2624
CVEs
163
Critical
695
High
0
KEV
285
PoC
781
Unpatched C/H
6.7%
Patch Rate
0.1%
Avg EPSS
Severity Breakdown
CRITICAL
163
HIGH
695
MEDIUM
1734
LOW
21
Monthly CVE Trend
Affected Products (30)
PHP
4375
Debian Linux
88
Open Redirect
69
Royal Elementor Addons
44
Download Manager
43
Essential Addons For Elementor
40
Tutor Lms
37
Ninja Forms
36
Givewp
35
Photo Gallery
34
Learnpress
31
Ultimate Member
29
The Plus Addons For Elementor
29
Contest Gallery
28
Element Pack
27
Premium Addons For Elementor
27
Contact Form
27
Booster For Woocommerce
26
Website Builder
26
Profilepress
25
Mstore Api
25
Quiz And Survey Master
25
Happy Addons For Elementor
25
Shortcodes Ultimate
23
Wpbot
23
Email Subscribers Newsletters
23
Beaver Builder
23
Gutenberg Blocks With Ai
22
Wp Fastest Cache
21
Elementor Addon Elements
21
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-4257 | Remote code execution in Contact Form by Supsystic plugin for WordPress (all versions ≤1.7.36) allows unauthenticated attackers to execute arbitrary PHP functions and OS commands via Server-Side Template Injection. Attackers exploit the plugin's unsandboxed Twig template engine by injecting malicious Twig expressions through GET parameters in the cfsPreFill functionality, leveraging registerUndefinedFilterCallback() to register arbitrary PHP callbacks. CVSS 9.8 (Critical) with network-accessible, low-complexity attack vector requiring no authentication. EPSS data not provided, but the combination of unauthenticated RCE in a widely-deployed WordPress plugin represents severe real-world risk. No KEV status confirmed at time of analysis. | CRITICAL | 9.8 | 0.2% | 84 |
PoC
No patch
|
| CVE-2026-49777 | Backdoor/malicious code implant in the ShapedPlugin Product Slider Pro for WooCommerce WordPress plugin (versions before 3.5.3) allows remote unauthenticated attackers full compromise of the hosting site with CVSS 10.0 and a scope-changing vector. The Patchstack reference characterizes this as a backdoor vulnerability, and no public exploit has been identified at the time of analysis, though the trivial nature of supply-chain implants means abuse is plausible. Notably, the vendor patched the existing release without bumping the version number, so administrators cannot reliably tell whether their installation is fixed. | CRITICAL | 10.0 | 0.1% | 70 |
PoC
|
| CVE-2026-12415 | Account takeover in the Invoice Generator (Pravel) plugin for WordPress through version 1.0.0 lets unauthenticated attackers hijack any account, including administrators. The pravel_invoice_edit_account() AJAX handler is registered for unauthenticated users and calls wp_update_user() with attacker-supplied user_id and user_email without any capability check, nonce, or ownership verification, so an attacker can overwrite an admin's email and then drive the password-reset flow to seize the account. Rated CVSS 9.8 and reported by Wordfence; no public exploit identified at time of analysis and it is not in CISA KEV. | CRITICAL | 9.8 | 0.7% | 70 |
PoC
No patch
|
| CVE-2026-12417 | Unauthenticated account takeover in the SignUp & SignIn WordPress plugin (versions ≤ 1.0.0) allows remote attackers to reset any user's password - including administrators - via the unauthenticated `pravel_change_password` AJAX action. No public exploit identified at time of analysis, but the trivially-bypassable empty-string comparison and AV:N/AC:L/PR:N/UI:N vector make exploitation essentially one HTTP request. The plugin's small footprint likely keeps EPSS low, but any site running it is fully exposed. | CRITICAL | 9.8 | 0.5% | 69 |
PoC
No patch
|
| CVE-2026-1357 | Unauthenticated arbitrary file upload in WPvivid Backup & Migration WordPress plugin. EPSS 0.44%. | CRITICAL | 9.8 | 0.4% | 69 |
PoC
No patch
|
| CVE-2026-12416 | Account takeover in the Invoice Generator WordPress plugin (versions through 1.0.0) allows unauthenticated remote attackers to reset the password of any user, including administrators, by abusing the nopriv `pravel_invoice_change_password()` AJAX handler. Reported by Wordfence with a CVSS of 9.8 and tagged for RCE potential via subsequent admin compromise; no public exploit identified at time of analysis, though the trivial nature of the bug makes weaponization straightforward. | CRITICAL | 9.8 | 0.4% | 69 |
PoC
No patch
|
| CVE-2026-10580 | Unauthenticated administrator account takeover in the Hippoo Mobile App for WooCommerce WordPress plugin (versions ≤ 1.9.4) allows remote attackers to reset any user's password - including the site administrator's - by sending a single crafted POST request to a cloned REST route. The root cause is a logic conflation in HippooPermissions::get_user_permissions() that returns the same null sentinel for both administrators and anonymous visitors, which is then interpreted as full admin access. No public exploit identified at time of analysis, but the trivial exploitation path and 9.8 CVSS score make this an urgent patch priority for any WordPress site running the plugin. | CRITICAL | 9.8 | 0.3% | 69 |
PoC
No patch
|
| CVE-2026-8181 | Authentication bypass in the Burst Statistics WordPress plugin versions 3.4.0 through 3.4.1.1 allows unauthenticated remote attackers to impersonate any administrator whose username they know by supplying an arbitrary Basic Authentication password. The flaw resides in flawed return-value handling within the `is_mainwp_authenticated()` function used to validate application passwords from the Authorization header, enabling privilege escalation per request. No public exploit identified at time of analysis, and EPSS is low (0.26%), but the CVSS 9.8 score and SSVC 'total' technical impact mark it as a high-severity authentication bypass worth prioritizing. | CRITICAL | 9.8 | 0.3% | 69 |
PoC
No patch
|
| CVE-2026-0926 | Local File Inclusion in Prodigy Commerce WordPress plugin <= 3.2.9. | CRITICAL | 9.8 | 0.2% | 69 |
PoC
No patch
|
| CVE-2026-3584 | The Kali Forms plugin for WordPress contains a critical remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code on the server. All versions up to and including 2.4.9 are affected, including the popular 'Kali Forms - Contact Form & Drag-and-Drop Builder' plugin by WPChill. The vulnerability carries a critical CVSS score of 9.8 due to its network-based attack vector, low complexity, and lack of required authentication or user interaction. | CRITICAL | 9.8 | 0.2% | 69 |
PoC
No patch
|
| CVE-2026-3300 | Remote code execution in Everest Forms Pro plugin for WordPress ≤1.9.12 allows unauthenticated attackers to execute arbitrary PHP code on the server via the Complex Calculation feature. Attackers can inject malicious PHP through any string-type form field (text, email, URL, select, radio) due to unsafe concatenation into eval() without proper escaping. This vulnerability carries a 9.8 CVSS score with maximum impact (confidentiality, integrity, availability) and requires no authentication or user interaction, representing a critical immediate threat to all installations using the affected plugin versions. | CRITICAL | 9.8 | 0.2% | 69 |
PoC
No patch
|
| CVE-2026-1405 | Arbitrary file upload in Slider Future WordPress plugin. | CRITICAL | 9.8 | 0.2% | 69 |
PoC
No patch
|
| CVE-2026-8935 | The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any fron | CRITICAL | 9.8 | 0.1% | 69 |
PoC
|
| CVE-2026-1492 | Privilege escalation in User Registration & Membership WordPress plugin. | CRITICAL | 9.8 | 0.1% | 69 |
PoC
No patch
|
| CVE-2026-0740 | Unauthenticated arbitrary file upload in Ninja Forms - File Uploads plugin for WordPress (versions ≤3.3.26) enables remote code execution through missing file type validation in the upload handler. Attackers can upload malicious PHP files without authentication, achieving complete server compromise. CVSS 9.8 (Critical) with CVSS:3.1/AV:N/AC:L/PR:N/UI:N indicates network-based exploitation requiring no privileges or user interaction. Fully patched in version 3.3.27 following a partial fix in 3.3.25. No public exploit identified at time of analysis, though the vulnerability class (CWE-434: Unrestricted Upload of File with Dangerous Type) is well-understood and readily exploitable. | CRITICAL | 9.8 | 0.1% | 69 |
PoC
No patch
|