Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
5.3 MEDIUM
CVE-2026-1833 — WaMate Confirm <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary …

The WaMate Confirm – Order Confirmation plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a …

Remote | Authorization
Feb 11, 2026 Feb 11, 2026
Feb 11, 2026
Feb 11, 2026
6.4 MEDIUM
CVE-2026-1827 — IDE Micro code-editor <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting…

The Flask Micro code-editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's codeflask shortcode in all versions up to, and including, 1.0.0 due to insufficient inpu…

Remote | Cross-Site Scripting
Feb 11, 2026 Feb 11, 2026
Feb 11, 2026
Feb 11, 2026
6.4 MEDIUM
CVE-2026-1826 — OpenPOS Lite <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortc…

The OpenPOS Lite – Point of Sale for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter of the order_qrcode shortcode in all versions up to, and i…

Remote | Cross-Site Scripting
Feb 11, 2026 Feb 11, 2026
Feb 11, 2026
Feb 11, 2026
6.4 MEDIUM
CVE-2026-1821 — Microtango <= 0.9.29 - Authenticated (Contributor+) Stored Cross-Site Scripting via Short…

The Microtango plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'restkey' parameter of the mt_reservation shortcode in all versions up to, and including, 0.9.29 due to insuff…

Remote | Cross-Site Scripting
Feb 11, 2026 Feb 11, 2026
Feb 11, 2026
Feb 11, 2026
6.4 MEDIUM
CVE-2026-1809 — HTML Shortcodes <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Sho…

The HTML Tag Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.1 due to insufficient input sanitization …

Remote | Cross-Site Scripting
Feb 11, 2026 Feb 11, 2026
Feb 11, 2026
Feb 11, 2026
6.4 MEDIUM
CVE-2026-1804 — WDES Responsive Popup <= 1.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting…

The WDES Responsive Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wdes-popup-title' shortcode in all versions up to, and including, 1.3.6 due to insufficie…

Remote | Cross-Site Scripting
Feb 11, 2026 Feb 11, 2026
Feb 11, 2026
Feb 11, 2026
6.5 MEDIUM
CVE-2026-1786 — Twitter posts to Blog <= 1.11.25 - Missing Authorization to Unauthenticated Plugin Settin…

The Twitter posts to Blog plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'dg_tw_options' function in all versions up to, and includin…

Remote | Authorization
Feb 11, 2026 Feb 11, 2026
Feb 11, 2026
Feb 11, 2026
4.3 MEDIUM
CVE-2026-1748 — Invoct – PDF Invoices & Billing for WooCommerce <= 1.6 - Missing Authorization to Authent…

The Invoct – PDF Invoices & Billing for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, an…

Remote | Authorization
Feb 11, 2026 Feb 11, 2026
Feb 11, 2026
Feb 11, 2026
8.8 HIGH
CVE-2026-1560 — Custom Block Builder – Lazy Blocks <= 4.2.0 - Authenticated (Contributor+) Remote Code Ex…

The Custom Block Builder – Lazy Blocks plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.0 via multiple functions in the 'LazyBlocks_Blocks' class.…

Remote | Injection
Feb 11, 2026 Feb 11, 2026
Feb 11, 2026
Feb 11, 2026
4.3 MEDIUM
CVE-2026-1215 — MMA Call Tracking <= 2.3.15 - Cross-Site Request Forgery to Plugin Settings Update

The MMA Call Tracking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.15. This is due to missing nonce validation when saving plugin configu…

Remote | Cross-Site Request Forgery
Feb 11, 2026 Feb 11, 2026
Feb 11, 2026
Feb 11, 2026
4.4 MEDIUM
CVE-2026-0815 — Category Image <= 2.0 - Authenticated (Editor+) Stored Cross-Site Scripting via 'tag-imag…

The Category Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag-image' parameter in all versions up to, and including, 2.0 due to insufficient input sanitization and…

Remote | Cross-Site Scripting
Feb 11, 2026 Feb 11, 2026
Feb 11, 2026
Feb 11, 2026
4.4 MEDIUM
CVE-2026-0724 — WPlyr Media Block <= 1.3.0 - Authenticated (Administrator+) Stored Cross-Site Scripting v…

The WPlyr Media Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_wplyr_accent_color' parameter in all versions up to, and including, 1.3.0 due to insufficient input s…

Remote | Cross-Site Scripting
Feb 11, 2026 Feb 11, 2026
Feb 11, 2026
Feb 11, 2026
8.2 HIGH
CVE-2025-9986 — Improper Access Control in Vadi Corporate Information System's DIGIKENT

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Vadi Corporate Information Systems Ltd. Co. DIGIKENT allows Excavation.This issue affects DIGIKENT: through…

Remote | Information Disclosure
Feb 11, 2026 Feb 11, 2026
Feb 11, 2026
Feb 11, 2026
7.2 HIGH
CVE-2025-15440 — iONE360 configurator <= 2.0.57 - Unauthenticated Stored Cross-Site Scripting via Contact …

The iONE360 configurator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Contact Form Parameters in all versions up to, and including, 2.0.57 due to insufficient input sani…

Remote | Cross-Site Scripting
Feb 11, 2026 Feb 11, 2026
Feb 11, 2026
Feb 11, 2026
6.9 MEDIUM
CVE-2025-13651 — LEAK OF SENSITIVE INFORMATION ON MICROCOM'S ZEUSWEB

Exposure of Sensitive System Information to an Unauthorized Actor vulnerability in Microcom ZeusWeb allows Web Application Fingerprinting of sensitive data. This issue affects ZeusWeb: 6.1.31.

zeusweb | Remote | Information Disclosure
Feb 11, 2026 Feb 11, 2026
Feb 11, 2026
Feb 11, 2026
5.1 MEDIUM
CVE-2025-13650 — REFLECTED CROSS-SITE SCRIPTING (XSS) ON MICROCOM'S ZEUSWEB

An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is not necessary, but the action must be performed) who has the vulnerable software could i…

zeusweb | Remote | Cross-Site Scripting
Feb 11, 2026 Feb 11, 2026
Feb 11, 2026
Feb 11, 2026
5.1 MEDIUM
CVE-2025-13649 — REFLECTED CROSS-SITE SCRIPTING (XSS) ON MICROCOM'S ZEUSWEB

An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is not necessary, but the action must be performed) who has the vulnerable software could…

zeusweb | Remote | Cross-Site Scripting
Feb 11, 2026 Feb 11, 2026
Feb 11, 2026
Feb 11, 2026
4.8 MEDIUM
CVE-2025-13648 — STORED CROSS-SITE SCRIPTING (XSS) ON MICROCOM'S ZEUSWEB

An attacker with access to the web application ZeusWeb of the provider Microcom (in this case, registration is required) who has the vulnerable software could introduce arbitrary JavaScript by inje…

zeusweb | Remote | Cross-Site Scripting
Feb 11, 2026 Feb 11, 2026
Feb 11, 2026
Feb 11, 2026
8.3 HIGH
CVE-2025-10913 — XSS in saastech.io's TemizlikYolda

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Saastech Cleaning and Internet Services Inc. TemizlikYolda allows Cross-Site Scripting (XS…

Remote | Cross-Site Scripting
Feb 11, 2026 Feb 11, 2026
Feb 11, 2026
Feb 11, 2026
5.4 MEDIUM
CVE-2025-10912 — IDOR in saastech.io's TemizlikYolda

Authorization Bypass Through User-Controlled Key vulnerability in Saastech Cleaning and Internet Services Inc. TemizlikYolda allows Manipulating User-Controlled Variables.This issue affects TemizlikY…

Remote | Authorization
Feb 11, 2026 Feb 11, 2026
Feb 11, 2026
Feb 11, 2026
Showing 20 of 5087 Results