
WordPress

Vendor security scorecard – 1095 CVEs in the selected period

Risk score: 2100
CVEs: 1095
Critical: 59
High: 278
KEV (in CISA Known Exploited Vulnerabilities): 0
PoC available: 47
Unpatched Critical/High: 315
Patch rate: 5.1%
Average EPSS: 0.1%

Severity Breakdown

CRITICAL: 59
HIGH: 278
MEDIUM: 753
LOW: 4

Monthly CVE Trend (chart only; no data in text)

Top Risky CVEs

Columns: CVE | Severity | CVSS | EPSS | Priority | Signals, followed by the summary.

CVE-2026-3584 | CRITICAL | CVSS 9.8 | EPSS 0.2% | Priority 69 | Signals: PoC, No patch
  The Kali Forms plugin for WordPress contains a critical remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code on the server. All versions up to and including 2.4.9 are affected, including the popular 'Kali Forms - Contact Form & Drag-and-Drop Builder' plugin by WPChill. The vulnerability carries a critical CVSS score of 9.8 due to its network-based attack vector, low complexity, and lack of required authentication or user interaction.

CVE-2026-3220 | HIGH | CVSS 8.8 | EPSS 0.0% | Priority 64 | Signals: PoC
  The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulne

CVE-2026-32834 | HIGH | CVSS 8.7 | EPSS 0.1% | Priority 64 | Signals: PoC, No patch
  Hardcoded authentication bypass in Easy PayPal Events & Tickets plugin allows unauthenticated remote attackers to retrieve sensitive order data by supplying 'test' as the hash parameter to the QR code scanning endpoint. Attackers can access PayPal transaction IDs, customer emails, purchase amounts, and ticket information for any order by enumerating post IDs. Public exploit code exists on GitHub, significantly lowering the exploitation barrier. The plugin was officially closed by WordPress.org on 2026-03-18, leaving installations vulnerable with no future patches.

CVE-2026-3830 | HIGH | CVSS 8.6 | EPSS 0.0% | Priority 63 | Signals: PoC
  SQL injection in Product Filter for WooCommerce by WBW plugin versions below 3.1.3 allows unauthenticated remote attackers to extract sensitive database contents including user credentials, customer data, and order information. The vulnerability requires no authentication (CVSS PR:N) and has low attack complexity with publicly available exploit code. EPSS data is not available, but the combination of unauthenticated access, a public PoC, and WordPress's large attack surface creates substantial real-world risk for unpatched WooCommerce installations.

CVE-2026-4935 | HIGH | CVSS 8.6 | EPSS 0.0% | Priority 63 | Signals: PoC
  Unauthenticated attackers can exploit SQL injection in OttoKit: All-in-One Automation Platform WordPress plugin versions before 1.1.23 due to improper input sanitization in SQL statement construction. The vulnerability allows remote attackers to extract sensitive data and modify database contents without authentication, though integrity impact is limited. Publicly available exploit code exists, and a patch has been released by the vendor.

CVE-2026-6379 | HIGH | CVSS 8.6 | EPSS 0.0% | Priority 63 | Signals: PoC
  The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing
CVE-2026-7862 | HIGH | CVSS 8.6 | EPSS 0.0% | Priority 63 | Signals: PoC
  Unauthenticated refund abuse in the Eupago Gateway for WooCommerce WordPress plugin before 4.7.2 lets remote attackers trigger refunds on arbitrary WooCommerce orders using the merchant's own payment gateway credentials, and for certain payment methods divert the refunded funds to an attacker-controlled bank account. The CVSS 8.6 score reflects the network-reachable, no-auth, no-interaction attack path against a financial workflow. Publicly available exploit code exists per WPScan, though at time of analysis no active exploitation has been confirmed (not in CISA KEV).
CVE-2026-41471 | HIGH | CVSS 8.2 | EPSS 0.2% | Priority 61 | Signals: PoC, No patch
  Unauthenticated attackers can enumerate and exfiltrate all customer order records from Easy PayPal Events & Tickets plugin for WordPress through an exposed QR code scanning endpoint. The scan_qr.php file accepts sequential WordPress post IDs without authentication, enabling complete database harvesting of payment and customer information. Publicly available exploit code exists, but there is no evidence of active exploitation (not in CISA KEV). The plugin was officially closed and removed from WordPress.org on 2026-03-18, leaving existing installations vulnerable with no official patch path.

CVE-2026-4896 | HIGH | CVSS 8.1 | EPSS 0.0% | Priority 61 | Signals: PoC, No patch
  Insecure Direct Object Reference in WCFM Frontend Manager for WooCommerce (versions ≤6.7.25) allows authenticated vendors to manipulate arbitrary orders and delete any WordPress posts, products, or pages beyond their ownership scope. Exploitation requires only vendor-level credentials (PR:L) with no user interaction, enabling privilege escalation through unauthorized access to store-wide content. EPSS data not available; no public exploit identified at time of analysis, though the vulnerability's straightforward IDOR nature increases weaponization risk once details are public.

CVE-2026-2262 | HIGH | CVSS 7.5 | EPSS 0.0% | Priority 58 | Signals: PoC, No patch
  Unauthenticated information disclosure in WordPress Easy Appointments plugin ≤3.12.21 exposes customer appointment data via an unprotected REST API endpoint. Remote attackers without authentication can extract full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information through /wp-json/wp/v2/eablocks/ea_appointments/. CVSS score 7.5 (High) with EPSS data not yet available. Patch released in version 3.12.22 per WordPress plugin repository changeset. No active exploitation confirmed (not in CISA KEV), but the trivial exploit complexity (AV:N/AC:L/PR:N/UI:N) and privacy impact make this a priority for sites handling sensitive appointment data.

CVE-2026-2025 | HIGH | CVSS 7.5 | EPSS 0.0% | Priority 58 | Signals: PoC, No patch
  Unauthenticated disclosure of WordPress user email addresses in Mail Mint plugin versions before 1.19.5 through an unprotected REST API endpoint allows remote attackers to enumerate users without authentication. Public exploit code exists for this vulnerability, and no patch is currently available. This affects all installations of the Mail Mint plugin below the patched version.

CVE-2026-6381 | HIGH | CVSS 7.5 | EPSS 0.0% | Priority 58 | Signals: PoC
  The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perf

CVE-2026-4338 | HIGH | CVSS 7.5 | EPSS 0.0% | Priority 58 | Signals: PoC
  Improper access control in the ActivityPub WordPress plugin before 8.0.2 exposes draft, scheduled, and pending posts to unauthenticated remote users, resulting in a confidentiality breach. This information disclosure vulnerability (CVSS 7.5) allows network-based attackers to access unpublished content without authentication or user interaction. Publicly available exploit code exists, though there is no confirmed active exploitation (not in CISA KEV). The EPSS score of 0.02% (6th percentile) suggests low current exploitation probability despite PoC availability, but the SSVC framework marks it as automatable with partial technical impact.

CVE-2025-15609 | HIGH | CVSS 7.5 | EPSS 0.0% | Priority 58 | Signals: PoC
  The Fortis for WooCommerce WordPress plugin before 1.3.1 may leak sensitive API keys to unauthenticated attackers, allowing them to query Fortis' API

CVE-2026-1540 | HIGH | CVSS 7.2 | EPSS 0.0% | Priority 56 | Signals: PoC
  Remote code execution in Spam Protect for Contact Form 7 WordPress plugin before version 1.2.10 allows authenticated users with editor-level privileges to achieve arbitrary code execution by crafting malicious headers that are logged to a PHP file. The vulnerability is publicly exploitable with proof-of-concept code available, making it a critical risk for WordPress installations using affected plugin versions.
