Skip to main content
CVE-2026-15684 HIGH This Week

Local privilege escalation in Glarysoft Glary Utilities lets an already-present low-privileged attacker abuse the Disk Clean feature to delete arbitrary files and ultimately execute code as SYSTEM. Discovered and reported through the Zero Day Initiative (ZDI-26-402, ZDI-CAN-27004), it stems from the privileged cleanup service following filesystem junctions (CWE-59) planted by the attacker. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but ZDI-sourced advisories are typically high-fidelity and reproducible.

RCE Privilege Escalation Glary Utilities
NVD
CVSS 3.0
7.3
EPSS
0.1%
CVE-2025-45869 HIGH This Week

Server-Side Request Forgery in LogicalDOC Enterprise versions up to and including 9.1.1 lets a remote, unauthenticated attacker abuse the ShareFileCallback servlet to coerce the server into issuing HTTP requests to an attacker-chosen host. Because no credentials are required and the flaw is network-reachable, it can be used to probe internal networks, reach otherwise-firewalled services, and potentially retrieve cloud metadata. A public technical disclosure exists (netero1010 Vulnerability-Disclosure repository); there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV.

SSRF N A
NVD GitHub
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-62192 HIGH This Week

Privilege-boundary bypass in OpenClaw's Discord guild-action handling (versions 2026.6.6 up to but not including 2026.6.9) lets a low-privilege authenticated caller invoke operations that should require stronger authorization. By abusing misconfigured input paths, the attacker skips the cross-provider requester authorization step and executes restricted guild operations. No public exploit identified at time of analysis; the CVSS 4.0 score of 7.2 reflects high integrity and availability impact with no confidentiality exposure.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-62186 HIGH This Week

Privilege escalation in OpenClaw before 2026.6.8 lets a lower-trust, already-authenticated caller invoke admin-restricted operations by abusing OpenAI-compatible HTTP model-override input paths, bypassing the authorization checks that should gate those actions. The flaw was reported by VulnCheck and stems from missing authorization (CWE-862) on override-driven request handling. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-55372 HIGH POC PATCH GHSA This Week

Server-side request forgery in NukeViet CMS before 4.6.00 lets a remote unauthenticated attacker coerce the server into issuing outbound HTTP requests to an arbitrary host by spoofing the X-Forwarded-Host and X-Forwarded-Proto headers, which flow unvalidated into the cURL URL built by server_info_update(). Because the __serverInfoUpdate=1 POST handler in includes/ini.php runs before authentication, no credentials are needed. The flaw is blind, HEAD-only and uses a fixed request path, so its practical value is internal host/port discovery and poisoning of the cached server_headers rather than data exfiltration; no public exploit beyond the advisory PoC is identified and it is not in CISA KEV.

Canonical PHP SSRF
NVD GitHub
CVSS 3.1
7.2
CVE-2026-59521 HIGH This Week

PHP Object Injection in the ShapedPlugin Real Testimonials (testimonial-free) WordPress plugin affects all versions up to and including 3.1.15, allowing a high-privileged authenticated user to inject serialized PHP objects that the plugin unsafely deserializes. Depending on gadget chains present in WordPress core, other active plugins, or themes, this can escalate to arbitrary code execution, data disclosure, or site compromise. Reported by Patchstack; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Deserialization Real Testimonials
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-57407 HIGH This Week

Server-Side Request Forgery in WP Swings' PDF Generator for WordPress plugin (all versions up to and including 1.6.2) lets remote attackers coerce the WordPress server into issuing attacker-controlled outbound requests, with a scope-changed impact reaching adjacent internal systems. Reported by Patchstack and tracked as CWE-918 with a CVSS 3.1 base score of 7.2, it currently has no public exploit identified at time of analysis and is not listed in CISA KEV. Because the scope is changed (S:C), successful abuse can pivot the server against internal metadata endpoints, intranet services, or cloud IMDS resources beyond the WordPress host itself.

WordPress SSRF Pdf Generator For Wordpress
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-57372 HIGH This Week

Server-Side Request Forgery in the WPJAM Basic WordPress plugin (by denishua) affects all versions up to and including 7.0, letting remote attackers coerce the site's server into issuing crafted outbound requests. Because the CVSS scope is marked Changed with low confidentiality and integrity impact, an attacker can reach internal or otherwise-protected services and read back limited responses. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was disclosed through the Patchstack vulnerability database.

SSRF Wpjam Basic
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-57383 HIGH This Week

Stored cross-site scripting in the eyecix JobSearch (wp-jobsearch) WordPress plugin, versions up to and including 3.2.9, lets attackers inject persistent JavaScript that executes in the browsers of users who later view the affected page. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) indicates a network-reachable, low-complexity flaw requiring no attacker authentication but relying on a victim viewing the poisoned content, with a scope change reflecting script execution crossing into the victim's browser context. No public exploit identified at time of analysis, and no EPSS score was supplied in the intelligence set.

XSS Jobsearch
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57382 HIGH This Week

Reflected cross-site scripting in the Simple File List WordPress plugin (versions up to and including 6.3.8) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they click a crafted link. The scope-changed CVSS vector (S:C) reflects that injected script escapes the plugin's context to affect the broader WordPress site, potentially hijacking authenticated admin sessions. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; EPSS data was not provided.

XSS Simple File List
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-62191 HIGH This Week

Privilege escalation via authorization bypass in OpenClaw 2026.6.6 through 2026.6.8 allows a low-privileged, authenticated caller to invoke message-mutation operations that should require stronger authorization, letting them execute privileged actions. The flaw is a missing authorization check (CWE-862) on mutation input paths and requires the affected feature to be enabled and reachable. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-58410 HIGH This Week

Insecure Direct Object Reference in ChurchCRM before 7.4.0 lets an authenticated non-admin user with EditSelf access read and modify other congregations' family records by supplying a different family's familyId to family-scoped endpoints. Because the backend loads the family entity by the attacker-controlled ID without ownership verification, a user who also holds the Notes permission can additionally create notes on unrelated families' records, breaking the intended self-service scope. No public exploit identified at time of analysis, though the flaw is trivially reproducible by manipulating a request parameter.

Authentication Bypass Crm
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-61956 HIGH This Week

Cross-Site Request Forgery in the Woosalam (ووسلام - همگام سازی ووکامرس و باسلام) WooCommerce-to-Basalam sync plugin for WordPress lets a remote attacker forge state-changing requests that a logged-in victim's browser executes, affecting all versions from an unspecified initial release through 1.9.1. Because the plugin fails to validate request authenticity (CWE-352), an attacker who lures an authenticated user to a malicious page can trigger high-integrity changes with no attacker authentication required (CVSS 7.1). No public exploit identified at time of analysis and the flaw is not on CISA KEV.

CSRF 8211
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-59516 HIGH This Week

Reflected cross-site scripting in the ICS Calendar WordPress plugin (by Room 34 Creative Services) affects all versions from initial release through 12.1.1, letting an attacker craft a malicious URL that, when opened by a victim, injects arbitrary script into the rendered page. Because the CVSS scope is changed (S:C), successful execution can affect resources beyond the vulnerable component, including a logged-in administrator's WordPress session. No public exploit identified at time of analysis, and it is not on the CISA KEV list.

XSS Ics Calendar
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57816 HIGH This Week

Reflected cross-site scripting in the FunnelKit Funnel Builder WordPress plugin (versions up to and including 3.15.0.8) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Because the CVSS vector marks a scope change (S:C), the injected script runs beyond the vulnerable component and can affect the wider WordPress admin/site session context. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

XSS Funnel Builder By Funnelkit
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57814 HIGH This Week

DOM-based cross-site scripting in the WPMU DEV Forminator WordPress plugin (versions up to and including 1.55.0.1) allows remote attackers to execute arbitrary JavaScript in a victim's browser when the victim interacts with a maliciously crafted link or page element. Reported by Patchstack and rated CVSS 7.1, the flaw carries a scope-changing impact but requires user interaction; no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS WordPress Forminator
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57745 HIGH This Week

Reflected cross-site scripting in the stmcan RT-Theme 18 | Extensions WordPress plugin (all versions up to and including 2.5) lets remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is changed (S:C), a successful payload can affect resources beyond the vulnerable component, such as the WordPress session context. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; disclosure comes from Patchstack.

XSS Rt Theme 18 Extensions
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57741 HIGH This Week

Stored cross-site scripting in the AcyMailing SMTP Newsletter plugin for WordPress allows attackers to persist malicious JavaScript that executes in the browser of any user who views the affected page, up to and including version 10.11.0. The scope-change CVSS vector (S:C) indicates the injected script can break out of the plugin's context into the wider WordPress site, enabling session theft or admin-panel actions. This flaw was reported by Patchstack and currently has no public exploit identified at time of analysis.

XSS Acymailing Smtp Newsletter
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57740 HIGH This Week

Broken access control in the AcyMailing SMTP Newsletter plugin for WordPress (versions up to and including 10.11.1) lets an authenticated low-privileged user reach functionality that should be restricted, impacting integrity and, most notably, availability of the plugin's newsletter/mailing operations. The flaw is a missing authorization check (CWE-862) reported by Patchstack; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Note an inconsistency in the source data: the CVE description states affected 'through <= 10.11.1' while the linked Patchstack advisory slug references 10.10.2 - the exact patched version is not confirmed from the input.

Authentication Bypass Acymailing Smtp Newsletter
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57734 HIGH This Week

Reflected cross-site scripting in the tagDiv Composer (td-composer) WordPress plugin through version 5.4.3 allows remote attackers to inject arbitrary script into pages that a victim views after clicking a crafted link. Because the CVSS vector marks a scope change (S:C), successful exploitation can affect resources beyond the vulnerable component, such as the WordPress admin session context. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Tagdiv Composer
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57733 HIGH This Week

Stored/DOM-based cross-site scripting in the tagDiv Cloud Library (td-cloud-library) WordPress plugin, versions up to and including 3.9.4, allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser when the victim interacts with a crafted input, per the CVSS PR:N/UI:R vector. Because the scope is changed (S:C), the injected script can affect resources beyond the vulnerable component - for example hijacking an authenticated administrator session. Reported by Patchstack; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Tagdiv Cloud Library
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57732 HIGH This Week

DOM-based cross-site scripting in the tagDiv Opt-In Builder WordPress plugin (td-subscription) affects all versions up to and including 1.7.4, allowing remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser when the victim interacts with a crafted link or page. The CVSS 3.1 scope-changed vector (7.1) reflects that injected script runs in the site's origin and can affect resources beyond the vulnerable component. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

XSS Tagdiv Opt In Builder
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57725 HIGH This Week

Stored cross-site scripting in the Themeum Kirki WordPress customizer framework (versions through 6.0.11) lets an attacker persist malicious script that executes in the browsers of users who later view the affected page or admin screen. Because the CVSS scope is marked changed (S:C), a successful payload can act beyond the vulnerable component's boundary, affecting whoever renders the stored input. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Kirki
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57728 HIGH This Week

Reflected cross-site scripting in the UX-themes Flatsome WordPress/WooCommerce theme (all versions up to and including 3.20.5) lets a remote attacker inject script that executes in a victim's browser when they click a crafted link. Reported by Patchstack with a CVSS 3.1 score of 7.1 (scope-changed, low-impact), the flaw requires user interaction but no authentication. No public exploit code or active exploitation has been identified at time of analysis.

XSS Flatsome
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57718 HIGH This Week

Reflected cross-site scripting in the Unlimited Elements For Elementor (Free Widgets, Addons, Templates) WordPress plugin affects all versions up to and including 2.0.12, allowing unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser session when the victim clicks a crafted link. The CVSS 3.1 score of 7.1 reflects a scope change (S:C) where injected script escapes into the victim's browser context, yielding limited confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV; the issue was reported by Patchstack.

XSS Unlimited Elements For Elementor Free Widgets Addons Templates
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57715 HIGH This Week

Reflected cross-site scripting in the WPManageNinja Fluent CRM WordPress plugin (all versions through 3.1.7) lets a remote unauthenticated attacker inject script that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is changed (S:C), successful exploitation can affect resources beyond the vulnerable component, typically hijacking an authenticated WordPress admin session within the wp-admin context. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

XSS Fluent Crm
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57712 HIGH This Week

Reflected cross-site scripting in the WPZOOM Portfolio WordPress plugin (all versions up to and including 1.4.29) lets remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Reported by Patchstack with a CVSS 3.1 score of 7.1, the flaw requires user interaction and carries no public exploit identified at time of analysis and no CISA KEV listing. Impact is scoped to the session of whichever user is lured into clicking, including logged-in administrators.

XSS Wpzoom Portfolio
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57708 HIGH This Week

Reflected cross-site scripting in the CRM Perks "Contact Form Entries" WordPress plugin (versions up to and including 1.5.2) lets remote attackers inject script that executes in a victim's browser after the victim clicks a crafted link. Because the CVSS scope is changed (S:C), successful injection can reach data and actions beyond the vulnerable component, typically the WordPress admin/session context. No public exploit has been identified and it is not on CISA KEV; the flaw was reported by Patchstack.

XSS Contact Form Entries
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57706 HIGH This Week

Reflected cross-site scripting in the Dokan (dokan-lite) WordPress multivendor marketplace plugin, versions up to and including 5.0.6, lets a remote attacker inject script that executes in a victim's browser when they follow a crafted link. Reported by Patchstack (CWE-79) and rated CVSS 7.1, the scope-changed vector reflects that injected script runs in the user's authenticated WordPress session context. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; exploitation requires the target to click an attacker-supplied URL.

XSS Dokan
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57695 HIGH This Week

Reflected cross-site scripting in the Dan Rossiter Document Gallery WordPress plugin (all versions up to and including 5.1.0) lets an unauthenticated attacker inject script into a reflected response that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is changed, the injected script can affect resources beyond the vulnerable component (e.g., the surrounding WordPress session context). This flaw was reported by Patchstack; no public exploit code has been identified and it is not listed in CISA KEV at time of analysis.

XSS Document Gallery
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57668 HIGH This Week

Stored cross-site scripting in Basix NEX-Forms (WordPress form-builder plugin) affects all versions up to and including 9.2.2, letting an attacker persist malicious script that executes in a victim's browser when they view the affected form or its stored data. Reported by Patchstack and scored CVSS 7.1 with a scope change, the flaw can lead to session/credential theft or admin actions within the WordPress origin. No public exploit is identified at time of analysis and it is not on CISA KEV.

XSS Nex Forms
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57423 HIGH This Week

Reflected cross-site scripting in the Message Filter for Contact Form 7 WordPress plugin (versions up to and including 1.6.3.8) lets an attacker embed malicious script in a request parameter that is echoed back unsanitized, executing in the victim's browser when they follow a crafted link. Reported by Patchstack, the flaw carries a scope-changing CVSS 3.1 score of 7.1 and requires user interaction; no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation yields limited confidentiality, integrity, and availability impact within the WordPress admin or visitor session context.

XSS Message Filter For Contact Form 7
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57422 HIGH This Week

Reflected cross-site scripting in the VillaTheme Bopo - WooCommerce Product Bundle Builder plugin for WordPress affects all versions up to and including 1.2.0, letting unauthenticated attackers inject script into a victim's browser session when the victim clicks a crafted link. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) reflects a scope change, meaning injected script executes in the WordPress site's security context and can target logged-in administrators. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but reflected XSS in WooCommerce plugins is a well-understood and easily weaponized class.

XSS WordPress Bopo Woocommerce Product Bundle Builder
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57421 HIGH This Week

Reflected cross-site scripting in the CRM Perks Forms WordPress plugin (all versions up to and including 1.1.7) lets an unauthenticated attacker inject script that executes in a victim's browser when they open a crafted link. Patchstack catalogued the issue at CVSS 3.1 7.1, and the scope-changed vector reflects that injected script runs in the WordPress site's origin rather than a sandbox. No public exploit or active exploitation has been identified at time of analysis, so risk is driven by the low attack complexity and required user interaction rather than mass exploitation.

XSS Crm Perks Forms
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57417 HIGH This Week

Stored cross-site scripting in the RexTheme Cart Lift WordPress plugin (versions up to and including 3.1.57) lets an attacker persist malicious JavaScript that executes in a victim's browser when the affected page is viewed. Because the CVSS scope is marked changed, injected script can affect resources beyond the vulnerable component, such as the WordPress admin session viewing abandoned-cart data. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, but stored XSS in a customer-facing e-commerce recovery plugin is a realistic session-hijacking and admin-compromise vector.

XSS Cart Lift
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57416 HIGH This Week

Stored cross-site scripting in the SiteGround Email Marketing WordPress plugin (versions up to and including 1.7.5) lets attackers persist malicious JavaScript that executes in the context of a victim's browser when the affected page is rendered. Reported by Patchstack with a CVSS 3.1 base score of 7.1 and a scope-changed impact, the flaw carries no public exploit identified at time of analysis and is not listed in CISA KEV. Because the injected payload is stored server-side, it can strike any user - including administrators - who later loads the tainted content.

XSS Siteground Email Marketing
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57415 HIGH This Week

Stored cross-site scripting in the Codemenschen 'Gift Vouchers' WordPress plugin (all versions up to and including 4.7.0) lets an attacker persist malicious script into plugin-managed content that later executes in the browser of any user who views the affected page. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, score 7.1) indicates network-reachable, low-complexity injection with a scope change and required victim interaction. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

XSS Gift Vouchers
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57411 HIGH This Week

DOM-based cross-site scripting in the WordPress plugin CF7 Views - Complete Entry Management for Contact Form 7 (by Aman) affects all versions from an unspecified start through 3.2.2, letting a remote attacker who lures a user into interacting with a crafted link or page execute arbitrary JavaScript in that user's browser session. The flaw carries a CVSS 3.1 base score of 7.1 with a scope change (S:C), reflecting that script executes outside the vulnerable component's security context. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the issue was disclosed via Patchstack.

XSS Cf7 Views 8211 Complete Entry Management For Contact Form 7
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57409 HIGH This Week

DOM-based cross-site scripting affects the RealMag777 "Active Products Tables for WooCommerce" WordPress plugin (slug profit-products-tables-for-woocommerce) in all versions through 1.1.0, letting a remote attacker deliver crafted input that is unsafely written into the DOM and executed as script in a victim's browser. Because the CVSS scope is changed (S:C) and no authentication is required (PR:N), successful exploitation can affect resources beyond the vulnerable component, though it requires the victim to interact with an attacker-influenced page or link (UI:R). There is no public exploit identified at time of analysis and it is not listed in CISA KEV; no EPSS score was supplied.

XSS WordPress Active Products Tables For Woocommerce
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57405 HIGH This Week

Broken access control in the ThemeHunk Open Shop WordPress theme (versions up to and including 1.7.1) lets an authenticated low-privileged user reach functionality that should be restricted, tampering with data and degrading site availability. Reported by Patchstack and rated CVSS 7.1, the flaw stems from missing authorization checks on a privileged action. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Open Shop
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57403 HIGH This Week

Reflected cross-site scripting in the GD Security Headers WordPress plugin (by Milan Petrovic, versions up to and including 1.8) lets remote attackers inject arbitrary JavaScript that executes in a victim's browser when they click a crafted link. The flaw stems from improper input neutralization during web page generation (CWE-79) and, per the CVSS scope-change metric, can affect resources beyond the vulnerable component. No public exploit code has been identified and it is not listed in CISA KEV, but disclosure by Patchstack makes the affected versions well documented.

XSS Gd Security Headers
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57398 HIGH This Week

Reflected cross-site scripting in the WebCodingPlace Real Estate Manager Pro WordPress plugin (all versions up to and including 12.8.3) allows a remote attacker to inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is changed (S:C), successful execution can affect the broader WordPress session/DOM beyond the vulnerable component. No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not supplied.

XSS Real Estate Manager Pro
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57399 HIGH This Week

Stored cross-site scripting in the WordPress plugin 'Proxy & VPN Blocker' (versions up to and including 3.5.8) lets attackers persist malicious JavaScript that executes in victims' browsers when an affected page is rendered. Reported by Patchstack and carrying a CVSS 3.1 score of 7.1 with a scope change, the flaw affects all releases from an unspecified initial version through 3.5.8. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Proxy Amp Vpn Blocker
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57396 HIGH This Week

Stored cross-site scripting in the Flintop "Free Gifts for WooCommerce" WordPress plugin (all versions through 13.1.0) lets an attacker inject persistent JavaScript that executes in the browser of anyone viewing the affected page. Reported by Patchstack and tracked as CWE-79, it carries a CVSS 7.1 score driven by a changed scope (S:C), and has no public exploit identified at time of analysis. No CISA KEV listing or POC has been reported, so this is a disclosed-but-not-yet-weaponized web plugin flaw.

XSS WordPress Free Gifts For Woocommerce
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57394 HIGH This Week

Reflected cross-site scripting in the Tribulant Software Newsletters (newsletters-lite) WordPress plugin, affecting all versions up through 4.14, lets a remote attacker execute arbitrary JavaScript in a victim's browser when the victim is lured into clicking a crafted link. Reported by Patchstack and rated CVSS 7.1, the scope-changing flaw can lead to session/credential theft or actions performed as the targeted user, including administrators. There is no public exploit identified at time of analysis and it is not on CISA KEV.

XSS Newsletters
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57388 HIGH This Week

Stored cross-site scripting in Themefic's Hydra Booking WordPress plugin (all versions up to and including 1.1.44) lets an attacker inject persistent JavaScript that executes in the browser of a victim who later views the affected page. The Patchstack-reported flaw (CVSS 7.1, scope-changed) requires victim interaction to fire, and no public exploit has been identified at time of analysis. Because impact crosses the security boundary into a privileged WordPress admin session, it can facilitate session hijacking or actions in the admin's context.

XSS Hydra Booking
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57387 HIGH This Week

Stored cross-site scripting in the picu WordPress plugin (all versions up to and including 3.5.1) lets an attacker inject persistent JavaScript that executes in the browser of any user who later views the affected page. Because the CVSS vector marks a scope change (S:C) and requires only user interaction (UI:R) with no privileges (PR:N), a crafted payload stored via picu can run in an administrator or reviewer session and act beyond the plugin's own boundary. No public exploit identified at time of analysis and the issue is not on CISA KEV; the 7.1 CVSS reflects moderate impact across confidentiality, integrity, and availability.

XSS Picu
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57381 HIGH This Week

Reflected cross-site scripting in the PropertyHive WordPress real-estate plugin (all versions up to and including 2.2.3) lets a remote attacker inject arbitrary JavaScript that executes in a victim's browser when they click a crafted link. No public exploit has been identified at time of analysis and the flaw is not on CISA KEV; EPSS data was not provided. Because exploitation is unauthenticated (PR:N) but requires user interaction (UI:R), practical risk depends on luring a logged-in user or administrator to a malicious URL.

XSS Propertyhive
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57379 HIGH This Week

Stored cross-site scripting in the WPPOOL FormyChat (social-contact-form) WordPress plugin, versions up to and including 2.15.3, lets remote attackers inject persistent JavaScript that executes in the browser of anyone who later views the affected page. Reported by Patchstack (CVSS 7.1), the scope-changing flaw can be abused to hijack sessions, deface content, or pivot toward WordPress administrator accounts. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

XSS Formychat
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57380 HIGH This Week

Stored/DOM-based cross-site scripting in the hupe13 "Extensions for Leaflet Map" WordPress plugin (all versions up to and including 5.1) lets an attacker inject script that executes in a victim's browser when they load a page rendering the crafted map content. Reported by Patchstack and carrying a 7.1 CVSS with a scope-changed vector, it requires victim interaction and yields limited confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Extensions For Leaflet Map
NVD
CVSS 3.1
7.1
EPSS
0.3%
Prev Page 3 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy