Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
8.1 HIGH
CVE-2025-69123 — WordPress Snow Club theme <= 1.1 - Local File Inclusion vulnerability

Unauthenticated Local File Inclusion in Snow Club <= 1.1 versions.

Remote | Path Traversal
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
8.1 HIGH
CVE-2025-69120 — WordPress Dazzle theme <= 1.0.0 - Local File Inclusion vulnerability

Unauthenticated Local File Inclusion in Dazzle <= 1.0.0 versions.

Remote | Path Traversal
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
8.1 HIGH
CVE-2025-69115 — WordPress LuxMed | Medicine & Healthcare Doctor WordPress Theme theme <= 1.2.2 - Local Fi…

Unauthenticated Local File Inclusion in LuxMed | Medicine & Healthcare Doctor WordPress Theme <= 1.2.2 versions.

Remote | Path Traversal
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
9.8 CRITICAL
CVE-2025-69111 — WordPress Reisen theme <= 1.4.1 - PHP Object Injection vulnerability

Unauthenticated PHP Object Injection in Reisen <= 1.4.1 versions.

Remote | Injection
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
8.1 HIGH
CVE-2025-69106 — WordPress Imba theme <= 1.5.0 - Local File Inclusion vulnerability

Unauthenticated Local File Inclusion in Imba <= 1.5.0 versions.

Remote | Path Traversal
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
7.1 HIGH
CVE-2025-68524 — WordPress Avante theme < 3.0.5 - Reflected Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in Avante < 3.0.5 versions.

Remote | Cross-Site Scripting
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
8.8 HIGH

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write operations, e.g., the system will send a one-time password to an attacker-contro…

Remote | Authorization
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
9.8 CRITICAL
CVE-2025-60236 — WordPress Creatify theme <= 1.5 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in EMV Creatify allows Object Injection. This issue affects Creatify: from n/a through 1.5.

Remote | Injection
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
9.8 CRITICAL
CVE-2025-60231 — WordPress The Hospital theme <= 1.8.1 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in EMV The Hospital nrghospital allows Object Injection. This issue affects The Hospital: from n/a through 1.8.1.

Remote | Injection
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
9.8 CRITICAL
CVE-2025-60230 — WordPress The Barber Shop theme <= 1.9 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Themeton The Barber Shop allows Object Injection. This issue affects The Barber Shop: from n/a through 1.9.

Remote | Injection
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
9.8 CRITICAL
CVE-2025-60229 — WordPress Lagom theme <= 2.0 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Themeton Lagom allows Object Injection. This issue affects Lagom: from n/a through 2.0.

Remote | Injection
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
9.3 CRITICAL
CVE-2025-59554 — WordPress Advanced Ads – Tracking plugin < 3.0.7 - SQL Injection vulnerability

Unauthenticated SQL Injection in Advanced Ads – Tracking < 3.0.7 versions.

Remote | Injection
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
5.3 MEDIUM
CVE-2025-15657 — WordPress School Management plugin <= 93.1.0 - Insecure Direct Object References (IDOR) v…

Unauthenticated Insecure Direct Object References (IDOR) in School Management <= 93.1.0 versions.

Remote | Authorization
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
8.6 HIGH
CVE-2026-11311 — NGINX Gateway Fabric vulnerability

When NGINX Plus is configured as the data plane for NGINX Gateway Fabric, an injection vulnerability exists in the NGINX configuration generator component of NGINX Gateway Fabric. User-supplied strin…

nginx_gateway_fabric | Remote | Injection
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
7.5 HIGH
CVE-2026-9690 — WordPress WP Media folder Addon plugin <= 4.0.1 - Arbitrary File Download vulnerability

Unauthenticated Arbitrary File Download in WP Media folder Addon <= 4.0.1 versions.

Remote | Path Traversal
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
7.1 HIGH
CVE-2026-9570 — Taskbuilder < 5.0.8 - Reflected XSS via Shortcode

The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Re…

taskbuilder | Remote | Cross-Site Scripting
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
6.4 MEDIUM
CVE-2026-8607 — myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Pr…

The Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wrap' Shortcode Attribute in …

mycred | Remote | Cross-Site Scripting
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
6.4 MEDIUM
CVE-2026-8494 — Permalink Manager Lite <= 2.5.3.3 - Authenticated (Contributor+) Stored Cross-Site Script…

The Permalink Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in the admin URI Editor interface in all versions up to, and including, 2.5.3.3 due to ins…

permalink_manager_lite | Remote | Cross-Site Scripting
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
5.3 MEDIUM
CVE-2026-8383 — LearnPress < 4.3.7 - Unauthenticated Sensitive User Information Disclosure via REST API

The LearnPress WordPress plugin before 4.3.7 does not gate the `edit` context on one of its REST endpoint behind the `edit_users` capability, allowing unauthenticated visitors to retrieve each retur…

learnpress | Remote | Authorization
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
7.1 HIGH
CVE-2026-8089 — weMail < 2.1.3 - Reflected Cross-Site Scripting

The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecti…

Remote | Cross-Site Scripting
Jun 17, 2026 Jun 17, 2026
Jun 17, 2026
Jun 17, 2026
Showing 20 of 7988 Results