Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
0.0 NA
CVE-2026-52912 — netfilter: nf_queue: hold bridge skb->dev while queued

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_queue: hold bridge skb->dev while queued br_pass_frame_up() rewrites skb->dev from the ingress port to the bridge m…

| Memory Corruption
Jun 24, 2026 Jun 24, 2026
Jun 24, 2026
Jun 24, 2026
8.8 HIGH
CVE-2026-7761 — Ultimate Member <= 2.11.4 - Authenticated (Contributor+) Account Takeover via Password Re…

The Ultimate Member plugin for WordPress is vulnerable to Account Takeover via Password Reset Link Disclosure in all versions up to and including 2.11.4. This is due to a chain of three logic bugs: (…

Remote | Authentication
Jun 24, 2026 Jun 24, 2026
Jun 24, 2026
Jun 24, 2026
7.7 HIGH
CVE-2026-9710 — Themeco Cornerstone < 7.8.8 (Premium, bundled with X Theme) - Subscriber+ Arbitrary User …

The Cornerstone WordPress plugin before 7.8.8 does not enforce capability checks on one of its CSS-preview request handlers, and exposes the nonce needed to call it to every logged-in user on any wp-…

Remote | Authorization
Jun 24, 2026 Jun 24, 2026
Jun 24, 2026
Jun 24, 2026
7.7 HIGH
CVE-2026-9709 — Themeco Cornerstone < 7.8.9 (Premium, bundled with X Theme) - Subscriber+ Arbitrary User …

The Cornerstone WordPress plugin before 7.8.9 does not enforce capability checks on one of its REST API routes, allowing any authenticated user to disclose the metadata of any other user, including r…

Remote | Information Disclosure
Jun 24, 2026 Jun 24, 2026
Jun 24, 2026
Jun 24, 2026
2.7 LOW
CVE-2026-10753 — Site Kit by Google < 1.176.0 - Editor+ Email Reporting Settings Update

The Site Kit by Google WordPress plugin before 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users who have been granted dashboard sharing…

Remote | Authorization
Jun 24, 2026 Jun 24, 2026
Jun 24, 2026
Jun 24, 2026
7.2 HIGH
CVE-2026-10749 — Post Duplicator < 3.0.15 - Contributor+ PHP Object Injection via customMetaData

The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's double…

Remote | Injection
Jun 24, 2026 Jun 24, 2026
Jun 24, 2026
Jun 24, 2026
7.5 HIGH
CVE-2026-10735 — ShapedPlugin Multiple Pro Plugins - Backdoor via Compromised Vendor Update Server

Multiple Shapedsmart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 Pro smart-post-…

Remote | Supply Chain
Jun 24, 2026 Jun 24, 2026
Jun 24, 2026
Jun 24, 2026
5.4 MEDIUM
CVE-2026-10531 — AI Share & Summarize < 2.0.4 - Contributor+ Stored XSS via title_style Shortcode Attribute

The AI Share & Summarize WordPress plugin before 2.0.4 does not sanitise and escape some of its shortcode attributes before outputting them in a page, allowing users with the Contributor role and abo…

Remote | Cross-Site Scripting
Jun 24, 2026 Jun 24, 2026
Jun 24, 2026
Jun 24, 2026
7.0 HIGH
CVE-2026-13006 — Incomplete protection against CVE-2025-11226

ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.34 in Java applications, allows an attacker to execute arbitrary code circumvent…

logback-core | Injection
Jun 24, 2026 Jun 24, 2026
Jun 24, 2026
Jun 24, 2026
5.3 MEDIUM
CVE-2026-8690 — RentMy Real-Time Rental Management Plugin <= 4.0.4.1 - Missing Authorization to Unauthent…

The RentMy Real-Time Rental Management Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.4.1. This is due to the plugin not properly verifyin…

Remote | Authorization
Jun 24, 2026 Jun 24, 2026
Jun 24, 2026
Jun 24, 2026
7.5 HIGH
CVE-2026-9178 — WP Forms Connector <= 1.8 - Missing Authorization to Unauthenticated Information Exposure…

The WP Forms Connector plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.8. The plugin registers the REST route wp/v3/user/list/<id> (callback userDet…

Remote | Information Disclosure
Jun 24, 2026 Jun 24, 2026
Jun 24, 2026
Jun 24, 2026
4.3 MEDIUM
CVE-2026-11997 — Bulk SEO Image <= 1.1 - Cross-Site Request Forgery to Settings Update

The Bulk SEO Image plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.1. This is due to missing or incorrect nonce validation on the plugin's settings …

Remote | Cross-Site Request Forgery
Jun 24, 2026 Jun 24, 2026
Jun 24, 2026
Jun 24, 2026
6.1 MEDIUM
CVE-2026-8622 — Image Sizes on Demand <= 1.3 - Reflected Cross-Site Scripting via PHP_SELF Server Variable

The Image Sizes on Demand plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Server Variable in all versions up to, and including, 1.3 due to insufficient input sanitiz…

Remote | Cross-Site Scripting
Jun 24, 2026 Jun 24, 2026
Jun 24, 2026
Jun 24, 2026
5.3 MEDIUM
CVE-2026-9612 — WhatsOrder <= 1.0.1 - Unauthenticated Sensitive Information Exposure via Predictable Invo…

The WhatsOrder – Instant Checkout for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.1 via the yapacdev_generate_order_pdf.…

Remote | Information Disclosure
Jun 24, 2026 Jun 24, 2026
Jun 24, 2026
Jun 24, 2026
4.3 MEDIUM
CVE-2026-8688 — Advance Nav Menu Manager <= 1.3 - Missing Authorization to Authenticated (Subscriber+) Na…

The Advance Nav Menu Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.3. This is due to the plugin not properly verifying that a user is auth…

Remote | Authorization
Jun 24, 2026 Jun 24, 2026
Jun 24, 2026
Jun 24, 2026
6.4 MEDIUM
CVE-2026-9620 — WP Latest Posts <= 5.0.11 - Authenticated (Author+) Stored Cross-Site Scripting via Post …

The WP Latest Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted image src attributes in post content in versions up to, and including, 5.0.11. This is due to insuffi…

wp_latest_posts | Remote | Cross-Site Scripting
Jun 24, 2026 Jun 24, 2026
Jun 24, 2026
Jun 24, 2026
6.4 MEDIUM
CVE-2026-8865 — Avalon23 Products Filter for WooCommerce <= 1.1.6 - Authenticated (Contributor+) Stored C…

The Avalon23 Products Filter for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'avalon23_qr' shortcode in all versions up to, and including, 1.1.6. This is due…

Remote | Cross-Site Scripting
Jun 24, 2026 Jun 24, 2026
Jun 24, 2026
Jun 24, 2026
6.4 MEDIUM
CVE-2026-8896 — MIR blocks and shortcodes <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scrip…

The MIR blocks and shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute (and other attributes such as 'ready_animation_text') of the 'msc_stats' shor…

Remote | Cross-Site Scripting
Jun 24, 2026 Jun 24, 2026
Jun 24, 2026
Jun 24, 2026
4.3 MEDIUM
CVE-2026-9183 — 24liveblog <= 2.2 - Authenticated (Contributor+) Exposure of Sensitive Information via Bl…

The 24liveblog - live blog tool plugin for WordPress is vulnerable to Exposure of Sensitive Information in versions up to, and including, 2.2. This is due to the lb24_block_enqueue_scripts() function…

Remote | Information Disclosure
Jun 24, 2026 Jun 24, 2026
Jun 24, 2026
Jun 24, 2026
9.8 CRITICAL
CVE-2026-12416 — Invoice Generator <= 1.0.0 - Unauthenticated Account Takeover via Weak Password Reset Val…

The Invoice Generator plugin for WordPress is vulnerable to Account Takeover via Password Reset in all versions up to, and including, 1.0.0. This is due to the `pravel_invoice_change_password()` func…

Remote | Authentication
Jun 24, 2026 Jun 24, 2026
Jun 24, 2026
Jun 24, 2026
Showing 20 of 7988 Results