Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
6.1 MEDIUM
CVE-2026-8628 — EntreDroppers <= 1.1.2 - Reflected Cross-Site Scripting via PHP_SELF Parameter

The EntreDroppers plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and ou…

Remote | Cross-Site Scripting
Jun 24, 2026
7.2 HIGH
CVE-2026-12095 — Kargo Takip <= 1.2 - Unauthenticated Server-Side Request Forgery via 'api_url' Parameter

The Kargo Takip plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2 via the 'api_url' parameter. This makes it possible for unauthenticated att…

Remote | Server-Side Request Forgery
Jun 24, 2026
4.3 MEDIUM
CVE-2026-10552 — Blue Captcha <= 2.0.1 - Cross-Site Request Forgery via 'blcap_action' Parameter

The Blue Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 2.0.1. This is due to missing or incorrect nonce validation on the main admin panel (…

Remote | Cross-Site Request Forgery
Jun 24, 2026
4.3 MEDIUM
CVE-2026-8614 — Assistio <= 1.1.2 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings …

The Assistio plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce verification on the assistio_plugin_delete_assistio_settings()…

Remote | Authorization
Jun 24, 2026
5.3 MEDIUM
CVE-2026-7617 — Secufor_OAuth <= 1.0.7 - Missing Authorization to Unauthenticated Account Logout via 'sec…

The Secufor_OAuth plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.7. This is due to the plugin not properly verifying that a user is authorized to …

Remote | Authorization
Jun 24, 2026
4.3 MEDIUM
CVE-2026-9619 — Reviews and Rating <= 1.1.4 - Missing Authorization to Authenticated (Subscriber+) Arbitr…

The Reviews and Rating – Docplanner plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.4. This is due to the plugin not properly verifying that a use…

Remote | Authorization
Jun 24, 2026
4.3 MEDIUM
CVE-2026-9724 — MotorDesk <= 1.1.2 - Cross-Site Request Forgery to Settings Update

The MotorDesk plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the motordesk_admin…

Remote | Cross-Site Request Forgery
Jun 24, 2026
8.8 HIGH
CVE-2026-4297 — Welcome Software Publishing <= 0.0.31 - Authenticated (Subscriber+) Arbitrary Options Upd…

The Welcome Software Publishing plugin for WordPress is vulnerable to Arbitrary Options Update in all versions up to and including 0.0.31. This is due to a missing capability check in the nc_setOptio…

Remote | Authorization
Jun 24, 2026
5.3 MEDIUM
CVE-2026-12094 — Advanced Contact Form 7 <= 1.0.0 - Missing Authorization to Unauthenticated Arbitrary Con…

The Advanced Contact Form 7 - Compact DB plugin for WordPress is vulnerable to unauthorized deletion of data due to a missing capability check on the cf7cdb_ajax_delete_user() function in versions up…

Remote | Authorization
Jun 24, 2026
7.2 HIGH
CVE-2026-10092 — Cincopa video and media plug-in <= 1.163 - Unauthenticated Stored Cross-Site Scripting vi…

The Cincopa video and media plug-in plugin for WordPress is vulnerable to Stored Cross-Site Scripting via cincopa Shortcode in Post Comments in all versions up to, and including, 1.163 due to insuffi…

Remote | Cross-Site Scripting
Jun 24, 2026
7.5 HIGH
CVE-2026-9179 — WP Forms Connector <= 1.8 - Unauthenticated SQL Injection via 'order' Parameter

The WP Forms Connector plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/wp/v3/post/list REST endpoint in versions up to and including 1.8. This is due to …

Remote | Injection
Jun 24, 2026
6.4 MEDIUM
CVE-2026-11370 — WP Meta SEO <= 4.5.18 - Authenticated (Contributor+) Server-Side Request Forgery via 'new…

The WP Meta SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.5.18 via the 'new_link' parameter. This makes it possible for authenticated a…

wp_meta_seo | Remote | Server-Side Request Forgery
Jun 24, 2026
5.3 MEDIUM
CVE-2026-9175 — Devs Accounting <= 1.2.0 - Missing Authorization to Unauthenticated Sensitive Information…

The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.0. This is due to the get_single_a…

Remote | Authorization
Jun 24, 2026
4.3 MEDIUM
CVE-2026-9721 — Book a Room Event Calendar <= 1.9 - Cross-Site Request Forgery to Settings Update

The Book a Room Event Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9. This is due to missing or incorrect nonce validation on the …

Remote | Cross-Site Request Forgery
Jun 24, 2026
7.2 HIGH
CVE-2026-10091 — Email JavaScript Cloak <= 1.03 - Unauthenticated Stored Cross-Site Scripting

The Email JavaScript Cloak plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'email' shortcode in all versions up to, and including, 1.03 due to insufficient input sa…

Remote | Cross-Site Scripting
Jun 24, 2026
7.2 HIGH
CVE-2026-12100 — URL Preview <= 1.0 - Unauthenticated Server-Side Request Forgery via 'url' Parameter

The URL Preview plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0 via the 'url' parameter. This makes it possible for unauthenticated attacke…

Remote | Server-Side Request Forgery
Jun 24, 2026
6.1 MEDIUM
CVE-2026-8905 — Osiris Signature Banner <= 0.5 - Cross-Site Request Forgery to Stored Cross-Site Scriptin…

The Osiris Signature Banner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5. This is due to missing or incorrect nonce validation on a funct…

Remote | Cross-Site Request Forgery
Jun 24, 2026
6.5 MEDIUM
CVE-2026-9539 — libslirp TCP URG OOB Read Information Leak

An out-of-bounds heap read and integer underflow in the TCP urgent data handling (sosendoob) in freedesktop.org libslirp version before v4.9.2 on hypervisor host environments (e.g., QEMU) allows a pr…

Memory Corruption
Jun 24, 2026
9.1 CRITICAL
CVE-2026-12851 — GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability

Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker…

Remote | Injection
Jun 24, 2026
9.1 CRITICAL
CVE-2026-12850 — GeoVision GV-I/O Box 4E libNetSetObj.so OS command injection vulnerability

Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker…

Remote | Injection
Jun 24, 2026
Showing 20 of 7794 Results