Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
4.3 MEDIUM
CVE-2026-9184 — 24liveblog <= 2.2 - Missing Authorization to Authenticated (Author+) Settings Modificatio…

The 24liveblog - live blog tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_lb24_token() AJAX function in versions up to, a…

Remote | Authorization
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
4.3 MEDIUM
CVE-2026-9183 — 24liveblog <= 2.2 - Authenticated (Contributor+) Exposure of Sensitive Information via Bl…

The 24liveblog - live blog tool plugin for WordPress is vulnerable to Exposure of Sensitive Information in versions up to, and including, 2.2. This is due to the lb24_block_enqueue_scripts() function…

Remote | Information Disclosure
Jun 24, 2026 Jun 29, 2026
Jun 24, 2026
Jun 29, 2026
7.5 HIGH
CVE-2026-9179 — WP Forms Connector <= 1.8 - Unauthenticated SQL Injection via 'order' Parameter

The WP Forms Connector plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/wp/v3/post/list REST endpoint in versions up to and including 1.8. This is due to …

Remote | Injection
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
7.5 HIGH
CVE-2026-9178 — WP Forms Connector <= 1.8 - Missing Authorization to Unauthenticated Information Exposure…

The WP Forms Connector plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.8. The plugin registers the REST route wp/v3/user/list/<id> (callback userDet…

Remote | Information Disclosure
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
5.3 MEDIUM
CVE-2026-9175 — Devs Accounting <= 1.2.0 - Missing Authorization to Unauthenticated Sensitive Information…

The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.0. This is due to the get_single_a…

Remote | Authorization
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
5.3 MEDIUM
CVE-2026-9172 — Devs Accounting <= 1.2.0 - Missing Authorization to Unauthenticated Account Deletion via …

The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to unauthorized modification/deletion of data due to a missing capability check on the delete_single_…

Remote | Authorization
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
6.1 MEDIUM
CVE-2026-8905 — Osiris Signature Banner <= 0.5 - Cross-Site Request Forgery to Stored Cross-Site Scriptin…

The Osiris Signature Banner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5. This is due to missing or incorrect nonce validation on a funct…

Remote | Cross-Site Request Forgery
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
6.4 MEDIUM
CVE-2026-8896 — MIR blocks and shortcodes <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scrip…

The MIR blocks and shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute (and other attributes such as 'ready_animation_text') of the 'msc_stats' shor…

Remote | Cross-Site Scripting
Jun 24, 2026 Jun 30, 2026
Jun 24, 2026
Jun 30, 2026
6.4 MEDIUM
CVE-2026-8865 — Avalon23 Products Filter for WooCommerce <= 1.1.6 - Authenticated (Contributor+) Stored C…

The Avalon23 Products Filter for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'avalon23_qr' shortcode in all versions up to, and including, 1.1.6. This is due…

Remote | Cross-Site Scripting
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
7.5 HIGH
CVE-2026-8705 — ClearSale Total <= 3.4.2 - Unauthenticated SQL Injection

The ClearSale Total plugin for WordPress is vulnerable to SQL Injection via the `pagseguro[metodo]` POST parameter of the `clearsale_total_push` AJAX action in all versions up to, and including, 3.4.…

Remote | Injection
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
5.3 MEDIUM
CVE-2026-8690 — RentMy Real-Time Rental Management Plugin <= 4.0.4.1 - Missing Authorization to Unauthent…

The RentMy Real-Time Rental Management Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.4.1. This is due to the plugin not properly verifyin…

Remote | Authorization
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
4.3 MEDIUM
CVE-2026-8688 — Advance Nav Menu Manager <= 1.3 - Missing Authorization to Authenticated (Subscriber+) Na…

The Advance Nav Menu Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.3. This is due to the plugin not properly verifying that a user is auth…

Remote | Authorization
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
6.1 MEDIUM
CVE-2026-8628 — EntreDroppers <= 1.1.2 - Reflected Cross-Site Scripting via PHP_SELF Parameter

The EntreDroppers plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Parameter in all versions up to, and including, 1.1.2 due to insufficient input sanitization and ou…

Remote | Cross-Site Scripting
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
6.1 MEDIUM
CVE-2026-8622 — Image Sizes on Demand <= 1.3 - Reflected Cross-Site Scripting via PHP_SELF Server Variable

The Image Sizes on Demand plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF Server Variable in all versions up to, and including, 1.3 due to insufficient input sanitiz…

Remote | Cross-Site Scripting
Jun 24, 2026 Jun 29, 2026
Jun 24, 2026
Jun 29, 2026
5.3 MEDIUM
CVE-2026-8617 — SearchPlus <= 1.7.1 - Missing Authorization to Unauthenticated Settings Modification and …

The SearchPlus plugin for WordPress is vulnerable to unauthorized modification and deletion of data in versions up to, and including, 1.7.1. This is due to a missing capability check and missing nonc…

Remote | Authorization
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
4.3 MEDIUM
CVE-2026-8614 — Assistio <= 1.1.2 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings …

The Assistio plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce verification on the assistio_plugin_delete_assistio_settings()…

Remote | Authorization
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
5.3 MEDIUM
CVE-2026-7617 — Secufor_OAuth <= 1.0.7 - Missing Authorization to Unauthenticated Account Logout via 'sec…

The Secufor_OAuth plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.7. This is due to the plugin not properly verifying that a user is authorized to …

Remote | Authorization
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
4.3 MEDIUM
CVE-2026-6292 — MP Customize Login Page <= 1.0 - Cross-Site Request Forgery to Settings Update

The MP Customize Login Page plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.0. This is due to a completely broken nonce validation in the…

Remote | Cross-Site Request Forgery
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
8.8 HIGH
CVE-2026-4297 — Welcome Software Publishing <= 0.0.31 - Authenticated (Subscriber+) Arbitrary Options Upd…

The Welcome Software Publishing plugin for WordPress is vulnerable to Arbitrary Options Update in all versions up to and including 0.0.31. This is due to a missing capability check in the nc_setOptio…

Remote | Authorization
Jun 24, 2026 Jun 25, 2026
Jun 24, 2026
Jun 25, 2026
7.0 HIGH
CVE-2026-13006 — Incomplete protection against CVE-2025-11226

ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.36 in Java applications, allows an attacker to execute arbitrary code circumvent…

logback-core | Injection
Jun 24, 2026 Jul 01, 2026
Jun 24, 2026
Jul 01, 2026
Showing 20 of 7990 Results