CVE-2026-40750 WordPress Kids Online Store theme <= 0.8.9 - Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in themagnifico52 Kids Online Store allows Upload a Web Shell to a Web Server. This issue affects Kids Online Store: from n/a through 0.8.9...

CVE-2026-8442

The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8. This is due to missing authorization checks on the wpfbhidereview and wprpsavereviewadmin AJAX handlers combined with insufficient path validation in the wpfbhidereviewaj...

CVE-2026-8176

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. The plugin chains three independent flaws that together allow an authenticated Agent Agent+ to overwrite a...

CVE-2026-52715

Unauthenticated SQL Injection in GEO my WordPress = 4.5.5 versions...

CVE-2026-39581

Subscriber SQL Injection in WP Sessions Time Monitoring Full Automatic = 1.1.4 versions...

CVE-2025-68045

Unauthenticated Broken Access Control in WP Event SOlution = 4.1.12 versions...

EUVD-2026-37060

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. The plugin chains three independent flaws that together allow an authenticated Agent Agent+ to overwrite a...

CVE-2026-8442

The WP Review Slider Pro plugin for WordPress is affected up to version 12.6.8 by Arbitrary File Deletion due to missing authorization on the wpfb_hide_review and wprp_save_review_admin AJAX handlers and inadequate path validation in wpfb_hidereview_ajax(), which uses strpos() to verify the URL p...

CVE-2026-2381

The CVE concerns the WooCommerce Stripe Payment Gateway plugin for WordPress, affected in all versions up to 10.7.0. Root cause: missing capability check and missing order ownership/order_key verification in the wc_stripe_pay_for_order WC‑AJAX endpoint, with only a nonce validation. Impact: unaut...

CVE-2026-8176

CVE-2026-8176 affects the LatePoint – Calendar Booking Plugin for WordPress. In versions up to 5.5.1, three independent flaws allow an authenticated Agent+ to overwrite a WordPress Administrator’s password without using an Administrator-only API, enabling privilege escalation to Administrator. Th...

CVE-2026-8442 WP Review Slider Pro <= 12.6.8 - Authenticated (Subscriber+) Arbitrary File Deletion via 'myaction' Parameter

The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8. This is due to missing authorization checks on the wpfbhidereview and wprpsavereviewadmin AJAX handlers combined with insufficient path validation in the wpfbhidereviewaj...

CVE-2026-8176 LatePoint <= 5.5.1 - Authenticated (Agent+) Privilege Escalation to Administrator via IDOR in OsOrdersController::create_or_update + Unauthenticated Customer-Cabinet Password Reset

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. The plugin chains three independent flaws that together allow an authenticated Agent Agent+ to overwrite a...

EUVD-2026-37061

The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8. This is due to missing authorization checks on the wpfbhidereview and wprpsavereviewadmin AJAX handlers combined with insufficient path validation in the wpfbhidereviewaj...

CVE-2026-40809 WordPress Metro Magazine theme <= 1.4.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Metro Magazine: from n/a through 1.4.1...

CVE-2026-49772 WordPress The Events Calendar plugin 6.15.12-6.16.2 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Liquid Web / StellarWP The Events Calendar allows Blind SQL Injection. This issue affects The Events Calendar: from 6.15.12 through 6.16.2...

CVE-2026-49774 WordPress RD Station plugin <= 5.6.0 - Remote Code Execution (RCE) vulnerability

Improper Control of Generation of Code 'Code Injection' vulnerability in Filipe Nasc RD Station allows Remote Code Inclusion. This issue affects RD Station: from n/a through 5.6.0...

WordPress WooCommerce Stripe Payment Gateway plugin <= 10.7.0 - Missing Authorization to Unauthenticated Order Status Manipulation vulnerability

Missing Authorization to Unauthenticated Order Status Manipulation vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin WooCommerce Stripe Payment Gateway versions = 10.7.0...

WordPress Secure Client Portal and Private File Sharing Plugin – User Private Files plugin <= 2.1.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability

Authenticated Subscriber+ Stored Cross-Site Scripting vulnerability discovered by pham quang huy Zibanana in WordPress Plugin User Private Files versions = 2.1.6...

CVE-2026-54198 WordPress Media LIbrary Assistant plugin <= 3.35 - Reflected Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting XSS in Media LIbrary Assistant = 3.35 versions...

CVE-2026-54197 WordPress GetGenie plugin <= 4.4.1 - Sensitive Data Exposure vulnerability

Unauthenticated Sensitive Data Exposure in GetGenie = 4.4.1 versions...