Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
4.3 MEDIUM
CVE-2026-13116 — PDF Invoices & Packing Slips for WooCommerce <= 5.14.0 - Insecure Direct Object Reference…

The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.14.0 via the generate_document_shortcod…

woocommerce_pdf_invoices\&_packing_slips | Remote | Authorization
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
4.9 MEDIUM
CVE-2026-12141 — Premium Addons for Elementor <= 4.11.84 - Authenticated (Contributor+) Stored Cross-Site …

The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premium_tooltip_text' parameter in all versions up…

premium_addons_for_elementor | Remote | Cross-Site Scripting
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
6.4 MEDIUM
CVE-2025-13968 — Starboard Suite Reservation Calendars <= 3.1.4 - Authenticated (Contributor+) Stored Cros…

The Starboard Suite Reservation Calendars plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in the [starboard-suite-lightbox] shortcode in all versions up to,…

Remote | Cross-Site Scripting
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
4.3 MEDIUM
CVE-2026-8678 — MyParcel <= 4.25.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order…

The MyParcel plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.25.1. This is due to the plugin not properly verifying that a user is authorized to per…

Remote | Authorization
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
4.3 MEDIUM
CVE-2026-7544 — Mux Video Uploader <= 1.1.4 - Authenticated (Subscriber+) Information Exposure

The Mux Video Uploader plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 via the muxvideo_enqueue_settings_script. This makes it possibl…

Remote | Information Disclosure
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
6.4 MEDIUM
CVE-2026-5743 — Mixed Media Gallery Blocks <= 3.3.3.1 - Authenticated (Author+) Stored Cross-Site Scripti…

The SimpLy Gallery Block & Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via block attributes in all versions up to, and including, 3.3.3.2. This is due to insufficient i…

Remote | Cross-Site Scripting
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
4.4 MEDIUM
CVE-2026-3367 — Lockme OAuth2 calendars integration <= 2.11.0 - Authenticated (Administrator+) Stored Cro…

The Lockme OAuth2 calendars integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'App ID' setting in all versions up to, and including, 2.11.0. This is due to insuffi…

Remote | Cross-Site Scripting
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
7.5 HIGH
CVE-2026-15338 — LA-Studio Element Kit for Elementor <= 1.6.1 - Authenticated (Contributor+) Local File In…

The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.1 via the get_type_template function. This makes it possib…

element_kit_for_elementor | Remote | Path Traversal
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
6.5 MEDIUM
CVE-2026-15073 — KiviCare <= 4.5.0 - Authenticated (Doctor+) SQL Injection via 'orderby' Parameter in Doct…

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to generic SQL Injection via the 'orderby' parameter in all versions up to, and including, 4.5.0 due to insu…

kivicare | Remote | Injection
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
6.5 MEDIUM
CVE-2026-15072 — KiviCare <= 4.5.0 - Authenticated (Doctor+) SQL Injection via 'orderby' Parameter in KCQu…

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to generic SQL Injection via the 'orderby' parameter in all versions up to, and including, 4.5.0 due to insu…

kivicare | Remote | Injection
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
8.8 HIGH
CVE-2026-13353 — WP Ultimate CSV Importer <= 8.0.1 - Missing Authorization to Authenticated (Subscriber+) …

The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.0.1 via the 'MappedFi…

Remote | Injection
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
6.5 MEDIUM
CVE-2026-13262 — Majestic Support <= 1.1.9 - Authenticated (Subscriber+) SQL Injection via 'val' Parameter

The Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'val' parameter in all versions up to, and including, 1…

majestic_support | Remote | Injection
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
7.2 HIGH
CVE-2026-13114 — Motors <= 1.4.112 - Unauthenticated Stored Cross-Site Scripting via Comment Content and U…

The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Comment Content and User Biographical Info in all versions up to, and in…

motors_-_car_dealer\,_classifieds_\&_listing | Remote | Cross-Site Scripting
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
5.3 MEDIUM
CVE-2026-12426 — Members <= 3.2.22 - Unauthenticated Sensitive Information Disclosure via REST API Paginat…

The Members – Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.22 via the members_filter_protected_p…

Remote | Information Disclosure
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
4.3 MEDIUM
CVE-2026-10628 — Points and Rewards for WooCommerce <= 2.10.1 - Missing Authorization to Authenticated (Su…

The Points and Rewards for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.10.0. This is due to the plugin not properly verifying that a…

points_and_rewards_for_woocommerce | Remote | Authorization
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
8.8 HIGH
CVE-2026-13756 — WP Grid Builder <= 2.3.3 - Authenticated (Subscriber+) Privilege Escalation via 'key' Par…

The WP Grid Builder plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.3.3. This is due to missing authorization and meta key validation in the `update…

Remote | Authorization
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
6.5 MEDIUM
CVE-2026-11426 — UnderConstructionPage PRO <= 5.76 - Authenticated (Subscriber+) Arbitrary File Read via t…

The UnderConstructionPage PRO plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.76. This is due to the plugin accepting arbitrary local file paths in t…

Remote | Path Traversal
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
7.5 HIGH
CVE-2026-55175 — Spinnaker: Improper yaml processing on kustomize bake operations

Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4 on their respective release lines, Kustomize bake operations allow …

Remote | Injection
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
8.7 HIGH
CVE-2026-44383 — Hydro-Québec Le Circuit Electrique charging station backend Insufficient Session Expirati…

Multiple connections to the backend using the same charging station ID are allowed, which could allow an attacker to deploy multiple instances of malicious OCPP clients to overwhelm the backend.

Remote | Denial of Service
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
8.7 HIGH
CVE-2026-42952 — Hydro-Québec Le Circuit Electrique charging station backend Improper Restriction of Exces…

Previously, there was no throttling on repeated authentication attempts to the charging station backend, which could allow an attacker to execute a denial-of-service attack.

Remote | Denial of Service
Jul 10, 2026 Jul 10, 2026
Jul 10, 2026
Jul 10, 2026
Showing 20 of 7402 Results