Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
0.0 NA
CVE-2026-1921 — Loco Translate <= 2.8.2 - Authenticated (Translator+) Path Traversal to Limited File Read…

The Loco Translate plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.8.2 via the `fsReference` AJAX route. This is due to the `findSourceFile()` method norm…

| Path Traversal
May 05, 2026 May 05, 2026
May 05, 2026
May 05, 2026
0.0 NA
CVE-2026-5505 — WP-Clippy <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortco…

The WP-Clippy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `clippy` shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sani…

| Cross-Site Scripting
May 05, 2026 May 05, 2026
May 05, 2026
May 05, 2026
0.0 NA
CVE-2026-6255 — Simple Owl Shortcodes <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting…

The Simple Owl Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'num' attribute of the 'owls_wrapper' shortcode in all versions up to, and including, 2.1.1 due to …

| Cross-Site Scripting
May 05, 2026 May 05, 2026
May 05, 2026
May 05, 2026
0.0 NA
CVE-2026-6704 — Blog Settings <= 1.0 - Reflected Cross-Site Scripting via 'page' Parameter

The Blog Settings plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0. This is due to insufficient input sanitizati…

| Cross-Site Scripting
May 05, 2026 May 05, 2026
May 05, 2026
May 05, 2026
0.0 NA
CVE-2026-2868 — Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem <= 3.5.3 - Authenticated (C…

The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'separatorIconSVG' parameter in versions up to, and includi…

| Cross-Site Scripting
May 05, 2026 May 05, 2026
May 05, 2026
May 05, 2026
0.0 NA
CVE-2026-6702 — Publish 2 Ping.fm <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via …

The Publish 2 Ping.fm plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the '/wp-admi…

| Cross-Site Request Forgery
May 05, 2026 May 05, 2026
May 05, 2026
May 05, 2026
0.0 NA
CVE-2026-6700 — DX Sources <= 2.0.1 - Cross-Site Request Forgery to Settings Update

The DX Sources plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the settings_page_…

| Cross-Site Request Forgery
May 05, 2026 May 05, 2026
May 05, 2026
May 05, 2026
0.0 NA
CVE-2026-5247 — Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, …

The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wrapper' attribute of the [futureaction] shortcode in all versions up to,…

| Cross-Site Scripting
May 05, 2026 May 05, 2026
May 05, 2026
May 05, 2026
0.0 NA
CVE-2026-4409 — Subscribe To Comments Reloaded <= 240119 - Improper Authorization to Unauthenticated Arbi…

The Subscribe To Comments Reloaded plugin for WordPress is vulnerable to unauthorized modification of data due to a leaked secret key and usage of a weak hash generation algorithm in all versions up …

| Authentication
May 05, 2026 May 05, 2026
May 05, 2026
May 05, 2026
0.0 NA
CVE-2026-5100 — AWP Classifieds <= 4.4.5 - Unauthenticated SQL Injection via 'regions'

The AWP Classifieds plugin for WordPress is vulnerable to SQL Injection via the 'regions' parameter array keys in versions up to, and including, 4.4.5 due to insufficient escaping on the user supplie…

| Injection
May 05, 2026 May 05, 2026
May 05, 2026
May 05, 2026
0.0 NA
CVE-2025-13618 — Mentoring <= 1.2.8 - Unauthenticated Privilege Escalation in mentoring_process_registrati…

The Mentoring plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.2.8. This is due to the plugin not properly restricting the roles that users can regis…

| Authorization
May 05, 2026 May 05, 2026
May 05, 2026
May 05, 2026
0.0 NA
CVE-2026-6696 — Zingaya Click-to-Call <= 1.0 - Reflected Cross-Site Scripting via 'email' Parameter

The Zingaya Click-to-Call plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email', 'first_name', 'last_name', and 'phone' parameters on the plugin's sign-up admin page in…

| Cross-Site Scripting
May 05, 2026 May 05, 2026
May 05, 2026
May 05, 2026
0.0 NA
CVE-2026-4730 — Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website <= 2.1…

The Charts Ninja: Create Beautiful Graphs & Charts and Easily Add Them to Your Website plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'chartid' shortcode attribute in all v…

| Cross-Site Scripting
May 05, 2026 May 05, 2026
May 05, 2026
May 05, 2026
0.0 NA
CVE-2026-6701 — addfreespace <= 0.1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Set…

The addfreespace plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.3. This is due to missing or incorrect nonce validation on a function. This…

| Cross-Site Request Forgery
May 05, 2026 May 05, 2026
May 05, 2026
May 05, 2026
9.8 CRITICAL
CVE-2026-5722 — MoreConvert Pro <= 1.9.14 - Authentication Bypass via Waitlist Guest Verification Token R…

The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.9.14. This is due to the guest waitlist verification flow not invalidating or r…

Remote | Authentication
May 05, 2026 May 05, 2026
May 05, 2026
May 05, 2026
5.3 MEDIUM
CVE-2026-44029 — Nix Directory Traversal Vulnerability

An issue was discovered in Nix before 2.34.7. Writing to arbitrary files can occur via "nix-prefetch-url --unpack" or "nix store prefetch-file --unpack" directory traversal. The fixed versions are 2.…

Remote | Path Traversal
May 05, 2026 May 05, 2026
May 05, 2026
May 05, 2026
7.5 HIGH
CVE-2026-44028 — Nix Lix Unbounded Recursion Stack-to-Heap Overflow

An issue was discovered in Nix before 2.34.7 and Lix before 2.95.2. Unbounded recursion in the NAR (Nix Archive) parser could lead to a stack-to-heap overflow when the parser is run on a coroutine st…

| Memory Corruption
May 05, 2026 May 05, 2026
May 05, 2026
May 05, 2026
7.5 HIGH
CVE-2026-7788 — Axle-Bucamp MCP-Docusaurus document.py get_content path traversal

A security flaw has been discovered in Axle-Bucamp MCP-Docusaurus up to 404bc028e15ec304c9a045528560f4b5f27a17e0. The affected element is the function update_document/continue_document/delete_documen…

Remote | Path Traversal
May 05, 2026 May 05, 2026
May 05, 2026
May 05, 2026
7.5 HIGH
CVE-2026-7785 — A-G-U-P-T-A wireshark-mcp pyshark_mcp.py quick_capture os command injection

A security flaw has been discovered in A-G-U-P-T-A wireshark-mcp edaf604416fbc94a201b4043092d4a1b09a12275/400c3da70074f22f3cce7ccb65304cafc7089c89. This affects the function quick_capture of the file…

Remote | Injection
May 05, 2026 May 05, 2026
May 05, 2026
May 05, 2026
7.5 HIGH
CVE-2026-7784 — RTGS2017 NagaAgent Skills Endpoint extensions.py path traversal

A vulnerability has been found in RTGS2017 NagaAgent up to 5.1.0. This issue affects some unknown processing of the file apiserver/routes/extensions.py of the component Skills Endpoint. Such manipula…

Remote | Path Traversal
May 05, 2026 May 05, 2026
May 05, 2026
May 05, 2026
Showing 20 of 5623 Results