PT-2026-49142

Name of the Vulnerable Software and Affected Versions WP User Manager versions prior to 2.9.17 Description A flaw allows a user with Subscriber privileges to perform arbitrary file deletion. Recommendations Update to a version newer than 2.9.16...

PT-2026-49140

Name of the Vulnerable Software and Affected Versions Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons versions prior to 1.4.9 Description An issue exists that leads to the exposure of sensitive subscriber data. Recommendations Update to a version...

PT-2026-49106

The Iptanus File Upload WordPress plugin before 5.1.7 does not implement proper file handling when the duplicatepolicy setting is configured to "maintain both." Due to a Time-of-Check to Time-of-Use TOCTOU race condition between the file existence check and the actual file write operation, an...

PT-2026-49139

Name of the Vulnerable Software and Affected Versions JetSearch versions prior to 3.5.18 Description An unauthenticated SQL Injection allows an attacker to interfere with the queries that an application makes to its database. This occurs in the JetSearch WordPress plugin. Recommendations Update t...

PT-2026-49114

Name of the Vulnerable Software and Affected Versions User Registration Stripe versions prior to 1.3.13 Description Unauthenticated broken access control allows unauthorized users to bypass security restrictions within the plugin. Recommendations Update to a version later than 1.3.12...

PT-2026-49117

Name of the Vulnerable Software and Affected Versions Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms versions prior to 1.1.2 Description An unauthenticated PHP Object Injection issue exists in the software. PHP Object Injection occurs when user-supplied input i...

PT-2026-49107

Name of the Vulnerable Software and Affected Versions WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms versions prior to 1.1.5 Description An unauthenticated PHP Object Injection issue exists in the plugin. PHP Object Injection occurs when user-supplied input is...

PT-2026-49143

Name of the Vulnerable Software and Affected Versions WP Go Maps versions prior to 10.0.10 Description The plugin fails to properly enforce the marker approval filter on the admin-ajax fallback for its datatables route. This allows unauthenticated visitors to retrieve marker records that the site...

PT-2026-49116

Name of the Vulnerable Software and Affected Versions Shared Files versions prior to 1.7.65 Description An unauthenticated path traversal issue exists, allowing an attacker to access files and directories outside the intended folder on the server. Recommendations Update to a version newer than...

PT-2026-49115

Name of the Vulnerable Software and Affected Versions Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms versions prior to 1.2.2 Description An unauthenticated PHP Object Injection issue exists in the software. PHP Object Injection occurs when...

PT-2026-49169

Name of the Vulnerable Software and Affected Versions WP Travel Engine versions prior to 6.7.11 Description An unauthenticated issue exists in the WP Travel Engine plugin that allows for an unspecified vulnerability type to be exploited without requiring user authentication. Recommendations Updat...

PT-2026-49141

Name of the Vulnerable Software and Affected Versions LatePoint versions prior to 5.5.2 Description A privilege escalation issue exists where users with Contributor roles can gain higher privileges. Recommendations Update to version 5.5.2 or later...

Exploit for Authentication Bypass Using an Alternate Path or Channel in Gitlab

CVE-2025-4524...

Exploit for CVE-2026-42647

CVE-2026-42647 - JoomSport Unauthenticated Time-Based Blind SQ...

Exploit for CVE-2026-1555

CVE-2026-1555: Unauthenticated Arbitrary File Upload in WebSta...

CVE-2026-5513

The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bookly-customer-full-name' cookie in versions up to, and including, 27.2 due to insufficient input sanitization and output escaping. This makes it possible for...

Exploit for CVE-2026-48907

CVE-2026-48907 Description هذا الملف CVE-2025-9209.py هو أداة...

EUVD-2026-36651

The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bookly-customer-full-name' cookie in versions up to, and including, 27.2 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2026-5513

The Bookly WordPress plugin (Online Scheduling and Appointment Booking System) is vulnerable to Stored XSS in versions up to 27.2 via the bookly-customer-full-name cookie due to insufficient input sanitization and output escaping. Unauthenticated attackers can inject arbitrary scripts that execut...

CVE-2026-1291

The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/saveshortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with...