Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.5 HIGH
CVE-2026-25312 — WordPress EventPrime plugin <= 4.2.8.3 - Payment Bypass vulnerability

Missing Authorization vulnerability in EventPrime allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EventPrime: from n/a through 4.2.8.3.

Remote | Authorization
Mar 19, 2026 Mar 19, 2026
Mar 19, 2026
Mar 19, 2026
8.1 HIGH
CVE-2026-25471 — WordPress Admin Safety Guard plugin <= 1.2.6 - Broken Authentication vulnerability

Authentication Bypass Using an Alternate Path or Channel vulnerability in Themepaste Admin Safety Guard allows Password Recovery Exploitation.This issue affects Admin Safety Guard: from n/a through 1…

Remote | Authentication
Mar 19, 2026 Mar 19, 2026
Mar 19, 2026
Mar 19, 2026
6.4 MEDIUM
CVE-2026-4120 — Info Cards <= 2.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block …

The Info Cards – Add Text and Media in Card Layouts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btnUrl' parameter within the Info Cards block in all versions up to, and…

Remote | Cross-Site Scripting
Mar 19, 2026 Mar 19, 2026
Mar 19, 2026
Mar 19, 2026
4.3 MEDIUM
CVE-2026-4068 — Add Custom Fields to Media <= 2.0.3 - Cross-Site Request Forgery to Custom Field Deletion…

The Add Custom Fields to Media plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.3. This is due to missing nonce validation on the field delet…

Remote | Cross-Site Request Forgery
Mar 19, 2026 Mar 19, 2026
Mar 19, 2026
Mar 19, 2026
6.4 MEDIUM
CVE-2026-4006 — Draft List <= 2.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'displ…

The Simple Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'display_name' post meta (Custom Field) in all versions up to and including 2.6.2. This is due to insuf…

Remote | Cross-Site Scripting
Mar 19, 2026 Mar 19, 2026
Mar 19, 2026
Mar 19, 2026
4.3 MEDIUM
CVE-2026-2571 — Download Manager <= 3.3.49 - Missing Authorization to Authenticated (Subscriber+) User Em…

The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'reviewUserStatus' function in all versions up to, and including, 3.3.4…

Remote | Authorization
Mar 19, 2026 Mar 19, 2026
Mar 19, 2026
Mar 19, 2026
8.1 HIGH
CVE-2026-27093 — WordPress Tripgo theme < 1.5.6 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ovatheme Tripgo allows PHP Local File Inclusion.This issue affects Tripgo: fro…

Remote | Path Traversal
Mar 19, 2026 Mar 19, 2026
Mar 19, 2026
Mar 19, 2026
6.3 MEDIUM
CVE-2026-27091 — WordPress UiPress lite plugin <= 3.5.09 - Broken Access Control vulnerability

Missing Authorization vulnerability in UiPress UiPress lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UiPress lite: from n/a through 3.5.09.

Remote | Authorization
Mar 19, 2026 Mar 19, 2026
Mar 19, 2026
Mar 19, 2026
7.1 HIGH
CVE-2026-28073 — WordPress WP eMember theme <= v10.2.2 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tips and Tricks HQ WP eMember allows Reflected XSS.This issue affects WP eMember: from n/a throug…

Remote | Cross-Site Scripting
Mar 19, 2026 Mar 19, 2026
Mar 19, 2026
Mar 19, 2026
5.3 MEDIUM
CVE-2026-28070 — WordPress WP eMember plugin <= v10.2.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Tips and Tricks HQ WP eMember allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP eMember: from n/a through v10.2.2.

Remote | Authorization
Mar 19, 2026 Mar 19, 2026
Mar 19, 2026
Mar 19, 2026
5.9 MEDIUM
CVE-2026-28044 — WordPress WP Rocket plugin <= 3.19.4 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Media WP Rocket allows Stored XSS.This issue affects WP Rocket: from n/a through 3.19.4.

Remote | Cross-Site Scripting
Mar 19, 2026 Mar 19, 2026
Mar 19, 2026
Mar 19, 2026
9.8 CRITICAL
CVE-2026-27542 — WordPress Woocommerce Wholesale Lead Capture plugin <= 2.0.3.1 - Privilege Escalation vul…

Incorrect Privilege Assignment vulnerability in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture allows Privilege Escalation.This issue affects Woocommerce Wholesale Lead Capture: from n/a t…

Remote | Authorization
Mar 19, 2026 Mar 19, 2026
Mar 19, 2026
Mar 19, 2026
9.0 CRITICAL
CVE-2026-27540 — WordPress Woocommerce Wholesale Lead Capture plugin <= 2.0.3.1 - Arbitrary File Upload vu…

Unrestricted Upload of File with Dangerous Type vulnerability in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture allows Using Malicious Files.This issue affects Woocommerce Wholesale Lead C…

Remote | Misconfiguration
Mar 19, 2026 Mar 19, 2026
Mar 19, 2026
Mar 19, 2026
9.3 CRITICAL
CVE-2026-27413 — WordPress Profile Builder Pro plugin <= 3.13.9 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozmoslabs Profile Builder Pro allows Blind SQL Injection.This issue affects Profile Builder Pro:…

Remote | Injection
Mar 19, 2026 Mar 19, 2026
Mar 19, 2026
Mar 19, 2026
6.5 MEDIUM
CVE-2026-27397 — WordPress Really Simple Security Pro plugin <= 9.5.4.0 - Insecure Direct Object Reference…

Authorization Bypass Through User-Controlled Key vulnerability in Really Simple Plugins B.V. Really Simple Security Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This is…

Remote | Authorization
Mar 19, 2026 Mar 19, 2026
Mar 19, 2026
Mar 19, 2026
8.1 HIGH
CVE-2026-27096 — WordPress ColorFolio - Freelance Designer WordPress Theme theme <= 1.3 - Deserialization …

Deserialization of Untrusted Data vulnerability in BuddhaThemes ColorFolio - Freelance Designer WordPress Theme allows Object Injection.This issue affects ColorFolio - Freelance Designer WordPress Th…

Remote | Injection
Mar 19, 2026 Mar 19, 2026
Mar 19, 2026
Mar 19, 2026
7.2 HIGH
CVE-2026-1238 — SlimStat Analytics <= 5.3.5 - Unauthenticated Stored Cross-Site Scripting via 'fh'

The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fh' (fingerprint) parameter in all versions up to, and including, 5.3.5 due to insufficient input san…

Remote | Cross-Site Scripting
Mar 19, 2026 Mar 19, 2026
Mar 19, 2026
Mar 19, 2026
5.4 MEDIUM
CVE-2026-1276 — IBM QRadar SIEM Cross-Site Scripting

IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus alte…

Remote | Cross-Site Scripting
Mar 19, 2026 Mar 19, 2026
Mar 19, 2026
Mar 19, 2026
6.2 MEDIUM
CVE-2025-36051 — IBM QRadar SIEM Information Disclosure

IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 stores potentially sensitive information in configuration files that could be read by a local user.

| Information Disclosure
Mar 19, 2026 Mar 19, 2026
Mar 19, 2026
Mar 19, 2026
5.4 MEDIUM
CVE-2025-15051 — IBM QRadar SIEM Cross-Site Scripting

IBM QRadar SIEM 7.5.0 through 7.5.0 Update Package 14 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intende…

Remote | Cross-Site Scripting
Mar 19, 2026 Mar 19, 2026
Mar 19, 2026
Mar 19, 2026
Showing 20 of 5527 Results