Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.5 HIGH
CVE-2026-9282 — W3 Total Cache <= 2.9.4 - Unauthenticated Arbitrary File Read via 'f_array[]' Parameter

The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.4 via the setupSources function. This makes it possible for unauthenticated atta…

w3_total_cache | Remote | Path Traversal
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
5.3 MEDIUM
CVE-2026-9017 — NEX-Forms <= 9.2.2 - Missing Authorization to Unauthenticated Arbitrary Form Entry Modifi…

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This is due to the plugin not properly veri…

nex-forms | Remote | Authorization
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
7.2 HIGH
CVE-2026-6939 — CorvusPay WooCommerce Payment Gateway <= 2.7.4 - Unauthenticated Stored Cross-Site Script…

The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'approval_code' parameter in all versions up to, and including, 2.7.4 due to insuff…

Remote | Cross-Site Scripting
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
5.3 MEDIUM
CVE-2026-6801 — Context Blog <= 1.3.5 - Unauthenticated Sensitive Information Exposure via 'postID' Param…

The Context Blog theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.5 via the context_blog_modal_popup. This makes it possible for unauthent…

Remote | Information Disclosure
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
7.5 HIGH
CVE-2026-4661 — WP CTA <= 2.2.2 - Unauthenticated Time-Based Blind SQL Injection via 'fildname' Parameter

The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'fildname' parameter in all versions up to, and including, …

Remote | Injection
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
6.4 MEDIUM
CVE-2026-1382 — fresh Podcaster <= 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via '…

The fresh Podcaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'freshpodcaster' shortcode in all versions up to, and including, 1.0.7 due to insufficient input sanitiza…

Remote | Cross-Site Scripting
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
8.8 HIGH
CVE-2026-15155 — Essential Addons for Elementor <= 6.6.10 - Authenticated (Contributor+) Account Takeover …

The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all versions up to, and i…

essential_addons_for_elementor | Remote | Authentication
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
6.4 MEDIUM
CVE-2026-15010 — bbp style pack <= 6.4.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Top…

The bbp Style Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.4.5 via the Topic Form Additional Fields feature. This is due to insufficient …

Remote | Cross-Site Scripting
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
5.3 MEDIUM
CVE-2026-12994 — WCFM – Frontend Manager for WooCommerce <= 6.7.27 - Missing Authorization to Unauthentica…

The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.7.27. This is due to the plugin not properly verifying t…

Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
4.3 MEDIUM
CVE-2026-12738 — WP Easy Pay <= 4.5.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Pos…

The WP Easy Pay – Payment and Donation form Builder for Square plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.5.0. This is due to the plugin not pr…

wp_easypay | Remote | Authorization
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
6.4 MEDIUM
CVE-2026-12126 — WCFM Marketplace <= 3.7.3 - Authenticated (Vendor+) Stored Cross-Site Scripting via Attac…

The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'post_title' in all versions up to, and including, 3.7.…

wcfm_marketplace | Remote | Cross-Site Scripting
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
4.3 MEDIUM
CVE-2026-12103 — Wallet for WooCommerce <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Us…

The Wallet for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.6.4. This is due to the plugin not properly verifying that a user is auth…

terawallet | Remote | Authorization
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
5.3 MEDIUM
CVE-2026-11901 — WP Hotel Booking <= 2.3.1 - Unauthenticated Insufficient Verification of Data Authenticit…

The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 2.3.1. This is due to the `web_hook_process_paypal_stan…

wp_hotel_booking | Remote | Authentication
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
4.4 MEDIUM
CVE-2026-11898 — White Label CMS <= 2.7.12 - Authenticated (Administrator+) Stored Cross-Site Scripting vi…

The White Label CMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.7.12 due to insufficient input sanitization and output…

white_label_cms | Remote | Cross-Site Scripting
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
4.4 MEDIUM
CVE-2026-11591 — Widgets for Google Reviews <= 13.3 - Authenticated (Editor+) Stored Cross-Site Scripting …

The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 13.3 due to insufficient input sanitization a…

widgets_for_google_reviews widgets_for_google_reviews | Remote | Cross-Site Scripting
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
5.3 MEDIUM
CVE-2026-10865 — Cost Calculator Builder <= 4.0.11 - Unauthenticated Sensitive Information Exposure of Pay…

The Cost Calculator Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.11 via the (template body). This makes it possible for unaut…

cost_calculator_builder | Remote | Information Disclosure
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
4.3 MEDIUM
CVE-2026-10041 — WCFM – Frontend Manager for WooCommerce <= 6.7.27 - Authenticated (Subscriber+) Missing A…

The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfm_product_archive due to mis…

Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
8.8 HIGH
CVE-2025-6784 — Code Engine <= 0.3.5 - Authenticated (Contributor+) Remote Code Execution

The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 0.3.5 via the 'code-engine' shortcode. This is due to the plugin not restricting acce…

Remote | Authentication
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
4.9 MEDIUM
CVE-2025-5017 — Catalyst Connect Zoho CRM Client Portal <= 2.2.0 - Authenticated (Administrator+) SQL Inj…

The Catalyst Connect Zoho CRM Client Portal plugin for WordPress is vulnerable to time-based SQL Injection via the ‘uid’ parameter in all versions up to, and including, 2.2.0 due to insufficient esca…

Remote | Injection
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
8.1 HIGH
CVE-2026-7655 — SureCart <= 4.2.3 - Unauthenticated Linked WordPress Account Takeover via Forged customer…

The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to, and including, 4.2.3. This is due to the plugin not properly validating a user's identi…

Remote | Authentication
Jul 11, 2026 Jul 11, 2026
Jul 11, 2026
Jul 11, 2026
Showing 20 of 7211 Results