Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
6.5 MEDIUM
CVE-2026-15022 — Tutor LMS <= 4.0.0 - Authenticated (Subscriber+) SQL Injection via Stored Quiz Answer Arr…

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via Stored Quiz Answer Array in all versions up to, and including, 4.0.0 due to insuff…

Remote | Injection
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
6.4 MEDIUM
CVE-2026-15021 — wpForo Forum <= 3.1.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'loca…

The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'location' Profile Field in all versions up to, and including, 3.1.1 due to insufficient input sanitization and …

Remote | Cross-Site Scripting
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.1 HIGH
CVE-2026-15008 — Uncanny Automator <= 7.3.1.4 - Unauthenticated PHP Object Injection to Arbitrary File Del…

The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the …

Remote | Path Traversal
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.8 HIGH
CVE-2026-15005 — Loco Translate <= 2.8.5 - Cross-Site Request Forgery to Remote Code Execution via 'templa…

The Loco Translate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.5. This is due to missing or incorrect nonce validation on the execTempla…

Remote | Cross-Site Request Forgery
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
6.5 MEDIUM
CVE-2026-13767 — Quiz and Survey Master (QSM) <= 11.2.0 - Authenticated (Custom+) SQL Injection via 'pages…

The Quiz Master Next plugin for WordPress is vulnerable to SQL Injection via stored quiz page data in versions up to, and including, 11.2.0. This is due to insufficient escaping on the user-supplied …

Remote | Injection
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
6.4 MEDIUM
CVE-2026-13755 — Tickera <= 3.6.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'price_…

The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'price_wrapper' Shortcode Attribute in all versions up to, and including, 3.6.0.0 due …

Remote | Cross-Site Scripting
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
6.5 MEDIUM
CVE-2026-13754 — Tickera <= 3.6.0.0 - Authenticated (Staff+) SQL Injection via 's' Parameter

The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and including, 3.6.0.0 due to insufficient escaping…

Remote | Injection
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.8 HIGH
CVE-2026-13741 — Digits: WordPress Mobile Number Signup and Login <= 9.1.0.5 - Authenticated (Subscriber+)…

The Digits: WordPress Mobile Number Signup and Login plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 9.1.0.5. This is due to missing authorization and…

Remote | Authorization
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
9.2 CRITICAL
CVE-2026-15925 — Improper TLS Hostname Verification in Snowflake Connector for Python

Improper TLS hostname verification in Snowflake Connector for Python versions prior to 4.7.1 and 3.18.1 may have allowed a network-positioned attacker to bypass certificate hostname validation on HTT…

Remote | Misconfiguration
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.5 MEDIUM
CVE-2026-12979 — FunnelKit < 3.15.0.6 - Admin+ Arbitrary File Deletion via Path Traversal in Template Impo…

The FunnelKit WordPress plugin before 3.15.0.6 does not validate a user-supplied path before deleting a file during a template-import operation, allowing users with administrator privileges to delet…

Remote | Path Traversal
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
7.1 HIGH
CVE-2026-12978 — FunnelKit < 3.15.0.6 - Reflected XSS via Divi Optin Form

The FunnelKit WordPress plugin before 3.15.0.6 does not escape a user-supplied parameter before reflecting it into the HTML response of one of its page-builder AJAX actions, allowing unauthenticated…

Remote | Cross-Site Scripting
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
2.7 LOW
CVE-2026-12907 — RTMKit Addons for Elementor < 2.0.9 - Author+ Site-Wide Theme Builder Template Creation a…

The RTMKit WordPress plugin before 2.0.9 does not perform a proper capability check on one of its -builder AJAX actions, allowing users with at least the Author role to create and activate a site-wid…

Remote | Authorization
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
2.7 LOW
CVE-2026-12906 — RTMKit Addons for Elementor < 2.0.9 - Contributor+ Private Post Title Disclosure

The RTMKit WordPress plugin before 2.0.9 does not perform a capability check in one of its AJAX actions and resolves a request-supplied post identifier directly, allowing users with at least the Cont…

Remote | Authorization
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
6.1 MEDIUM
CVE-2026-12869 — Header Footer Builder for Elementor < 1.2.1 - Contributor+ Stored XSS via Template Import

The Header Footer Builder for Elementor WordPress plugin before 1.2.1 does not require an administrative capability for its dashboard template-import action (it allows any edit_posts user), so a Cont…

Remote | Authorization
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
6.5 MEDIUM
CVE-2026-12684 — Customer Reviews for WooCommerce < 5.113.0 - Unauthenticated Arbitrary Media Upload via c…

The Customer Reviews for WooCommerce WordPress plugin before 5.113.0 does not perform authentication, capability, or nonce checks on one of its media upload AJAX actions when the review media attachm…

Remote | Authentication
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.1 HIGH
CVE-2026-12585 — Abandoned Cart Lite for WooCommerce < 6.8.2 - Unauthenticated Account Takeover via Mallea…

The Abandoned Cart Lite for WooCommerce WordPress plugin before 6.8.2 does not protect the integrity of its cart-recovery tokens or bind them to the requesting account, allowing unauthenticated attac…

Remote | Authentication
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
8.8 HIGH
CVE-2026-12525 — Redux Framework < 4.5.13 - Subscriber+ Privilege Escalation to Administrator

The Redux Framework WordPress plugin before 4.5.13 does not restrict which user meta keys can be written when saving custom profile fields, allowing users with at least the Subscriber role to escalat…

Remote | Authorization
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
5.9 MEDIUM
CVE-2026-12510 — AI Engine < 3.5.5 - Subscriber+Chatbot Discussion Disclosure and Takeover via IDOR

The AI Engine WordPress plugin before 3.5.5 does not verify that a user owns the chatbot conversation referenced by a client-supplied identifier, allowing users with subscriber-level access to read …

Remote | Authorization
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
9.8 CRITICAL
CVE-2026-12492 — Happy Coders OTP Login for WooCommerce < 2.8 - Unauthenticated Account Takeover via hcotp…

The Happy Coders OTP Login for WooCommerce WordPress plugin before 2.8 does not verify that a one-time password was actually validated before authenticating a user based on a supplied identifier, all…

Remote | Authentication
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
6.5 MEDIUM
CVE-2026-12395 — WP Job Portal < 2.5.5 - Subscriber+ SQL Injection via Applied Resumes 'ta' Parameter

The WP Job Portal WordPress plugin before 2.5.5 does not properly sanitize and escape a parameter before using it in a SQL query, allowing authenticated users with a subscriber-level (self-registera…

Remote | Injection
Jul 16, 2026 Jul 16, 2026
Jul 16, 2026
Jul 16, 2026
Showing 20 of 8284 Results