Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
22971
Total
1632
Critical
7220
High
7324
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-14342 | MEDIUM | 4.9 | The Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to time-based SQL Injection via the 'contact_ids' parameter … | Jul 09, 2026 |
| CVE-2026-14245 | CRITICAL | 9.8 | The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up … | Jul 09, 2026 |
| CVE-2026-13771 | MEDIUM | 6.4 | The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'color' Shortcode Attribute in all versions up to, and including, … | Jul 09, 2026 |
| CVE-2026-13450 | MEDIUM | 5.3 | The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in … | Jul 09, 2026 |
| CVE-2026-13334 | MEDIUM | 6.1 | The Mang Board WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'stag' parameter in all versions up to, and including, 2.3.4 … | Jul 09, 2026 |
| CVE-2026-13253 | MEDIUM | 6.4 | The Ultimate Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'moreResultsText' block attribute of the ultimate-post/advanced-search block in versions up to … | Jul 09, 2026 |
| CVE-2026-13080 | MEDIUM | 6.6 | The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Local File Inclusion in all versions … | Jul 09, 2026 |
| CVE-2026-13011 | MEDIUM | 6.5 | The ERP: Complete HR, Accounting & CRM Suite with Recruitment and WooCommerce CRM Support plugin for WordPress is vulnerable to generic SQL Injection via the … | Jul 09, 2026 |
| CVE-2026-12418 | MEDIUM | 5.3 | The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in … | Jul 09, 2026 |
| CVE-2026-12406 | MEDIUM | 5.3 | The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to authorization bypass in all versions … | Jul 09, 2026 |
| CVE-2026-12170 | MEDIUM | 6.4 | The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alignment' … | Jul 09, 2026 |
| CVE-2026-11359 | MEDIUM | 4.3 | The Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration plugin for WordPress is vulnerable to unauthorized plugin installation and activation in versions up … | Jul 09, 2026 |
| CVE-2026-47840 | HIGH | 7.5 | A network attacker positioned between UAA and its LDAP directory can impersonate the directory using any certificate from any trusted CA, then harvest the LDAP … | Jul 09, 2026 |
| CVE-2026-47831 | HIGH | 7.5 | Use of a cryptographically weak random number generator in the GenerateRandomPassword function in bosh-windows-stemcell-builder allows a remote attacker to brute-force the resulting SSH login via … | Jul 09, 2026 |
| CVE-2026-47830 | HIGH | 8.8 | Incorrect Permission Assignment in BOSH.Utils.psm1 in BOSH-Ecosystem bosh-windows-stemcell-builder allows low-privilege authenticated users to overwrite C:\bosh\service_wrapper.exe or C:\bosh\bosh-agent.exe and gain NT AUTHORITY\SYSTEM on the next service … | Jul 09, 2026 |
| CVE-2026-47829 | HIGH | 8.3 | Argument Injection in bosh-cli allows a compromised BOSH Director to inject arbitrary OpenSSH options into the locally-spawned ssh process when an operator runs bosh ssh … | Jul 09, 2026 |
| CVE-2026-47828 | HIGH | 7.1 | During bosh create-env and bosh delete-env, the CLI uploads compiled CPI packages and rendered job templates to the new VM's DAV blobstore over HTTPS without … | Jul 09, 2026 |
| CVE-2026-47826 | HIGH | 8.8 | The blobs.yml path key traversal vulnerability in the BOSH CLI tool allows an attacker to write arbitrary files and exfiltrate sensitive information. Affected versions: BOSH … | Jul 09, 2026 |
| CVE-2026-12517 | MEDIUM | 5.3 | The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated site-info endpoint before fetching it, … | Jul 09, 2026 |
| CVE-2026-12516 | MEDIUM | 5.3 | The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated media-proxying endpoint, allowing anonymous users … | Jul 09, 2026 |
| CVE-2026-12270 | MEDIUM | 6.5 | The Everest Forms WordPress plugin before 3.5.0 does not correctly restrict access to several REST API endpoints belonging to its onboarding assistant: the capability check … | Jul 09, 2026 |
| CVE-2026-11875 | MEDIUM | 5.3 | The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not sign or verify its guest-session cookie, allowing unauthenticated attackers to forge it … | Jul 09, 2026 |
| CVE-2026-11869 | MEDIUM | 5.3 | The WP DSGVO Tools (GDPR) WordPress plugin before 3.1.40 does not perform an authorization check on the immediate-processing path of its data subject access request … | Jul 09, 2026 |
| CVE-2026-11571 | HIGH | 7.5 | The Everest Forms WordPress plugin before 3.5.0 does not reliably delete temporary CSV files generated during email-notification processing and leaves them publicly accessible in the … | Jul 09, 2026 |
| CVE-2026-5523 | HIGH | 8.8 | The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.1.8. This is due to the update_user() … | Jul 09, 2026 |