Skip to main content
CVE-2026-61428 MEDIUM PATCH This Month

Webhook signature verification is absent in PraisonAI AgentMail before version 4.6.78, permitting any unauthenticated network attacker to POST crafted message.received events directly to the webhook endpoint with spoofed sender identities. This bypasses configured sender allow/block lists, injecting arbitrary content into the AI agent's processing pipeline and causing the agent to dispatch replies to attacker-controlled addresses. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog, though the low-complexity, unauthenticated attack vector makes exploitation straightforward for any attacker with network access to the webhook endpoint.

Authentication Bypass Praisonai
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-56296 MEDIUM PATCH This Month

Information disclosure in Capgo (Cap-go) before 12.128.2 allows unauthenticated network attackers to enumerate valid app IDs by observing differential error responses from the public.transfer_app RPC endpoint, requiring only a publishable API key. The root cause is a CWE-203 observable discrepancy: the endpoint returns distinguishable error messages depending on whether a supplied app ID exists or not, functioning as an existence oracle. No active exploitation is confirmed (not in CISA KEV), but the low barrier to exploitation - network-accessible, no authentication beyond a publishable key - makes this a practical reconnaissance primitive against Capgo-hosted applications.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-60088 MEDIUM PATCH This Month

Path traversal in PraisonAI before 4.6.78 enables file exfiltration outside the workspace by embedding traversal sequences (e.g., @../outside_secret.txt) or absolute paths in custom project command templates, which are then injected verbatim into model prompts. Users who process attacker-controlled command files expose all process-readable files - including credentials, environment variables, and application secrets - to whoever controls the model interaction. No public exploit code has been identified and PraisonAI is not listed in the CISA KEV catalog at time of analysis; a vendor patch is available.

Path Traversal Praisonai
NVD GitHub VulDB
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-13262 MEDIUM This Month

SQL injection in the Majestic Support WordPress help desk plugin (versions up to and including 1.1.9) allows any authenticated WordPress user to extract sensitive data from the site's database by appending arbitrary SQL to queries via the unsanitized 'val' AJAX parameter. Although the description characterizes attackers as 'unauthenticated,' exploitation in practice requires a Subscriber-level account to obtain a 'get-smart-reply' nonce - a low but real barrier accurately reflected in the CVSS PR:L rating. No public exploit code or CISA KEV listing has been identified at time of analysis, but the trivial nonce-acquisition path (create a ticket, visit the result page) means any user permitted to submit support requests can exploit this on unpatched deployments. Version 1.2.0 appears to resolve the issue based on source code changes in the referenced repository tags.

WordPress SQLi Majestic Support The Leading Edge Help Desk Customer Support Plugin
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-11426 MEDIUM This Month

Arbitrary file read in the UnderConstructionPage PRO WordPress plugin (≤ 5.76) exposes sensitive server files to any authenticated subscriber-level user. The plugin's template_thumbnail parameter accepts unsanitized local file paths and copies their contents into the publicly accessible uploads directory, making the exfiltrated data retrievable by unauthenticated third parties after the fact. No public exploit code or CISA KEV listing exists at time of analysis; however, the low privilege bar (subscriber accounts) and high confidentiality impact (CVSS C:H) make this a meaningful risk on multi-user WordPress installations.

WordPress Path Traversal
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-15072 MEDIUM This Month

SQL injection in KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress (all versions through 4.5.0) allows authenticated attackers with doctor-level or equivalent access to exfiltrate arbitrary database contents via a manipulated 'orderby' parameter. The flaw exists in DoctorSessionController.php and the KCQueryBuilder base class, where ORDER BY clause inputs are neither escaped nor parameterized, enabling appended SQL to traverse the entire WordPress database - including patient records, credentials, and clinical data. No public exploit code or active exploitation has been identified at time of analysis, though Wordfence has disclosed the vulnerability with source code references.

WordPress SQLi Kivicare Clinic Patient Management System Ehr
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-15073 MEDIUM This Month

SQL injection in the KiviCare - Clinic & Patient Management System (EHR) WordPress plugin through version 4.5.0 enables authenticated clinic users to extract arbitrary data from the underlying database via a manipulated 'orderby' REST API parameter. The flaw resides in DoctorSessionController.php (lines 648 and 660) where user-supplied sort values are concatenated into queries without escaping or prepared-statement protections, cascading through KCQueryBuilder.php. No public exploit code or CISA KEV listing is identified at time of analysis; EPSS data was not provided, but the authenticated-only prerequisite and niche deployment footprint materially limit real-world impact.

WordPress SQLi Kivicare Clinic Patient Management System Ehr
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-5743 MEDIUM This Month

Stored XSS in the SimpLy Gallery Block & Lightbox WordPress plugin (all versions through 3.3.3.2) allows authenticated attackers with Author-level access to inject persistent JavaScript via the sliderMaxHeight block attribute. The root cause is a defective regex in pgc_sgb_sanitize_custom_css() that strips quoted event handlers but silently permits unquoted HTML event handler syntax (e.g., onfocus=alert(document.cookie)), enabling a sanitization bypass that survives to page render. No public exploit or CISA KEV listing is identified at time of analysis, though the stored nature means injected payloads persist and execute against any subsequent visitor - including administrators.

WordPress XSS Simply Gallery
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-12126 MEDIUM This Month

Stored XSS in WCFM Marketplace - Multivendor Marketplace for WooCommerce (all versions ≤ 3.7.3) permits authenticated attackers holding a Vendor-level account to plant persistent JavaScript payloads inside WordPress media attachment titles, targeting any privileged user who subsequently loads the media management dashboard. The injection path is notable for its stealth: the attacker uploads a media file with a crafted post_title via the standard WordPress REST API (/wp-json/wp/v2/media), bypassing any AJAX-based access controls, because the unescaped title is later serialized into DataTables JSON and written directly to the DOM via innerHTML on the admin media interface. No public exploit code is identified and the vulnerability has no CISA KEV listing at time of analysis, but the low privilege barrier - any marketplace vendor account - meaningfully elevates real-world risk in multi-vendor deployments with untrusted sellers.

WordPress XSS Wcfm Marketplace Multivendor Marketplace For Woocommerce
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-15010 MEDIUM This Month

Stored Cross-Site Scripting in the bbp Style Pack WordPress plugin (versions up to and including 6.4.5) allows authenticated attackers with Subscriber-level access and bbPress topic-creation privileges to permanently inject arbitrary JavaScript into forum topic pages via the Topic Form Additional Fields feature, with payload execution affecting all subsequent visitors including unauthenticated users. The flaw is a paired failure: unsanitized POST data written to post meta in bsp_topic_fields_form_save(), then rendered into raw HTML in bsp_topic_content_append_topic_fields() without output escaping. No public exploit has been identified at time of analysis, though Wordfence has confirmed the vulnerability with function-level detail and an upstream patch commit (changeset 3601461) exists.

WordPress XSS
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2025-13968 MEDIUM This Month

Stored Cross-Site Scripting in the Starboard Suite Reservation Calendars WordPress plugin (all versions through 3.1.4) allows authenticated attackers with Contributor-level access to inject persistent malicious JavaScript via unescaped shortcode attributes in the [starboard-suite-lightbox] shortcode. Any site visitor who loads a page containing the injected shortcode will execute the attacker's script in their browser, enabling session hijacking, credential theft, or malicious redirects against potentially higher-privileged users such as site administrators. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low privilege bar (Contributor) and scope change to victim browsers make this a meaningful risk on multi-author WordPress sites.

WordPress XSS Starboard Suite Reservation Calendars
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-15097 MEDIUM This Month

Stored XSS in the Themify Builder WordPress plugin (all versions through 7.7.6) allows contributor-level authenticated users to inject persistent JavaScript via the 'height_slider' Slider Module field, which executes in the browser of any visitor who loads an injected page. The scope change (S:C in CVSS) captures the cross-context impact: attacker payload runs in victims' sessions, enabling session hijacking, credential theft, or unauthorized admin actions. No active exploitation is confirmed in CISA KEV, but a patch commit (changeset 3601964) is visible in the WordPress plugin SVN repository, suggesting a fix has been committed beyond version 7.7.6.

WordPress XSS Themify Builder
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-1382 MEDIUM This Month

Stored Cross-Site Scripting in the Fresh Podcaster WordPress plugin (all versions through 1.0.7) allows authenticated attackers holding at minimum contributor-level roles to inject persistent JavaScript payloads via unsanitized attributes of the 'freshpodcaster' shortcode. The injected script executes automatically in any visitor's browser upon loading an affected page, enabling session hijacking, credential theft, or unauthorized actions on behalf of higher-privileged users. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the Changed scope in the CVSS vector underscores that impact crosses the plugin boundary into victims' browser sessions.

WordPress XSS Fresh Podcaster
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-15096 MEDIUM This Month

Stored Cross-Site Scripting in the Themify Builder WordPress plugin (all versions through 7.7.6) enables authenticated attackers holding contributor-level access or higher to persist arbitrary JavaScript via the Map Module's `b_width_map` field. Because the scope changes (S:C in CVSS), the injected payload executes inside every subsequent visitor's browser context - enabling session hijacking, credential theft, or administrative account takeover against any user who views an affected page. No public exploit code has been identified and this vulnerability is not listed in CISA KEV, but the low exploitation complexity and network-accessible attack surface make it a meaningful risk on sites with open or broad contributor registration.

WordPress XSS Themify Builder
NVD VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-10660 MEDIUM PATCH This Month

Out-of-bounds write in Zephyr RTOS's Bluetooth BAP Broadcast Assistant (subsys/bluetooth/audio/bap_broadcast_assistant.c v4.4.0 and earlier) allows a BLE-adjacent attacker operating one or more malicious Scan Delegator peripherals to corrupt the target device's memory or cause a denial of service. The root cause is a file-static 512-byte att_buf (net_buf_simple) shared across all connection instances: when the Broadcast Assistant holds two or more concurrent BLE connections, concurrent GATT notification callbacks interleave writes into this buffer without tailroom checks, enabling writes past the BSS boundary into adjacent memory. No public exploit has been identified and exploitation requires high attack complexity, but the memory corruption primitive is serious for embedded/IoT targets where crash recovery may be unavailable.

Memory Corruption Denial Of Service Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-61861 MEDIUM PATCH This Month

Use-after-free in ImageMagick before 7.1.2-26 exposes servers that process untrusted images to denial of service and potential code execution via a dangling pointer in the FormatMagickCaption method when memory allocation fails. The CVSS 4.0 vector scores this at 6.3, reflecting high attack complexity (AC:H) and specific prerequisite conditions (AT:P), though intelligence tags flag RCE - a claim the vendor CVSS impact metrics do not fully corroborate, as only low availability impact is scored. No public exploit has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Memory Corruption Denial Of Service Use After Free RCE Imagemagick
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.3%
CVE-2026-61857 MEDIUM PATCH This Month

Heap use-after-free in ImageMagick before 7.1.2-26 allows unauthenticated remote attackers to crash applications processing attacker-supplied image files by embedding specially crafted XMP profile data. The root cause is a missing null check (CWE-252) during XMP metadata parsing, which triggers invalid memory access and results in a denial-of-service condition. No public exploit code and no CISA KEV listing exist at time of analysis, though ImageMagick's deep integration into web image pipelines means a single malicious upload can disrupt server-side processing at scale.

Denial Of Service Imagemagick
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-56763 MEDIUM PATCH This Month

Prototype pollution in Hono before 4.12.7 enables unauthenticated remote attackers to inject properties into JavaScript's Object.prototype by submitting crafted form field names containing '__proto__' keys when the 'dot' option is enabled in parseBody. Exploitation is conditional - it further requires that application code merges parsed body output into plain JavaScript objects using unsafe merge patterns - but when both conditions are present, attackers can silently alter inherited object behavior across the entire runtime, potentially bypassing authorization checks or leaking sensitive data. No public exploit code or CISA KEV listing exists at time of analysis; the CVSS 4.0 score of 6.3 reflects limited impact and the attack prerequisite of the non-default dot option being enabled.

Information Disclosure Prototype Pollution Hono
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-10865 MEDIUM This Month

Plaintext payment gateway secret key exposure in the Cost Calculator Builder WordPress plugin (all versions ≤ 4.0.11) allows any unauthenticated remote visitor to harvest Stripe, Razorpay, and PayPal merchant credentials directly from page HTML source. The plugin embeds live API secret keys in the frontend template body when the 'use in all calculators' global payment gateway option is active, making those keys readable without any authentication or special tooling. While the assigned CVSS score is 5.3 (Medium), the practical impact is business-critical: extracted secret keys grant full programmatic control over the merchant's payment accounts, enabling unauthorized charges, refunds, and access to stored customer payment data. No public exploit or CISA KEV listing is identified at time of analysis.

WordPress Information Disclosure Cost Calculator Builder
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-12994 MEDIUM This Month

Authorization bypass in WCFM - Frontend Manager for WooCommerce (all versions through 6.7.27) allows unauthenticated network attackers to inject arbitrary content into store inquiry replies, overwrite inquiry records in the wp_wcfm_enquiries database table, and trigger unsolicited notification emails to customers and vendors. The root cause is a missing authentication gate in the wcfm-my-account-enquiry-manage controller branch - unlike its sibling branches, it performs neither is_user_logged_in() nor current_user_can() checks. The nonce that serves as the sole barrier is embedded into every public page load without any login requirement, rendering it ineffective as an access control. No public exploit code and no CISA KEV listing identified at time of analysis.

Authentication Bypass WordPress Wcfm Frontend Manager For Woocommerce
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-6804 MEDIUM This Month

Authorization bypass in the AI Copilot - Content Generator WordPress plugin (by wupsales/AIWU) allows unauthenticated remote attackers to manipulate WordPress post publication states across all versions through 1.4.12. By supplying arbitrary scenario IDs to the plugin's workspace controller endpoint - which lacks any authorization verification - attackers can expose unpublished draft content or take live published posts offline, causing content disclosure and service disruption. No public exploit or CISA KEV listing has been identified at time of analysis, though the trivial exploitation complexity (AV:N/AC:L/PR:N/UI:N) makes independent rediscovery straightforward.

Authentication Bypass WordPress Ai Copilot Content Generator
NVD VulDB
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-6803 MEDIUM This Month

Unauthenticated mass data deletion in the AI Copilot - Content Generator WordPress plugin (all versions through 1.4.12) exposes sites to complete wipeout of plugin-managed database records by any remote visitor. The vulnerability stems from a permanently open authorization gate: the base controller's getPermissions() returns an empty array causing the auth check to unconditionally pass, while the removeGroup and clear AJAX actions are excluded from getNoncedMethods(), bypassing nonce verification entirely. No active exploitation has been confirmed in CISA KEV and no public exploit code has been identified at time of analysis, though the attack requires no credentials and minimal technical skill given the straightforward AJAX endpoint targeting.

Authentication Bypass WordPress Ai Copilot Content Generator
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-12426 MEDIUM This Month

Sensitive information exposure in the Members - Membership & User Role Editor Plugin for WordPress (all versions through 3.2.22) allows unauthenticated network attackers to exploit the REST API filter `members_filter_protected_posts_for_rest` as a boolean oracle, revealing the existence, count, and inferred keyword content of posts explicitly restricted by membership rules. The mechanism abuses per-page pagination parameters to observe response count changes, enabling iterative inference of hidden post content without ever receiving the post body directly. No public exploit code has been identified at time of analysis, and this is not listed in CISA KEV, but the zero-authentication, network-accessible attack surface means any WordPress site using this plugin with sensitive restricted content is exposed by default.

WordPress Oracle Information Disclosure Members Membership User Role Editor Plugin
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-9017 MEDIUM This Month

Authorization bypass in the NEX-Forms WordPress plugin (all versions through 9.2.2) allows unauthenticated remote attackers to overwrite email metadata fields on arbitrary form entries and weaponize the victim WordPress site as an outbound email relay. The CVSS vector (PR:N/AC:L/AV:N) confirms zero authentication and zero configuration prerequisites beyond plugin activation. No public exploit has been identified at time of analysis, but the trivially low exploitation complexity makes mass scanning and abuse for phishing or spam distribution operationally realistic at scale.

Authentication Bypass WordPress
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-13250 MEDIUM This Month

Permanent, irreversible deletion of all Starter Template-imported site content in the Solace Extra WordPress plugin (all versions through 1.5.3) is achievable by fully unauthenticated network attackers due to the complete absence of authorization checks on the responsible AJAX handler. The handler is registered via wp_ajax_nopriv_, removing WordPress's authentication gate entirely, while the required nonce is leaked to any Subscriber-level user visiting any wp-admin page - eliminating both authentication and authorization barriers simultaneously. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the Wordfence disclosure includes exact file and line references enabling straightforward reproduction; the official CVSS score of 5.3 significantly understates the destructive impact.

Authentication Bypass WordPress PHP Solace Extra
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-6801 MEDIUM This Month

Context Blog WordPress theme (all versions through 1.3.5) exposes the full content of password-protected posts to unauthenticated remote attackers through the `context_blog_modal_popup` component, effectively bypassing WordPress's native content-gating mechanism. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivially low exploitation complexity with no authentication or user interaction required. No public exploit code or active exploitation has been identified at time of analysis, and real-world impact is bounded entirely by what site owners store behind password-protected posts.

WordPress Information Disclosure Context Blog
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-56240 MEDIUM PATCH This Month

Billing authorization bypass in Capgo (prior to 12.128.12) enables authenticated organizations with exhausted or expired usage credit grants to continue consuming paid API endpoints without valid entitlement. The divergence between the plugin's hot-path plan_valid expression and the authoritative billing gate creates a logic gap exploitable by any organization that reaches credit depletion, granting continued access to /updates, /stats, /channel_self, and attachment upload endpoints. No public exploit or CISA KEV listing exists at time of analysis, but the low attack complexity and network accessibility make this straightforward for any affected account holder to abuse.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-11901 MEDIUM This Month

Payment bypass in WP Hotel Booking (WordPress plugin, all versions ≤2.3.1) allows unauthenticated attackers to mark arbitrary hotel reservations as fully paid without submitting genuine payment. The PayPal IPN handler `web_hook_process_paypal_standard()` accepts an attacker-controlled `test_ipn=1` parameter that silently reroutes IPN validation to PayPal's sandbox environment, where a free sandbox account returns a legitimate 'VERIFIED' response; the handler then promotes any pending booking to completed while skipping critical post-verification checks on `receiver_email`, `mc_currency`, and `txn_id` uniqueness. No public exploit is identified at time of analysis, but the attack requires only a free PayPal sandbox account, making it nearly zero-cost for any motivated attacker.

WordPress Information Disclosure Wp Hotel Booking
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-5017 MEDIUM This Month

Time-based blind SQL injection in the Catalyst Connect Zoho CRM Client Portal WordPress plugin (all versions ≤ 2.2.0) enables authenticated administrators to exfiltrate arbitrary data from the underlying WordPress database via the unsanitized 'uid' parameter. The CVSS vector (PR:H) confirms exploitation requires administrator-level credentials, meaningfully constraining the attack surface. A public proof-of-concept is available on GitHub (BFS-Lab/BFSDV), and no confirmed patch version has been identified in available intelligence at time of analysis.

WordPress SQLi Zoho Catalyst Connect Zoho Crm Client Portal
NVD GitHub VulDB
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-12141 MEDIUM This Month

Stored XSS in Premium Addons for Elementor (all versions ≤4.11.84) lets authenticated contributors plant persistent JavaScript payloads via the `premium_tooltip_text` parameter that execute specifically when an administrator opens the injected post in the Elementor editor - not on public-facing pages. The root cause is unescaped output in the `print_template()` method registered on the `elementor/section/print_template` hook, meaning the attack surface is confined to the Elementor editor backend. No public exploit or CISA KEV listing has been identified at time of analysis; however, the scope-changed CVSS rating reflects real privilege-escalation potential from contributor to admin session context.

WordPress XSS Premium Addons For Elementor Powerful Elementor Templates Widgets
NVD VulDB
CVSS 3.1
4.9
EPSS
0.2%
CVE-2026-61858 MEDIUM PATCH This Month

Policy bypass in ImageMagick before 7.1.2-26 allows low-privileged local users to write files to filesystem paths explicitly blocked by the application's security policy framework. The APNG encoder and external delegate mechanisms omit required validation against policy.xml restrictions, enabling circumvention of configured path-based access controls. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis, though the impact is meaningful in multi-tenant or shared-processing environments that rely on ImageMagick's policy layer as a security boundary.

Authentication Bypass Imagemagick
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-56372 MEDIUM PATCH This Month

Heap-based out-of-bounds read in ImageMagick before 7.1.2-19 is triggered when processing an image carrying an unrecognized magnify:method value, causing the magnify operation to read beyond allocated heap memory. Affected systems running any version prior to 7.1.2-19 can be impacted when a user or automated pipeline processes a specially crafted image file, with outcomes ranging from partial memory disclosure to application crash. No active exploitation is confirmed (not in CISA KEV) and no public proof-of-concept has been identified at time of analysis, and the CVSS 4.0 score of 4.8 (Medium) reflects the limited local/interactive nature of the attack.

Heap Overflow Denial Of Service Buffer Overflow Imagemagick
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-61465 MEDIUM PATCH This Month

Memory allocation policy bypass in ImageMagick's matrix-backed operations allows a crafted image to exhaust process memory and cause a denial of service. Affected across both the version 7 series (before 7.1.2-26) and the legacy version 6 series (before 6.9.13-51), the flaw arises because operations such as -canny fail to enforce the memory ceiling set in the configured policy, nullifying a key security control. No public exploit code or active exploitation has been identified at time of analysis, and the CVSS 4.0 score of 4.8 reflects a local attack vector requiring user interaction, keeping real-world exposure moderate.

Denial Of Service Imagemagick
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-3367 MEDIUM This Month

Stored Cross-Site Scripting in the Lockme OAuth2 Calendars Integration WordPress plugin (all versions through 2.11.0) permits authenticated administrators to persist arbitrary JavaScript in four settings fields - App ID, App Secret, Bookings ID prefix, and API domain - which then executes in the browser of any user who loads the plugin settings page. The root cause is a missing sanitize callback in register_setting() (Plugin.php:197) paired with unescaped output via direct echo into an HTML value attribute without esc_attr() (lines 212, 223, 245, 256), a classic CWE-79 dual-failure pattern. Exploitation risk is highest in WordPress multisite environments where per-site administrators, who should not have cross-site authority, could poison settings to harvest session tokens or perform actions in the context of super-administrators. No public exploit code and no CISA KEV listing have been identified at time of analysis; an upstream patch changeset (revision 3495564) has been committed to the WordPress plugin repository.

WordPress XSS Lockme Calendars Integration
NVD
CVSS 3.1
4.4
EPSS
0.3%
CVE-2026-11591 MEDIUM This Month

Stored Cross-Site Scripting in the Widgets for Google Reviews WordPress plugin (versions ≤ 13.3) enables authenticated attackers holding editor-level WordPress roles to inject persistent JavaScript through admin settings, which then executes in any site visitor's browser on pages rendering the compromised widget. Exploitation is gated by two environmental prerequisites - multi-site WordPress deployments or single-site installs where unfiltered_html has been explicitly disabled - substantially narrowing the attack surface despite the network-accessible entry point. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the fix is referenced via a WordPress plugin repository changeset but an exact patched release version is not independently confirmed.

WordPress XSS Google Widgets For Google Reviews
NVD VulDB
CVSS 3.1
4.4
EPSS
0.3%
CVE-2026-11898 MEDIUM This Month

Stored Cross-Site Scripting in the White Label CMS WordPress plugin (versions through 2.7.12) permits authenticated administrators to persist arbitrary JavaScript payloads via plugin settings pages, which then execute in the browsers of other users who access affected pages. Exploitation is gated behind two hard constraints: the attacker must hold administrator-level WordPress credentials, and the target site must be either a WordPress multisite installation or a site where the unfiltered_html capability has been explicitly disabled. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

WordPress XSS White Label Cms
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-9738 MEDIUM This Month

Stored Cross-Site Scripting in the Print, PDF, Email by PrintFriendly WordPress plugin (versions through 5.5.10) allows authenticated administrators to inject persistent JavaScript via the 'content_position_css' parameter, which executes in the browsers of any user who visits an affected page. The scope change (S:C) in the CVSS vector confirms the injected script breaks out of the plugin's security context into victim browsers, enabling session hijacking, credential theft, or malicious redirects against site visitors. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

WordPress XSS Print Pdf Email By Printfriendly
NVD VulDB
CVSS 3.1
4.4
EPSS
0.2%
CVE-2026-12103 MEDIUM This Month

User enumeration via authorization bypass in the Wallet for WooCommerce WordPress plugin (versions up to and including 1.6.4) allows any authenticated subscriber-level user to extract login names, email addresses, and user IDs for every WordPress account on the site, including administrators. The flaw exists because the plugin exposes a 'search-user' nonce - required to call its AJAX search handler - directly in the wallet_param JavaScript object rendered on the publicly accessible WooCommerce My Account page, making it trivially obtainable by any logged-in user. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low attack complexity and wide subscriber-level accessibility make exploitation straightforward on sites with open user registration.

Authentication Bypass WordPress Wallet For Woocommerce
NVD VulDB
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-10628 MEDIUM This Month

Authorization bypass in Points and Rewards for WooCommerce (all versions through 2.10.0) allows authenticated subscribers to drain any user's reward points into a wallet balance, exfiltrate all user emails and point balances to an attacker-controlled Klaviyo account, and overwrite the site's Klaviyo API key - compounding financial fraud with third-party data exfiltration. Critically, the plugin exposes its authentication nonce (wps-wpr-verify-nonce) on every public-facing page via wp_localize_script(), and the wallet-draining handler is registered on the wp_ajax_nopriv_ hook, meaning the most financially damaging action - converting points to wallet balance - is exploitable by unauthenticated visitors. No public exploit code or CISA KEV listing identified at time of analysis.

Authentication Bypass WordPress Points And Rewards For Woocommerce
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-10041 MEDIUM This Month

Unauthorized cross-vendor manipulation in WCFM - Frontend Manager for WooCommerce (all versions ≤ 6.7.27) allows authenticated subscriber-level users to archive competitor vendors' product listings, toggle featured status on arbitrary listings, mark WooCommerce orders as completed, and permanently delete enquiries and bulk messages belonging to other vendors within the same marketplace. Multiple AJAX handlers in class-wcfm-ajax.php, class-wcfm-enquiry.php, and class-wcfm-notification.php accept user-controlled object IDs without verifying ownership - a textbook CWE-639 IDOR pattern enabling horizontal privilege escalation across vendor accounts. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass WordPress Wcfm Frontend Manager For Woocommerce
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-7559 MEDIUM This Month

Unauthorized affiliate management actions in the Affilia plugin for WordPress (all versions through 3.3.3) allow any subscriber-level authenticated user to approve or reject referrals, credit commissions to affiliate wallets, delete referral records, and modify banner options - enabling direct financial fraud against WooCommerce stores. The root cause is that the sole authentication gate relies on a WordPress nonce that is publicly embedded in every frontend page load via the JavaScript global `rtwalwm_global_params.rtwalwm_nonce`, making role-based access enforcement trivially bypassable. No public exploit code or CISA KEV listing is identified at time of analysis, but the low exploitation complexity and direct financial fraud impact make this a meaningful operational risk for any site running an affiliate program on this plugin.

Authentication Bypass WordPress Affiliate Program Referral Tracking For Woocommerce Wordpress Affilia
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-7620 MEDIUM This Month

Authorization bypass in the Notification for Telegram WordPress plugin (all versions through 3.5.1) allows authenticated subscribers to manipulate WordPress cron scheduling logic. Authenticated attackers with subscriber-level access or above can create, modify, or reschedule the nftb_cron_hook cron event due to missing authorization checks in nftncron.php, disrupting the plugin's background task scheduling for Telegram notifications. No public exploit or active exploitation has been identified at time of analysis; CVSS rates this Medium (4.3) with integrity-only impact.

Authentication Bypass WordPress Notification For Telegram
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-7544 MEDIUM This Month

Sensitive Information Exposure in the Mux Video Uploader WordPress plugin (all versions through 1.1.4) allows any authenticated WordPress user at subscriber level or higher to retrieve Mux API credentials via the `muxvideo_enqueue_settings_script` function. Mux API keys exposed this way could enable unauthorized access to the site's Mux account, including video management and potential billing abuse. Reported by Wordfence; no public exploit code or CISA KEV listing identified at time of analysis.

WordPress Information Disclosure Mux Video Uploader
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-13116 MEDIUM This Month

Insecure Direct Object Reference in the PDF Invoices & Packing Slips for WooCommerce plugin (versions through 5.14.0) allows authenticated contributors to mint permanent, session-free download links for arbitrary third-party orders, exposing customer PII including names, billing and shipping addresses, email addresses, phone numbers, line items, payment details, and customer notes. Exploitation is gated on a non-default plugin setting - the 'Document link access type' must be configured to 'full' rather than the default 'logged_in'; the default configuration signs URLs with a per-session nonce, neutralising the attack path. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass WordPress Pdf Invoices Packing Slips For Woocommerce
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-3552 MEDIUM PATCH This Month

Unauthorized data modification in SurfLink - Link Manager & Backup Restore (all versions up to 2.6.0) allows authenticated attackers with Subscriber-level access to inject arbitrary URLs into the plugin's 410 Gone database table, causing those site paths to return HTTP 410 Gone responses to all visitors. The root cause is a missing capability check (current_user_can()) and absent nonce verification (check_ajax_referer()) in the ajax_import_410() AJAX handler - a conspicuous gap given that every other AJAX handler in the same PHP class correctly implements both controls. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, but the low authentication barrier and clear impact on site availability and SEO ranking make this a meaningful risk for affected WordPress deployments.

Authentication Bypass WordPress Denial Of Service Surflink Link Manager Backup Restore
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-8678 MEDIUM This Month

Authorization bypass in the MyParcel (woocommerce-myparcel) WordPress plugin allows any authenticated subscriber-level user to view and modify shipment options - including carrier, delivery type, package type, label count, weight, signature requirement, and insurance - on arbitrary WooCommerce orders they do not own. All plugin versions up to and including 4.25.1 are affected, with the flaw rooted in missing capability checks on administrative AJAX handlers. No public exploit or active exploitation has been identified at time of analysis, though the low privilege bar (any registered WordPress user) expands the realistic attacker pool significantly for e-commerce stores.

Authentication Bypass WordPress Myparcel
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-1832 MEDIUM This Month

Unauthorized cache deletion in the ThriveDesk WordPress plugin (all versions through 2.1.7) is possible by any authenticated user holding a Subscriber-level role or above, due to a missing capability check on the `thrivedesk_clear_cache` AJAX action. The root cause is a CWE-862 Missing Authorization flaw in `includes/helper.php` - any logged-in user can invoke the privileged cache-clearing function without role validation. No public exploit has been identified at time of analysis and no CISA KEV listing exists; real-world impact is bounded to cache disruption and potential performance degradation rather than data loss or code execution.

Authentication Bypass WordPress Agentic Help Desk Plugin For Wordpress Live Chat Ai Chatbot Ticketing Thrivedesk
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-12738 MEDIUM This Month

Authorization bypass in the WP Easy Pay WordPress plugin (versions ≤4.5.0) allows any authenticated WordPress user at subscriber level or above to set arbitrary posts and pages to 'draft', silently unpublishing site content without editorial authorization. The flaw stems from missing capability checks in the plugin's action handlers (wpep-setup.php), confirmed by Wordfence with direct source code references. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified, but the low barrier to exploitation - any registered user qualifies - makes this a meaningful risk on sites with open user registration.

Authentication Bypass WordPress Wp Easy Pay Payment And Donation Form Builder For Square
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy