Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
6.4 MEDIUM
CVE-2026-8039 — Fancy Testimonials <= 1.0 - Authenticated (Author+) Stored Cross-Site Scripting

The Fancy Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'author' shortcode attribute in the 'testimonial' shortcode in all versions up to, and including, 1.0 …

Remote | Cross-Site Scripting
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
4.3 MEDIUM
CVE-2026-12111 — Appointment Booking Calendar <= 1.4.01 - Authenticated (Contributor+) Sensitive Informati…

The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.4.01. This is due to insufficient authorization and missing p…

appointment_booking_calendar | Remote | Authorization
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
7.2 HIGH
CVE-2026-11395 — CF7 to Webhook <= 5.0.0 - Unauthenticated Server-Side Request Forgery via CF7 Field Place…

The CF7 to Webhook plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.0 via the pull_the_trigger. This makes it possible for unauthenticated a…

Remote | Server-Side Request Forgery
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
6.4 MEDIUM
CVE-2026-12098 — PowerPress Podcasting plugin by Blubrry <= 11.16.8 - Authenticated (Author+) Stored Cross…

The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'embed' Episode Meta Field in all versions up to, and including, 11.16.8 due to insuf…

Remote | Cross-Site Scripting
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
6.1 MEDIUM
CVE-2026-12137 — SysBasics Customize My Account for WooCommerce <= 4.3.6 - Reflected Cross-Site Scripting …

The SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all ve…

Remote | Cross-Site Scripting
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
2.7 LOW
CVE-2026-12102 — UsersWP <= 1.2.63 - Insecure Direct Object Reference to Authenticated (Editor+) Arbitrary…

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and…

Remote | Authorization
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
6.4 MEDIUM
CVE-2026-12136 — SysBasics Customize My Account for WooCommerce <= 4.3.6 - Authenticated (Contributor+) St…

The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sysbasics_user_avatar' shortcode in versions up to, and including, 4.3.6. This is d…

Remote | Cross-Site Scripting
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
7.6 HIGH
CVE-2026-55746 — Cotonti stored XSS via PFS folder title

Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to stored Cross-Site Scripting in the Personal File Storage (PFS) module. A folder title (pff_title) is imported with the 'TXT' filter, wh…

Remote | Cross-Site Scripting
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
10.0 CRITICAL
CVE-2026-28573 — Android Persistent Denial of Service

In AndroidManifest.xml, there is a possible persistent denial of service due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed. …

android | Remote | Denial of Service
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
5.4 MEDIUM
CVE-2026-55745 — Cotonti CSRF in PFS folder edit allows unauthorized folder modification

Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.editfolder.php, the folder update action (…

Remote | Cross-Site Request Forgery
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
8.6 HIGH
CVE-2026-55744 — Cotonti CSRF in PFS allows forced arbitrary file upload

Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pfs/inc/pfs.main.php, the file upload action ('a=uploa…

Remote | Cross-Site Request Forgery
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
9.6 CRITICAL
CVE-2026-55742 — Cotonti CSRF in admin.rights.php allows privilege escalation

Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration rights handler. In system/admin/admin.rights.php, the rights update action ('a=update'…

Remote | Cross-Site Request Forgery
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
8.8 HIGH
CVE-2026-55741 — Cotonti CSRF in admin.config.php allows unauthorized configuration changes

Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the administration configuration handler. In system/admin/admin.config.php, the configuration update acti…

Remote | Cross-Site Request Forgery
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
6.5 MEDIUM
CVE-2026-9815 — MagicForm <= 0.1.3 - Unauthenticated Arbitrary File Upload to RCE

The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files uploaded through an unauthenticated AJAX action when a form's per-field extension allowlist is left empty, al…

Remote | Misconfiguration
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
9.8 CRITICAL
CVE-2026-55740 — SQL Injection in Nur-Alam39 bus-ticket bus_info.php via busid parameter

Nur-Alam39 bus-ticket (no released versions; latest commit 459cabdbeb99c00225b26e46e3c2c30ae1de7bad) contains an unauthenticated SQL injection vulnerability in bus_info.php. The busid parameter recei…

Remote | Injection
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
4.4 MEDIUM
CVE-2026-11358 — Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More <=…

The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, …

Remote | Cross-Site Scripting
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
6.4 MEDIUM
CVE-2026-11402 — Services Section Block <= 1.4.4 - Authenticated (Contributor+) Stored Cross-Site Scriptin…

The Services Section Block – Showcase Service Details in Grid or Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'link' Block Attribute in all versions up to, and includ…

Remote | Cross-Site Scripting
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
4.3 MEDIUM
CVE-2026-11784 — Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization <…

The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.…

Remote | Cross-Site Request Forgery
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
5.3 MEDIUM
CVE-2026-12093 — Simple Membership <= 4.7.5 - Missing Authorization to Unauthenticated Arbitrary Member Ac…

The Simple Membership plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.7.5. This is due to the plugin not properly verifying that a user is authorize…

Remote | Authorization
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
4.9 MEDIUM
CVE-2026-10736 — Tutor LMS <= 3.9.11 - Authenticated (Administrator+) SQL Injection via 'data' Parameter

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 3.9.11 due to insuffici…

Remote | Injection
Jun 18, 2026 Jun 18, 2026
Jun 18, 2026
Jun 18, 2026
Showing 20 of 7594 Results