Skip to main content
CVE-2026-57792 HIGH This Week

Local file inclusion in the Mikado-Themes "Dor" WordPress theme (all versions through 2.4.1) lets an authenticated attacker with low privileges supply a crafted filename to a PHP include/require statement, causing the server to include and execute arbitrary local files. Patchstack attributes it to improper control of a filename passed to a PHP include path (CWE-98), enabling disclosure of sensitive files and potential code execution. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the high CVSS (7.5) reflects the full-impact potential once the low-privilege prerequisite is met.

Information Disclosure LFI PHP D R
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57791 HIGH This Week

Local file inclusion in the ThemeMove Brook WordPress theme (versions up to and including 2.9.0) lets authenticated attackers coerce a PHP include/require statement into loading arbitrary local files on the server, exposing sensitive data such as wp-config.php credentials and potentially escalating to code execution. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 7.5, but exploitation is rated high-complexity (AC:H) and requires at least low-level authentication (PR:L). There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure LFI PHP Brook
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57789 HIGH This Week

Local File Inclusion in the jwsthemes Aqua WordPress theme (versions up to and including 5.1.2) lets an authenticated attacker coerce a PHP include/require statement into loading arbitrary local files, exposing sensitive data and potentially achieving code execution. Reported by Patchstack under CWE-98, the flaw carries CVSS 7.5 but requires low-level privileges and high attack complexity. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Information Disclosure LFI PHP Aqua
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57790 HIGH This Week

Local File Inclusion in the ThemeMove 'Billey' premium WordPress theme (versions up to and including 2.1.8) lets an authenticated attacker with low privileges control a filename used in a PHP include/require statement, exposing sensitive server-side files such as wp-config.php. Classified by Patchstack under CWE-98 (PHP Remote File Inclusion) but resolving to Local File Inclusion in practice, the flaw carries a CVSS 7.5 rating and no public exploit identified at time of analysis. Under specific conditions PHP file inclusion can escalate from information disclosure toward code execution via techniques such as log poisoning.

Information Disclosure LFI PHP Billey
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57788 HIGH This Week

Local File Inclusion in the Edge-Themes "Aalto" WordPress theme (all versions up to and including 1.8) lets an authenticated attacker control a filename passed to a PHP include/require statement, exposing local files and potentially executing PHP. The flaw was reported by Patchstack and carries CVSS 7.5; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Despite the CWE-98 "Remote File Inclusion" classification, the described impact is Local File Inclusion.

Information Disclosure LFI PHP Aalto
NVD VulDB
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57729 HIGH This Week

Broken access control in the UX-Themes Flatsome WordPress theme (versions up to and including 3.20.5) allows remote unauthenticated attackers to reach functionality or data that should be authorization-gated, resulting in confidentiality-only impact per the CVSS vector. The flaw stems from a missing authorization check (CWE-862) and was catalogued by Patchstack, but there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Flatsome is one of the most widely sold commercial WooCommerce themes, so the affected footprint is substantial even though only information disclosure (not integrity or availability) is implicated.

Authentication Bypass Flatsome
NVD VulDB
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-57727 HIGH This Week

Broken access control in the Themeum Kirki WordPress customizer framework (versions up to and including 6.0.13) allows remote unauthenticated attackers to reach functionality protected by incorrectly configured access-control levels, resulting in disclosure of sensitive information. The flaw was reported by Patchstack and stems from a missing authorization check (CWE-862); no public exploit has been identified at time of analysis. With a CVSS of 7.5 driven purely by confidentiality impact, the practical risk is unauthorized data exposure rather than site takeover.

Authentication Bypass Kirki
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-57705 HIGH This Week

Broken access control in the Event Tickets WordPress plugin (versions up to and including 5.28.5) lets remote unauthenticated attackers modify data they should not be able to reach because an authorization check is missing on a privileged action. The flaw carries a 7.5 CVSS with an integrity-only impact (I:H) and no confidentiality or availability effect, and there is no public exploit identified at time of analysis. It was disclosed by Patchstack and affects default installations of the plugin.

Authentication Bypass Event Tickets
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-57697 HIGH This Week

Authentication bypass in the Metagauss ProfileGrid WordPress plugin (versions up to and including 5.9.9.6) lets remote unauthenticated attackers abuse the password recovery flow as an alternate channel to hijack arbitrary user accounts, including administrators. Because the flaw is exploitable over the network with no privileges and no user interaction (CVSS 7.5, I:H), it enables full account takeover on affected WordPress sites. No public exploit is identified at time of analysis and it is not in CISA KEV, but the low attack complexity makes it an attractive target once details circulate.

Authentication Bypass Profilegrid
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2026-57378 HIGH This Week

Broken access control in the Phil Kurth "Advanced Forms" WordPress plugin (all versions up to and including 1.9.3.7) lets remote unauthenticated attackers reach a form-handling function that fails to verify authorization, enabling unauthorized modification of form data or settings. The CVSS 3.1 score is 7.5 with integrity-only impact and no confidentiality or availability loss. Reported by Patchstack; no public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Advanced Forms
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-15574 HIGH This Week

Sensitive information disclosure in Red Hat OpenShift AI's vllm-orchestrator-gateway component exposes bearer tokens and full chat payloads because the production binary writes all incoming Authorization headers and complete request bodies to persistent logs. Any user holding logging privileges can read these logs to harvest live credentials and potentially PII-laden conversation content. There is no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Red Hat Openshift Ai Rhoai
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-14165 HIGH This Week

Insecure direct object reference (IDOR) in Dassault Systèmes Tuleap Enterprise Edition 17.0 through 17.5 lets attackers read other users' data by manipulating a user-controlled key/identifier, breaking horizontal authorization boundaries. The CVSS 3.1 vector (AV:N/PR:N) scores it as remotely reachable with high confidentiality impact but no integrity or availability effect. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Tuleap Enterprise Edition
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-26396 HIGH This Week

Sensitive information disclosure in OpenBMB XAgent v1.0.0 and earlier allows remote unauthenticated attackers to read arbitrary files on the server by abusing a path traversal flaw in the file() endpoint of XAgentServer's workspace router. The user-controllable 'filename' parameter is concatenated into a file path without validation, so a crafted request escapes the intended workspace directory. SSVC lists exploitation as proof-of-concept and automatable=yes; publicly available exploit code exists via a referenced gist, though this is not confirmed as actively exploited in the wild.

Path Traversal Information Disclosure N A
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2026-15684 HIGH This Week

Local privilege escalation in Glarysoft Glary Utilities lets an already-present low-privileged attacker abuse the Disk Clean feature to delete arbitrary files and ultimately execute code as SYSTEM. Discovered and reported through the Zero Day Initiative (ZDI-26-402, ZDI-CAN-27004), it stems from the privileged cleanup service following filesystem junctions (CWE-59) planted by the attacker. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but ZDI-sourced advisories are typically high-fidelity and reproducible.

RCE Privilege Escalation Glary Utilities
NVD
CVSS 3.0
7.3
EPSS
0.1%
CVE-2025-45869 HIGH This Week

Server-Side Request Forgery in LogicalDOC Enterprise versions up to and including 9.1.1 lets a remote, unauthenticated attacker abuse the ShareFileCallback servlet to coerce the server into issuing HTTP requests to an attacker-chosen host. Because no credentials are required and the flaw is network-reachable, it can be used to probe internal networks, reach otherwise-firewalled services, and potentially retrieve cloud metadata. A public technical disclosure exists (netero1010 Vulnerability-Disclosure repository); there is no public exploit identified as being used in active attacks and it is not listed in CISA KEV.

SSRF N A
NVD GitHub
CVSS 3.1
7.3
EPSS
0.2%
CVE-2026-62192 HIGH This Week

Privilege-boundary bypass in OpenClaw's Discord guild-action handling (versions 2026.6.6 up to but not including 2026.6.9) lets a low-privilege authenticated caller invoke operations that should require stronger authorization. By abusing misconfigured input paths, the attacker skips the cross-provider requester authorization step and executes restricted guild operations. No public exploit identified at time of analysis; the CVSS 4.0 score of 7.2 reflects high integrity and availability impact with no confidentiality exposure.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-62186 HIGH This Week

Privilege escalation in OpenClaw before 2026.6.8 lets a lower-trust, already-authenticated caller invoke admin-restricted operations by abusing OpenAI-compatible HTTP model-override input paths, bypassing the authorization checks that should gate those actions. The flaw was reported by VulnCheck and stems from missing authorization (CWE-862) on override-driven request handling. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-55372 HIGH POC PATCH GHSA This Week

Server-side request forgery in NukeViet CMS before 4.6.00 lets a remote unauthenticated attacker coerce the server into issuing outbound HTTP requests to an arbitrary host by spoofing the X-Forwarded-Host and X-Forwarded-Proto headers, which flow unvalidated into the cURL URL built by server_info_update(). Because the __serverInfoUpdate=1 POST handler in includes/ini.php runs before authentication, no credentials are needed. The flaw is blind, HEAD-only and uses a fixed request path, so its practical value is internal host/port discovery and poisoning of the cached server_headers rather than data exfiltration; no public exploit beyond the advisory PoC is identified and it is not in CISA KEV.

Canonical PHP SSRF
NVD GitHub
CVSS 3.1
7.2
CVE-2026-59521 HIGH This Week

PHP Object Injection in the ShapedPlugin Real Testimonials (testimonial-free) WordPress plugin affects all versions up to and including 3.1.15, allowing a high-privileged authenticated user to inject serialized PHP objects that the plugin unsafely deserializes. Depending on gadget chains present in WordPress core, other active plugins, or themes, this can escalate to arbitrary code execution, data disclosure, or site compromise. Reported by Patchstack; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Deserialization Real Testimonials
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-57407 HIGH This Week

Server-Side Request Forgery in WP Swings' PDF Generator for WordPress plugin (all versions up to and including 1.6.2) lets remote attackers coerce the WordPress server into issuing attacker-controlled outbound requests, with a scope-changed impact reaching adjacent internal systems. Reported by Patchstack and tracked as CWE-918 with a CVSS 3.1 base score of 7.2, it currently has no public exploit identified at time of analysis and is not listed in CISA KEV. Because the scope is changed (S:C), successful abuse can pivot the server against internal metadata endpoints, intranet services, or cloud IMDS resources beyond the WordPress host itself.

WordPress SSRF Pdf Generator For Wordpress
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-57372 HIGH This Week

Server-Side Request Forgery in the WPJAM Basic WordPress plugin (by denishua) affects all versions up to and including 7.0, letting remote attackers coerce the site's server into issuing crafted outbound requests. Because the CVSS scope is marked Changed with low confidentiality and integrity impact, an attacker can reach internal or otherwise-protected services and read back limited responses. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; it was disclosed through the Patchstack vulnerability database.

SSRF Wpjam Basic
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-57382 HIGH This Week

Reflected cross-site scripting in the Simple File List WordPress plugin (versions up to and including 6.3.8) allows remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they click a crafted link. The scope-changed CVSS vector (S:C) reflects that injected script escapes the plugin's context to affect the broader WordPress site, potentially hijacking authenticated admin sessions. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; EPSS data was not provided.

XSS Simple File List
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57383 HIGH This Week

Stored cross-site scripting in the eyecix JobSearch (wp-jobsearch) WordPress plugin, versions up to and including 3.2.9, lets attackers inject persistent JavaScript that executes in the browsers of users who later view the affected page. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) indicates a network-reachable, low-complexity flaw requiring no attacker authentication but relying on a victim viewing the poisoned content, with a scope change reflecting script execution crossing into the victim's browser context. No public exploit identified at time of analysis, and no EPSS score was supplied in the intelligence set.

XSS Jobsearch
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-62191 HIGH This Week

Privilege escalation via authorization bypass in OpenClaw 2026.6.6 through 2026.6.8 allows a low-privileged, authenticated caller to invoke message-mutation operations that should require stronger authorization, letting them execute privileged actions. The flaw is a missing authorization check (CWE-862) on mutation input paths and requires the affected feature to be enabled and reachable. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-58410 HIGH This Week

Insecure Direct Object Reference in ChurchCRM before 7.4.0 lets an authenticated non-admin user with EditSelf access read and modify other congregations' family records by supplying a different family's familyId to family-scoped endpoints. Because the backend loads the family entity by the attacker-controlled ID without ownership verification, a user who also holds the Notes permission can additionally create notes on unrelated families' records, breaking the intended self-service scope. No public exploit identified at time of analysis, though the flaw is trivially reproducible by manipulating a request parameter.

Authentication Bypass Crm
NVD GitHub
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-61956 HIGH This Week

Cross-Site Request Forgery in the Woosalam (ووسلام - همگام سازی ووکامرس و باسلام) WooCommerce-to-Basalam sync plugin for WordPress lets a remote attacker forge state-changing requests that a logged-in victim's browser executes, affecting all versions from an unspecified initial release through 1.9.1. Because the plugin fails to validate request authenticity (CWE-352), an attacker who lures an authenticated user to a malicious page can trigger high-integrity changes with no attacker authentication required (CVSS 7.1). No public exploit identified at time of analysis and the flaw is not on CISA KEV.

CSRF 8211
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-59516 HIGH This Week

Reflected cross-site scripting in the ICS Calendar WordPress plugin (by Room 34 Creative Services) affects all versions from initial release through 12.1.1, letting an attacker craft a malicious URL that, when opened by a victim, injects arbitrary script into the rendered page. Because the CVSS scope is changed (S:C), successful execution can affect resources beyond the vulnerable component, including a logged-in administrator's WordPress session. No public exploit identified at time of analysis, and it is not on the CISA KEV list.

XSS Ics Calendar
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57816 HIGH This Week

Reflected cross-site scripting in the FunnelKit Funnel Builder WordPress plugin (versions up to and including 3.15.0.8) lets unauthenticated remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Because the CVSS vector marks a scope change (S:C), the injected script runs beyond the vulnerable component and can affect the wider WordPress admin/site session context. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

XSS Funnel Builder By Funnelkit
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57814 HIGH This Week

DOM-based cross-site scripting in the WPMU DEV Forminator WordPress plugin (versions up to and including 1.55.0.1) allows remote attackers to execute arbitrary JavaScript in a victim's browser when the victim interacts with a maliciously crafted link or page element. Reported by Patchstack and rated CVSS 7.1, the flaw carries a scope-changing impact but requires user interaction; no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS WordPress Forminator
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57745 HIGH This Week

Reflected cross-site scripting in the stmcan RT-Theme 18 | Extensions WordPress plugin (all versions up to and including 2.5) lets remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is changed (S:C), a successful payload can affect resources beyond the vulnerable component, such as the WordPress session context. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; disclosure comes from Patchstack.

XSS Rt Theme 18 Extensions
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57741 HIGH This Week

Stored cross-site scripting in the AcyMailing SMTP Newsletter plugin for WordPress allows attackers to persist malicious JavaScript that executes in the browser of any user who views the affected page, up to and including version 10.11.0. The scope-change CVSS vector (S:C) indicates the injected script can break out of the plugin's context into the wider WordPress site, enabling session theft or admin-panel actions. This flaw was reported by Patchstack and currently has no public exploit identified at time of analysis.

XSS Acymailing Smtp Newsletter
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57740 HIGH This Week

Broken access control in the AcyMailing SMTP Newsletter plugin for WordPress (versions up to and including 10.11.1) lets an authenticated low-privileged user reach functionality that should be restricted, impacting integrity and, most notably, availability of the plugin's newsletter/mailing operations. The flaw is a missing authorization check (CWE-862) reported by Patchstack; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Note an inconsistency in the source data: the CVE description states affected 'through <= 10.11.1' while the linked Patchstack advisory slug references 10.10.2 - the exact patched version is not confirmed from the input.

Authentication Bypass Acymailing Smtp Newsletter
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57734 HIGH This Week

Reflected cross-site scripting in the tagDiv Composer (td-composer) WordPress plugin through version 5.4.3 allows remote attackers to inject arbitrary script into pages that a victim views after clicking a crafted link. Because the CVSS vector marks a scope change (S:C), successful exploitation can affect resources beyond the vulnerable component, such as the WordPress admin session context. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Tagdiv Composer
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57733 HIGH This Week

Stored/DOM-based cross-site scripting in the tagDiv Cloud Library (td-cloud-library) WordPress plugin, versions up to and including 3.9.4, allows remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser when the victim interacts with a crafted input, per the CVSS PR:N/UI:R vector. Because the scope is changed (S:C), the injected script can affect resources beyond the vulnerable component - for example hijacking an authenticated administrator session. Reported by Patchstack; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Tagdiv Cloud Library
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57732 HIGH This Week

DOM-based cross-site scripting in the tagDiv Opt-In Builder WordPress plugin (td-subscription) affects all versions up to and including 1.7.4, allowing remote unauthenticated attackers to execute arbitrary JavaScript in a victim's browser when the victim interacts with a crafted link or page. The CVSS 3.1 scope-changed vector (7.1) reflects that injected script runs in the site's origin and can affect resources beyond the vulnerable component. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

XSS Tagdiv Opt In Builder
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57725 HIGH This Week

Stored cross-site scripting in the Themeum Kirki WordPress customizer framework (versions through 6.0.11) lets an attacker persist malicious script that executes in the browsers of users who later view the affected page or admin screen. Because the CVSS scope is marked changed (S:C), a successful payload can act beyond the vulnerable component's boundary, affecting whoever renders the stored input. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Kirki
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57728 HIGH This Week

Reflected cross-site scripting in the UX-themes Flatsome WordPress/WooCommerce theme (all versions up to and including 3.20.5) lets a remote attacker inject script that executes in a victim's browser when they click a crafted link. Reported by Patchstack with a CVSS 3.1 score of 7.1 (scope-changed, low-impact), the flaw requires user interaction but no authentication. No public exploit code or active exploitation has been identified at time of analysis.

XSS Flatsome
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57718 HIGH This Week

Reflected cross-site scripting in the Unlimited Elements For Elementor (Free Widgets, Addons, Templates) WordPress plugin affects all versions up to and including 2.0.12, allowing unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser session when the victim clicks a crafted link. The CVSS 3.1 score of 7.1 reflects a scope change (S:C) where injected script escapes into the victim's browser context, yielding limited confidentiality, integrity, and availability impact. No public exploit has been identified at time of analysis and the flaw is not listed in CISA KEV; the issue was reported by Patchstack.

XSS Unlimited Elements For Elementor Free Widgets Addons Templates
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57715 HIGH This Week

Reflected cross-site scripting in the WPManageNinja Fluent CRM WordPress plugin (all versions through 3.1.7) lets a remote unauthenticated attacker inject script that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is changed (S:C), successful exploitation can affect resources beyond the vulnerable component, typically hijacking an authenticated WordPress admin session within the wp-admin context. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

XSS Fluent Crm
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57712 HIGH This Week

Reflected cross-site scripting in the WPZOOM Portfolio WordPress plugin (all versions up to and including 1.4.29) lets remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Reported by Patchstack with a CVSS 3.1 score of 7.1, the flaw requires user interaction and carries no public exploit identified at time of analysis and no CISA KEV listing. Impact is scoped to the session of whichever user is lured into clicking, including logged-in administrators.

XSS Wpzoom Portfolio
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57708 HIGH This Week

Reflected cross-site scripting in the CRM Perks "Contact Form Entries" WordPress plugin (versions up to and including 1.5.2) lets remote attackers inject script that executes in a victim's browser after the victim clicks a crafted link. Because the CVSS scope is changed (S:C), successful injection can reach data and actions beyond the vulnerable component, typically the WordPress admin/session context. No public exploit has been identified and it is not on CISA KEV; the flaw was reported by Patchstack.

XSS Contact Form Entries
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57706 HIGH This Week

Reflected cross-site scripting in the Dokan (dokan-lite) WordPress multivendor marketplace plugin, versions up to and including 5.0.6, lets a remote attacker inject script that executes in a victim's browser when they follow a crafted link. Reported by Patchstack (CWE-79) and rated CVSS 7.1, the scope-changed vector reflects that injected script runs in the user's authenticated WordPress session context. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV; exploitation requires the target to click an attacker-supplied URL.

XSS Dokan
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57695 HIGH This Week

Reflected cross-site scripting in the Dan Rossiter Document Gallery WordPress plugin (all versions up to and including 5.1.0) lets an unauthenticated attacker inject script into a reflected response that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is changed, the injected script can affect resources beyond the vulnerable component (e.g., the surrounding WordPress session context). This flaw was reported by Patchstack; no public exploit code has been identified and it is not listed in CISA KEV at time of analysis.

XSS Document Gallery
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57668 HIGH This Week

Stored cross-site scripting in Basix NEX-Forms (WordPress form-builder plugin) affects all versions up to and including 9.2.2, letting an attacker persist malicious script that executes in a victim's browser when they view the affected form or its stored data. Reported by Patchstack and scored CVSS 7.1 with a scope change, the flaw can lead to session/credential theft or admin actions within the WordPress origin. No public exploit is identified at time of analysis and it is not on CISA KEV.

XSS Nex Forms
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57423 HIGH This Week

Reflected cross-site scripting in the Message Filter for Contact Form 7 WordPress plugin (versions up to and including 1.6.3.8) lets an attacker embed malicious script in a request parameter that is echoed back unsanitized, executing in the victim's browser when they follow a crafted link. Reported by Patchstack, the flaw carries a scope-changing CVSS 3.1 score of 7.1 and requires user interaction; no public exploit identified at time of analysis and it is not listed in CISA KEV. Exploitation yields limited confidentiality, integrity, and availability impact within the WordPress admin or visitor session context.

XSS Message Filter For Contact Form 7
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57422 HIGH This Week

Reflected cross-site scripting in the VillaTheme Bopo - WooCommerce Product Bundle Builder plugin for WordPress affects all versions up to and including 1.2.0, letting unauthenticated attackers inject script into a victim's browser session when the victim clicks a crafted link. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C) reflects a scope change, meaning injected script executes in the WordPress site's security context and can target logged-in administrators. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV, but reflected XSS in WooCommerce plugins is a well-understood and easily weaponized class.

XSS WordPress Bopo Woocommerce Product Bundle Builder
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57421 HIGH This Week

Reflected cross-site scripting in the CRM Perks Forms WordPress plugin (all versions up to and including 1.1.7) lets an unauthenticated attacker inject script that executes in a victim's browser when they open a crafted link. Patchstack catalogued the issue at CVSS 3.1 7.1, and the scope-changed vector reflects that injected script runs in the WordPress site's origin rather than a sandbox. No public exploit or active exploitation has been identified at time of analysis, so risk is driven by the low attack complexity and required user interaction rather than mass exploitation.

XSS Crm Perks Forms
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57417 HIGH This Week

Stored cross-site scripting in the RexTheme Cart Lift WordPress plugin (versions up to and including 3.1.57) lets an attacker persist malicious JavaScript that executes in a victim's browser when the affected page is viewed. Because the CVSS scope is marked changed, injected script can affect resources beyond the vulnerable component, such as the WordPress admin session viewing abandoned-cart data. No public exploit has been identified at time of analysis and the issue is not listed in CISA KEV, but stored XSS in a customer-facing e-commerce recovery plugin is a realistic session-hijacking and admin-compromise vector.

XSS Cart Lift
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57416 HIGH This Week

Stored cross-site scripting in the SiteGround Email Marketing WordPress plugin (versions up to and including 1.7.5) lets attackers persist malicious JavaScript that executes in the context of a victim's browser when the affected page is rendered. Reported by Patchstack with a CVSS 3.1 base score of 7.1 and a scope-changed impact, the flaw carries no public exploit identified at time of analysis and is not listed in CISA KEV. Because the injected payload is stored server-side, it can strike any user - including administrators - who later loads the tainted content.

XSS Siteground Email Marketing
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57415 HIGH This Week

Stored cross-site scripting in the Codemenschen 'Gift Vouchers' WordPress plugin (all versions up to and including 4.7.0) lets an attacker persist malicious script into plugin-managed content that later executes in the browser of any user who views the affected page. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, score 7.1) indicates network-reachable, low-complexity injection with a scope change and required victim interaction. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

XSS Gift Vouchers
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
Prev Page 4 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy