Skip to main content
CVE-2026-57411 HIGH This Week

DOM-based cross-site scripting in the WordPress plugin CF7 Views - Complete Entry Management for Contact Form 7 (by Aman) affects all versions from an unspecified start through 3.2.2, letting a remote attacker who lures a user into interacting with a crafted link or page execute arbitrary JavaScript in that user's browser session. The flaw carries a CVSS 3.1 base score of 7.1 with a scope change (S:C), reflecting that script executes outside the vulnerable component's security context. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the issue was disclosed via Patchstack.

XSS Cf7 Views 8211 Complete Entry Management For Contact Form 7
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57409 HIGH This Week

DOM-based cross-site scripting affects the RealMag777 "Active Products Tables for WooCommerce" WordPress plugin (slug profit-products-tables-for-woocommerce) in all versions through 1.1.0, letting a remote attacker deliver crafted input that is unsafely written into the DOM and executed as script in a victim's browser. Because the CVSS scope is changed (S:C) and no authentication is required (PR:N), successful exploitation can affect resources beyond the vulnerable component, though it requires the victim to interact with an attacker-influenced page or link (UI:R). There is no public exploit identified at time of analysis and it is not listed in CISA KEV; no EPSS score was supplied.

XSS WordPress Active Products Tables For Woocommerce
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57405 HIGH This Week

Broken access control in the ThemeHunk Open Shop WordPress theme (versions up to and including 1.7.1) lets an authenticated low-privileged user reach functionality that should be restricted, tampering with data and degrading site availability. Reported by Patchstack and rated CVSS 7.1, the flaw stems from missing authorization checks on a privileged action. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Open Shop
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57403 HIGH This Week

Reflected cross-site scripting in the GD Security Headers WordPress plugin (by Milan Petrovic, versions up to and including 1.8) lets remote attackers inject arbitrary JavaScript that executes in a victim's browser when they click a crafted link. The flaw stems from improper input neutralization during web page generation (CWE-79) and, per the CVSS scope-change metric, can affect resources beyond the vulnerable component. No public exploit code has been identified and it is not listed in CISA KEV, but disclosure by Patchstack makes the affected versions well documented.

XSS Gd Security Headers
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57398 HIGH This Week

Reflected cross-site scripting in the WebCodingPlace Real Estate Manager Pro WordPress plugin (all versions up to and including 12.8.3) allows a remote attacker to inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is changed (S:C), successful execution can affect the broader WordPress session/DOM beyond the vulnerable component. No public exploit identified at time of analysis, and it is not listed in CISA KEV; EPSS was not supplied.

XSS Real Estate Manager Pro
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57399 HIGH This Week

Stored cross-site scripting in the WordPress plugin 'Proxy & VPN Blocker' (versions up to and including 3.5.8) lets attackers persist malicious JavaScript that executes in victims' browsers when an affected page is rendered. Reported by Patchstack and carrying a CVSS 3.1 score of 7.1 with a scope change, the flaw affects all releases from an unspecified initial version through 3.5.8. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Proxy Amp Vpn Blocker
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57396 HIGH This Week

Stored cross-site scripting in the Flintop "Free Gifts for WooCommerce" WordPress plugin (all versions through 13.1.0) lets an attacker inject persistent JavaScript that executes in the browser of anyone viewing the affected page. Reported by Patchstack and tracked as CWE-79, it carries a CVSS 7.1 score driven by a changed scope (S:C), and has no public exploit identified at time of analysis. No CISA KEV listing or POC has been reported, so this is a disclosed-but-not-yet-weaponized web plugin flaw.

XSS WordPress Free Gifts For Woocommerce
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57394 HIGH This Week

Reflected cross-site scripting in the Tribulant Software Newsletters (newsletters-lite) WordPress plugin, affecting all versions up through 4.14, lets a remote attacker execute arbitrary JavaScript in a victim's browser when the victim is lured into clicking a crafted link. Reported by Patchstack and rated CVSS 7.1, the scope-changing flaw can lead to session/credential theft or actions performed as the targeted user, including administrators. There is no public exploit identified at time of analysis and it is not on CISA KEV.

XSS Newsletters
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57388 HIGH This Week

Stored cross-site scripting in Themefic's Hydra Booking WordPress plugin (all versions up to and including 1.1.44) lets an attacker inject persistent JavaScript that executes in the browser of a victim who later views the affected page. The Patchstack-reported flaw (CVSS 7.1, scope-changed) requires victim interaction to fire, and no public exploit has been identified at time of analysis. Because impact crosses the security boundary into a privileged WordPress admin session, it can facilitate session hijacking or actions in the admin's context.

XSS Hydra Booking
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57387 HIGH This Week

Stored cross-site scripting in the picu WordPress plugin (all versions up to and including 3.5.1) lets an attacker inject persistent JavaScript that executes in the browser of any user who later views the affected page. Because the CVSS vector marks a scope change (S:C) and requires only user interaction (UI:R) with no privileges (PR:N), a crafted payload stored via picu can run in an administrator or reviewer session and act beyond the plugin's own boundary. No public exploit identified at time of analysis and the issue is not on CISA KEV; the 7.1 CVSS reflects moderate impact across confidentiality, integrity, and availability.

XSS Picu
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57381 HIGH This Week

Reflected cross-site scripting in the PropertyHive WordPress real-estate plugin (all versions up to and including 2.2.3) lets a remote attacker inject arbitrary JavaScript that executes in a victim's browser when they click a crafted link. No public exploit has been identified at time of analysis and the flaw is not on CISA KEV; EPSS data was not provided. Because exploitation is unauthenticated (PR:N) but requires user interaction (UI:R), practical risk depends on luring a logged-in user or administrator to a malicious URL.

XSS Propertyhive
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57379 HIGH This Week

Stored cross-site scripting in the WPPOOL FormyChat (social-contact-form) WordPress plugin, versions up to and including 2.15.3, lets remote attackers inject persistent JavaScript that executes in the browser of anyone who later views the affected page. Reported by Patchstack (CVSS 7.1), the scope-changing flaw can be abused to hijack sessions, deface content, or pivot toward WordPress administrator accounts. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

XSS Formychat
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57380 HIGH This Week

Stored/DOM-based cross-site scripting in the hupe13 "Extensions for Leaflet Map" WordPress plugin (all versions up to and including 5.1) lets an attacker inject script that executes in a victim's browser when they load a page rendering the crafted map content. Reported by Patchstack and carrying a 7.1 CVSS with a scope-changed vector, it requires victim interaction and yields limited confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Extensions For Leaflet Map
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57368 HIGH This Week

Reflected cross-site scripting in the NooTheme Jobmonster WordPress job-board theme (versions up to and including 4.8.5) lets remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Because the flaw carries a scope change (S:C), successful exploitation can affect resources beyond the vulnerable component, such as the authenticated WordPress session of an administrator who is lured into clicking. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV.

XSS Jobmonster
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57363 HIGH This Week

Stored cross-site scripting in the QuantumCloud ChatBot WordPress plugin (versions through 8.3.7) lets an attacker persist malicious script that executes in another user's browser when the affected page is viewed. The CVSS 3.1 vector (AV:N/PR:N/UI:R/S:C) indicates a network-reachable, unauthenticated injection point that requires a victim to load the poisoned content and crosses a privilege boundary into the rendering context. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

XSS Chatbot
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57376 HIGH This Week

DOM-based cross-site scripting in the ElementInvader Addons for Elementor WordPress plugin (all versions up to and including 1.4.3) lets remote attackers inject client-side script that executes in a victim's browser when they interact with a crafted link or page. Reported by Patchstack and classified CWE-79 with a CVSS 7.1, the scope-changing flaw can lead to session hijacking or defacement in the WordPress context. No public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Elementinvader Addons For Elementor
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57369 HIGH This Week

Reflected cross-site scripting in the Themify Builder WordPress plugin (versions up to and including 7.7.4) lets remote attackers inject arbitrary script that executes in a victim's browser when they follow a crafted link. The CVSS 3.1 base score of 7.1 reflects unauthenticated exploitation with a scope change, though it requires user interaction. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Themify Builder
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-58411 HIGH This Week

Reflected Cross-Site Scripting in ChurchCRM before 7.4.0 lets remote attackers inject JavaScript through unsanitized request parameter names and values reflected into JavaScript-string and HTML-attribute contexts on endpoints such as /FamilyCustomFieldsEditor.php, /PaddleNumList.php, and /admin/system/church-info. When a victim (especially an administrator) follows a crafted link, the payload executes in their session, enabling session-token theft, account takeover, and exposure of church member data. No public exploit identified at time of analysis, and the CVSS 4.0 vector (PR:N/UI:A) indicates unauthenticated triggering but requires victim interaction.

PHP Privilege Escalation XSS Crm
NVD GitHub
CVSS 4.0
7.0
EPSS
0.3%
CVE-2026-61505 MEDIUM PATCH This Month

Path traversal via the `lang` query parameter in Rejetto HFS 3.0.0 through 3.2.0 enables remote unauthenticated attackers to read JSON files outside the application's designated shared folders. Exploitation is constrained by the application's own file-loading logic - only files matching a narrow naming convention and JSON format are reachable, limiting impact to partial information disclosure rather than arbitrary file read. Vendor-released patch v3.2.1 is available; no KEV listing or confirmed public exploit exists, though the same release addresses additional higher-severity vulnerabilities noted in the release notes.

Path Traversal Hfs
NVD GitHub
CVSS 4.0
6.9
EPSS
0.5%
CVE-2026-15542 MEDIUM PATCH This Month

Improper WebSocket authentication in will-moss Isaiah up to version 1.36.9 permits unauthenticated remote attackers to establish authenticated WebSocket sessions against the Docker management interface. The flaw resides in app/main.go within the WebSocket Connection Authentication component, where authentication controls can be bypassed, granting access to Docker management functionality without valid credentials. No public exploit has been identified at time of analysis, and an upstream fix exists as a pending pull request (PR #36) that has not yet been merged into a released version.

Authentication Bypass Isaiah
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2026-61503 MEDIUM PATCH This Month

Username enumeration in Rejetto HFS 3.0.0-3.2.0 exposes valid account names-including the default admin account-to remote unauthenticated attackers through observably different login endpoint responses (CWE-204). The vendor release notes for v3.2.1 indicate this is one of multiple related vulnerabilities that collectively could allow an attacker to gain administrative access, suggesting this flaw may serve as a reconnaissance enabler in a broader attack chain. No public exploit is identified at time of analysis; vendor-released patch v3.2.1 is available.

Information Disclosure Hfs
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-15594 LOW POC Monitor

Improper authorization in waoowaoo (versions up to 0.4.1) allows remote, unauthenticated attackers to bypass access controls on media resources by manipulating the storageKey argument passed to the stablePublicIdFromStorageKey function in the Media Handler component. The impact is limited to partial confidentiality disclosure (VC:L in CVSS 4.0), with no integrity or availability consequence. No vendor patch has been issued as of analysis time; a public exploit exists via a GitHub issue report (POC), though high attack complexity (AC:H) constrains opportunistic exploitation. This vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Waoowaoo
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.3%
CVE-2026-15553 MEDIUM This Month

Unrestricted file upload in Ragic Enterprise Cloud Database exposes all versions to unauthenticated remote exploitation, allowing attackers to plant malicious files that are subsequently served to authenticated platform users for download. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the application performs no meaningful validation of file type, content, or extension before persisting uploads. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, but the zero-authentication requirement and network-accessible attack vector make this a low-barrier, high-supply-chain-risk issue in environments where Ragic is used for file collaboration.

File Upload Enterprise Cloud Database
NVD VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-62193 MEDIUM This Month

Authorization bypass in OpenClaw's plugin install wrappers (versions 2026.6.5 through 2026.6.8) allows a lower-trust authenticated caller to skip the install policy check, executing or persisting plugin actions beyond their intended authorization scope. The impact is bounded by operator configuration - deployments where the plugin install feature is disabled or unreachable are not affected. No public exploit code has been identified and the vulnerability does not appear in CISA KEV; vendor-released fix is available in version 2026.6.9.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-58488 MEDIUM This Month

Rate-limiting bypass in HedgeDoc prior to 1.11.0 permits unauthenticated remote attackers to circumvent brute-force protections on the /login and /register endpoints by injecting arbitrary cf-connecting-ip headers, cycling apparent source IPs per request. This enables unlimited credential-stuffing attacks against login and bulk registration of throwaway accounts. No public exploit code identified at time of analysis; the issue is confirmed fixed in version 1.11.0 per the vendor's GitHub Security Advisory.

Authentication Bypass Hedgedoc
NVD GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-12257 CRITICAL Act Now

Remote code execution in Mura CMS versions prior to 10.0.712 allows unauthenticated attackers to execute arbitrary CFML and instantiate malicious Java objects by abusing the unvalidated 'method' parameter in POST requests to the /index.cfm/_api/json/v1/default JSON API endpoint. Because the ColdFusion engine processes the attacker-controlled input without sanitisation, a single crafted request yields full compromise (VC:H/VI:H/VA:H). No public exploit identified at time of analysis, though CISA SSVC flags the flaw as automatable with total technical impact.

XSS RCE Java Cms
NVD
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-15541 MEDIUM PATCH This Month

Missing authorization in Isaiah's Master WebSocket Handler allows remote unauthenticated attackers to manipulate the Agent argument in the Server.Handle function, bypassing access controls over Docker management operations. All versions of the will-moss/isaiah project up to and including 1.36.9 are affected. No public exploit or active exploitation has been identified at time of analysis; a fix pull request (#35) exists upstream but awaits acceptance.

Authentication Bypass Isaiah
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-15516 LOW POC PATCH Monitor

Authorization bypass in MacCMS Pro's installation module allows remote attackers to circumvent access controls via the `step5` function in the installation controller, affecting all versions through 2022.1000.3005. Exploitation is rated high-complexity (AC:H), limiting opportunistic mass exploitation, though a public proof-of-concept is available on GitHub. No CISA KEV listing at time of analysis; EPSS data was not included in the available intelligence, but POC availability elevates the practical risk above the raw CVSS score alone might suggest.

Authentication Bypass PHP Maccms Pro
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.3%
CVE-2026-60103 MEDIUM PATCH This Month

Out-of-bounds read in Blender 3.0.0 through 5.1.2 allows an attacker to crash the application or disclose heap memory contents by convincing a user to open a specially crafted .blend file containing a malicious member_index value in the SDNA block. The vulnerability stems from missing bounds validation on a signed short index used directly as an array subscript in sdna_expand_names(), enabling both denial-of-service via SIGSEGV and limited heap memory disclosure. No public exploit code or active exploitation has been identified at time of analysis, but the file-based attack vector makes social engineering a realistic delivery mechanism.

Buffer Overflow Information Disclosure Blender
NVD VulDB
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-58489 MEDIUM This Month

HedgeDoc's GitHub Gist export feature exposes private and protected note content to attacker-controlled GitHub accounts via OAuth2 state parameter forgery. Versions prior to 1.11.0 generated an OAuth2 state token during the Gist export flow but validated only its presence - not its binding to the initiating user session - enabling a cross-site request forgery attack. An attacker who tricks a logged-in victim into clicking a crafted callback URL can redirect the victim's note export to the attacker's own GitHub Gist, bypassing any note visibility controls. No public exploit code or CISA KEV listing is identified at time of analysis, but a confirmed patch exists in version 1.11.0.

CSRF Hedgedoc
NVD GitHub
CVSS 4.0
6.8
EPSS
0.1%
CVE-2026-45376 MEDIUM PATCH GHSA This Month

Blind SQL injection in decidim-admin's organization user search endpoint allows authenticated organization administrators to execute arbitrary PostgreSQL expressions inside an ORDER BY clause via the `term` query parameter. The flaw spans decidim-admin versions prior to 0.30.9, 0.31.5, and 0.32.0, and is exploitable using time-based payloads such as `pg_sleep` that return HTTP 200 while leaking data through measurable response-time deltas. No public exploit tool is identified at time of analysis and the vulnerability is not in CISA KEV, but the advisory provides working reproduction steps with a concrete payload, confirming practical exploitability.

SQLi Oracle PostgreSQL
NVD GitHub
CVSS 3.1
6.8
CVE-2026-9571 MEDIUM This Month

Mattermost fails to invalidate OAuth refresh tokens when a user account is deactivated, enabling former users - or any attacker who possesses a valid refresh token - to continue minting functional access tokens against the OAuth refresh token grant endpoint indefinitely after access revocation should have taken effect. All three actively maintained release branches are affected (10.11.x, 11.6.x, 11.7.x), making this a cross-branch session-persistence flaw with high confidentiality and integrity impact on any workspace relying on OAuth-integrated access control. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, though the attack path requires minimal skill for any party already holding a refresh token.

Information Disclosure Mattermost
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-58408 MEDIUM This Month

Authorization bypass in ChurchCRM prior to version 7.4.0 exposes the full congregation member directory to any low-privileged authenticated user via the unprotected POST /CSVCreateFile.php endpoint. The endpoint streams a CSV containing complete PII for every Person and Family record in the database without performing a dedicated function-level authorization check, relying instead on a legacy coarse gate that any single non-admin permission flag satisfies. No public exploit has been identified at time of analysis, but the trivially low exploitation barrier - any valid low-privilege account - makes this a high-priority remediation for organizations managing sensitive congregation data.

PHP Authentication Bypass Crm
NVD GitHub
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-45377 MEDIUM PATCH GHSA This Month

Private data exports in Decidim (decidim-core) are protected at the wrapper route level but expose reusable, session-unbound Active Storage blob redirect URLs that any party who obtains the URL can replay without authentication. The flaw affects all users of the `download_your_data` feature across three version lines of the decidim-core gem, allowing complete disclosure of a user's personal data export - GDPR-scope data - through passive leakage channels including browser history, proxy logs, referrer headers, screenshots, or shared support transcripts. No public exploit has been identified at time of analysis, but the vendor published detailed step-by-step reproduction instructions in the security advisory, making the attack straightforward for any party who intercepts the signed URL.

Information Disclosure
NVD GitHub
CVSS 3.1
6.5
CVE-2025-32781 MEDIUM PATCH GHSA This Month

{env}/releases/{releaseId}` endpoint fetches and returns a release payload without invoking `UserPermissionValidator.shouldHideConfigToCurrentUser(...)`, meaning a low-privileged user who supplies a valid release ID belonging to a restricted application receives the full configuration - potentially including embedded credentials, database connection strings, and service endpoints. No public exploit has been identified at time of analysis, and exploitation is gated by a non-default configuration setting (`configView.memberOnly.envs`), but the practical data sensitivity of Apollo configuration stores makes this a meaningful confidentiality risk.

Authentication Bypass
NVD GitHub
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-62147 MEDIUM This Month

Tenant data leakage in the Tempo Operator gateway component (Red Hat OpenShift Distributed Tracing 3) allows an authenticated low-privileged user to read span attributes from namespaces belonging to other tenants. The flaw exists because namespace-scoped redaction is inconsistently applied across certain query API response paths when query RBAC is enabled, meaning the authorization control exists but is not uniformly enforced. No public exploit code has been identified and this CVE is not listed in CISA KEV, but the high confidentiality impact and low attack complexity make it a meaningful risk in shared multi-tenant tracing deployments.

Authentication Bypass Red Hat Openshift Distributed Tracing 3
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-59523 MEDIUM This Month

Missing Authorization in NSquared's Simply Schedule Appointments WordPress plugin (versions through 1.6.11.11) allows unauthenticated network attackers to bypass access control security levels, yielding limited confidentiality and integrity impact against affected WordPress sites. Reported by Patchstack under CWE-862, the flaw is automatable per CISA's SSVC framework, meaning it can be exploited at scale without human interaction. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis, but the unauthenticated, low-complexity attack surface warrants prompt patching.

Authentication Bypass Simply Schedule Appointments
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57812 MEDIUM This Month

Unauthenticated broken access control in the Simply Schedule Appointments WordPress plugin (versions through 1.6.12.4) allows remote attackers to perform unauthorized actions against appointment data, resulting in low-integrity and low-availability impacts. The plugin by NSquared fails to enforce proper authorization checks on one or more endpoints, enabling exploitation without any credentials against default installations. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the low attack complexity and zero privilege requirement lower the barrier for opportunistic abuse.

Authentication Bypass Simply Schedule Appointments
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57783 MEDIUM This Month

Stored Cross-Site Scripting (XSS) in the merkulove Speaker WordPress plugin (versions through 4.1.13) allows an authenticated low-privilege user to inject and persistently store malicious scripts that execute in other users' browsers upon page visitation. The scope change in the CVSS vector (S:C) confirms that successful exploitation crosses the security boundary from the plugin's context into visiting users' browser sessions, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code or active exploitation (CISA KEV) has been identified at the time of analysis, and EPSS data was not supplied, but the low attack complexity keeps this a credible risk on any WordPress site where untrusted contributors have posting privileges.

XSS Speaker
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57780 MEDIUM This Month

DOM-Based Cross-Site Scripting in the Envision Page Builder WordPress plugin (versions through 0.22) allows low-privileged authenticated attackers to inject and execute malicious JavaScript in victim browsers via unsanitized page builder input. The scope change (S:C) in the CVSS vector confirms the payload escapes the plugin's own context and can affect the broader WordPress environment, including the admin panel. No public exploit code or active exploitation has been identified at time of analysis, but the stored-or-reflected DOM injection path makes this a realistic avenue for session hijacking or privilege escalation within WordPress installations.

XSS Envision Page Builder
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57711 MEDIUM This Month

Stored cross-site scripting in the SupportCandy WordPress plugin (versions through 3.4.8) allows a low-privileged authenticated attacker to inject persistent malicious scripts that execute in the browser of any user - likely an administrator or support agent - who subsequently views the tainted content. The scope change (S:C in CVSS) reflects that injected script breaks out of the plugin's trust boundary and runs in the victim's full browser session, enabling session hijacking, credential theft, or unauthorized administrative actions. No public exploit code has been identified at time of analysis, and the vulnerability has not been listed in the CISA Known Exploited Vulnerabilities catalog.

XSS Supportcandy
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57698 MEDIUM This Month

Authentication bypass in VillaTheme's Abandoned Cart Recovery for WooCommerce (versions through 1.1.12) allows unauthenticated remote attackers to access protected functionality via an alternate authentication path or channel (CWE-288). The CVSS vector confirms network-reachable, zero-complexity exploitation requiring no privileges or user interaction, yielding partial confidentiality and integrity compromise. No public exploit code or CISA KEV listing has been identified at time of analysis, but the low attack complexity and unauthenticated nature elevate practical risk for any WooCommerce store running this plugin.

Authentication Bypass WordPress Abandoned Cart Recovery For Woocommerce
NVD VulDB
CVSS 3.1
6.5
EPSS
0.4%
CVE-2026-57693 MEDIUM This Month

Cross-site scripting in the Ad Inserter WordPress plugin (Spacetime, versions through 2.8.11) allows authenticated low-privilege users to inject malicious JavaScript into pages served to other site visitors. The CVSS scope-change metric (S:C) confirms the vulnerability crosses the security boundary from the plugin into victims' browser contexts, enabling session theft or unauthorized action execution on behalf of targeted users. No public exploit code or CISA KEV listing has been identified at time of analysis, placing this in a moderate-priority category for WordPress operators running affected versions.

XSS Ad Inserter
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57694 MEDIUM This Month

Insecure Direct Object Reference (IDOR) in Tutor LMS WordPress plugin allows authenticated low-privilege users to bypass authorization controls by manipulating user-controlled keys, resulting in unauthorized modification of LMS objects such as courses, lessons, or student records. Affected versions span all releases through 3.9.13 by Themeum. No confirmed active exploitation (KEV) or public exploit code has been identified at time of analysis, but the low attack complexity and wide WordPress deployment surface make this a credible integrity risk for any site running an unpatched version.

Authentication Bypass Tutor Lms
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57424 MEDIUM This Month

Missing authorization in Razorpay Payment Links for WooCommerce (versions through 2.1.4) allows unauthenticated network attackers to invoke privileged plugin actions without any authentication check. The flaw stems from CWE-862, where one or more AJAX endpoints or REST routes in the plugin fail to verify the caller's identity or capability before executing sensitive operations, resulting in low-severity integrity and availability impacts against WooCommerce payment link workflows. No public exploit code has been identified at time of analysis, and the vulnerability has not been added to the CISA KEV catalog.

Authentication Bypass WordPress Razorpay Payment Links For Woocommerce
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57420 MEDIUM This Month

Stored cross-site scripting in the Author Box WP Lens WordPress plugin (versions through 2.1.5) enables authenticated low-privilege users to persist malicious JavaScript payloads that execute in the browsers of any user who views an affected page, including administrators. The CVSS scope change (S:C) reflects that the injected script runs in a different security context than where it was stored, meaning a contributor-level attacker can target higher-privileged victims browsing the same site. No public exploit identified at time of analysis and no CISA KEV listing; however, multi-author WordPress deployments with untrusted contributors face realistic risk of privilege escalation via session hijacking.

XSS Author Box Wp Lens
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57418 MEDIUM This Month

Missing authorization controls in the Client Invoicing by Sprout Invoices WordPress plugin (versions through 20.8.13) allow low-privileged authenticated users to access confidential invoice data without proper permission checks. The flaw (CWE-862) enables a logged-in WordPress user with minimal privileges to bypass intended access control restrictions and retrieve sensitive financial or client information managed by the plugin. No public exploit or active exploitation has been identified at time of analysis, but the network-accessible attack vector and high confidentiality impact make this a meaningful exposure for sites hosting sensitive invoicing workflows.

Authentication Bypass Client Invoicing By Sprout Invoices
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57419 MEDIUM This Month

Stock Locations for WooCommerce plugin (versions through 3.1.8) exposes one or more privileged operations without performing authorization checks, allowing authenticated low-privileged WordPress users to manipulate stock location data they should have no rights to modify. Rooted in CWE-862 (Missing Authorization), the flaw means the plugin accepts and executes sensitive requests based solely on authentication rather than verifying the requester's WordPress capability level. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV, but the low-privilege access requirement and straightforward network exploitation path make it a realistic risk for any multi-location WooCommerce store running the affected plugin.

Authentication Bypass WordPress Stock Locations For Woocommerce
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-57414 MEDIUM This Month

Stored Cross-Site Scripting in QuantumCloud's WoowBot (ChatBot for eCommerce) WordPress plugin allows authenticated low-privileged users to inject persistent malicious scripts that execute in victims' browsers when stored content is rendered. Versions through 4.6.1 are affected, with a scope change confirmed by the CVSS vector (S:C), meaning attacker-controlled JavaScript runs in the context of other users - including administrators. No public exploit code has been identified at time of analysis and the vulnerability is not listed in CISA KEV.

XSS WordPress Chatbot For Ecommerce 8211 Woowbot
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-57412 MEDIUM This Month

Missing authorization controls in the Codemenschen Gift Vouchers WordPress plugin (versions through 4.6.9) allow unauthenticated remote attackers to perform unauthorized actions against voucher-related functionality, resulting in low-severity integrity and availability impact. The flaw stems from CWE-862 (Missing Authorization), meaning the plugin fails to verify whether a requesting user has rights to access specific functionality - effectively treating restricted endpoints as publicly accessible. No public exploit or CISA KEV listing is identified at time of analysis, but the unauthenticated attack vector (PR:N, AV:N) lowers the bar for opportunistic exploitation significantly.

Authentication Bypass Gift Vouchers
NVD
CVSS 3.1
6.5
EPSS
0.3%
Prev Page 5 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy