was disclosed by Patchstack and tracked as EUVD-2026-36946; no public exploit identified at time of analysis and the issue is not in CISA KEV.

PHP Deserialization WordPress Advanced Product Fields Product Addons For Woocommerce
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-39481 HIGH This Week

PHP Object Injection in the Modula Image Gallery WordPress plugin (versions ≤ 2.14.18) allows authenticated authors to trigger unsafe deserialization of attacker-controlled input, potentially leading to remote code execution, data tampering, or denial of service depending on available POP gadget chains in the WordPress environment. The flaw was disclosed by Patchstack and tracked as ENISA EUVD-2026-36940; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

PHP Deserialization Modula Image Gallery
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-39472 HIGH PATCH This Week

PHP Object Injection in the WooCommerce PDF Invoices & Packing Slips WordPress plugin before version 5.9.0 allows authenticated users with Shop Manager privileges to trigger unsafe deserialization, potentially leading to full compromise of confidentiality, integrity, and availability. The flaw was reported by Patchstack and a vendor patch is available, though no public exploit has been identified at time of analysis. The CVSS 7.2 score reflects high privilege requirements offset by network reach and severe impact.

PHP Deserialization WordPress Woocommerce Pdf Invoices Packing Slips
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-39434 HIGH This Week

PHP Object Injection in the CTX Feed (WebAppick Product Feed for WooCommerce) WordPress plugin versions up to and including 6.6.26 allows authenticated users with Shop Manager privileges to trigger unsafe deserialization, leading to full compromise of confidentiality, integrity, and availability on the host site. The flaw was disclosed by Patchstack and tracked as EUVD-2026-36924; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

PHP Deserialization Ctx Feed
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-39470 HIGH PATCH This Week

Privilege escalation in the WooCommerce Cart Abandonment Recovery WordPress plugin before version 2.1.0 allows an authenticated shop manager to elevate privileges beyond their intended role on affected WordPress sites. The flaw, tracked as CWE-266 (Incorrect Privilege Assignment), carries a CVSS 7.2 (High) score and has a vendor-released patch in 2.1.0, with no public exploit identified at time of analysis.

Privilege Escalation WordPress Woocommerce Cart Abandonment Recovery
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-39498 HIGH This Week

PHP Object Injection in the YayMail WordPress plugin (versions ≤ 4.3.3) allows authenticated users with Shop Manager privileges to inject crafted serialized PHP objects and trigger deserialization on the server. Successful exploitation can lead to high-impact compromise of confidentiality, integrity, and availability of the WordPress site, though no public exploit identified at time of analysis. The flaw is reported by Patchstack and tracked as EUVD-2026-36945.

PHP Deserialization Yaymail
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-42650 HIGH This Week

Unauthenticated stored/reflected cross-site scripting in the AutomatorWP WordPress plugin (versions <= 5.6.7) allows remote attackers to inject malicious JavaScript that executes in the context of victim browsers, including site administrators. No public exploit identified at time of analysis, but the CVSS scope-change rating (7.2 High) reflects the cross-origin impact typical of XSS where attacker-supplied script crosses a trust boundary into the WordPress admin session. Patchstack reported the issue and tracks it in their WordPress vulnerability database.

XSS Automatorwp
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2026-39471 HIGH This Week

Authenticated PHP Object Injection in the ShortPixel Image Optimizer WordPress plugin (versions 6.4.3 and earlier) allows attackers with Author-level privileges to trigger unsafe deserialization of attacker-controlled data, enabling code execution or other impacts when a suitable PHP gadget chain is present. Reported by Patchstack with no public exploit identified at time of analysis, the flaw is tracked as CWE-502 and carries a CVSS 3.1 score of 7.2 due to the high-privilege prerequisite but full CIA impact.

PHP Deserialization Shortpixel Image Optimizer
NVD
CVSS 3.1
7.2
EPSS
0.4%
CVE-2026-52722 HIGH This Week

Out-of-bounds read in GStreamer's VMnc decoder allows remote attackers to crash the application or disclose memory contents when a victim opens a maliciously crafted VMnc video file. The flaw stems from a signed integer overflow in payload-size arithmetic that bypasses a length check when cursor dimensions are abnormally large. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Integer Overflow Information Disclosure Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +2
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-48838 HIGH This Week

Reflected or stored cross-site scripting in the Post SMTP WordPress plugin (versions 3.6.2 and earlier) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser after user interaction. The CVSS 7.1 score with scope change reflects potential session theft or administrative action hijacking against WordPress sites running the plugin. No public exploit identified at time of analysis, and the issue is tracked by Patchstack but not listed in CISA KEV.

XSS Post Smtp
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-39518 HIGH This Week

Insecure direct object reference in the EventPrime WordPress plugin (versions up to and including 4.3.0.0) allows authenticated users holding only the low-privilege Subscriber role to access or manipulate event records belonging to other users by tampering with object identifiers. The flaw was disclosed by Patchstack and carries CVSS 7.1 reflecting high confidentiality impact with limited integrity impact, but no public exploit identified at time of analysis and no CISA KEV listing. Because WordPress sites frequently allow open subscriber registration, the low PR:L barrier is practically trivial to clear on affected installations.

Authentication Bypass Eventprime
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-52719 HIGH This Week

Out-of-bounds read in the VA JPEG decoder shipped in GStreamer's gst-plugins-bad allows a remote attacker to crash the decoder or potentially leak adjacent memory contents when a victim opens a maliciously crafted JPEG file. The flaw stems from the JPEG parser trusting a segment-length value from the bitstream without verifying it fits within the buffer, and affects Red Hat Enterprise Linux 6 through 10 where the plugin is consumed. There is no public exploit identified at time of analysis and the issue is not in CISA KEV.

Information Disclosure Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 +2
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-48871 HIGH This Week

Reflected or stored Cross-Site Scripting in the MW WP Form WordPress plugin (versions <= 5.1.3) allows remote unauthenticated attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with crafted plugin content. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C) indicates network-reachable exploitation with no privileges but requiring user interaction, and the scope change reflects the cross-origin impact typical of XSS in browser contexts. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

XSS Mw Wp Form
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-39447 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the Simply Schedule Appointments WordPress plugin (versions ≤ 1.6.10.6) allows remote attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link or page. Successful exploitation can lead to session hijacking, credential theft, or administrative actions performed in the context of the targeted user. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS Simply Schedule Appointments
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-39463 HIGH This Week

Reflected/stored cross-site scripting in the ManageWP Worker WordPress plugin (versions ≤ 4.9.31) allows unauthenticated remote attackers to inject malicious JavaScript that executes in a victim's browser after user interaction, potentially hijacking WordPress administrator sessions. The CVSS scope change (S:C) indicates the XSS payload crosses a trust boundary, affecting components beyond the vulnerable plugin itself. No public exploit identified at time of analysis, and the issue is not present in CISA KEV.

XSS Managewp Worker
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53703 HIGH This Week

Out-of-bounds read in the GStreamer RealMedia demuxer (gst-plugins-ugly) allows a maliciously crafted .rm file to crash the consuming application and potentially leak small amounts of adjacent heap memory through stream metadata. The flaw affects Red Hat Enterprise Linux 7, 8, 9, and 10 systems shipping the vulnerable demuxer, and exploitation requires a user to open or otherwise process the file (UI:R). There is no public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

Information Disclosure Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +1
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-68851 HIGH This Week

Reflected cross-site scripting in the Okay Toolkit WordPress plugin (versions ≤2.3) allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 7.1 with a scope-changed impact, but no public exploit identified at time of analysis and EPSS data was not provided. Successful exploitation can lead to session hijacking, credential theft, or administrative actions against the targeted WordPress site.

XSS Okay Toolkit
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-53704 HIGH This Week

Out-of-bounds read and denial-of-service in GStreamer's RealMedia demuxer (gst-plugins-ugly) allows remote attackers to crash, hang, or potentially leak limited adjacent memory when a victim opens a maliciously crafted RealMedia (.rm) file. The flaw stems from unvalidated offsets in re_skip_pascal_string() and an attacker-controlled loop counter in the FILEINFO metadata parser. No public exploit identified at time of analysis, and the CVE is not on the CISA KEV list.

Denial Of Service Information Disclosure Buffer Overflow Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 7 +2
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-48876 HIGH This Week

Reflected/stored cross-site scripting in the WordPress plugin Stop Spammers (versions 2026.3 and earlier) allows unauthenticated remote attackers to inject malicious scripts that execute in a victim's browser when they interact with crafted content. The flaw carries a CVSS 3.1 base score of 7.1 due to scope change (S:C), and no public exploit identified at time of analysis, though Patchstack has catalogued the issue in its WordPress vulnerability database.

XSS Stop Spammers
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-48867 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the Quiz And Survey Master WordPress plugin (versions through 11.1.2) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. Exploitation is reflected in the CVSS 7.1 (High) score with a scope change, meaning injected script can impact resources beyond the vulnerable component. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

XSS Quiz And Survey Master
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-40770 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the Coupon Affiliates WordPress plugin (versions up to and including 7.5.3) allows remote attackers to inject malicious script that executes in a victim's browser after user interaction. The CVSS 3.1 score of 7.1 with scope change (S:C) indicates impact beyond the vulnerable component, typical of XSS reaching the WordPress admin or affiliate context. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Coupon Affiliates
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-40732 HIGH This Week

Reflected/stored cross-site scripting in the Notification for Telegram WordPress plugin (versions <= 3.5) allows unauthenticated remote attackers to inject malicious JavaScript that executes in a victim's browser when they visit a crafted link or page. Patchstack attributes the issue to insufficient input sanitization in the plugin developed by rainafarai, and no public exploit code has been identified at time of analysis. The flaw carries CVSS 7.1 due to the scope change (S:C), reflecting that injected script runs in the WordPress admin or user context beyond the vulnerable component.

XSS Notification For Telegram
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-39507 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the Social Slider Feed WordPress plugin (versions ≤ 2.3.2, developed by ThemeIsle) allows remote attackers to inject malicious JavaScript that executes in a victim's browser after user interaction. The flaw was reported by Patchstack and tracked as EUVD-2026-36949; no public exploit identified at time of analysis and the issue is not listed in CISA KEV. Because exploitation crosses a privilege boundary (S:C) and requires only a user clicking a crafted link, it is a realistic phishing/account-takeover vector against WordPress sites running the plugin.

XSS Social Slider Feed
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-39449 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the WordPress plugin Contact Form to Any API through version 3.0.3 allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. The flaw requires user interaction (UI:R) and changes scope (S:C), meaning injected script can affect resources beyond the vulnerable component, typically the WordPress admin session. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Contact Form To Any Api
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-39435 HIGH This Week

Stored/reflected cross-site scripting in the CformsII WordPress plugin (versions ≤ 15.1.3) allows unauthenticated remote attackers to inject malicious JavaScript that executes in a victim's browser when the crafted content is rendered, enabling session hijacking, credential theft, or actions on behalf of authenticated users including administrators. The flaw was reported by Patchstack and carries a CVSS 3.1 score of 7.1 (UI:R, scope-changed). No public exploit identified at time of analysis and EPSS data was not provided.

XSS Cformsii
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-68872 HIGH This Week

Reflected cross-site scripting in Eli's WordCents adSense Widget with Analytics WordPress plugin (versions <= 1.3.03.27) allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser when the user is lured into clicking a crafted link. The flaw stems from improper neutralization of user-supplied input (CWE-79), and while no public exploit identified at time of analysis, the scope-changing CVSS vector indicates potential for session hijacking or administrative account takeover if a logged-in WordPress admin is targeted.

XSS Eli 039 S Wordcents Adsense Widget With Analytics
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-12214 HIGH This Week

Protection mechanism failure in Qihoo 360 Total Security 6.0 allows a locally authenticated attacker to bypass the Nucleus Engine Monitoring Logic by manipulating the NetworkAddr argument to the RpcStringBindingComposeW function. Publicly available exploit code exists, and the vendor did not respond to coordinated disclosure, leaving users on 6.0 without an official remediation path. EPSS data is not provided and the issue is not in CISA KEV, but the public PoC raises the practical risk for endpoints running this version.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-12217 HIGH This Week

Local privilege escalation in DVDFab Virtual Drive 2.0.0.5 allows authenticated local users to abuse improper privilege management in the signed kernel driver dvdfabio.sys to gain elevated execution within the Windows kernel. Publicly available exploit code exists and the vendor did not respond to coordinated disclosure, increasing the window of risk for affected endpoints. No CISA KEV listing has been recorded, and EPSS data was not provided in the input.

Information Disclosure
NVD VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-52702 HIGH This Week

Cross-site scripting in the SEO Redirection WordPress plugin (versions <= 9.17) allows remote unauthenticated attackers to inject malicious scripts that execute in a victim's browser after user interaction such as clicking a crafted link. The flaw has a CVSS 3.1 score of 7.1 with scope-changed impact, indicating injected scripts can affect resources beyond the vulnerable component. There is no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS Seo Redirection
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-49055 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the WordPress plugin Drag and Drop Multiple File Upload - Contact Form 7 versions 1.3.9.7 and earlier allows remote attackers to inject script that executes in a victim's browser after user interaction, leading to session theft, account takeover, or pivoting against authenticated administrators. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV. CVSS 3.1 base score is 7.1 with a changed scope reflecting impact across the WordPress admin trust boundary.

File Upload XSS Drag And Drop Multiple File Upload Contact Form 7
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-48966 HIGH This Week

Unauthenticated stored/reflected cross-site scripting in the Funnel Builder by FunnelKit WordPress plugin (versions <= 3.15.0.2) allows remote attackers to inject malicious scripts that execute in a victim's browser when they visit a crafted page or link. The CVSS 3.1 score of 7.1 reflects a scope-changing impact with low confidentiality, integrity, and availability impact and required user interaction. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Funnel Builder By Funnelkit
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-48885 HIGH This Week

Unauthenticated reflected/stored cross-site scripting in the HollerBox WordPress plugin (versions 2.3.10.1 and earlier) allows remote attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link or page. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 7.1 due to the scope change (S:C) reflecting the WordPress site context being affected from injected content; no public exploit identified at time of analysis and no CISA KEV listing exists.

XSS Hollerbox
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-45437 HIGH This Week

Reflected/stored cross-site scripting in the Product Filter Widget for Elementor WordPress plugin (versions <= 1.0.6) allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser after user interaction. The flaw was disclosed via Patchstack and carries a CVSS 3.1 score of 7.1 with scope change due to script execution in the browser context; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS Product Filter Widget For Elementor Elementor
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-42775 HIGH This Week

Reflected/stored Cross-Site Scripting in the WordPress plugin AutomatorWP versions 5.7.2 and earlier allows unauthenticated remote attackers to inject malicious script that executes in a victim's browser when they visit a crafted link or page. The CVSS 3.1 score of 7.1 reflects a scope change (S:C), meaning script execution affects components beyond the vulnerable one - typically authenticated WordPress administrators. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Automatorwp
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-42686 HIGH This Week

Stored or reflected cross-site scripting in the EventPrime WordPress plugin (versions <= 4.3.2.1) allows authenticated users with Subscriber-level privileges to inject malicious JavaScript that executes in other users' browsers. The flaw was disclosed by Patchstack and currently has no public exploit identified at time of analysis, but the low privilege bar makes it attractive for opportunistic attackers on multi-user WordPress sites. No CISA KEV listing or EPSS data was supplied with this report.

XSS Eventprime
NVD
CVSS 3.1
7.1
EPSS
0.4%
CVE-2026-42658 HIGH This Week

Unauthenticated reflected/stored Cross-Site Scripting in the Classified Listing WordPress plugin versions 5.3.8 and earlier allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. The flaw was reported by Patchstack and carries CVSS 7.1 due to the scope change affecting the broader WordPress site context, though no public exploit identified at time of analysis. Risk is elevated for sites running the plugin in publicly accessible classified/marketplace deployments where untrusted visitor input is processed.

XSS Classified Listing
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-42649 HIGH This Week

Reflected/stored cross-site scripting in the Favicon Rotator WordPress plugin (versions 1.2.11 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser after user interaction. The CVSS scope-changed vector (S:C) indicates the injected script can impact resources beyond the vulnerable plugin component, typically the entire WordPress site context. No public exploit identified at time of analysis and the issue is not on the CISA KEV list, but the unauthenticated nature combined with WordPress's broad install base elevates real-world concern.

XSS Favicon Rotator
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-40791 HIGH This Week

Reflected/stored cross-site scripting in the WP Time Slots Booking Form WordPress plugin (versions up to and including 1.2.46) lets remote unauthenticated attackers inject script that executes in a victim's browser after user interaction. The flaw, reported by Patchstack and tracked as EUVD-2026-36994, carries a CVSS 7.1 due to the scope change against the WordPress origin, and no public exploit identified at time of analysis.

XSS Wp Time Slots Booking Form
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-40788 HIGH This Week

Broken access control in the QuantumCloud ChatBot plugin for WordPress (versions <= 7.9.7) allows authenticated low-privileged users (Subscriber role) to invoke restricted plugin functionality without proper authorization checks, leading to integrity tampering and availability disruption. Reported by Patchstack and tracked as EUVD-2026-36991, with no public exploit identified at time of analysis.

Authentication Bypass Chatbot
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-40787 HIGH This Week

Stored or reflected cross-site scripting in the Quiz And Survey Master WordPress plugin (versions up to and including 11.0.0) allows remote unauthenticated attackers to inject malicious JavaScript that executes in a victim's browser after a single user interaction. Patchstack reports the issue under EUVD-2026-36990 with a CVSS 3.1 base score of 7.1 reflecting scope change and partial impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS Quiz And Survey Master
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-40785 HIGH This Week

Broken authentication in the AutomatorWP WordPress plugin versions 5.6.7 and earlier allows authenticated users with low-level Subscriber privileges to bypass authorization controls, enabling integrity tampering and high availability impact on affected WordPress sites. The flaw is tracked via Patchstack and ENISA EUVD-2026-36989, with no public exploit identified at time of analysis. EPSS data was not provided, and the issue is not currently listed in CISA KEV.

Information Disclosure Automatorwp
NVD
CVSS 3.1
7.1
EPSS
0.4%
CVE-2026-39514 HIGH This Week

Reflected cross-site scripting in the Paid Member Subscriptions WordPress plugin (versions through 2.17.3) allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser when the victim clicks a crafted link. No public exploit identified at time of analysis, but the vulnerability is reachable without authentication and carries a CVSS 3.1 score of 7.1 driven by scope change. The flaw was disclosed by Patchstack and affects the Cozmoslabs-maintained membership/subscription plugin used on WordPress sites.

XSS Paid Member Subscriptions
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-39450 HIGH This Week

Broken authentication in the FunnelKit Automations WordPress plugin (versions <= 3.7.3) allows authenticated low-privilege users (subscribers) to bypass intended authentication controls, leading to integrity tampering and availability impact on the WordPress site. The flaw is reported by Patchstack and tracked as EUVD-2026-36929, with no public exploit identified at time of analysis and no CISA KEV listing. Given subscriber-level registration is open on many WordPress sites, the practical attack surface is broader than the CVSS 7.1 score alone suggests.

Information Disclosure Funnelkit Automations
NVD
CVSS 3.1
7.1
EPSS
0.4%
CVE-2026-34902 HIGH This Week

Reflected/stored cross-site scripting in the WooCommerce Product Table Lite WordPress plugin (versions ≤ 4.6.3) allows remote unauthenticated attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link or page. Successful exploitation can lead to session hijacking, credential theft, or administrative actions performed in the context of an authenticated WordPress user, including site administrators. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the unauthenticated attack surface combined with WordPress's broad install base makes this a meaningful risk for sites running the plugin.

WordPress XSS Woocommerce Product Table Lite
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-34900 HIGH This Week

Unauthenticated reflected cross-site scripting in the GiveWP WordPress donation plugin (versions ≤4.14.2) allows remote attackers to execute arbitrary JavaScript in a victim's browser when the user clicks a crafted link. The flaw was disclosed via Patchstack and tracked as EUVD-2026-36921; no public exploit identified at time of analysis, and the CVSS scope-change rating of 7.1 reflects potential session hijacking or administrative action abuse against logged-in WordPress users including site administrators.

XSS Givewp
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-23970 HIGH This Week

Reflected/stored cross-site scripting in the Redirection for Contact Form 7 WordPress plugin (versions ≤ 3.2.8) allows remote unauthenticated attackers to inject malicious scripts that execute in a victim's browser after user interaction. The flaw, reported by Patchstack and tracked as EUVD-2026-36909, carries a CVSS 3.1 base score of 7.1 with scope change due to script execution crossing the plugin/browser trust boundary. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Redirection For Contact Form 7
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2025-68840 HIGH This Week

Reflected cross-site scripting in the iRobots.txt SEO WordPress plugin (versions 1.1.2 and earlier) allows remote unauthenticated attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 7.1 driven by a scope change, though no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV. Exploitation requires user interaction, which limits mass-scale weaponization but makes it viable for targeted phishing against WordPress administrators.

XSS Irobots Txt Seo
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-5233 HIGH PATCH This Week

Resource flooding in MIA Technology Pizzy Library versions 1.0.0.26250 through 1.3.9.26250 allows authenticated remote attackers to abuse improper interaction frequency controls (CWE-799) to degrade availability and tamper with integrity. With a CVSS 3.1 base score of 7.1 and no public exploit identified at time of analysis, the flaw primarily threatens service availability in deployments that expose the library over the network. The advisory was coordinated through Turkey's TR-CERT, with no CISA KEV listing and no EPSS data provided.

Information Disclosure Pizzy Library
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-5230 HIGH PATCH This Week

Improper access control in MIA Technology Inc. Pizzy Library versions 1.0.0.26250 through 1.3.9.26250 allows authenticated remote attackers to bypass authorization checks and access resources or actions outside their permission level. The flaw was reported by TR-CERT and carries a CVSS 3.1 base score of 7.1, with high confidentiality impact but only low integrity impact and no availability impact; no public exploit identified at time of analysis.

Authentication Bypass Pizzy Library
NVD
CVSS 3.1
7.1
EPSS
0.2%
Prev Page 4 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy