CVE-2026-40782 WordPress WPAdverts plugin <= 2.3.0 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in WPAdverts = 2.3.0 versions...

CVE-2026-40781 WordPress ReviewX plugin <= 2.3.6 - Broken Authentication vulnerability

Unauthenticated Broken Authentication in ReviewX = 2.3.6 versions...

CVE-2026-40781 WordPress ReviewX plugin <= 2.3.6 - Broken Authentication vulnerability

Unauthenticated Broken Authentication in ReviewX = 2.3.6 versions...

CVE-2026-40779

CVE-2026-40779 affects the WordPress WordPress Link Library plugin, version

CVE-2026-40776

CVE-2026-40776 affects the WP Event Solution (Eventin) plugin up to version 4.1.8, where unauthenticated requests can trigger Broken Access Control. The root cause involves three permission checks that accept a wp_rest nonce as authentication, plus an IDOR-prone Order endpoint and an open seat-bo...

CVE-2026-40771

CVE-2026-40771 affects the WordPress Contest Gallery plugin and is an unauthenticated SQL Injection vulnerability in versions

CVE-2026-40770 WordPress Coupon Affiliates plugin <= 7.5.3 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting XSS in Coupon Affiliates = 7.5.3 versions...

CVE-2026-40770

CVE-2026-40770 concerns the WordPress plugin Coupon Affiliates (versions

CVE-2026-40762 WordPress WPGraphQL plugin < 2.11.1 - SQL Injection vulnerability

Unauthenticated SQL Injection in WPGraphQL 2.11.1 versions...

CVE-2026-40762

The WPGraphQL WordPress plugin is affected by an unauthenticated SQL Injection in versions earlier than 2.11.1. The issue originates in WPGraphQL

CVE-2026-40741 WordPress Redsys for WooCommerce Light plugin <= 7.0.0 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Redsys for WooCommerce Light = 7.0.0 versions...

CVE-2026-40732 WordPress Notification for Telegram plugin <= 3.5 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting XSS in Notification for Telegram = 3.5 versions...

CVE-2026-40727 WordPress Groundhogg plugin <= 4.4 - Arbitrary File Deletion vulnerability

Sales Representative Arbitrary File Deletion in Groundhogg = 4.4 versions...

CVE-2026-40727

The CVE covers WordPress Groundhogg plugin versions ≤ 4.4, vulnerable to Arbitrary File Deletion in the Sales Representative component. The root cause details are not fully provided, but the CVSSv3.1 score is 7.7 (HIGH) with Network attack vector, low attack complexity, privilege requirement, and...

CVE-2026-39591

The CVE-2026-39591 entry concerns the WordPress WP-BusinessDirectory plugin up to version 4.0.0, where a Subscriber Arbitrary File Upload vulnerability is reported. Connected sources confirm the affected product and vulnerability class but do not provide exploit details or mitigation steps beyond...

CVE-2026-39583

The CVE-2026-39583 entry concerns WordPress plugin Datalogics Ecommerce Delivery (versions

CVE-2026-39540

CVE-2026-39540 concerns WordPress plugin Shipment Tracker for Woocommerce (versions up to and including 1.5.3.2). The vulnerability is a Cross Site Scripting (XSS) issue in subscriber-facing context. Public sources indicate a CVSSv3.1 base score of 6.5 (Medium) with network attack vector, low att...

CVE-2026-39533

The CVE-2026-39533 entry concerns the WordPress AWP Classifieds plugin (versions

CVE-2026-39525 WordPress Booking Activities plugin <= 1.16.48.1 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Booking Activities = 1.16.48.1 versions...

CVE-2026-39519 WordPress GeekyBot plugin <= 1.2.0 - SQL Injection vulnerability

Unauthenticated SQL Injection in GeekyBot = 1.2.0 versions...