{"total":3785,"page":1,"count":50,"advisories":[{"id":"9175f8ed-5f61-4613-96d1-cf71ab103f1e","num":244849,"source_id":"nvd","external_id":"CVE-2026-57828","title":"CVE-2026-57828: The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload that allows registered users uploading executable files and leads to full RCE.","summary":"The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload that allows registered users uploading executable files and leads to full RCE.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-57828","severity":"unknown","cvss":null,"cves":["CVE-2026-57828"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T10:16:35.71+00:00"},{"id":"42c51c64-2f27-495d-acee-2f3dd1f33c34","num":244848,"source_id":"nvd","external_id":"CVE-2026-57827","title":"CVE-2026-57827: The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.","summary":"The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-57827","severity":"unknown","cvss":null,"cves":["CVE-2026-57827"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T10:16:34.057+00:00"},{"id":"ee165089-194d-450c-a5a3-61c2f3fd124e","num":244847,"source_id":"nvd","external_id":"CVE-2026-1359","title":"CVE-2026-1359: The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the genolve_setOpt() functio","summary":"The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the genolve_setOpt() function in all versions up to, and including, 5.0.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to update arbitrary WordPress options, including enabling user registration and setting the default role to administrator, resulting in privilege escalation.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-1359","severity":"high","cvss":8.8,"cves":["CVE-2026-1359"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T09:16:16.02+00:00"},{"id":"b7c0e397-75ed-4475-8e9a-5a2bb06ccd33","num":240169,"source_id":"nvd","external_id":"CVE-2026-9282","title":"CVE-2026-9282: The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.4 via the setupSources function. This makes it possible for u","summary":"The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.4 via the setupSources function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Exploitation requires enabling manual minify mode and supplying a manual-format minify filename so that the hash is empty and the f_array[] entries are not overwritten before reaching setupSources().","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-9282","severity":"high","cvss":7.5,"cves":["CVE-2026-9282"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T07:16:47.07+00:00"},{"id":"41e142c6-735f-4174-ae41-658bd285921f","num":240168,"source_id":"nvd","external_id":"CVE-2026-9017","title":"CVE-2026-9017: The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This is due to the plugi","summary":"The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the saved_admin_email, saved_user_email, and saved_user_email_address fields of arbitrary form entries belonging to other users, and cause the site to dispatch attacker-controlled email content to attacker-chosen recipient addresses.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-9017","severity":"medium","cvss":5.3,"cves":["CVE-2026-9017"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T07:16:46.923+00:00"},{"id":"c5be8af2-35ad-424a-8e63-640a8bede6ad","num":240167,"source_id":"nvd","external_id":"CVE-2026-6939","title":"CVE-2026-6939: The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'approval_code' parameter in all versions up to, and including,","summary":"The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'approval_code' parameter in all versions up to, and including, 2.7.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The unauthenticated REST endpoint POST /wp-json/corvuspay/success/ is registered with permission_callback set to __return_true, and although a signature validation step exists it only logs the result without halting execution, meaning an attacker can supply a completely arbitrary signature and have a malicious approval_code stored in the database unchallenged.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-6939","severity":"high","cvss":7.2,"cves":["CVE-2026-6939"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T07:16:46.787+00:00"},{"id":"5ff483db-2d9a-4149-a0a2-b5a4acd7a678","num":240166,"source_id":"nvd","external_id":"CVE-2026-6801","title":"CVE-2026-6801: The Context Blog theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.5 via the context_blog_modal_popup. This makes it pos","summary":"The Context Blog theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.5 via the context_blog_modal_popup. This makes it possible for unauthenticated attackers to extract the content of password-protected posts.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-6801","severity":"medium","cvss":5.3,"cves":["CVE-2026-6801"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T07:16:46.65+00:00"},{"id":"fa8e7ed5-2ee7-41d2-ac31-07905e33e2b7","num":240165,"source_id":"nvd","external_id":"CVE-2026-4661","title":"CVE-2026-4661: The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'fildname' parameter in all versions up","summary":"The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'fildname' parameter in all versions up to, and including, 2.2.2. This is due to insufficient escaping of user-supplied column names in the ajaxCheck() method and lack of preparation in the $wpdb->update() call. The vulnerability is compounded by the complete absence of authorization checks and the endpoint being registered for unauthenticated users via wp_ajax_nopriv_. This makes it possible for unauthenticated attackers to inject arbitrary SQL queries and extract sensitive information from the database via time-based blind SQL injection techniques, including administrator password hashes.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-4661","severity":"high","cvss":7.5,"cves":["CVE-2026-4661"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T07:16:46.513+00:00"},{"id":"f2c78f6c-629e-4df6-919d-3a2ceed501b4","num":240164,"source_id":"nvd","external_id":"CVE-2026-1382","title":"CVE-2026-1382: The fresh Podcaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'freshpodcaster' shortcode in all versions up to, and including, 1.0.7 due to insuffic","summary":"The fresh Podcaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'freshpodcaster' shortcode in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-1382","severity":"medium","cvss":6.4,"cves":["CVE-2026-1382"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T07:16:46.307+00:00"},{"id":"5bedb9ac-dd8b-4dec-9431-e60fc305562c","num":240163,"source_id":"nvd","external_id":"CVE-2026-15155","title":"CVE-2026-15155: The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all ve","summary":"The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all versions up to, and including, 6.6.10 This is due to insufficient server-side validation of a Login/Register widget setting used to construct outgoing email headers — the allowed-values restriction is enforced only in the client-side editor UI and not on the server, and the applied sanitization does not strip or encode CR/LF characters, allowing CRLF sequences stored in that setting to survive into raw mail headers. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject an additional Bcc header into the WordPress administrator's password-reset notification email, receive a copy of a valid administrator password-reset link, and achieve full administrator account takeover.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-15155","severity":"high","cvss":8.8,"cves":["CVE-2026-15155"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T07:16:46.17+00:00"},{"id":"5c529986-c6cf-4b73-9f97-5a73ac981c3e","num":240162,"source_id":"nvd","external_id":"CVE-2026-15010","title":"CVE-2026-15010: The bbp Style Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.4.5 via the Topic Form Additional Fields feature. This is d","summary":"The bbp Style Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.4.5 via the Topic Form Additional Fields feature. This is due to insufficient input sanitization in bsp_topic_fields_form_save() (which writes $_POST['bsp_topic_fields_label{n}'] directly to post meta via update_post_meta() with no filtering) and missing output escaping in bsp_topic_content_append_topic_fields() (which concatenates the stored meta value into an HTML <span> and echoes it via apply_filters/echo without esc_html()). This makes it possible for authenticated attackers, with Subscriber-level access and above (who have bbPress topic-creation privileges), to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, including unauthenticated visitors.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-15010","severity":"medium","cvss":6.4,"cves":["CVE-2026-15010"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T07:16:46.033+00:00"},{"id":"216b7d8a-e664-4992-a87f-efb2e229eebc","num":240161,"source_id":"nvd","external_id":"CVE-2026-12994","title":"CVE-2026-12994: The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.7.27. This is due to the plugin not p","summary":"The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.7.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to inject arbitrary reply content into any store inquiry, overwrite the main inquiry record in wp_wcfm_enquiries, and trigger unsolicited notification emails to customers and vendors. Unlike sibling controller branches (wcfm-enquiry and wcfm-enquiry-manage), the wcfm-my-account-enquiry-manage branch performs no is_user_logged_in() or current_user_can() check, and the nonce that serves as the sole barrier is embedded into every public page load without any login gate.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-12994","severity":"medium","cvss":5.3,"cves":["CVE-2026-12994"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T07:16:45.9+00:00"},{"id":"c56483da-377a-4a1c-a137-acc47c522339","num":240160,"source_id":"nvd","external_id":"CVE-2026-12738","title":"CVE-2026-12738: The WP Easy Pay – Payment and Donation form Builder for Square plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.5.0. This is due t","summary":"The WP Easy Pay – Payment and Donation form Builder for Square plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.5.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to set the status of arbitrary posts and pages to 'draft', effectively unpublishing arbitrary site content.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-12738","severity":"medium","cvss":4.3,"cves":["CVE-2026-12738"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T07:16:45.77+00:00"},{"id":"17bca940-6b3d-44fd-923a-e1f0d0595bff","num":240159,"source_id":"nvd","external_id":"CVE-2026-12126","title":"CVE-2026-12126: The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'post_title' in all versions up to,","summary":"The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'post_title' in all versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Vendor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. An attacker can plant the payload by uploading a media attachment with a crafted title via the WordPress REST API (/wp-json/wp/v2/media), without ever invoking the AJAX endpoint themselves, as the unescaped title is later emitted inside DataTables JSON and inserted as innerHTML upon any privileged user loading the media dashboard.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-12126","severity":"medium","cvss":6.4,"cves":["CVE-2026-12126"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T07:16:45.633+00:00"},{"id":"a785ffb5-b0e8-4e8c-9bec-95e723c987bd","num":240158,"source_id":"nvd","external_id":"CVE-2026-12103","title":"CVE-2026-12103: The Wallet for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.6.4. This is due to the plugin not properly verifying","summary":"The Wallet for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.6.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to enumerate the login name, email address, and user ID of all WordPress accounts — including administrators — by submitting arbitrary search terms to the AJAX handler. The required 'search-user' nonce is localized into the wallet_param object on the standard WooCommerce My Account page, which is accessible to any authenticated user, making it trivially obtainable by a Subscriber.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-12103","severity":"medium","cvss":4.3,"cves":["CVE-2026-12103"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T07:16:45.49+00:00"},{"id":"b431e635-62be-442e-afca-d1265b99d447","num":240157,"source_id":"nvd","external_id":"CVE-2026-11901","title":"CVE-2026-11901: The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 2.3.1. This is due to the `web_hook_","summary":"The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 2.3.1. This is due to the web_hook_process_paypal_standard() IPN handler selecting its PayPal validation endpoint from the attacker-controlled $_REQUEST['test_ipn'] parameter, force-upgrading any pending transaction to completed when test_ipn=1, and omitting post-verification checks on receiver_email, mc_currency, and txn_id uniqueness after receiving a VERIFIED response from PayPal. This makes it possible for unauthenticated attackers to mark arbitrary hotel bookings as fully paid without submitting genuine payment to the merchant — either by routing IPN validation through PayPal's sandbox using a free sandbox account, or by replaying a previously verified IPN from a nominal payment to an attacker-controlled PayPal account. An attacker requires only a free PayPal sandbox account (or any PayPal account) to obtain a VERIFIED response; no site credentials or special configuration are needed.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-11901","severity":"medium","cvss":5.3,"cves":["CVE-2026-11901"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T07:16:45.347+00:00"},{"id":"300b0fd8-3d19-42c2-bc68-c3a70ac0194d","num":240156,"source_id":"nvd","external_id":"CVE-2026-11898","title":"CVE-2026-11898: The White Label CMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.7.12 due to insufficient input sani","summary":"The White Label CMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.7.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-11898","severity":"medium","cvss":4.4,"cves":["CVE-2026-11898"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T07:16:45.213+00:00"},{"id":"2e4694e1-dc71-4f61-bba4-0284103a37ae","num":240155,"source_id":"nvd","external_id":"CVE-2026-11591","title":"CVE-2026-11591: The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 13.3 due to insufficient i","summary":"The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 13.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-11591","severity":"medium","cvss":4.4,"cves":["CVE-2026-11591"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T07:16:45.073+00:00"},{"id":"6f3d6763-c675-4264-9ebb-a3a75cf85093","num":240154,"source_id":"nvd","external_id":"CVE-2026-10865","title":"CVE-2026-10865: The Cost Calculator Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.11 via the (template body). This makes it","summary":"The Cost Calculator Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.11 via the (template body). This makes it possible for unauthenticated attackers to extract the plaintext Stripe secret key, Razorpay secret key, and PayPal client_secret embedded in the page source of any page containing a calculator, enabling full control of the merchant's payment gateway accounts. This exposure only occurs when the 'use in all calculators' option is enabled for one or more payment gateways in the plugin's global settings.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-10865","severity":"medium","cvss":5.3,"cves":["CVE-2026-10865"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T07:16:44.927+00:00"},{"id":"ae7b9489-4d41-4a12-b81d-8b5b18eb5dd0","num":240153,"source_id":"nvd","external_id":"CVE-2026-10041","title":"CVE-2026-10041: The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfm_product","summary":"The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfm_product_archive due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to archive arbitrary vendors' products, toggle the featured status on arbitrary listings, mark arbitrary WooCommerce orders as completed, and permanently delete arbitrary enquiries and bulk messages belonging to other vendors.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-10041","severity":"medium","cvss":4.3,"cves":["CVE-2026-10041"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T07:16:44.783+00:00"},{"id":"c3ca8f56-d7fb-432a-836b-5d7dea6e62bd","num":240152,"source_id":"nvd","external_id":"CVE-2025-6784","title":"CVE-2025-6784: The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 0.3.5 via the 'code-engine' shortcode. This is due to the plugin n","summary":"The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 0.3.5 via the 'code-engine' shortcode. This is due to the plugin not restricting access to the code injecting functionality of the plugin. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.","link":"https://nvd.nist.gov/vuln/detail/CVE-2025-6784","severity":"high","cvss":8.8,"cves":["CVE-2025-6784"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T07:16:44.637+00:00"},{"id":"7b413ccf-54b1-45a0-927a-e958bb964cb5","num":240151,"source_id":"nvd","external_id":"CVE-2025-5017","title":"CVE-2025-5017: The Catalyst Connect Zoho CRM Client Portal plugin for WordPress is vulnerable to time-based SQL Injection via the ‘uid’ parameter in all versions up to, and including, 2.2.0 due t","summary":"The Catalyst Connect Zoho CRM Client Portal plugin for WordPress is vulnerable to time-based SQL Injection via the ‘uid’ parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","link":"https://nvd.nist.gov/vuln/detail/CVE-2025-5017","severity":"medium","cvss":4.9,"cves":["CVE-2025-5017"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T07:16:44.453+00:00"},{"id":"c46d2c24-597b-4da5-bcf2-0f870a6a49e6","num":240150,"source_id":"nvd","external_id":"CVE-2026-7655","title":"CVE-2026-7655: The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to, and including, 4.2.3. This is due to the plugin not properly validat","summary":"The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to, and including, 4.2.3. This is due to the plugin not properly validating a user's identity prior to updating their details like email during customer profile synchronization from webhook events. This makes it possible for unauthenticated attackers to change linked user's email addresses, including administrators if the administrator account is linked to a SureCart customer record, and leverage that to reset the user's password and gain access to their account if the customer ID is known.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-7655","severity":"high","cvss":8.1,"cves":["CVE-2026-7655"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T06:16:10.657+00:00"},{"id":"1538216f-57e9-49f6-8fcc-0eb4813e56f9","num":240149,"source_id":"nvd","external_id":"CVE-2026-13378","title":"CVE-2026-13378: The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Contact Form 7 Form Field in all versions up to, and including, 1.","summary":"The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Contact Form 7 Form Field in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-13378","severity":"high","cvss":7.2,"cves":["CVE-2026-13378"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T06:16:08.93+00:00"},{"id":"5c6cf198-ae98-4456-85ab-32fa789d89e5","num":240148,"source_id":"nvd","external_id":"CVE-2026-9738","title":"CVE-2026-9738: The Print, PDF, Email by PrintFriendly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'content_position_css' parameter in all versions up to, and includi","summary":"The Print, PDF, Email by PrintFriendly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'content_position_css' parameter in all versions up to, and including, 5.5.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-9738","severity":"medium","cvss":4.4,"cves":["CVE-2026-9738"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T05:16:34.91+00:00"},{"id":"bf014efb-e88e-48cd-929a-8e8707b12d8b","num":240147,"source_id":"nvd","external_id":"CVE-2026-7620","title":"CVE-2026-7620: The Notification for Telegram plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.5.1. This is due to the plugin not properly verifyi","summary":"The Notification for Telegram plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.5.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to create, modify, or reschedule the nftb_cron_hook WordPress cron event, enabling unauthorized manipulation of the plugin's background task scheduling logic.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-7620","severity":"medium","cvss":4.3,"cves":["CVE-2026-7620"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T05:16:34.79+00:00"},{"id":"5940ea81-a579-48c0-be5b-819ec74d848e","num":240146,"source_id":"nvd","external_id":"CVE-2026-7559","title":"CVE-2026-7559: The Affilia – Affiliate Program & Referral Tracking for WordPress plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.3.3. This is due","summary":"The Affilia – Affiliate Program & Referral Tracking for WordPress plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.3.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to approve or reject affiliate referrals, credit commissions to affiliate wallets, delete referral records, and modify custom banner plugin options, enabling financial fraud. The nonce required to pass the only authentication check is embedded in every frontend page load via rtwalwm_global_params.rtwalwm_nonce, making it trivially accessible to any authenticated user regardless of role.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-7559","severity":"medium","cvss":4.3,"cves":["CVE-2026-7559"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T05:16:34.673+00:00"},{"id":"bf0c751a-3fb6-4e6a-aea9-0f71c7ad97d5","num":240145,"source_id":"nvd","external_id":"CVE-2026-6804","title":"CVE-2026-6804: The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.12. This is due to the plugin not","summary":"The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.12. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to publish draft WordPress posts, exposing unpublished content, or unpublish live content, causing service disruption, by supplying arbitrary scenario IDs.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-6804","severity":"medium","cvss":5.3,"cves":["CVE-2026-6804"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T05:16:34.553+00:00"},{"id":"34417402-5c0f-4ee6-b7ad-1a3cf3e4e593","num":240144,"source_id":"nvd","external_id":"CVE-2026-6803","title":"CVE-2026-6803: The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.12. This is due to missing capabi","summary":"The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.12. This is due to missing capability checks and nonce verification on AJAX actions registered under both wp_ajax_ and wp_ajax_nopriv_ hooks, as the base controller's getPermissions() returns an empty array and neither removeGroup nor clear are added to getNoncedMethods(), causing the authorization gate to unconditionally return true for these actions. This makes it possible for unauthenticated attackers to delete specific records by ID or delete all records from any module's database table by unauthenticated attackers.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-6803","severity":"medium","cvss":5.3,"cves":["CVE-2026-6803"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T05:16:34.43+00:00"},{"id":"a0e61a0f-4b46-4931-b5ef-d897c7bc0c1c","num":240143,"source_id":"nvd","external_id":"CVE-2026-3576","title":"CVE-2026-3576: The Planyo Online Reservation System plugin for WordPress is vulnerable to Server-Side Request Forgery leading to Local File Inclusion in all versions up to, and including, 3.0. Th","summary":"The Planyo Online Reservation System plugin for WordPress is vulnerable to Server-Side Request Forgery leading to Local File Inclusion in all versions up to, and including, 3.0. The ulap.php file acts as an AJAX proxy and is directly accessible without WordPress bootstrapping or any authentication. The send_http_post() function validates the host of the provided URL against an allowlist that includes 'localhost', but critically fails to validate the URL scheme/protocol. This makes it possible for unauthenticated attackers to supply a file:// URL (e.g., file://localhost/etc/passwd) which bypasses the host allowlist check because parse_url() returns 'localhost' as the host. The URL is then passed to curl_init() or fopen(), both of which support the file:// protocol, allowing the attacker to read arbitrary local files on the server and have their contents returned in the HTTP response. This can lead to disclosure of sensitive files such as /etc/passwd, wp-config.php (containing database credentials and authentication keys), and other server-side files.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-3576","severity":"high","cvss":7.2,"cves":["CVE-2026-3576"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T05:16:34.013+00:00"},{"id":"5093dba4-5c80-454a-91b5-37d1812d1d6e","num":240142,"source_id":"nvd","external_id":"CVE-2026-3552","title":"CVE-2026-3552: The SurfLink - Ultimate Link Manager plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the ajax_import_410() function in all","summary":"The SurfLink - Ultimate Link Manager plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the ajax_import_410() function in all versions up to 2.6.0. This is due to a missing capability check (current_user_can()) and missing nonce verification (check_ajax_referer()) in the ajax_import_410() function, while all other AJAX handlers in the same class (ajax_add_single_410, ajax_save_editted_410, ajax_delete_410, ajax_bulk_410_delete, ajax_empty_410, ajax_export_410) properly implement both authorization and nonce checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import arbitrary URLs into the 410 Gone database table via the surfl_import_410 AJAX action. Injected URLs will cause the site to return HTTP 410 Gone responses to all visitors accessing those paths, potentially causing denial of service for legitimate pages and SEO damage through search engine delisting.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-3552","severity":"medium","cvss":4.3,"cves":["CVE-2026-3552"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T05:16:33.897+00:00"},{"id":"99de448f-ac57-41ee-a5ee-97d66ec5e27e","num":240141,"source_id":"nvd","external_id":"CVE-2026-2354","title":"CVE-2026-2354: The Swiss Toolkit For WP plugin for WordPress is vulnerable to arbitrary file upload due to a flawed file type validation bypass in the `upload_extension_files()` function in all v","summary":"The Swiss Toolkit For WP plugin for WordPress is vulnerable to arbitrary file upload due to a flawed file type validation bypass in the upload_extension_files() function in all versions up to, and including, 1.4.6. The upload_extension_files() function hooks into WordPress's wp_check_filetype_and_ext filter and uses strpos() to check if a filename contains a configured extension string, rather than verifying the actual file extension. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files (including PHP) on the affected site's server which may make remote code execution possible, granted the \"Enhanced Multi-Format Image Support\" feature is enabled with at least one extension (e.g., avif) in the allowed formats.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-2354","severity":"high","cvss":8.8,"cves":["CVE-2026-2354"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T05:16:33.777+00:00"},{"id":"564ff2ed-1d80-44b3-af77-518ee59d2424","num":240140,"source_id":"nvd","external_id":"CVE-2026-1832","title":"CVE-2026-1832: The ThriveDesk – Live Chat, AI Chatbot, Helpdesk & Knowledge Base plugin for WordPress is vulnerable to unauthorized cache deletion due to a missing capability check on the 'thrive","summary":"The ThriveDesk – Live Chat, AI Chatbot, Helpdesk & Knowledge Base plugin for WordPress is vulnerable to unauthorized cache deletion due to a missing capability check on the 'thrivedesk_clear_cache' AJAX action in all versions up to, and including, 2.1.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the plugin's cache.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-1832","severity":"medium","cvss":4.3,"cves":["CVE-2026-1832"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T05:16:33.043+00:00"},{"id":"a880bdc0-24dc-44c7-a93f-729aaaf6f1d6","num":240139,"source_id":"nvd","external_id":"CVE-2026-15335","title":"CVE-2026-15335: The Booking Package plugin for WordPress is vulnerable to generic SQL Injection via 'email' Form Parameter (form ) in all versions up to, and including, 1.7.20 due to insufficien","summary":"The Booking Package plugin for WordPress is vulnerable to generic SQL Injection via 'email' Form Parameter (form<N>) in all versions up to, and including, 1.7.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The vulnerable REST API endpoint /wp-json/booking-package/v1/request is registered with permission_callback: __return_true and wp_magic_quotes does not apply to REST-sourced $_POST values, meaning single quotes in the payload reach the SQL sink intact without any authentication requirement. The impact of this is severely limited as the vulnerable parameter goes through is_email.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-15335","severity":"high","cvss":7.5,"cves":["CVE-2026-15335"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T05:16:32.923+00:00"},{"id":"dc2bb639-9039-494c-bb3d-026aa29dcb1f","num":240138,"source_id":"nvd","external_id":"CVE-2026-15097","title":"CVE-2026-15097: The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'height_slider' Slider Module Field in all versions up to, and including, 7.7.6 due to ins","summary":"The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'height_slider' Slider Module Field in all versions up to, and including, 7.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-15097","severity":"medium","cvss":6.4,"cves":["CVE-2026-15097"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T05:16:32.793+00:00"},{"id":"39cbb92c-165c-456d-bec0-4b48ba98a89f","num":240137,"source_id":"nvd","external_id":"CVE-2026-15096","title":"CVE-2026-15096: The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Map Module 'b_width_map' Field in all versions up to, and including, 7.7.6 due to insuffic","summary":"The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Map Module 'b_width_map' Field in all versions up to, and including, 7.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-15096","severity":"medium","cvss":6.4,"cves":["CVE-2026-15096"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T05:16:32.67+00:00"},{"id":"beaf2095-c436-4725-891f-56f0c7d74ed2","num":240136,"source_id":"nvd","external_id":"CVE-2026-14262","title":"CVE-2026-14262: The Simple JWT Login – Allows you to use JWT on REST endpoints. plugin for WordPress is vulnerable to Authentication Bypass to Privilege Escalation in all versions up to, and inclu","summary":"The Simple JWT Login – Allows you to use JWT on REST endpoints. plugin for WordPress is vulnerable to Authentication Bypass to Privilege Escalation in all versions up to, and including, 3.6.6 via the payload parameter. The vulnerability exists because AuthenticateService::generatePayload() only overwrites JWT payload keys whose names appear in the admin-configured jwt_payload list — leaving any attacker-supplied identity claims such as email, id, or username intact and signed into the JWT with the site's HS256 secret. This makes it possible for authenticated attackers, with subscriber-level access and above, to escalate their privileges to that of an Administrator by injecting a target administrator's email address into the payload parameter at the /wp-json/simple-jwt-login/v1/auth endpoint, then redeeming the resulting JWT at the /autologin endpoint to obtain a fully authenticated session as that administrator.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-14262","severity":"high","cvss":8.8,"cves":["CVE-2026-14262"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T05:16:32.367+00:00"},{"id":"504ed9cd-1405-4cbf-90fb-d2f47ce93ca2","num":240135,"source_id":"nvd","external_id":"CVE-2026-13250","title":"CVE-2026-13250: The Solace Extra plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.5.3. This is due to the plugin not properly verifying that a use","summary":"The Solace Extra plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.5.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to permanently delete all content previously imported via the Starter Template feature, including posts, pages, media attachments, WooCommerce products, taxonomy terms, and sitebuilder templates. The required nonce is emitted on every wp-admin page via wp_localize_script() hooked to admin_enqueue_scripts without a page guard, meaning any Subscriber visiting /wp-admin/profile.php can obtain it; the handler is additionally registered via wp_ajax_nopriv_, making it reachable by fully unauthenticated users as well.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-13250","severity":"medium","cvss":5.3,"cves":["CVE-2026-13250"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T05:16:32.243+00:00"},{"id":"e33df2ac-46d2-4c1a-bc4f-5cc31ac3fb1e","num":240134,"source_id":"nvd","external_id":"CVE-2026-13116","title":"CVE-2026-13116: The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.14.0 via the generat","summary":"The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.14.0 via the generate_document_shortcode due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with contributor-level access and above, to mint publicly accessible, session-free download links for arbitrary third-party orders, exposing customer names, billing and shipping addresses, email addresses, phone numbers, order and invoice numbers, line items, totals, payment details, and customer notes contained in those orders' invoices and packing slips. Exploitation requires the plugin's Document link access type setting to be configured to 'full'; with the default 'logged_in' value, generated URLs are signed with a per-session nonce rather than the order_key, making the shortcode path unexploitable for unauthorized access to third-party orders.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-13116","severity":"medium","cvss":4.3,"cves":["CVE-2026-13116"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T05:16:32.123+00:00"},{"id":"c62f907b-1e57-46c8-b73c-4f10b01a1b19","num":240133,"source_id":"nvd","external_id":"CVE-2026-12141","title":"CVE-2026-12141: The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premium_tooltip_text' parameter","summary":"The Premium Addons for Elementor – Powerful Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'premium_tooltip_text' parameter in all versions up to, and including, 4.11.84 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload is specifically triggered when an administrator or higher-privileged user opens the affected post in the Elementor editor, as the raw unescaped output occurs via the print_template() method registered on the 'elementor/section/print_template' hook rather than on the public-facing frontend.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-12141","severity":"medium","cvss":4.9,"cves":["CVE-2026-12141"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T05:16:32+00:00"},{"id":"75bf69c2-0e1c-4bf8-9d9c-d954ea733935","num":240132,"source_id":"nvd","external_id":"CVE-2025-13968","title":"CVE-2025-13968: The Starboard Suite Reservation Calendars plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in the [starboard-suite-lightbox] shortcode in","summary":"The Starboard Suite Reservation Calendars plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in the [starboard-suite-lightbox] shortcode in all versions up to, and including, 3.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","link":"https://nvd.nist.gov/vuln/detail/CVE-2025-13968","severity":"medium","cvss":6.4,"cves":["CVE-2025-13968"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T05:16:30.19+00:00"},{"id":"7c903b9f-26a4-473b-92fe-826a179793a4","num":240131,"source_id":"nvd","external_id":"CVE-2026-8678","title":"CVE-2026-8678: The MyParcel plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.25.1. This is due to the plugin not properly verifying that a user i","summary":"The MyParcel plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.25.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to view and modify shipment options — including carrier, delivery type, package type, number of labels, weight, signature requirement, and insurance — on any arbitrary order.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-8678","severity":"medium","cvss":4.3,"cves":["CVE-2026-8678"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T04:17:26.903+00:00"},{"id":"7cc9ba22-75a7-4488-90a0-73a2e0983526","num":240130,"source_id":"nvd","external_id":"CVE-2026-7544","title":"CVE-2026-7544: The Mux Video Uploader plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 via the muxvideo_enqueue_settings_script. Th","summary":"The Mux Video Uploader plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 via the muxvideo_enqueue_settings_script. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive data including Mux API credentials.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-7544","severity":"medium","cvss":4.3,"cves":["CVE-2026-7544"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T04:17:23.993+00:00"},{"id":"d71f0e13-d15d-439e-b47e-4c89e57bac93","num":240129,"source_id":"nvd","external_id":"CVE-2026-5743","title":"CVE-2026-5743: The SimpLy Gallery Block & Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via block attributes in all versions up to, and including, 3.3.3.2. This is du","summary":"The SimpLy Gallery Block & Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via block attributes in all versions up to, and including, 3.3.3.2. This is due to insufficient input sanitization and output escaping on the sliderMaxHeight block attribute in the pgc_sgb_render_callback() function. The vulnerability exists because the pgc_sgb_sanitize_custom_css() function uses a flawed regex pattern that only removes event handlers with quoted values (e.g., onfocus=\"alert()\") but fails to catch unquoted event handlers (e.g., onfocus=alert(document.cookie)), allowing the malicious code to bypass sanitization. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages via block attributes that will execute whenever a user accesses an injected page.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-5743","severity":"medium","cvss":6.4,"cves":["CVE-2026-5743"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T04:17:23.843+00:00"},{"id":"fdca4371-7cc7-4d8a-8f99-5d2d8275afe5","num":240128,"source_id":"nvd","external_id":"CVE-2026-3367","title":"CVE-2026-3367: The Lockme OAuth2 calendars integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'App ID' setting in all versions up to, and including, 2.11.0. Thi","summary":"The Lockme OAuth2 calendars integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'App ID' setting in all versions up to, and including, 2.11.0. This is due to insufficient input sanitization and output escaping. The register_setting() call on line 197 lacks a sanitize callback, allowing unsanitized data to be stored via update_option(). When the settings page is rendered, the stored value is echoed directly into an HTML input's value attribute without esc_attr() on line 212. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in the settings page that will execute whenever a user accesses the plugin settings page. Multiple fields are affected: App ID (client_id), App Secret (client_secret), Bookings ID prefix (id_prefix), and API domain (api_domain). This vulnerability is particularly impactful in WordPress multisite installations where administrators of individual sites should not be able to execute JavaScript affecting other users.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-3367","severity":"medium","cvss":4.4,"cves":["CVE-2026-3367"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T04:17:23.67+00:00"},{"id":"dff70cb3-9c03-4765-8260-541902b261c9","num":240127,"source_id":"nvd","external_id":"CVE-2026-15338","title":"CVE-2026-15338: The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.1 via the get_type_template function. T","summary":"The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.6.1 via the get_type_template function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. The wp_normalize_path function used in get_template only normalizes directory separators and does not resolve or reject path traversal sequences, while the extension check is trivially bypassed because the caller already appends the required extension to the traversal payload.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-15338","severity":"high","cvss":7.5,"cves":["CVE-2026-15338"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T04:17:22.537+00:00"},{"id":"4bb2c5bd-122a-4687-bbf1-a07c83790647","num":240126,"source_id":"nvd","external_id":"CVE-2026-15073","title":"CVE-2026-15073: The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to generic SQL Injection via the 'orderby' parameter in all versions up to, and including","summary":"The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to generic SQL Injection via the 'orderby' parameter in all versions up to, and including, 4.5.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Doctor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires a KiviCare Doctor, Receptionist, or Clinic Admin role at minimum, as the vulnerable REST endpoint is restricted to authenticated users with custom plugin-level access.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-15073","severity":"medium","cvss":6.5,"cves":["CVE-2026-15073"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T04:17:21.943+00:00"},{"id":"72b4f403-bd41-4305-8631-14b57e2cbdba","num":240125,"source_id":"nvd","external_id":"CVE-2026-15072","title":"CVE-2026-15072: The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to generic SQL Injection via the 'orderby' parameter in all versions up to, and including","summary":"The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to generic SQL Injection via the 'orderby' parameter in all versions up to, and including, 4.5.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with doctor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This requires that the attacker hold at minimum a KiviCare Doctor-level account, or a Receptionist or Clinic Admin role that grants the doctor_session_list capability.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-15072","severity":"medium","cvss":6.5,"cves":["CVE-2026-15072"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T04:17:19.953+00:00"},{"id":"87f6fe53-e3b8-4823-aa50-c1f9392e13eb","num":240124,"source_id":"nvd","external_id":"CVE-2026-13353","title":"CVE-2026-13353: The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.0.","summary":"The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.0.1 via the 'MappedFields' parameter. This is due to missing capability checks on the AJAX handlers for install_addon, saveMappedFields, and StartImport, combined with the plugin nonce being exposed to any authenticated user who can load an admin page, allowing a Subscriber to install the Import WooCommerce add-on, persist attacker-controlled PHP expressions in the MappedFields parameter, and trigger evaluation via eval() in ImportHelpers::get_meta_values(). This makes it possible for authenticated attackers, with subscriber-level access and above, to execute code on the server.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-13353","severity":"high","cvss":8.8,"cves":["CVE-2026-13353"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T04:17:16.937+00:00"},{"id":"e8a0b0ad-d8a8-4032-80ae-1f08cbe924ea","num":240123,"source_id":"nvd","external_id":"CVE-2026-13262","title":"CVE-2026-13262: The Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'val' parameter in all versions up t","summary":"The Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'val' parameter in all versions up to, and including, 1.1.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires a valid 'get-smart-reply' nonce, which any Subscriber-level user can obtain by creating a ticket via the public frontend and visiting the resulting ticket detail page, making this effectively exploitable by any authenticated user.","link":"https://nvd.nist.gov/vuln/detail/CVE-2026-13262","severity":"medium","cvss":6.5,"cves":["CVE-2026-13262"],"exploited":false,"has_exploit":false,"published_at":"2026-07-11T04:17:16.793+00:00"}]}