Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
23287
Total
1655
Critical
7324
High
7394
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-12433 | MEDIUM | 4.3 | The Hydra Booking – Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, … | Jul 09, 2026 |
| CVE-2026-8996 | MEDIUM | 6.5 | The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.22.26 … | Jul 09, 2026 |
| CVE-2026-8848 | HIGH | 7.2 | The Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popup Builder plugin for WordPress is vulnerable to authorization bypass in all … | Jul 09, 2026 |
| CVE-2026-7558 | MEDIUM | 5.3 | The Age Verification & Identity Verification by Token of Trust plugin for WordPress is vulnerable to unauthorized access in all versions up to and including … | Jul 09, 2026 |
| CVE-2026-6910 | MEDIUM | 6.4 | The Bookero.pl – system rezerwacji online plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `bookero_products` shortcode's `hide_products` (and `filter_products`) attributes in versions … | Jul 09, 2026 |
| CVE-2026-59269 | LOW | 3.8 | A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially gain elevated permissions in the clusters, only if all the following conditions were … | Jul 09, 2026 |
| CVE-2026-57111 | HIGH | 7.5 | Permissive Cross-Origin Resource Sharing (CORS) in the REST API (helix-rest, org.apache.helix.rest.server.filters.CORSFilter) in Apache Helix through 2.0.0 on all platforms allows a remote attacker controlling a … | Jul 09, 2026 |
| CVE-2026-4653 | MEDIUM | 6.4 | The Block, Suspend, Report for BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter in versions up to and including … | Jul 09, 2026 |
| CVE-2026-33390 | HIGH | 8.1 | An Incorrect Privilege Assignment vulnerability was discovered in the synchronization functionality due to Arc sensors receiving CLI permissions. An authenticated user with limited privileges can … | Jul 09, 2026 |
| CVE-2026-31985 | HIGH | 8.1 | When the upstream Guardian or CMC was configured in the Remote Collector via n2os-tui, the generated configuration disabled TLS certificate verification, and no option was … | Jul 09, 2026 |
| CVE-2026-31984 | HIGH | 7.5 | A denial-of-service vulnerability caused by unbounded resource allocation was discovered in the audit logging functionality, due to a missing size limit on input recorded into … | Jul 09, 2026 |
| CVE-2026-31983 | MEDIUM | 5.3 | A Missing Authentication vulnerability was discovered in the SSH keys synchronization endpoint. An unauthenticated attacker can send a request to the SSH keys synchronization endpoint … | Jul 09, 2026 |
| CVE-2026-31982 | HIGH | 7.1 | An Open Redirect vulnerability was discovered in the SAML Single Sign-On functionality due to insufficient validation of a user-controlled redirection parameter. An unauthenticated attacker can … | Jul 09, 2026 |
| CVE-2026-31981 | MEDIUM | 5.9 | A Stored HTML Injection vulnerability was discovered in the Diagram tab and Graph view due to a shared input validation function being insufficiently restrictive. An … | Jul 09, 2026 |
| CVE-2026-15000 | HIGH | 7.2 | The Connect Contact Form 7 and Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Mailchimp Merge Field Values in all versions up … | Jul 09, 2026 |
| CVE-2026-14343 | MEDIUM | 6.4 | The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'note_before' and 'note_after' Shortcode Attributes in all versions up to, and including, … | Jul 09, 2026 |
| CVE-2026-14342 | MEDIUM | 4.9 | The Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to time-based SQL Injection via the 'contact_ids' parameter … | Jul 09, 2026 |
| CVE-2026-14245 | CRITICAL | 9.8 | The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up … | Jul 09, 2026 |
| CVE-2026-13771 | MEDIUM | 6.4 | The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'color' Shortcode Attribute in all versions up to, and including, … | Jul 09, 2026 |
| CVE-2026-13450 | MEDIUM | 5.3 | The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in … | Jul 09, 2026 |
| CVE-2026-13334 | MEDIUM | 6.1 | The Mang Board WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'stag' parameter in all versions up to, and including, 2.3.4 … | Jul 09, 2026 |
| CVE-2026-13253 | MEDIUM | 6.4 | The Ultimate Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'moreResultsText' block attribute of the ultimate-post/advanced-search block in versions up to … | Jul 09, 2026 |
| CVE-2026-13080 | MEDIUM | 6.6 | The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Local File Inclusion in all versions … | Jul 09, 2026 |
| CVE-2026-13011 | MEDIUM | 6.5 | The ERP: Complete HR, Accounting & CRM Suite with Recruitment and WooCommerce CRM Support plugin for WordPress is vulnerable to generic SQL Injection via the … | Jul 09, 2026 |
| CVE-2026-12418 | MEDIUM | 5.3 | The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in … | Jul 09, 2026 |