Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
7.2 HIGH
CVE-2026-5324 — Brizy – Page Builder <= 2.8.11 - Unauthenticated Stored Cross-Site Scripting via FileUplo…

The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to, and including, 2.8.11 This is due to a combination of missing nonce v…

Remote | Cross-Site Scripting
May 02, 2026 May 02, 2026
May 02, 2026
May 02, 2026
5.3 MEDIUM
CVE-2026-4024 — Royal Addons for Elementor <= 1.7.1056 - Missing Authorization to Unauthenticated Form Ac…

The Royal Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `wpr_update_form_action_meta` AJAX action in all versio…

Remote | Authorization
May 02, 2026 May 02, 2026
May 02, 2026
May 02, 2026
7.5 HIGH
CVE-2026-7649 — ARMember <= 4.0.60 - Unauthenticated SQL Injection via 'orderby' Parameter

The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in al…

Remote | Injection
May 02, 2026 May 02, 2026
May 02, 2026
May 02, 2026
9.0 HIGH
CVE-2026-7607 — TRENDnet TEW-821DAP Firmware Udpate auto_update_firmware buffer overflow

A security vulnerability has been detected in TRENDnet TEW-821DAP 1.12B01. Impacted is the function auto_update_firmware of the component Firmware Udpate. The manipulation of the argument str leads t…

Remote | Memory Corruption
May 02, 2026 May 02, 2026
May 02, 2026
May 02, 2026
6.3 MEDIUM
CVE-2026-7606 — TRENDnet TEW-821DAP Firmware Update new_gui_update_firmware data authenticity

A weakness has been identified in TRENDnet TEW-821DAP 1.12B01. This issue affects the function find_hwid/new_gui_update_firmware of the component Firmware Update Handler. Executing a manipulation of …

Remote
May 02, 2026 May 02, 2026
May 02, 2026
May 02, 2026
6.5 MEDIUM
CVE-2026-6457 — Geo Mashup <= 1.13.19 - Authenticated (Subscriber+) SQL Injection via 'geo_mashup_null_fi…

The Geo Mashup plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'geo_mashup_null_fields' parameter in all versions up to, and including, 1.13.19 due to insufficient escapi…

Remote | Injection
May 02, 2026 May 02, 2026
May 02, 2026
May 02, 2026
5.3 MEDIUM
CVE-2026-6449 — Booking for Appointments and Events Calendar – Amelia <= 2.1.2 - Unauthenticated Authoriz…

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Improper Authorization in all versions up to, and including, 2.1.2. This is due to a logical short-circ…

Remote | Authorization
May 02, 2026 May 02, 2026
May 02, 2026
May 02, 2026
7.2 HIGH
CVE-2026-6229 — Royal Addons for Elementor <= 1.7.1057 - Authenticated (Contributor+) Server-Side Request…

The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.7.1057. This is due to insufficient validation of user-supplied URLs i…

Remote | Server-Side Request Forgery
May 02, 2026 May 02, 2026
May 02, 2026
May 02, 2026
5.3 MEDIUM
CVE-2026-4650 — FundPress <= 2.0.8 - Missing Authorization to Unauthenticated Arbitrary Donation Status M…

The FundPress – WordPress Donation Plugin for WordPress is vulnerable to authorization bypass in versions up to and including 2.0.8. This is due to missing authorization and nonce verification in the…

Remote | Authorization
May 02, 2026 May 02, 2026
May 02, 2026
May 02, 2026
8.8 HIGH
CVE-2026-2052 — Widget Options <= 4.2.2 - Authenticated (Contributor+) Remote Code Execution via Display …

The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.2 via…

Remote | Injection
May 02, 2026 May 02, 2026
May 02, 2026
May 02, 2026
6.5 MEDIUM
CVE-2026-7605 — JeecgBoot uploadImgByHttpEndpoint CommonController.java HttpFileToMultipartFileUtil.downl…

A security flaw has been discovered in JeecgBoot up to 3.9.1. This vulnerability affects the function CommonController.uploadImgByHttp/HttpFileToMultipartFileUtil.httpFileToMultipartFile/HttpFileToMu…

Remote | Server-Side Request Forgery
May 02, 2026 May 02, 2026
May 02, 2026
May 02, 2026
0.0 NA
CVE-2026-43058 — media: vidtv: fix pass-by-value structs causing MSAN warnings

In the Linux kernel, the following vulnerability has been resolved: media: vidtv: fix pass-by-value structs causing MSAN warnings vidtv_ts_null_write_into() and vidtv_ts_pcr_write_into() take their…

| Memory Corruption
May 02, 2026 May 02, 2026
May 02, 2026
May 02, 2026
8.1 HIGH
CVE-2026-7647 — Profile Builder Pro <= 3.14.5 - Unauthenticated PHP Object Injection

The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybe_unserialize() function on the atta…

Remote | Injection
May 02, 2026 May 02, 2026
May 02, 2026
May 02, 2026
7.2 HIGH
CVE-2026-7049 — PixelYourSite Pro <= 12.5.0.1 - Unauthenticated Blind Server-Side Request Forgery via 'ur…

The PixelYourSite Pro – Your smart PIXEL (TAG) Manager plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 12.5.0.1 via the scan_video. This makes …

Remote | Server-Side Request Forgery
May 02, 2026 May 02, 2026
May 02, 2026
May 02, 2026
6.4 MEDIUM
CVE-2026-6916 — Jeg Kit for Elementor <= 3.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting…

The Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sg_content_number_prefix' param…

Remote | Cross-Site Scripting
May 02, 2026 May 02, 2026
May 02, 2026
May 02, 2026
4.4 MEDIUM
CVE-2026-6812 — Ona <= 1.26 - Authenticated (Administrator+) Blind Server-Side Request Forgery via 'downl…

The Ona theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.26 via the ona_activate_child_theme. This makes it possible for authenticated attacker…

Remote | Server-Side Request Forgery
May 02, 2026 May 02, 2026
May 02, 2026
May 02, 2026
4.4 MEDIUM
CVE-2026-6447 — Call for Price for WooCommerce <= 4.2.0 - Authenticated (Administrator+) Stored Cross-Sit…

The Call for Price for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2.0 due to insufficient input sanitizat…

Remote | Cross-Site Scripting
May 02, 2026 May 02, 2026
May 02, 2026
May 02, 2026
7.2 HIGH
CVE-2026-5113 — Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Consent Field H…

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Consent field hidden inputs in versions up to and including 2.10.0. This is due to a flawed state validation me…

Remote | Cross-Site Scripting
May 02, 2026 May 02, 2026
May 02, 2026
May 02, 2026
7.2 HIGH
CVE-2026-5112 — Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Calculation Pro…

The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output esc…

Remote | Cross-Site Scripting
May 02, 2026 May 02, 2026
May 02, 2026
May 02, 2026
7.2 HIGH
CVE-2026-5111 — Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Hidden Product …

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping on Hidden …

Remote | Cross-Site Scripting
May 02, 2026 May 02, 2026
May 02, 2026
May 02, 2026
Showing 20 of 5657 Results