EUVD-2026-33933
Missing Authorization vulnerability in Elementor Elementor Website Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Elementor Website Builder: from n/a through 4.1.0...
CVE-2025-68886 WordPress Cookiteer theme <= 1.4.8 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in androThemes Cookiteer allows PHP Local File Inclusion. This issue affects Cookiteer: from n/a through 1.4.8...
CVE-2026-3620
CVE-2026-3620 – Word Replacer (WordPress) is vulnerable to Stored Cross-Site Scripting via the replacement parameter in all versions up to 0.4. The root cause is insufficient input sanitization and output escaping, allowing authenticated attackers with Administrator-level access and above to inje...
CVE-2026-10567
A security vulnerability has been detected in 1Panel-dev CordysCRM up to 1.4.1. This impacts the function Save of the file src/main/java/cn/cordys/crm/system/service/ModuleFormService.java of the component ModuleFormController. The manipulation of the argument Description leads to cross site...
Linux Distros Unpatched Vulnerability : CVE-2026-10197
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability was detected in Assimp up to 6.0.4. Affected is the function glTF2Importer::ImportEmbeddedTextures in the library...
CVE-2026-42672 WordPress WP Directory Kit plugin <= 1.5.1 - SQL Injection vulnerability
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Wp Directory Kit WP Directory Kit allows Blind SQL Injection. This issue affects WP Directory Kit: from n/a through 1.5.1...
WordPress StatCounter – Free Real Time Visitor Stats plugin <= 2.1.1 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability
Authenticated (Author+) Stored Cross-Site Scripting vulnerability discovered by ZAST.AI - ZAST.AI in WordPress Plugin StatCounter versions <= 2.1.1...
CVE-2026-9673
CVE-2026-9673 affects json-2-csv versions 3.15.0 and earlier up to 5.5.11, vulnerable to CSV Injection via the preventCsvInjection option, which can be bypassed. An attacker can inject formulas into CSV files that execute when opened in spreadsheet apps. The SNYK entry describes a PoC and recomme...
Exploit for Improper Input Validation in Hoverfly
CVE-2025-54123 — Hoverfly Middleware API Remote Code Execution...
WordPress LiveSmart Video Chat Live Video Chat plugin <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin LiveSmart Video Chat Live Video Chat versions <= 1.2...
WordPress Smart Online Order for Clover plugin <= 1.6.0 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by she11f in WordPress Plugin Smart Online Order for Clover versions <= 1.6.0...
WordPress ITactics theme <= 1.0 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds in WordPress Theme ITactics versions <= 1.0...
CVE-2026-8868
The Single Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'single-mailchimp' shortcode in all versions up to, and including, 1.4. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes autocomplete, label,...
CVE-2026-9200 Query Shortcode <= 0.2.1 - Authenticated (Contributor+) Local File Inclusion via 'lens' Shortcode Attribute
The Query Shortcode plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.2.1 via the shortcode function. This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary .php files on the...
CVE-2026-8870 Team Master <= 1.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Team Master – A Modern WordPress Team Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
CVE-2026-24520 WordPress Tiktok Feed plugin <= 1.0.24 - Broken Access Control vulnerability
Missing Authorization vulnerability in bPlugins Tiktok Feed allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tiktok Feed: from n/a through 1.0.24...
WordPress jQuery googleslides plugin <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Gilang - DJ in WordPress Plugin jQuery googleslides versions <= 1.3...
WordPress Iona theme <= 1.0.8 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Iona versions <= 1.0.8...
CVE-2026-9376 JPress UCenter Article Submission Endpoint doWriteSave improper authorization
A vulnerability was determined in JPress up to 1.0.3. The affected element is an unknown function of the file /ucenter/article/doWriteSave of the component UCenter Article Submission Endpoint. Executing a manipulation of the argument id/userId can lead to improper authorization. The attack may be...
WordPress WP ERP Pro plugin <= 1.5.1 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by kudasav in WordPress Plugin WP ERP Pro versions <= 1.5.1...