Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
0.0 NA
CVE-2026-12399 — Gutenverse <= 3.8.0 - Authenticated (Editor+) Stored Cross-Site Scripting via 'fonts[].fo…

The Gutenverse – WordPress Blocks, Page Builder & Site Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.8.0 due to i…

Cross-Site Scripting
Jun 27, 2026
0.0 NA
CVE-2026-3462 — Frisbii Pay <= 1.8.9 - Missing Authorization to Authenticated (Subscriber+) Payment Token…

The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'upload_csv' and 'process_batch' functions in all versions up to, and i…

Authorization
Jun 27, 2026
0.0 NA
CVE-2026-12432 — Stripe Payment Forms by WP Full Pay <= 8.4.3 - Missing Authorization to Unauthenticated P…

The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfs_update_failed_payment_status AJAX action. The handler is regis…

Authorization
Jun 27, 2026
0.0 NA
CVE-2026-11597 — Surbma | Infusionsoft Shortcode <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site…

The Surbma | Infusionsoft Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'infusionsoft-form' shortcode in versions up to, and including, 2.0.1. This is due to ins…

Cross-Site Scripting
Jun 27, 2026
0.0 NA
CVE-2026-13295 — Page Builder by SiteOrigin <= 2.34.3 - Authenticated (Contributor+) Stored Cross-Site Scr…

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via panels_data Parameter in all versions up to, and including, 2.34.3 due to insufficient input sanit…

Cross-Site Scripting
Jun 27, 2026
0.0 NA
CVE-2026-12471 — Spexo <= 2.0.11 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Act…

The Spexo theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the activate_plugin function in all versions up to, and including, 2.0.11. This makes it possib…

Authorization
Jun 27, 2026
0.0 NA
CVE-2026-11773 — Masteriyo LMS <= 2.2.1 - Missing Authorization to Authenticated (Student+) Arbitrary Cour…

The Masteriyo LMS – LMS Course Builder, Quizzes & Certificates plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.1. This is due to the plugin not pr…

Authorization
Jun 27, 2026
0.0 NA
CVE-2026-9233 — Quiz and Survey Master (QSM) <= 11.1.4 - Missing Authorization to Authenticated (Contribu…

The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 11.1.4. This is due to the plugin not pr…

Authorization
Jun 27, 2026
0.0 NA
CVE-2026-11364 — Product Specifications for Woocommerce <= 0.8.9 - Missing Authorization to Authenticated …

The Product Specifications for WooCommerce plugin for WordPress is vulnerable to unauthorized modification, creation, and deletion of data in versions up to and including 0.8.9. This is due to a miss…

Authorization
Jun 27, 2026
0.0 NA
CVE-2026-11783 — Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 5.0.4 - Authenticated (…

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Product SKU in all version…

Cross-Site Scripting
Jun 27, 2026
0.0 NA
CVE-2026-9242 — RegistrationMagic <= 6.0.8.6 - Authenticated (Subscriber+) Authentication Bypass via Forg…

The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Verification of Data Authent…

Authentication
Jun 27, 2026
0.0 NA
CVE-2026-11987 — Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 5.0.4 - Authenticated (…

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, an…

Authorization
Jun 27, 2026
0.0 NA
CVE-2026-9677 — Shariff for WordPress <= 1.0.11 - Admin+ Stored Cross-Site Scripting

The Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() funct…

Cross-Site Scripting
Jun 27, 2026
0.0 NA
CVE-2026-10820 — ProfilePress < 4.16.17 - Subscriber+ Subscription Cancellation via IDOR

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.16.17 does not verify that the user performing a subscription act…

Authorization
Jun 27, 2026
0.0 NA
CVE-2026-12404 — NEX-Forms <= 9.2.2 - Missing Authorization to Unauthenticated Sensitive Information Discl…

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This is due to the plugin not properly veri…

Authorization
Jun 27, 2026
0.0 NA
CVE-2026-13245 — MaxButtons <= 9.8.5 - Reflected Cross-Site Scripting via 'view' Parameter

The MaxButtons – Create buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'view' parameter in all versions up to, and including, 9.8.5 due to insufficient input san…

Cross-Site Scripting
Jun 27, 2026
9.8 CRITICAL
CVE-2026-12415 — Invoice Generator <= 1.0.0 - Unauthenticated Privilege Escalation via Account Takeover vi…

The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravel_invoice_edit_account() AJAX action in versions up to, and including, 1…

Remote | Authorization
Jun 27, 2026
5.5 MEDIUM
CVE-2025-59868 — HCL Traveler for Microsoft Outlook (HTMO) is susceptible to sensitive data exposure

HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a sensitive data exposure vulnerability which could allow an attacker to exploit application information to then attempt additional attacks…

Information Disclosure
Jun 27, 2026
4.3 MEDIUM
CVE-2026-13422 — HD Quiz 2.2.0 - 2.2.1 - Cross-Site Request Forgery via Multiple AJAX Handlers

The HD Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 2.2.0 to 2.2.1. This is due to missing or incorrect nonce validation on the hdq_validate_nonce function. This …

hd_quiz | Remote | Cross-Site Request Forgery
Jun 27, 2026
4.4 MEDIUM
CVE-2026-11356 — Ivory Search <= 5.5.15 - Authenticated (Administrator+) Stored Cross-Site Scripting via '…

The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'menu_title' and 'menu_magnifier_color' Settings in all versions up to, and including,…

Remote | Cross-Site Scripting
Jun 27, 2026
Showing 20 of 7894 Results