Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
0.0 NA
CVE-2026-4334 — Shariff Wrapper <= 4.6.20 - Authenticated (Contributor+) Cross-Site Scripting

The Shariff Wrapper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'headline' parameter in the [shariff] shortcode in all versions up to, and including, 4.6.20 due to insuf…

| Cross-Site Scripting
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
0.0 NA
CVE-2026-6226 — Frontend Admin by DynamiApps <= 3.29.2 - Unauthenticated Privilege Escalation via Form Co…

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to unauthenticated privilege escalation in versions up to and including 3.29.2. This is due to insecure form submission handling th…

| Authorization
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
5.1 MEDIUM
CVE-2024-47097 — Reflected Cross-Site Scripting in Follet School Solutions Destiny

Cross Site Scripting vulnerability in Follet School Solutions Destiny before v22.0.1 AU1 allows a remote attacker to run arbitrary client-side code via the site parameter of handleloginform.do.

Remote | Cross-Site Scripting
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
5.1 MEDIUM
CVE-2024-47096 — Reflected Cross-Site Scripting in Follet School Solutions Destiny

Cross Site Scripting vulnerability in Follet School Solutions Destiny before v22.0.1 AU1 allows a remote attacker to run arbitrary client-side code via the showSupportExpiredMessage parameter of hand…

Remote | Cross-Site Scripting
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
6.3 MEDIUM
CVE-2026-9806 — Stored Cross-Site Scripting (XSS) in CTI Transmute Notification Panel via Malicious Conve…

A stored cross-site scripting (XSS) vulnerability exists in the notification panel of CTI Transmute in versions prior to the patched release. Notification messages containing user-controlled convert …

Remote | Cross-Site Scripting
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
4.3 MEDIUM
CVE-2026-9618 — PeachPay <= 1.120.46 - Cross-Site Request Forgery to Stripe Unlink

The PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to…

Remote | Cross-Site Request Forgery
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
8.8 HIGH
CVE-2026-9227 — GutenBee <= 2.20.1 - Authenticated (Author+) Arbitrary File Upload via wp_check_filetype_…

The GutenBee – Gutenberg Blocks plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 2.20.1 via the gutenbee_file_and_ext_json function. This is due to a …

Remote | Authentication
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
4.3 MEDIUM
CVE-2026-8682 — 3D Viewer <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugi…

The 3D Viewer – 3D Model Viewer – Augmented Reality – Virtual Try On plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.1. This is due to the plugin …

Remote | Authorization
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
0.0 NA
CVE-2026-7862 — Eupago Gateway For Woocommerce < 4.7.2 - Unauthenticated Arbitrary Refund Initiation

The Eupago Gateway For Woocommerce WordPress plugin before 4.7.2 does not properly restrict access to its refund request handler, allowing unauthenticated attackers to initiate refunds against any Wo…

| Authentication
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
7.5 HIGH
CVE-2026-7797 — Appointment Booking Calendar <= 1.6.11.8 - Unauthenticated SQL Injection via 'append_wher…

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'append_where_sql' parameter in all version…

Remote | Injection
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
6.1 MEDIUM
CVE-2026-7660 — Easy Updates Manager <= 9.0.20 - Reflected Cross-Site Scripting via 'paged' Parameter

The Easy Updates Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'paged' parameter in versions up to, and including, 9.0.20 This is due to insufficient input sani…

Remote | Cross-Site Scripting
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
5.3 MEDIUM
CVE-2026-7651 — User Registration & Membership <= 5.1.5 - Authenticated (Subscriber+) Insecure Direct Obj…

The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure…

Remote | Authorization
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
7.2 HIGH
CVE-2026-7634 — SlimStat Analytics <= 5.4.11 - Unauthenticated Stored Cross-Site Scripting via User-Agent…

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'User-Agent' header in all versions up to, and including, 5.4.11 due to insufficient input sanitizatio…

Remote | Cross-Site Scripting
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
4.3 MEDIUM
CVE-2026-7621 — SMTP2GO for WordPress <= 1.16.0 - Missing Authorization to Authenticated (Subscriber+) Lo…

The SMTP2GO for WordPress – Email Made Easy plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.16.0. This is due to the plugin not properly verifying th…

Remote | Authorization
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
5.3 MEDIUM
CVE-2026-7552 — Geo Mashup <= 1.13.19 - Missing Authorization to Unauthenticated Plugin Settings Disclosu…

The Geo Mashup plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.13.19. This is due to the plugin not properly verifying that a user is authorized to …

Remote | Authorization
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
7.2 HIGH
CVE-2026-7052 — HT Contact Form <= 2.8.2 - Unauthenticated Stored Cross-Site Scripting via File Upload Fi…

The HT Contact Form – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'file_upload' parameter in all versions up to, and including, 2.…

Remote | Cross-Site Scripting
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
8.1 HIGH
CVE-2026-6455 — WP Contact Form 7 DB Handler <= 3.0 - Cross-Site Request Forgery to Arbitrary File Deleti…

The WP Contact Form 7 DB Handler plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Arbitrary File Deletion via SQL Injection and PHP Object Injection in versions up to and i…

Remote | Cross-Site Request Forgery
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
6.4 MEDIUM
CVE-2026-6427 — a3 Lazy Load <= 2.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Vide…

The a3 Lazy Load plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.7.6 This is due to a regex bug in the _filter_videos() method that breaks HT…

Remote | Cross-Site Scripting
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
7.0 HIGH
CVE-2026-44604 — Rpm: command injection in rpmuncompress dountar() via unescaped archive top-level directo…

A command injection vulnerability was discovered in the `rpmuncompress` utility of RPM. When extracting certain archive formats (ZIP, 7z, GEM) to a specified destination directory, the tool inserts t…

| Injection
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
7.7 HIGH
CVE-2026-9804 — Kubevirt: kubevirt: vmexport directory symlink escape enables exporter pod file read

A flaw was found in KubeVirt's virt-exportserver component. An attacker with specific namespace-level access can exploit a path traversal vulnerability in the VMExport directory endpoint. By placing …

Remote | Path Traversal
May 28, 2026 May 28, 2026
May 28, 2026
May 28, 2026
Showing 20 of 6581 Results