CVE-2026-8442 — WP Review Slider Pro <= 12.6.8 - Authenticated (Subscriber+) Arbitrary File Deletion via …
The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8. This is due to missing authorization checks on the wpfb_hide_review and …
Remote | Path Traversal
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
CVE-2026-8176 — LatePoint <= 5.5.1 - Authenticated (Agent+) Privilege Escalation to Administrator via IDO…
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. The plugin cha…
Remote | Authentication
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
Due to the improper neutralization of special elements used in a name parameter a low privileged remote attacker can exploit a command injection vulnerability in the Managed Ethernet Switch, resultin…
Remote | Injection
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
CVE-2026-54198 — WordPress Media Library Assistant plugin <= 3.35 - Reflected Cross Site Scripting (XSS) v…
Unauthenticated Cross Site Scripting (XSS) in Media Library Assistant <= 3.35 versions.
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
CVE-2026-54197 — WordPress GetGenie plugin <= 4.4.1 - Sensitive Data Exposure vulnerability
Unauthenticated Sensitive Data Exposure in GetGenie <= 4.4.1 versions.
Remote | Information Disclosure
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
CVE-2026-54191 — WordPress Pods plugin <= 3.3.8 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) in Pods <= 3.3.8 versions.
Remote | Cross-Site Scripting
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
CVE-2026-54190 — WordPress Envira Photo Gallery plugin <= 1.12.5 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in Envira Photo Gallery <= 1.12.5 versions.
Remote | Authorization
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
CVE-2026-52715 — WordPress GEO my WordPress plugin <= 4.5.5 - SQL Injection vulnerability
Unauthenticated SQL Injection in GEO my WordPress <= 4.5.5 versions.
Remote | Injection
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
CVE-2026-52714 — WordPress SEO Plugin by Squirrly SEO plugin <= 12.4.16 - Broken Access Control vulnerabil…
Unauthenticated Broken Access Control in SEO Plugin by Squirrly SEO <= 12.4.16 versions.
Remote | Authorization
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
CVE-2026-52712 — WordPress Attendance Manager plugin <= 0.6.2 - SQL Injection vulnerability
Subscriber SQL Injection in Attendance Manager <= 0.6.2 versions.
Remote | Injection
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
CVE-2026-52711 — WordPress WooCommerce POS plugin <= 1.8.14 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in WooCommerce POS <= 1.8.14 versions.
Remote | Authorization
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
CVE-2026-49774 — WordPress RD Station plugin <= 5.6.0 - Remote Code Execution (RCE) vulnerability
Improper Control of Generation of Code ('Code Injection') vulnerability in Filipe Nasc RD Station allows Remote Code Inclusion.
This issue affects RD Station: from n/a through 5.6.0.
Remote | Injection
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
CVE-2026-49772 — WordPress The Events Calendar plugin 6.15.12-6.16.2 - SQL Injection vulnerability
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Liquid Web / StellarWP The Events Calendar allows Blind SQL Injection.
This issue affects The Ev…
Remote | Injection
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
CVE-2026-40809 — WordPress Metro Magazine theme <= 1.4.1 - Broken Access Control vulnerability
Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Metro Magazine: from n/a through 1.4.1.
Remote | Authorization
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
CVE-2026-39581 — WordPress WP Sessions Time Monitoring Full Automatic plugin <= 1.1.4 - SQL Injection vuln…
Subscriber SQL Injection in WP Sessions Time Monitoring Full Automatic <= 1.1.4 versions.
Remote | Injection
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
CVE-2026-39574 — WordPress InPost Gallery plugin <= 2.1.4.6 - SQL Injection vulnerability
Unauthenticated SQL Injection in InPost Gallery <= 2.1.4.6 versions.
Remote | Injection
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
CVE-2026-39490 — WordPress JupiterX Core plugin <= 4.14.1 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in JupiterX Core <= 4.14.1 versions.
Remote | Authorization
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
CVE-2026-39437 — WordPress Min Max Step Quantity Limits Manager for WooCommerce plugin <= 5.2.2 - Reflecte…
Unauthenticated Cross Site Scripting (XSS) in Min Max Step Quantity Limits Manager for WooCommerce <= 5.2.2 versions.
Remote | Cross-Site Scripting
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
CVE-2026-2381 — WooCommerce Stripe Payment Gateway <= 10.7.0 - Missing Authorization to Unauthenticated O…
The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_pay_for_order()` function in all versions…
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
CVE-2026-10825 — Improper JSON Input Validation in WebSocket API Leads to Denial of Service
A denial-of-service vulnerability exists in the WebSocket API due to insufficient validation and handling of JSON-based requests. A low-privileged authenticated attacker can send a specially crafted …
Remote | Denial of Service
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026
Jun 16, 2026