Skip to main content
CVE-2026-34900 HIGH This Week

Unauthenticated reflected cross-site scripting in the GiveWP WordPress donation plugin (versions ≤4.14.2) allows remote attackers to execute arbitrary JavaScript in a victim's browser when the user clicks a crafted link. The flaw was disclosed via Patchstack and tracked as EUVD-2026-36921; no public exploit identified at time of analysis, and the CVSS scope-change rating of 7.1 reflects potential session hijacking or administrative action abuse against logged-in WordPress users including site administrators.

XSS Givewp
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-23970 HIGH This Week

Reflected/stored cross-site scripting in the Redirection for Contact Form 7 WordPress plugin (versions ≤ 3.2.8) allows remote unauthenticated attackers to inject malicious scripts that execute in a victim's browser after user interaction. The flaw, reported by Patchstack and tracked as EUVD-2026-36909, carries a CVSS 3.1 base score of 7.1 with scope change due to script execution crossing the plugin/browser trust boundary. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Redirection For Contact Form 7
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2025-68840 HIGH This Week

Reflected cross-site scripting in the iRobots.txt SEO WordPress plugin (versions 1.1.2 and earlier) allows remote unauthenticated attackers to inject malicious JavaScript that executes in a victim's browser when they interact with a crafted link. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 7.1 driven by a scope change, though no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV. Exploitation requires user interaction, which limits mass-scale weaponization but makes it viable for targeted phishing against WordPress administrators.

XSS Irobots Txt Seo
NVD VulDB
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-5233 HIGH PATCH This Week

Resource flooding in MIA Technology Pizzy Library versions 1.0.0.26250 through 1.3.9.26250 allows authenticated remote attackers to abuse improper interaction frequency controls (CWE-799) to degrade availability and tamper with integrity. With a CVSS 3.1 base score of 7.1 and no public exploit identified at time of analysis, the flaw primarily threatens service availability in deployments that expose the library over the network. The advisory was coordinated through Turkey's TR-CERT, with no CISA KEV listing and no EPSS data provided.

Information Disclosure Pizzy Library
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-5230 HIGH PATCH This Week

Improper access control in MIA Technology Inc. Pizzy Library versions 1.0.0.26250 through 1.3.9.26250 allows authenticated remote attackers to bypass authorization checks and access resources or actions outside their permission level. The flaw was reported by TR-CERT and carries a CVSS 3.1 base score of 7.1, with high confidentiality impact but only low integrity impact and no availability impact; no public exploit identified at time of analysis.

Authentication Bypass Pizzy Library
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-34026 HIGH This Week

Authenticated path traversal in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) - software used to manage vault rooms and safe deposit locker systems - allows any logged-in user to read arbitrary files from the host via the documentName parameter of the /safe/selfservice/openselfservicedocument endpoint. Successful exploitation exposes application log files (which may contain credentials or session data) and application binaries, enabling secondary attacks against the safe deposit locker infrastructure. No public exploit identified at time of analysis, and the issue was disclosed by SEC Consult Vulnerability Lab (SEC-VLab).

Path Traversal Wertheim Safecontroller Software For Vault Rooms Safe Deposit Locker System
NVD
CVSS 4.0
7.1
EPSS
0.4%
CVE-2026-34023 HIGH This Week

Cross-branch authorization bypass in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) allows an authenticated low-privileged branch user to tamper with WebSocket messages handled by the SafeController WebMessageBroker and act on safe-deposit boxes belonging to other branches. The flaw stems from missing tenant/branch enforcement on supplied controller identifiers, enabling activation of vault boxes outside the user's authorized scope. No public exploit identified at time of analysis, and the CVE is not listed in CISA KEV.

Authentication Bypass Wertheim Safecontroller Software For Vault Rooms Safe Deposit Locker System
NVD
CVSS 4.0
7.1
EPSS
0.3%
CVE-2026-34022 HIGH This Week

Cryptographic key disclosure in Wertheim SafeController Family 65000 (AssemblyVersion 6.11.8130.22319), a microcontroller-based safe deposit locker system, allows adjacent attackers to decrypt protected communications. The device uses a weak custom (proprietary) cryptographic algorithm with hard-coded keys, and researchers at SEC-VLab demonstrated both breaking the encryption routine and recovering the key by intercepting sufficient traffic. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Information Disclosure Wertheim Safecontroller Family 65000 Hardware For Vault Rooms Safe Deposit Locker System Microcontroller
NVD
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-48736 MEDIUM PATCH GHSA This Month

SSRF filter bypass in Symfony's NoPrivateNetworkHttpClient permits requests to private IPv4 addresses to be smuggled via four classes of IPv6 transition encodings - 6to4 (2002::/16), NAT64 (64:ff9b::/96 and 64:ff9b:1::/48), Teredo (2001::/32), and IPv4-compatible (::/96) - none of which appeared in the IpUtils::PRIVATE_SUBNETS blocklist. Any Symfony application on versions 5.4.0-5.4.52 or 6.4.0-8.0.12 that uses NoPrivateNetworkHttpClient as its SSRF guard and accepts attacker-controlled URLs is vulnerable to the filter bypass; actual packet delivery to the embedded private IPv4 is additionally gated by the server's IPv6 routing configuration. No public exploit code has been released and this CVE is not in CISA KEV, but the bypass payloads are fully enumerated in the official security advisory.

Mozilla Google Information Disclosure
NVD GitHub
CVSS 4.0
6.9
EPSS
0.5%
CVE-2026-53655 MEDIUM PATCH GHSA This Month

Tar parser interpretation differential in node-tar (npm `tar` package) <= 7.5.15 allows a crafted archive to present a different member list to node-tar than to GNU tar, libarchive, or Python tarfile, enabling security scanner evasion in pipelines that scan with one tool and extract with another. The flaw stems from node-tar incorrectly applying a PAX extended header's `size=` override to intermediary GNU long-name (`L`) and long-link (`K`) metadata headers, desynchronizing the stream cursor and causing node-tar to raise a checksum error and report zero members while reference parsers correctly extract files. A detailed, working proof-of-concept (Python stdlib only) is included in the advisory; no active exploitation (CISA KEV) has been confirmed at time of analysis, but the broad npm ecosystem blast radius - node-tar backs npm's own tarball handling - materially elevates real-world risk.

Python Information Disclosure Node.js Suse
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-34030 MEDIUM This Month

Path traversal in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) enables an authenticated user holding the settings_branches_manage privilege to embed directory traversal sequences in a newly created branch code, redirecting downstream file-write operations — covering uploaded files, profile pictures, and settings data — to attacker-chosen filesystem locations. The root cause is insufficient server-side validation of the branch code field at branch creation time; that tainted value later propagates into multiple file-path-generation routines across the application. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified; real-world impact is bounded by both the service account's write permissions and length restrictions on the branch code value.

Path Traversal Wertheim Safecontroller Software For Vault Rooms Safe Deposit Locker System
NVD
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-34028 MEDIUM This Month

Unauthenticated file disclosure in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) exposes unprotected HTTP endpoints that allow any remote, unauthenticated attacker to directly download files from paths including /Resources/CompanyId_[ID]/Audio/ and /SafeData/. The affected software manages physical vault rooms and safe deposit locker systems, making the /SafeData/ endpoint particularly sensitive as it likely contains locker allocation records, customer data, or audit materials. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the network-accessible, zero-authentication nature of the flaw (AV:N/AC:L/PR:N/UI:N per CVSS 4.0) makes opportunistic abuse trivially achievable without specialized tooling.

Information Disclosure Wertheim Safecontroller Software For Vault Rooms Safe Deposit Locker System
NVD VulDB
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-39468 MEDIUM This Month

Arbitrary file deletion in Meta Box - WordPress Custom Fields Framework versions 5.11.1 and earlier exposes servers to filesystem damage through a path traversal flaw (CWE-22) accessible to WordPress Contributor-level users. By embedding traversal sequences in a crafted file deletion request, an authenticated Contributor can delete files outside the intended plugin directory, potentially reaching critical server or WordPress installation files. No active exploitation has been confirmed by CISA KEV, and no public exploit code has been identified at time of analysis; however, the scope-changed CVSS metric indicates that impact can extend beyond the WordPress application boundary to the underlying server filesystem.

Path Traversal WordPress Meta Box Wordpress Custom Fields Framework
NVD
CVSS 3.1
6.8
EPSS
0.4%
CVE-2026-36933 MEDIUM This Month

An issue in Boyleep K11, y108 firmware v.2.3.0.11291 allows a physically proximate attacker to execute arbitrary code via the factory test feature.

RCE N A Authentication Bypass
NVD
CVSS 3.1
6.8
EPSS
0.2%
CVE-2026-11931 MEDIUM PATCH This Month

Authentication token cache file exposure in Kiro IDE on macOS and Linux allows any local user to read credentials belonging to other users due to world-readable file permissions (0644) instead of the security-appropriate owner-only permissions (0600). All versions before 0.11.133 are affected on UNIX-based platforms; the vulnerability is confirmed by AWS via security bulletin 2026-045 and has been assigned CWE-276 (Incorrect Default Permissions). No public exploit code has been identified at time of analysis, but exploitation requires no technical sophistication - only filesystem read access on a shared system.

Privilege Escalation Apple Kiro Ide
NVD VulDB
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-34029 MEDIUM This Month

Hard-coded cryptographic key exposure in Wertheim SafeController Software (AssemblyVersion 6.15.8328.28014) enables local attackers to decrypt sensitive licensing and configuration data for vault room and safe deposit locker systems. The static key, embedded in SafeSystem.Infrastructure.Security.dll, can be recovered through standard reverse engineering, then used to decrypt the licence.whs file - which itself contains a second key granting access to additional configuration files. No active exploitation has been confirmed (not listed in CISA KEV), and no public exploit code is known at time of analysis; however, the attack requires only low-privilege local file access and straightforward tooling, making it realistic for any insider or attacker who achieves filesystem access.

Information Disclosure Wertheim Safecontroller Software For Vault Rooms Safe Deposit Locker System
NVD
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-54274 MEDIUM PATCH GHSA This Month

Denial-of-service in aiohttp (all versions up to and including 3.14.0) allows remote attackers to exhaust server memory by sending large, incomplete WebSocket frame payloads that bypass the library's configured memory size limits. Any Python web application exposing WebSocket endpoints via aiohttp is affected - no authentication is implied as a prerequisite at the protocol layer. No public exploit code has been identified at time of analysis, but the attack primitive is straightforward and the fix is available in 3.14.1.

Denial Of Service Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.6
EPSS
0.3%
CVE-2026-54277 MEDIUM PATCH GHSA This Month

Memory exhaustion in aiohttp's optimised C HTTP parser allows remote unauthenticated attackers to bypass the max_line_size guard by fragmenting oversized request targets or response reason phrases across multiple TCP reads, potentially causing denial of service against any server using the default pre-built wheel configuration. The flaw is specific to the Cython-compiled C parser (the default in pre-built PyPI wheels); the pure-Python fallback correctly accumulated fragment lengths and is unaffected. No public exploit code has been identified at time of analysis, and a vendor-released patch is available in aiohttp 3.14.1.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
6.6
EPSS
0.3%
CVE-2026-54273 MEDIUM PATCH GHSA This Month

Unbounded HTTP/1 pipelined request queuing in aiohttp server allows a remote, unauthenticated attacker to exhaust process memory and cause denial of service by sending pipelined requests faster than the server can handle them. All aiohttp server deployments at version 3.14.0 and earlier are affected; the client library is not impacted. No public exploit code has been identified and this CVE is not listed in the CISA KEV catalog, though the attack requires no special tooling beyond a standard HTTP/1.1 client capable of pipelining.

Denial Of Service Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.6
EPSS
0.3%
CVE-2026-54278 MEDIUM PATCH GHSA This Month

Unread compressed request bodies in aiohttp bypass the client_max_size limit during the cleanup phase, allowing a single-chunk decompression of an arbitrarily large payload into server memory. All versions up to and including 3.14.0 are affected. An attacker who can send HTTP requests with compressed bodies can trigger a zip bomb condition during cleanup, exhausting server memory and causing denial of service. No public exploit has been identified at time of analysis.

Information Disclosure Red Hat Suse
NVD GitHub VulDB
CVSS 4.0
6.6
EPSS
0.3%
CVE-2026-42378 MEDIUM This Month

Broken authentication in WP Full Stripe Free (WordPress plugin by Themeisle) versions 8.4.1 and earlier permits subscriber-level authenticated users to bypass authorization controls and access restricted functionality, resulting in high-confidence information disclosure. The vulnerability (CWE-288) targets the Stripe payment integration plugin's internal access control logic, allowing a low-privileged WordPress user to reach endpoints or data intended only for higher-privileged roles. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Information Disclosure Wp Full Stripe Free
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-42662 MEDIUM This Month

Unauthenticated authentication bypass in the Event Tickets WordPress plugin (versions ≤ 5.27.5 by Liquid Web / StellarWP) allows remote attackers to circumvent access controls without any credentials, affecting the integrity and availability of ticketing functionality. Classified under CWE-290 (Authentication Bypass by Spoofing), the CVSS vector confirms PR:N and AV:N - meaning any network-accessible attacker can attempt exploitation with low complexity and no user interaction required. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA's KEV catalog, indicating no confirmed active exploitation.

Authentication Bypass Event Tickets
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-39515 MEDIUM PATCH This Month

Broken access control in the Motors WordPress plugin (StylemixThemes) prior to version 1.4.107 enables subscriber-level authenticated users to invoke privileged actions that trigger a high availability impact, without passing appropriate authorization checks. Reported by Patchstack and tracked under EUVD-2026-36954, this flaw targets WordPress sites running an unpatched Motors plugin where the lowest default user role - subscriber - can reach restricted functionality. No public exploit has been identified at time of analysis and CISA has not listed this in the Known Exploited Vulnerabilities catalog.

Authentication Bypass Motors
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-48878 MEDIUM This Month

Sensitive data exposure in the Visual Link Preview WordPress plugin (versions up to and including 2.4.1) allows authenticated users with subscriber-level access to access restricted data they should not be authorized to view. The vulnerability stems from insufficient access controls over sensitive system information (CWE-497), permitting any logged-in subscriber to trigger a disclosure endpoint or functionality that returns protected data. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis, though the low privilege bar makes this accessible to any registered WordPress user.

Information Disclosure Visual Link Preview Bootstrap
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-42660 MEDIUM This Month

Sensitive data exposure in the Contest Gallery WordPress plugin (versions <= 28.1.7) allows authenticated subscribers to access confidential information they are not authorized to view. The vulnerability stems from insufficient access control over data retrieval endpoints within the plugin, permitting low-privileged WordPress users to read sensitive data with high confidentiality impact. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low complexity and remote exploitability make it a credible risk for WordPress sites with open subscriber registration.

Information Disclosure Contest Gallery
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-40796 MEDIUM This Month

Sensitive subscriber data exposure in the WPPizza WordPress plugin (versions ≤ 3.19.9) permits any authenticated user with a subscriber-level account to access protected data belonging to other users, such as customer order records or personal information managed by the plugin. The vulnerability stems from insufficient access control enforcement on data retrieval functionality (CWE-497), where low-privilege users are permitted to query sensitive system information outside their authorization scope. No public exploit code or confirmed active exploitation has been identified at time of analysis, though the low access complexity makes opportunistic exploitation realistic on sites permitting public user registration.

Information Disclosure Wppizza
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-39584 MEDIUM This Month

Broken access control in the RepairBuddy WordPress plugin (versions ≤ 4.1132) allows subscriber-level authenticated users to access restricted functionality or sensitive data without adequate authorization checks. The CVSS vector (PR:L, C:H, I:N, A:N) confirms that low-privileged users - specifically WordPress subscribers, the lowest authenticated role - can achieve high confidentiality impact, likely by reading repair orders, customer PII, or administrative data reserved for shop managers and admins. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass Repairbuddy
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2025-69332 MEDIUM This Month

Broken access control in the Bookify WordPress plugin (versions ≤ 1.1.1) allows authenticated subscriber-level users to access resources or functionality reserved for higher-privileged roles. The flaw stems from missing authorization checks (CWE-862), enabling low-privilege users to retrieve sensitive data they should be denied. No public exploit or CISA KEV listing has been identified at time of analysis, though Patchstack has documented the vulnerability with a CVSS 6.5 score reflecting high confidentiality impact.

Authentication Bypass Bookify
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-52718 MEDIUM PATCH This Month

Denial of service in GStreamer's AV1 codec parser (gst-plugins-bad) allows a remote unauthenticated attacker to crash any application using GStreamer for AV1 media playback by delivering a specially crafted AV1 file. The root cause is a unit mismatch in the gst_av1_parser_parse_tile_list_obu() function, which feeds a byte count to an API expecting a bit count, desynchronizing the parser and triggering an assertion abort. No public exploit has been identified at time of analysis, and exploitation requires user interaction; however, the vulnerability affects Red Hat Enterprise Linux 6 through 10 where GStreamer is a core multimedia component.

Denial Of Service Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 +1
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-40773 MEDIUM This Month

Broken Access Control in rtMedia for WordPress, BuddyPress and bbPress (versions <= 4.7.9) permits low-privileged authenticated users at the subscriber level to invoke privileged plugin functionality without authorization, yielding high integrity impact. The CVSS vector (PR:L, I:H, AV:N, AC:L, UI:N) confirms that any logged-in subscriber can exploit this remotely without complexity or user interaction, making sites with open user registration particularly exposed. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.

Authentication Bypass WordPress Rtmedia For Wordpress Buddypress And Bbpress
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-34892 MEDIUM This Month

Broken access control in the Rank Math SEO WordPress plugin (versions ≤ 1.0.271) allows authenticated subscribers to invoke privileged functionality beyond their authorization level. The missing authorization check (CWE-862) permits low-privileged WordPress Subscriber-role users to manipulate SEO settings or execute actions normally gated to editors or administrators, with a confirmed High integrity impact per CVSS. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis.

Authentication Bypass Rank Math Seo
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-40743 MEDIUM This Month

Broken access control in Tutor LMS WordPress plugin versions up to and including 3.9.7 permits unauthenticated remote attackers to bypass authorization checks and access or modify restricted LMS resources. The flaw, classified as CWE-862 (Missing Authorization), stems from the plugin failing to enforce appropriate permission checks before executing sensitive operations. No active exploitation has been confirmed by CISA KEV and no public exploit code has been identified at time of analysis, though the unauthenticated attack vector and low complexity make this straightforward to exploit opportunistically.

Authentication Bypass Tutor Lms
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-39525 MEDIUM This Month

Broken access control in the Booking Activities WordPress plugin (versions up to and including 1.16.48.1) enables unauthenticated remote attackers to perform restricted booking-related operations without authorization. Rooted in CWE-862 (Missing Authorization), the flaw bypasses access controls at the network level with no privileges or user interaction required, resulting in low-severity integrity and availability impacts - likely allowing unauthorized creation, modification, or cancellation of bookings. No public exploit code or CISA KEV listing has been identified at time of analysis.

Authentication Bypass Booking Activities
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-39491 MEDIUM This Month

Stored or reflected Cross-Site Scripting in the JupiterX Core WordPress plugin (versions up to and including 4.14.1) allows low-privilege authenticated users with Subscriber roles to inject malicious JavaScript that executes in the browser context of other users, including administrators. The scope change component (S:C in CVSS) confirms the payload crosses security boundaries, enabling session hijacking, credential theft, or unauthorized administrative actions against victims who view attacker-controlled content. No public exploit code has been identified at time of analysis, and this vulnerability has not been listed in the CISA KEV catalog.

XSS Jupiterx Core
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-48880 MEDIUM This Month

Stored Cross-Site Scripting in WP Job Portal WordPress plugin versions up to and including 2.5.2 allows authenticated Subscriber-level users to inject persistent malicious JavaScript payloads that execute in other users' browsers, including administrators. The CVSS S:C scope change confirms the injected script crosses the security boundary into victims' browser sessions, enabling session hijacking or unauthorized administrative actions. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege requirement makes this realistic on open-registration WordPress job-board deployments.

XSS Wp Job Portal
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-48870 MEDIUM This Month

Stored Cross-Site Scripting in the King Addons for Elementor WordPress plugin (versions up to and including 51.1.62) allows authenticated subscribers to inject and persist malicious JavaScript payloads within plugin-rendered content. The scope-changed CVSS vector (S:C) reflects that injected scripts execute in the browsers of other site users - including administrators - enabling session hijacking and privilege escalation via social engineering. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing this in the moderate-priority tier despite the network-reachable attack surface.

XSS King Addons For Elementor Elementor
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-41556 MEDIUM This Month

Cross-site scripting in ProfilePress WordPress plugin versions up to and including 4.16.13 allows authenticated subscribers to inject malicious JavaScript payloads that execute in the browsers of other users - including administrators - who view affected content. The CVSS scope change (S:C) indicator confirms this is a stored or reflected XSS that crosses privilege boundaries, enabling low-privilege users to target higher-privilege accounts. No public exploit has been identified at time of analysis and the vulnerability is not listed in the CISA KEV catalog.

XSS Profilepress
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-39540 MEDIUM This Month

Stored Cross-Site Scripting in the Shipment Tracker for WooCommerce WordPress plugin (versions up to and including 1.5.3.2) allows authenticated subscriber-level users to inject malicious scripts that execute in a privileged user's browser session. The CVSS scope-change flag (S:C) indicates the injected payload crosses into the administrator's browser context, enabling session hijacking, credential theft, or unauthorized admin actions. Reported by Patchstack with no public exploit code identified at time of analysis and no CISA KEV listing.

WordPress XSS Shipment Tracker For Woocommerce
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-8683 MEDIUM This Month

Denial of service in Mattermost Desktop App (versions ≤6.1 and ≤5.5.13.0) allows a malicious Mattermost server owner to crash client applications by injecting a script that calls window.open() with an excessively large URL, exploiting a missing resource limit on URL length processing. Exploitation requires user interaction - the victim must actively connect their Desktop App to an attacker-controlled server - and impact is strictly limited to application availability with no confidentiality or integrity exposure. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Mattermost Denial Of Service
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-42663 MEDIUM This Month

Cross-site scripting in the Simple Membership WordPress plugin (versions up to and including 4.7.2) allows injection of malicious scripts that execute in the context of other users' browsers. The official CVSS vector assigns PR:L (low privileges required), which directly contradicts the CVE description's claim of 'unauthenticated' exploitation - this discrepancy must be resolved with the vendor before accurate risk tiering. With a scope-changed impact (S:C), the primary concern is an attacker inducing a privileged user such as a WordPress administrator to trigger the payload, enabling session hijacking or unauthorized administrative actions. No public exploit code or active exploitation in CISA KEV has been identified at time of analysis.

XSS Simple Membership
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-39197 MEDIUM This Month

Uncontrolled resource consumption in Datadog Vector v0.54.0 allows authenticated remote attackers to crash or degrade the observability pipeline by sending crafted HTTP requests to the /util/http/prelude.rs handler. The vulnerability is classified as CWE-400 and carries a CVSS 3.1 score of 6.5 (Medium), requiring low-privilege network access with no user interaction. No public exploit identified at time of analysis beyond a GitHub gist that may contain proof-of-concept material; EPSS sits at 0.15% (4th percentile), indicating very low observed exploitation probability in the broader threat landscape.

Denial Of Service N A
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-50892 MEDIUM This Month

Incorrect access control in the "Let's Encrypt" certificate download endpoint of Nginx Proxy Manager v2.14.0 allows authenticated attackers to obtain the TLS private key material via a crafted GET request.

Nginx N A Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-49775 MEDIUM This Month

Unauthenticated broken access control in the Welcart e-Commerce WordPress plugin (versions up to and including 2.11.28) permits remote attackers without any credentials to bypass authorization checks and perform restricted actions. Rooted in CWE-862 (Missing Authorization), the flaw exposes low-severity but tangible integrity and availability impacts against any WordPress installation running the affected plugin. No public exploit code has been identified at the time of analysis, and this vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Welcart E Commerce
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-49773 MEDIUM PATCH This Month

Stored Cross-Site Scripting in the FV Flowplayer Video Player WordPress plugin (versions below 7.5.51.7212) allows low-privileged authenticated users - specifically those with subscriber-level access - to inject persistent malicious JavaScript that executes in the browsers of other site visitors or administrators who view affected content. The Scope:Changed CVSS metric confirms the payload escapes the plugin's trust boundary and can target higher-privileged sessions. No public exploit identified at time of analysis, and SSVC signals no confirmed exploitation; a vendor-released patch is available at version 7.5.51.7212.

XSS Fv Flowplayer Video Player
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-48965 MEDIUM This Month

Sensitive data exposure in the XCloner backup and restore WordPress plugin (versions up to and including 4.8.6) permits unauthorized access to subscriber-level sensitive information via a network-accessible attack path. The vulnerability is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data), meaning the plugin inadvertently includes sensitive data in responses or transmitted content accessible without sufficient authorization controls. Discovered and reported by Patchstack, this flaw carries a CVSS 3.1 base score of 6.5 with no public exploit or CISA KEV listing identified at time of analysis.

Information Disclosure Xcloner
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-48887 MEDIUM This Month

Broken Access Control in the JS Help Desk WordPress plugin version 3.0.9 and earlier enables unauthenticated remote attackers to perform unauthorized actions against the help desk system, impacting both integrity and availability. The flaw, rooted in missing authorization checks (CWE-862), allows network-accessible exploitation with no credentials, no user interaction, and low attack complexity. No public exploit code or CISA KEV listing has been identified at time of analysis, but the trivial exploitation profile warrants prompt remediation on any internet-exposed WordPress deployment.

Authentication Bypass Js Help Desk
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-42752 MEDIUM This Month

Unauthenticated bypass in the Stripe Payments WordPress plugin (versions up to and including 2.0.98) allows remote, unauthenticated attackers to circumvent authentication controls, resulting in limited confidentiality and integrity impact against affected WordPress installations. Reported by Patchstack (ENISA EUVD-2026-36838), the flaw is classified under CWE-440 (Expected Behavior Violation), indicating the plugin's actual enforcement diverges from its intended or documented security model. No public exploit code has been identified at time of analysis, and this CVE does not appear in the CISA KEV catalog.

Authentication Bypass Stripe Payments
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-42743 MEDIUM This Month

Unauthenticated broken authentication in the Masteriyo LMS WordPress plugin (versions ≤2.1.8) stems from improper JWT signature verification (CWE-347), allowing remote attackers to forge authentication tokens without valid credentials and gain unauthorized access to protected LMS resources. The CVSS:3.1 vector AV:N/AC:L/PR:N/UI:N confirms fully unauthenticated, low-complexity network exploitation, enabling an attacker to impersonate enrolled students or instructors and read or modify course-related data. No public exploit code or active exploitation has been confirmed at time of analysis, and the vulnerability is not listed in CISA KEV.

Jwt Attack Information Disclosure Masteriyo Lms
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-42688 MEDIUM This Month

Subscriber-level stored Cross-Site Scripting in the Modula Image Gallery WordPress plugin (versions up to and including 2.14.23) allows authenticated users with subscriber privileges to inject persistent malicious JavaScript into gallery content. When a higher-privileged user such as an administrator views the affected gallery, the injected script executes in their browser context, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low authentication barrier and scope change to admin sessions make this a meaningful risk for multi-user WordPress environments.

XSS Modula Image Gallery
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-42659 MEDIUM This Month

Broken Access Control in the Advanced Form Integration WordPress plugin (versions ≤ 1.126.12) allows authenticated subscriber-level users to perform privileged actions that should be restricted to administrators, due to missing authorization checks (CWE-862). The flaw carries a CVSS 3.1 score of 6.5 with high integrity impact (I:H), meaning a low-privilege attacker can substantially alter plugin or form integration configurations. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low attack complexity and broad applicability to any multi-user or open-registration WordPress site make this a meaningful operational risk.

Authentication Bypass Advanced Form Integration
NVD
CVSS 3.1
6.5
EPSS
0.3%
Prev Page 7 of 9 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy