Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
4.4 MEDIUM
CVE-2026-11591 — Widgets for Google Reviews <= 13.3 - Authenticated (Editor+) Stored Cross-Site Scripting …

The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 13.3 due to insufficient input sanitization a…

widgets_for_google_reviews widgets_for_google_reviews | Remote | Cross-Site Scripting
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
5.3 MEDIUM
CVE-2026-10865 — Cost Calculator Builder <= 4.0.11 - Unauthenticated Sensitive Information Exposure of Pay…

The Cost Calculator Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.11 via the (template body). This makes it possible for unaut…

cost_calculator_builder | Remote | Information Disclosure
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
4.3 MEDIUM
CVE-2026-10041 — WCFM – Frontend Manager for WooCommerce <= 6.7.27 - Authenticated (Subscriber+) Missing A…

The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfm_product_archive due to mis…

Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
8.8 HIGH
CVE-2025-6784 — Code Engine <= 0.3.5 - Authenticated (Contributor+) Remote Code Execution

The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 0.3.5 via the 'code-engine' shortcode. This is due to the plugin not restricting acce…

Remote | Authentication
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
4.9 MEDIUM
CVE-2025-5017 — Catalyst Connect Zoho CRM Client Portal <= 2.2.0 - Authenticated (Administrator+) SQL Inj…

The Catalyst Connect Zoho CRM Client Portal plugin for WordPress is vulnerable to time-based SQL Injection via the ‘uid’ parameter in all versions up to, and including, 2.2.0 due to insufficient esca…

Remote | Injection
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
8.1 HIGH
CVE-2026-7655 — SureCart <= 4.2.3 - Unauthenticated Linked WordPress Account Takeover via Forged customer…

The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to, and including, 4.2.3. This is due to the plugin not properly validating a user's identi…

Remote | Authentication
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
7.2 HIGH
CVE-2026-13378 — Form Vibes <= 1.5.2 - Unauthenticated Stored Cross-Site Scripting via Contact Form 7 Form…

The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Contact Form 7 Form Field in all versions up to, and including, 1.5.2 due to insuffic…

Remote | Cross-Site Scripting
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
4.4 MEDIUM
CVE-2026-9738 — Print, PDF, Email by PrintFriendly <= 5.5.10 - Authenticated (Administrator+) Stored Cros…

The Print, PDF, Email by PrintFriendly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'content_position_css' parameter in all versions up to, and including, 5.5.10 due to i…

Remote | Cross-Site Scripting
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
4.3 MEDIUM
CVE-2026-7620 — Notification for Telegram <= 3.5.1 - Missing Authorization to Authenticated (Subscriber+)…

The Notification for Telegram plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.5.1. This is due to the plugin not properly verifying that a user is a…

notification_for_telegram | Remote | Authorization
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
4.3 MEDIUM
CVE-2026-7559 — Affilia <= 3.3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Status …

The Affilia – Affiliate Program & Referral Tracking for WordPress plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.3.3. This is due to the plugin not …

Remote | Authorization
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
5.3 MEDIUM
CVE-2026-6804 — AI Chatbot & Workflow Automation by AIWU <= 1.4.12 - Missing Authorization to Unauthentic…

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.12. This is due to the plugin not properly verifying …

Remote | Authorization
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
5.3 MEDIUM
CVE-2026-6803 — AI Chatbot & Workflow Automation by AIWU <= 1.4.12 - Missing Authorization to Unauthentic…

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.12. This is due to missing capability checks and non…

Remote | Authorization
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
7.2 HIGH
CVE-2026-3576 — Planyo online reservation system <= 3.0 - Unauthenticated Server-Side Request Forgery via…

The Planyo Online Reservation System plugin for WordPress is vulnerable to Server-Side Request Forgery leading to Local File Inclusion in all versions up to, and including, 3.0. The ulap.php file act…

Remote | Server-Side Request Forgery
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
4.3 MEDIUM
CVE-2026-3552 — SurfLink < 2.6.0 - Missing Authorization to Authenticated (Subscriber+) 410 Gone URL Impo…

The SurfLink - Ultimate Link Manager plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the ajax_import_410() function in all versions up to 2.6…

Remote | Authorization
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
8.8 HIGH
CVE-2026-2354 — Swiss Toolkit For WP <= 1.4.6 - Authenticated (Author+) Arbitrary File Upload via upload_…

The Swiss Toolkit For WP plugin for WordPress is vulnerable to arbitrary file upload due to a flawed file type validation bypass in the `upload_extension_files()` function in all versions up to, and …

Remote | Path Traversal
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
4.3 MEDIUM
CVE-2026-1832 — ThriveDesk <= 2.1.7 - Missing Authorization to Authenticated (Subscriber+) Cache Deletion

The ThriveDesk – Live Chat, AI Chatbot, Helpdesk & Knowledge Base plugin for WordPress is vulnerable to unauthorized cache deletion due to a missing capability check on the 'thrivedesk_clear_cache' A…

Remote | Authorization
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
7.5 HIGH
CVE-2026-15335 — Booking Package <= 1.7.20 - Unauthenticated SQL Injection via 'email' Form Parameter

The Booking Package plugin for WordPress is vulnerable to generic SQL Injection via 'email' Form Parameter (form<N>) in all versions up to, and including, 1.7.20 due to insufficient escaping on the u…

Remote | Injection
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
6.4 MEDIUM
CVE-2026-15097 — Themify Builder <= 7.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via '…

The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'height_slider' Slider Module Field in all versions up to, and including, 7.7.6 due to insufficient input san…

builder | Remote | Cross-Site Scripting
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
6.4 MEDIUM
CVE-2026-15096 — Themify Builder <= 7.7.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via M…

The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Map Module 'b_width_map' Field in all versions up to, and including, 7.7.6 due to insufficient input sanitiza…

builder | Remote | Cross-Site Scripting
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
8.8 HIGH
CVE-2026-14262 — Simple JWT Login <= 3.6.6 - Authenticated (Subscriber+) Authentication Bypass to Privileg…

The Simple JWT Login – Allows you to use JWT on REST endpoints. plugin for WordPress is vulnerable to Authentication Bypass to Privilege Escalation in all versions up to, and including, 3.6.6 via the…

Remote | Authentication
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
Showing 20 of 7300 Results