CVE-2026-27060 — WordPress ARMember Premium plugin <= 7.0 - PHP Object Injection vulnerability
Contributor PHP Object Injection in ARMember Premium <= 7.0 versions.
Remote | Injection
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
CVE-2025-69156 — WordPress Kids Zone - Children WordPress Theme theme <= 5.4 - Cross Site Scripting (XSS) …
Unauthenticated Cross Site Scripting (XSS) in Kids Zone - Children WordPress Theme <= 5.4 versions.
Remote | Cross-Site Scripting
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
CVE-2025-69155 — WordPress Fitness Zone WordPress Theme theme <= 5.7 - Cross Site Scripting (XSS) vulnerab…
Unauthenticated Cross Site Scripting (XSS) in Fitness Zone WordPress Theme <= 5.7 versions.
Remote | Cross-Site Scripting
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
CVE-2025-69154 — WordPress SpaLab | Beauty Salon WordPress Theme theme <= 6.7 - Cross Site Scripting (XSS)…
Unauthenticated Cross Site Scripting (XSS) in SpaLab | Beauty Salon WordPress Theme <= 6.7 versions.
Remote | Cross-Site Scripting
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
CVE-2025-69153 — WordPress Trendy Travel theme <= 6.7 - Reflected Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) in Trendy Travel <= 6.7 versions.
Remote | Cross-Site Scripting
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
CVE-2025-69152 — WordPress Artale | Wedding Photography WordPress theme <= 2.2.2 - Cross Site Scripting (X…
Unauthenticated Cross Site Scripting (XSS) in Artale | Wedding Photography WordPress <= 2.2.2 versions.
Remote | Cross-Site Scripting
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
CVE-2025-69134 — WordPress OpenAI Chatbot for WordPress – Helper plugin <= 1.1.4 - Arbitrary Content Delet…
Unauthenticated Arbitrary Content Deletion in OpenAI Chatbot for WordPress – Helper <= 1.1.4 versions.
Remote | Authentication
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
CVE-2025-69133 — WordPress Tourmaster plugin <= 5.4.5 - Local File Inclusion vulnerability
Subscriber Local File Inclusion in Tourmaster <= 5.4.5 versions.
Remote | Path Traversal
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
CVE-2025-69132 — WordPress Corpkit theme <= 1.0.5 - Sensitive Data Exposure vulnerability
Subscriber Sensitive Data Exposure in Corpkit <= 1.0.5 versions.
Remote | Information Disclosure
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
CVE-2025-69094 — WordPress Unicamp theme <= 2.2.2 - SQL Injection vulnerability
Subscriber SQL Injection in Unicamp <= 2.2.2 versions.
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
CVE-2025-66076 — WordPress Woostify Sites Library plugin <= 1.6.2 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in Woostify Sites Library <= 1.6.2 versions.
Remote | Authorization
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
CVE-2025-58902 — WordPress Lighthouse theme <= 1.2.12 - Local File Inclusion vulnerability
Unauthenticated Local File Inclusion in Lighthouse <= 1.2.12 versions.
Remote | Path Traversal
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
An unauthenticated remote attacker can exhaust server memory via the GetEndpoints Discovery Service in open62541. The endpointUrl field of GetEndpointsRequest is not validated for length. An attacker…
Remote | Denial of Service
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
In liboauth2 the Demonstrating Proof-of-Possession (DPoP) verifier accepts a proof whose JSON Web Key (jwk) header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to …
Misconfiguration
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
liboauth2 is vulnerable to Server-Side Request Forgery in the oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB verifier reads both signer and kid from the unverified JWT header. If signer matches…
Server-Side Request Forgery
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
CVE-2026-13369 — Ninja Forms - File Uploads <= 3.3.29 - Unauthenticated Arbitrary File Read via File Uploa…
The Ninja Forms - File Uploads plugin for WordPress is vulnerable to Arbitrary File Read via the attach_files() function in versions up to, and including, 3.3.29. This is due to the get_files_for_att…
Remote | Information Disclosure
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
CVE-2026-8441 — WP Review Slider Pro <= 12.7.2 - Unauthenticated SQL Injection via 'notinstring' Parameter
The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'notinstring' parameter of the wprp_load_more_revs AJAX action in versions up to, and including, 12.7.2. The param…
Remote | Injection
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
CVE-2026-9145 — Database for Contact Form 7, WPforms, Elementor forms <= 1.5.1 - Unauthenticated Arbitrar…
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Arbitrary File Copy via the create_entry_el() function in versions up to, and including, 1.5.1. The fun…
Remote | Path Traversal
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
CVE-2026-13251 — Perfmatters <= 2.6.4 - Unauthenticated Arbitrary File Read via 's' Parameter
The Perfmatters plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.6.4 via the 's' parameter. This makes it possible for unauthenticated attackers to re…
Remote | Path Traversal
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
A vulnerability was discovered on StormShield Network Security 4.3.0 to 4.3.41 (included), 4.8.0 to 4.8.15 (included), 5.0.0 to 5.0.5 (included).
There is a possible leak of secret information if ad…
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026
Jul 02, 2026