Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
3.9 LOW
CVE-2026-15028 — Libarchive: heap overflow oob read while parsing a tar archive contains a pax extended he…

A flaw was found in libarchive. This vulnerability allows a remote attacker to trigger a heap overflow by providing a specially crafted tar archive. The issue occurs during the parsing of a PAX exten…

Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
6.4 MEDIUM
CVE-2026-13710 — Jeg Kit for Elementor <= 3.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting…

The Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Box widget's 'sg_body_desc…

Remote | Cross-Site Scripting
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
6.4 MEDIUM
CVE-2026-13247 — Logo Slider <= 5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'lgx_to…

The Logo Slider – Logo Carousel, Client Logo Slider & Brand Showcase for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'lgx_tooltip_position' parameter in all ve…

Remote | Cross-Site Scripting
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
6.5 MEDIUM
CVE-2026-13010 — JoomSport <= 5.7.9 - Authenticated (Contributor+) SQL Injection via 'event' Shortcode Att…

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to time-based SQL Injection via 'event' Shortcode Attribute in all versions up to, and including,…

Remote | Injection
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
4.9 MEDIUM
CVE-2026-12918 — Mail Mint <= 1.24.1 - Authenticated (Administrator+) SQL Injection via 'recipients' Param…

The Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to generic SQL Injection via the 'recipients' parameter in all versions up to, an…

Remote | Injection
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
5.3 MEDIUM
CVE-2026-11990 — KiviCare <= 4.4.0 - Missing Authorization to Unauthenticated Payment Bypass and Appointme…

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.0. This is due to the plugin not properly …

Remote | Authorization
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
6.1 MEDIUM
CVE-2026-9838 — ICS Calendar <= 12.0.9 - Reflected Cross-Site Scripting via 'htmltagtitle' Parameter

The ICS Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'htmltagtitle' parameter in all versions up to, and including, 12.0.9 due to insufficient input sanitizat…

Remote | Cross-Site Scripting
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
5.3 MEDIUM
CVE-2026-6802 — Easy Upload Files During Checkout <= 3.0.1 - Missing Authorization to Unauthenticated Arb…

The Easy Upload Files During Checkout plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.0.1. This is due to missing authorization checks in the ufdc_cu…

Remote | Authorization
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
4.3 MEDIUM
CVE-2026-6440 — GoodMeet <= 1.1.8 - Cross-Site Request Forgery to Google Meet Credential Reset via 'goodm…

The GoodMeet – Google Meet Integration for Webinar, Meeting & Video Conference plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.1.8. This is due to a…

Remote | Cross-Site Request Forgery
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
6.4 MEDIUM
CVE-2026-3907 — Hostel <= 1.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wphostel-…

The Hostel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wphostel-book' shortcode in all versions up to and including 1.1.7. This is due to insufficient input sanitizatio…

Remote | Cross-Site Scripting
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
4.3 MEDIUM
CVE-2026-1946 — GW AI Website Builder <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Arb…

The GW AI Website Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the gwaiwebu_gravitywrite_disconnect_handler() function in all v…

Remote | Authorization
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
6.5 MEDIUM
CVE-2026-15104 — BetterDocs <= 4.6.0 - Authenticated (Custom+) SQL Injection via 'lang' Parameter

The BetterDocs – AI Documentation, Knowledge Base, Docs, Wikis, FAQ with Chatbot plugin for WordPress is vulnerable to generic SQL Injection via the 'lang' parameter in all versions up to, and includ…

Remote | Injection
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
4.3 MEDIUM
CVE-2026-15026 — Import and export users and customers <= 2.4.0 - Missing Authorization to Authenticated (…

The Import and export users and customers plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.0 via the email_template_selected. This makes …

import_and_export_users_and_customers | Remote | Information Disclosure
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
4.9 MEDIUM
CVE-2026-14475 — Cookie Banner for GDPR / CCPA <= 4.3.6 - Authenticated (Administrator+) SQL Injection via…

The Cookie Banner for GDPR / CCPA – WPLP Cookie Consent plugin for WordPress is vulnerable to generic SQL Injection via the 'scan_id' parameter in all versions up to, and including, 4.3.6 due to insu…

wp_cookie_consent | Remote | Injection
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
4.3 MEDIUM
CVE-2026-12955 — Cookie Banner for GDPR / CCPA <= 4.3.6 - Missing Authorization to Authenticated (Subscrib…

The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce verification on the gdpr_cookie_consent_ajax_save_s…

wp_cookie_consent | Remote | Authorization
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
6.4 MEDIUM
CVE-2026-12924 — Eventin <= 4.1.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'etn_faq…

The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'etn_faq_content' parameter in all versions …

eventin | Remote | Cross-Site Scripting
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
4.3 MEDIUM
CVE-2026-12400 — FlowForms <= 1.1.1 - Authenticated (Contributor+) Insecure Direct Object Reference to Arb…

The FlowForms – Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.1 via the update_form due to missing valid…

Remote | Authorization
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
4.4 MEDIUM
CVE-2026-12108 — Highlighting Code Block <= 2.2.0 - Authenticated (Administrator+) Stored Cross-Site Scrip…

The Highlighting Code Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2.0 due to insufficient input sanitization and…

Remote | Cross-Site Scripting
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
4.3 MEDIUM
CVE-2026-11992 — Easy Appointments <= 3.12.27 - Missing Authorization to Authenticated (Author+) Bulk Appo…

The Easy Appointments plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.12.27. This is due to the plugin not properly verifying that a user is authori…

easy_appointments | Remote | Authorization
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
6.6 MEDIUM
CVE-2025-11977 — HappyForms <= 1.26.12 - Authenticated (Admin+) Local File Inclusion

The Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and in…

Remote | Path Traversal
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
Showing 20 of 7374 Results