CVE-2026-5113

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Consent field hidden inputs in versions up to and including 2.10.0. This is due to a flawed state validation mechanism that fails open when input is sanitized by wpkses, combined with insufficient output...

CVE-2026-6812

The Ona theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.26 via the onaactivatechildtheme. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating...

CVE-2026-5109

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient validation and output escaping of Product Option field values. The vulnerability exists because the state validation function accepts submitted...

CVE-2026-5110

The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping in the SingleProduct field when used inside a Repeater field. When SingleProduct fields are...

CVE-2026-5112

The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping of Calculation Product field product names when rendered inside Repeater fields. The validat...

CVE-2026-5110

The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping in the SingleProduct field when used inside a Repeater field. When SingleProduct fields are...

EUVD-2026-26746

The Call for Price for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2026-6447 Call for Price for WooCommerce <= 4.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Call for Price' Label Settings

The Call for Price for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

EUVD-2026-26741

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient validation and output escaping of Product Option field values. The vulnerability exists because the state validation function accepts submitted...

CVE-2026-5112 Gravity Forms <= 2.10.0 - Unauthenticated Stored Cross-Site Scripting via Calculation Product Field in Repeater

The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping of Calculation Product field product names when rendered inside Repeater fields. The validat...

CVE-2026-5113

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Consent field hidden inputs in versions up to and including 2.10.0. This is due to a flawed state validation mechanism that fails open when input is sanitized by wpkses, combined with insufficient output...

CVE-2026-5112

CVE-2026-5112 affects Gravity Forms for WordPress up to v2.10.0. An unauthenticated Stored XSS exists in the Calculation Product field within Repeater fields due to weak input validation and output escaping: validate() only checks the quantity field, sanitize_entry_value() returns raw HTML for no...

EUVD-2026-26736

The WP Mail Gateway plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the wmgsaveproviderconfig AJAX action in all versions up to, and including, 1.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update...

CVE-2026-6378

The Maxi Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the /wp-json/maxi-blocks/v1.0/style-card REST API endpoint in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping of the scstyles parameter. This makes it possible...

EUVD-2026-26728

The Maxi Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the /wp-json/maxi-blocks/v1.0/style-card REST API endpoint in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping of the scstyles parameter. This makes it possible...

PT-2026-36579

The Ona theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.26 via the ona activate child theme. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations...

PT-2026-36578

The Call for Price for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

PT-2026-36591

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Improper Authorization in all versions up to, and including, 2.1.2. This is due to a logical short-circuit flaw in authorization logic that causes token validation to be entirely skipped when a booking...

Linux Distros Unpatched Vulnerability : CVE-2013-0266

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in the puppetlabs-cinder module, as used in PackStack. This vulnerability is due to incorrect file permissions, specifically world-readable...

PT-2026-36594

The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to, and including, 2.8.11 This is due to a combination of missing nonce verification for unauthenticated form submissions, insufficient handling of FileUpload fields when ...