
849 matches found

NVD
added yesterday | 6 views

CVE-2026-8688

The Advance Nav Menu Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

CVSS: 4.3 | EPSS: 0.00227
Exploits: 0 | References: 7
RedHat Linux
added 3 days ago | 3 views

crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages

A flaw was found in the crypto/tls package within the Go golang standard library, specifically affecting TLS 1.3 connections. A remote attacker can exploit this vulnerability by sending multiple key update messages in a single record after the handshake. This can cause the connection to deadlock,...

CVSS: 7.5 | AI score: 7.1 | EPSS: 0.00449
Exploits: 0 | References: 8
AstraLinux
added 6 days ago | 7 views

Astra Linux – Vulnerability in json-smart

A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4, which causes a denial of service (DOS) through a crafted web request...

CVSS: 7.5 | AI score: 6.5 | EPSS: 0.02281
Exploits: 1 | References: 1
EUVD
added 2026/06/17 6:35 p.m. | 7 views

EUVD-2026-37656

Subscriber Arbitrary File Download in Woocommerce Book Price <= 1.3 versions...

CVSS: 7.5 | AI score: 5.2 | EPSS: 0.00467
Exploits: 0 | References: 2
NVD
added 2026/06/17 1:20 p.m. | 7 views

CVE-2026-40755

Unauthenticated PHP Object Injection in TechLink = 1.3 versions...

CVSS: 8.1 | EPSS: 0.0025
Exploits: 0 | References: 1
NVD
added 2026/06/17 1:19 p.m. | 7 views

CVE-2025-69171

Unauthenticated Local File Inclusion in Orpheus <= 1.3 versions...

CVSS: 8.1 | EPSS: 0.00348
Exploits: 0 | References: 1
EUVD
added 2026/06/17 12:47 p.m. | 7 views

EUVD-2026-37693

Unauthenticated PHP Object Injection in ShiftUp <= 1.3 versions...

CVSS: 8.1 | AI score: 5.3 | EPSS: 0.00308
Exploits: 0 | References: 1
CVE
added 2026/06/17 9:50 a.m. | 7 views

CVE-2026-22334

CVE-2026-22334 concerns the WordPress Woocommerce Book Price plugin (<= 1.3). The vulnerability is an Arbitrary File Download that requires authentication (Subscriber level or higher). The CVE entry notes an authenticated path to download arbitrary files, with a base CVSS v3.1 score of 7.5 (HI...

CVSS: 7.5 | AI score: 5.2 | EPSS: 0.00467
Exploits: 0 | References: 1
Cvelist
added 2026/06/17 9:50 a.m. | 26 views

CVE-2025-69171 WordPress Orpheus theme <= 1.3 - Local File Inclusion vulnerability

Unauthenticated Local File Inclusion in Orpheus <= 1.3 versions...

CVSS: 8.1 | EPSS: 0.00348
Exploits: 0 | References: 1
Positive Technologies
added 2026/06/17 12:0 a.m. | 16 views

PT-2026-50404

Name of the Vulnerable Software and Affected Versions ShiftUp versions 1.3 and earlier Description An unauthenticated PHP Object Injection issue exists in the software. PHP Object Injection occurs when user-supplied input is passed to the unserialize function without proper validation, potentiall...

CVSS: 8.1 | AI score: 5.7 | EPSS: 0.00308
Exploits: 0 | References: 3
RedhatCVE
added 2026/06/05 7:38 p.m. | 8 views

CVE-2026-3998

The WM JqMath plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' shortcode attribute of the jqmath shortcode in all versions up to and including 1.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The...

CVSS: 6.4 | AI score: 5.7 | EPSS: 0.00265
Exploits: 0 | References: 1
RedHat Linux
added 2026/06/03 7:49 a.m. | 7 views

crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages

A flaw was found in the crypto/tls package within the Go golang standard library, specifically affecting TLS 1.3 connections. A remote attacker can exploit this vulnerability by sending multiple key update messages in a single record after the handshake. This can cause the connection to deadlock,...

CVSS: 7.5 | AI score: 5.8 | EPSS: 0.00449
Exploits: 0 | References: 8
Patchstack
added 2026/05/27 1:46 p.m. | 10 views

WordPress Orpheus theme <= 1.3 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Bonds in WordPress Theme Orpheus versions <= 1.3...

CVSS: 8.1 | AI score: 5.8 | EPSS: 0.00348
Exploits: 0 | Affected Software: 1
NVD
added 2026/05/27 7:16 a.m. | 13 views

CVE-2026-8846

The Tuxquote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'TUXQUOTE' shortcode in versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes 'title', 'align', and 'width' in the tuxquotebuildforma...

CVSS: 6.4 | EPSS: 0.00187
Exploits: 0 | References: 3
CVE
added 2026/05/27 5:31 a.m. | 18 views

CVE-2026-8846

CVE-2026-8846 affects the WordPress Tuxquote plugin (versions ≤ 1.3). The vulnerability is a Stored Cross-Site Scripting (XSS) in the TUXQUOTE shortcode, caused by insufficient input sanitization and output escaping for attributes (title, align, width) in tuxquote_build_format(), which are concat...

CVSS: 6.4 | AI score: 6 | EPSS: 0.00187
Exploits: 0 | References: 3
Positive Technologies
added 2026/05/27 12:0 a.m. | 8 views

PT-2026-43514

The jQuery googleslides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'googleslides' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes userid, albumid, authkey, imgmax,...

CVSS: 6.4 | AI score: 6 | EPSS: 0.00235
Exploits: 0 | References: 5
Positive Technologies
added 2026/05/27 12:0 a.m. | 11 views

PT-2026-43539

The WP Promoter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset stats function in versions up to, and including, 1.3. The function is hooked to both the wp ajax wpp-reset stats and wp ajax nopriv wpp-reset stats actions and...

CVSS: 5.3 | AI score: 5.8 | EPSS: 0.00268
Exploits: 0 | References: 5
Patchstack
added 2026/05/26 5:23 p.m. | 11 views

WordPress WP Promoter plugin <= 1.3 - Missing Authorization to Unauthenticated Statistics Reset vulnerability

Missing Authorization to Unauthenticated Statistics Reset vulnerability discovered by Muhammad Nur Ibnu Hubab - Pondok Teknologi in WordPress Plugin WP Promoter versions <= 1.3...

CVSS: 5.3 | AI score: 5.8 | EPSS: 0.00268
Exploits: 0 | References: 1 | Affected Software: 1
Patchstack
added 2026/05/26 5:22 p.m. | 11 views

WordPress Tuxquote plugin <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by MAJidox in WordPress Plugin Tuxquote versions <= 1.3...

CVSS: 6.4 | AI score: 5.8 | EPSS: 0.00187
Exploits: 0 | References: 1 | Affected Software: 1
Patchstack
added 2026/05/26 5:46 a.m. | 6 views

WordPress Food Drop theme <= 1.3 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Food Drop versions <= 1.3...

AI score: 5.8 | EPSS: 0.00348
Exploits: 0 | Affected Software: 1