613
CVEs
41
Critical
190
High
0
KEV
101
PoC
186
Unpatched C/H
15.2%
Patch Rate
0.3%
Avg EPSS
Severity Breakdown
CRITICAL
41
HIGH
190
MEDIUM
374
LOW
7
Monthly CVE Trend
Affected Products (30)
PHP
4375
Debian Linux
88
Open Redirect
69
Royal Elementor Addons
44
Download Manager
43
Essential Addons For Elementor
40
Tutor Lms
37
Ninja Forms
36
Givewp
35
Photo Gallery
34
Learnpress
31
Ultimate Member
29
The Plus Addons For Elementor
29
Contest Gallery
28
Element Pack
27
Premium Addons For Elementor
27
Contact Form
27
Booster For Woocommerce
26
Website Builder
26
Profilepress
25
Mstore Api
25
Quiz And Survey Master
25
Happy Addons For Elementor
25
Shortcodes Ultimate
23
Wpbot
23
Email Subscribers Newsletters
23
Beaver Builder
23
Gutenberg Blocks With Ai
22
Wp Fastest Cache
21
Elementor Addon Elements
21
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-12415 | Account takeover in the Invoice Generator (Pravel) plugin for WordPress through version 1.0.0 lets unauthenticated attackers hijack any account, including administrators. The pravel_invoice_edit_account() AJAX handler is registered for unauthenticated users and calls wp_update_user() with attacker-supplied user_id and user_email without any capability check, nonce, or ownership verification, so an attacker can overwrite an admin's email and then drive the password-reset flow to seize the account. Rated CVSS 9.8 and reported by Wordfence; no public exploit identified at time of analysis and it is not in CISA KEV. | CRITICAL | 9.8 | 0.7% | 70 |
PoC
No patch
|
| CVE-2026-12417 | Unauthenticated account takeover in the SignUp & SignIn WordPress plugin (versions ≤ 1.0.0) allows remote attackers to reset any user's password - including administrators - via the unauthenticated `pravel_change_password` AJAX action. No public exploit identified at time of analysis, but the trivially-bypassable empty-string comparison and AV:N/AC:L/PR:N/UI:N vector make exploitation essentially one HTTP request. The plugin's small footprint likely keeps EPSS low, but any site running it is fully exposed. | CRITICAL | 9.8 | 0.5% | 69 |
PoC
No patch
|
| CVE-2026-12416 | Account takeover in the Invoice Generator WordPress plugin (versions through 1.0.0) allows unauthenticated remote attackers to reset the password of any user, including administrators, by abusing the nopriv `pravel_invoice_change_password()` AJAX handler. Reported by Wordfence with a CVSS of 9.8 and tagged for RCE potential via subsequent admin compromise; no public exploit identified at time of analysis, though the trivial nature of the bug makes weaponization straightforward. | CRITICAL | 9.8 | 0.4% | 69 |
PoC
No patch
|
| CVE-2026-12492 | Authentication bypass in the Happy Coders OTP Login for WooCommerce WordPress plugin (versions 1.5 through 2.7) lets unauthenticated remote attackers log in as any existing user, including administrators, and create arbitrary accounts. The plugin authenticates a user from a supplied identifier without confirming that the one-time password was ever validated. Publicly available exploit code exists (WPScan) and a vendor patch (2.8) is available; EPSS remains low at 0.15% despite the maximal 9.8 CVSS score. | CRITICAL | 9.8 | 0.1% | 69 |
PoC
|
| CVE-2026-11563 | Arbitrary file deletion in the Word Count and Social Shares WordPress plugin (versions through 1.0) lets any authenticated low-privilege user, including a Subscriber, delete any file the web server can reach because the plugin neither validates the supplied file path nor enforces authorization or CSRF protection. Deleting critical files such as wp-config.php can trigger WordPress's setup/installation flow and enable a full site takeover. Publicly available exploit code exists (reported by WPScan); there is no public exploit identified as actively used, and the issue is not on the CISA KEV list. | CRITICAL | 9.6 | 0.1% | 68 |
PoC
No patch
|
| CVE-2022-50972 | WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | CRITICAL | 9.3 | 0.6% | 67 |
PoC
No patch
|
| CVE-2019-25763 | WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain unauthorized access by exploiting the social media login form. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available. | CRITICAL | 9.3 | 0.4% | 67 |
PoC
|
| CVE-2026-6382 | The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1 | CRITICAL | 9.1 | 0.5% | 66 |
PoC
|
| CVE-2026-11964 | Payment-verification bypass in the User Registration & Membership WordPress plugin before 5.2.2 lets unauthenticated attackers forge a payment-provider webhook to mark a subscription as paid, activating premium memberships without any real transaction. WPScan reports publicly available exploit code, though there is no public exploit identified as being used in active attacks (not in CISA KEV). The core weakness is that inbound webhook notifications are trusted and acted upon without authenticating their origin or signature. | CRITICAL | 9.1 | 0.1% | 66 |
PoC
|
| CVE-2026-11962 | Authenticated remote code execution in the FileOrganizer WordPress plugin before 1.2.0 lets users granted file-manager access upload arbitrary PHP files because several file-management operations skip file-type validation. Publicly available exploit code exists, and the flaw is an incomplete fix of CVE-2024-7985, which only hardened the upload operation while leaving other file-management endpoints unvalidated. With CVSS 3.1 base 8.8 (PR:L) and a working PoC, any low-privileged account with file-manager rights - extendable to sub-administrator roles via the premium add-on - can achieve full site compromise. | HIGH | 8.8 | 0.2% | 64 |
PoC
|
| CVE-2026-11855 | The Simple Membership WordPress plugin before 4.7.5 does not verify the authenticity of Stripe webhook requests when no signing secret is configured, | HIGH | 8.8 | 0.2% | 64 |
PoC
|
| CVE-2026-11589 | Stored cross-site scripting in the WP Support Plus Responsive Ticket System WordPress plugin (all versions through 9.1.2) lets unauthenticated attackers upload files containing malicious JavaScript - such as HTML or SVG payloads - to a publicly accessible location, where the script executes in the browsers of site users and administrators who view it. The flaw stems from missing validation of uploaded file types/content. Publicly available exploit code exists (reported by WPScan), though it is not listed in CISA KEV and no EPSS score was provided. | HIGH | 8.8 | 0.2% | 64 |
PoC
No patch
|
| CVE-2026-8163 | SQL injection in the Infility Global WordPress plugin before 2.15.19 allows authenticated users with Subscriber-level access or higher to inject arbitrary SQL via unsanitized parameters. Publicly available exploit code exists (WPScan), and a vendor patch has been released, raising the practical risk on sites that allow open user registration. No CISA KEV listing at time of analysis. | HIGH | 8.8 | 0.2% | 64 |
PoC
|
| CVE-2026-12525 | The Redux Framework WordPress plugin before 4.5.13 does not restrict which user meta keys can be written when saving custom profile fields, allowing u | HIGH | 8.8 | 0.1% | 64 |
PoC
|
| CVE-2026-10830 | The AllCoach WordPress plugin before 1.0.2 does not verify that an email address submitted to a public account-registration endpoint is not already a | HIGH | 8.8 | 0.1% | 64 |
PoC
|