Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
9.8 CRITICAL
CVE-2026-9695 — Improper Authentication vulnerability affecting DELMIA Apriso from Release 2020 through R…

An Improper Authentication vulnerability affecting DELMIA Apriso from Release 2020 through Release 2026 could allow an attacker to gain privileged access to the server.

Remote | Authentication
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
0.0 NA
CVE-2026-12378 — BookingPress <= 1.1.28 - Unauthenticated PHP Object Injection

The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin through 1.1.28 does not validate data before passing it to a PHP deserialization function, allowing unauthenticated att…

| Injection
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
4.3 MEDIUM
CVE-2026-9731 — Wp Js Detect <= 1.0.9 - Cross-Site Request Forgery to Plugin Settings Update

The Wp Js Detect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.9. This is due to missing or incorrect nonce validation on the plugin_setti…

Remote | Cross-Site Request Forgery
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.5 HIGH
CVE-2026-9700 — Eventer <= 4.4.2 - Unauthenticated SQL Injection via 'code' Parameter

The Eventer plugin for WordPress is vulnerable to time-based SQL Injection via the ‘code’ parameter in all versions up to, and including, 4.4.2 due to insufficient escaping on the user supplied param…

Remote | Injection
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.8 HIGH
CVE-2026-57895 — Pupsman Insecure File Permissions Arbitrary Code Execution

Incorrect default permissions issue exists in Pupsman versions prior to 3.9.0. An attacker can place a malicious executable in the installation folder, which results in arbitrary code execution with …

| Misconfiguration
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.8 HIGH
CVE-2026-56437 — Pupsman DLL Hijacking Vulnerability

Uncontrolled search path element issue exists in Pupsman versions prior to 3.9.0. If a crafted DLL file is placed in the same folder as the affected installer and the installer is executed, arbitrary…

| Path Traversal
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
5.3 MEDIUM
CVE-2026-14500 — Bulk Order Update for WooCommerce <= 1.6 - Unauthenticated Arbitrary File Read via 'csv_u…

The Bulk Order Update for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 1.6. This is due to the bouw_fetch_csv_data() AJAX handler being regi…

Remote | Path Traversal
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
8.8 HIGH
CVE-2026-14495 — DoLogin Security <= 4.3 - Unauthenticated Authentication Bypass via Insufficient Randomne…

The DoLogin Security plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Randomness in all versions up to, and including, 4.3. The vulnerability exists because `dologin\s::rr…

dologin_security | Remote | Authentication
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
8.8 HIGH
CVE-2026-14489 — WHMCS Bridge <= 6.9 - Unauthenticated Arbitrary File Upload via 'ccce' Parameter

The WHMCS Bridge plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the connect() function in all versions up to, and including, 6.9. This makes it po…

Remote | Authentication
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
9.8 CRITICAL
CVE-2026-12153 — WP Learn Manager <= 1.1.8 - Missing Authorization to Unauthenticated Arbitrary Plugin Ins…

The WP Learn Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.8. This is due to the plugin not properly verifying that a user is authorized…

Remote | Authorization
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
5.3 MEDIUM
CVE-2026-12097 — User Management <= 1.2 - Missing Authorization to Unauthenticated Plugin Settings Modific…

The User Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.2. This is due to the plugin not properly verifying that a user is authorized to…

Remote | Authorization
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
4.4 MEDIUM
CVE-2026-12041 — Chatra Live Chat + ChatBot + Cart Saver <= 1.0.12 - Authenticated (Administrator+) Stored…

The Chatra Live Chat + ChatBot + Cart Saver plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.12 due to insufficient input…

Remote | Cross-Site Scripting
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
6.1 MEDIUM
CVE-2026-11798 — Social Share, Social Login and Social Comments Plugin <= 7.14.5 - Reflected Cross-Site Sc…

The Social Share, Social Login and Social Comments Plugin – Super Socializer plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'heateor_mastodon_share' parameter in all ver…

Remote | Cross-Site Scripting
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
6.4 MEDIUM
CVE-2026-10570 — Sympl Repeater for ACF and Elementor <= 2.3 - Authenticated (Author+) Stored Cross-Site S…

The Sympl Repeater for ACF and Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ACF repeater field values in all versions up to, and including, 2.3. This is due to insu…

Remote | Cross-Site Scripting
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.5 HIGH
CVE-2026-9842 — Backstage <= 1.4.2 - Unauthenticated Privilege Escalation via Permissive Demo Role Capabi…

The Backstage - Customizer Demo Access plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.2. This is due to the plugin assigning the `manage_options`…

Remote | Authorization
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
9.8 CRITICAL
CVE-2026-9701 — Eventer <= 4.4.2 - Insecure Password Reset Mechanism to Unauthenticated Privilege Escalat…

The Eventer plugin for WordPress is vulnerable to an insecure password reset mechanism in all versions up to, and including, 4.4.2. The plugin stores a plaintext copy of the password reset key in the…

Remote | Authentication
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
9.1 CRITICAL
CVE-2026-14487 — Simple Coherent Form <= 2.4.13 - Unauthenticated Arbitrary File Deletion via 'id' Paramet…

The Simple Coherent Form plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the removeUploadDir function in all versions up to, and including, 2…

Remote | Path Traversal
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
8.8 HIGH
CVE-2026-14482 — 多说社会化评论框 <= 1.2 - Unauthenticated Privilege Escalation via api.php 'option'/'value' Param…

The 多说社会化评论框 plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2. The vulnerability exists due to a missing capability and nonce check on a directly w…

Remote | Authorization
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
7.5 HIGH
CVE-2026-14244 — Jssor Slider by jssor.com <= 3.1.24 - Unauthenticated Arbitrary File Read via 'url' Param…

The Jssor Slider by jssor.com plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.1.24 via the 'url' parameter parameter. This makes it possible for unau…

Remote | Path Traversal
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
8.8 HIGH
CVE-2026-14158 — Widget Logic Visual <= 1.52 - Authenticated (Subscriber+) Remote Code Execution via 'nwlv…

The Widget Logic Visual plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.52 via the widget_logic_visual_check_visibility function. This is due to mi…

Remote | Injection
Jul 08, 2026 Jul 08, 2026
Jul 08, 2026
Jul 08, 2026
Showing 20 of 7681 Results