CVE-2026-39498
The connected document identifies CVE-2026-39498-related details: a PHP Object Injection vulnerability in the WordPress YayMail plugin, affecting versions ≤ 4.3.3 and discovered by daroo. No additional root-cause, impact, exploit, or remediation details are provided in the sources. Monitor for ...
CVE-2026-39499
The connected Patchstack entry documents a PHP Object Injection vulnerability in the WordPress plugin “Advanced Product Fields (Product Addons) for WooCommerce” (versions
CVE-2026-39492
The CVE records an unauthenticated SQL Injection in WordPress WP Maps plugin
CVE-2026-39493
CVE-2026-39493: The WordPress plugin Simply Schedule Appointments (versions
CVE-2026-39491
CVE-2026-39491 affects the WordPress JupiterX Core plugin (versions
CVE-2026-39489
The CVE-2026-39489 entry details a vulnerability in WordPress Download Monitor plugin versions
CVE-2026-39481
CVE-2026-39481 affects the WordPress plugin Modula Image Gallery (versions up to 2.14.18). The issue is described as a PHP Object Injection vulnerability in the plugin, with the author component cited in the initial description. Providing concrete exploit details, affected files, or remediation s...
CVE-2026-39480
CVE-2026-39480 affects the WordPress plugin Backup Migration (versions
CVE-2026-39474
CVE-2026-39474 concerns the WordPress Post Duplicator plugin (versions
CVE-2026-39478
CVE-2026-39478 concerns the WordPress plugin “Anti-Malware Security and Brute-Force Firewall” (versions
CVE-2026-39472
CVE-2026-39472 affects the WordPress WooCommerce PDF Invoices & Packing Slips plugin prior to version 5.9.0, where a PHP Object Injection vulnerability was reported affecting shop manager operations. The root cause is a PHP Object Injection flaw in this plugin version, with CVSS 3.1 base metr...
CVE-2026-39471
CVE-2026-39471 affects the WordPress ShortPixel Image Optimizer plugin (
CVE-2026-39470
CVE-2026-39470 affects the WordPress plugin WooCommerce Cart Abandonment Recovery, specifically versions earlier than 2.1.0. The issue is a Privilege Escalation that allows a shop manager to gain higher privileges. The reported impact is Confidentiality, Integrity, and Availability at high severi...
CVE-2026-39468
WordPress Meta Box – WordPress Custom Fields Framework plugin
CVE-2026-39465
CVE-2026-39465: The WordPress plugin Responsive Slider by MetaSlider (versions
CVE-2026-39463
CVE-2026-39463 affects the WordPress plugin ManageWP Worker (versions
CVE-2026-39451
CVE-2026-39451 concerns the WordPress WP Google Review Slider plugin (versions <= 18.0), with an unauthenticated Cross-Site Scripting (XSS) vulnerability reported. The Patchstack entry notes the vulnerability (discovered by hhhai) in versions
CVE-2026-39450
CVE-2026-39450 concerns the WordPress FunnelKit Automations plugin, version
CVE-2026-39449
CVE-2026-39449 is an unauthenticated Cross Site Scripting (XSS) vulnerability in the WordPress plugin Contact Form to Any API for versions ≤ 3.0.3. The issue is documented by Patchstack and CVEs listed in connected records; affected component is the plugin and the root cause details are not discl...
CVE-2026-39447
CVE-2026-39447: Unauthenticated Cross-Site Scripting (XSS) in the WordPress plugin Simply Schedule Appointments (versions
CVE-2026-39435
CVE-2026-39435 affects WordPress CformsII plugin versions
CVE-2026-39441
CVE-2026-39441 affects the WordPress plugin Feed KuantoKusta for WooCommerce – Free, version
CVE-2026-34902
CVE-2026-34902 describes an unauthenticated Cross Site Scripting (XSS) vulnerability in the WordPress plugin “WooCommerce Product Table Lite” up to version 4.6.3. The issue affects the plugin’s handling of input in the product table rendering, enabling XSS payloads to be executed in contexts wher...
CVE-2026-39434
CVE-2026-39434 affects WordPress CTX Feed plugin (WebAppick CTX Feed) versions
CVE-2026-34901
CVE-2026-34901 affects WordPress iControlWP plugin,
CVE-2026-34900
CVE-2026-34900 concerns the WordPress GiveWP plugin up to version 4.14.2, with an Unauthenticated Reflected Cross Site Scripting (XSS) vulnerability reported. The connected Patchstack entry confirms the affected product and vulnerability type (Reflected XSS) but does not provide specific exploit ...
CVE-2026-34898
The CVE-2026-34898 entry concerns the WordPress plugin “Event Tickets Manager for WooCommerce” (versions <= 1.5.3). It describes Unauthenticated Broken Access Control, with CVSS v3.1 base metrics: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, base score 7.5 (HIGH). The vulnerability impacts integrity (...
CVE-2026-34892
The CVE-2026-34892 entry describes a Broken Access Control vulnerability in the WordPress Rank Math SEO plugin (versions
CVE-2026-34891
CVE-2026-34891 concerns the WordPress IDPay Payment Gateway for WooCommerce plugin (
CVE-2026-34886
The CVE-2026-34886 entry affects WordPress Simple Membership plugin versions
CVE-2026-27407
CVE-2026-27407 concerns the WordPress AI Engine plugin, affected versions
CVE-2026-27333
The CVE concerns the WordPress plugin “Paid Videochat Turnkey Site” (versions
CVE-2026-27089
WPTravelly plugin for WordPress, versions
CVE-2026-27053
The CVE concerns WordPress plugin Broadcast Live Video (versions
CVE-2026-25425
CVE-2026-25425 concerns the WordPress plugin User Registration (versions ≤ 5.1.2). The connected sources confirm an Unauthenticated Broken Access Control vulnerability in this plugin, affecting its ability to restrict access to certain functions or data. The CVE entry explicitly lists the issue a...
CVE-2026-25440
The CVE-2026-25440 entry concerns the WordPress plugin “Essential Addons for Elementor” (Lite) versions prior to 6.6.0, which contains an Unauthenticated Broken Access Control vulnerability. The issue is triggered in versions <6.6.0 and can be exploited without authentication, with no user int...
CVE-2026-24637
CVE-2026-24637 affects the WordPress PowerPress Podcasting plugin, specifically versions
CVE-2026-23970
The CVE covers WordPress plugin Redirection for Contact Form 7 (versions
CVE-2026-9691
The WordPress plugin “Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms” (vendor: WordPress ecosystem; affected component: PHP object injection vulnerability) is vulnerable in versions
CVE-2025-69332
The CVE-2025-69332 entry concerns the WordPress Bookify plugin (versions
CVE-2025-68851
CVE-2025-68851 refers to the WordPress Okay Toolkit plugin (<= 2.3) and describes an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability. The vulnerability was identified by Skalucy. The provided documents do not specify the exact vulnerable input, affected product version(s) be...
CVE-2025-68872
CVE-2025-68872 is a reflected XSS vulnerability in the WordPress plugin “Eli's WordCents adSense Widget with Analytics” (versions
CVE-2025-68840
CVE-2025-68840 is a reflected XSS vulnerability in the WordPress plugin iRobots.txt SEO, affected versions:
CVE-2025-68049
CVE-2025-68049 affects the WordPress bunny.net plugin, version up to 2.3.6, with a Broken Access Control flaw. The CVSS 3.1 base metrics indicate Low impact to confidentiality, integrity, and availability, and a network attack vector with low privileges required and no user interaction. The provi...
CVE-2025-60175
CVE-2025-60175: WordPress PopAd plugin (≤1.0.4) contains a Server-Side Request Forgery (SSRF) vulnerability. The entry specifies an authenticated (Admin+) context, indicating exploitation requires user authorization, potentially enabling internal network requests to unintended targets. The avail...
CVE-2025-59133
CVE-2025-59133 describes an insecure direct object reference (IDOR) in the WordPress plugin Projectopia (WordPress Projectopia – projectopia-core) version
CVE-2026-48125
UAParser.js suffers a regular expression Denial of Service (ReDoS) when using Client Hints via UAParser(headers).withClientHints(). The issue is triggered by a crafted Sec-CH-UA-Model header, causing catastrophic backtracking in a server-side application and resulting in high CPU usage (availabil...
CVE-2026-48709
CVE-2026-48709 affects OliveTin’s ValidateArgumentType RPC endpoint (service/internal/api/api.go). In versions
CVE-2026-53633
CVE-2026-53633 relates to Vitest Browser Mode where the CDP bridge is exposed to the network. The connected advisory explains that the browser API can forward raw Chrome DevTools Protocol methods over a WebSocket RPC and is not gated by write/exec guards, enabling a remote attacker to perform act...
CVE-2026-49978
CVE-2026-49978 is not detailed in the initial entry, but a connected advisory (GHSA-RP9W-3FW7-7CWQ) describes a DOMPurify IN_PLACE Sanitization Bypass: if a template contains an element with an attached shadow DOM inside its .content, DOMPurify can skip sanitizing the shadow contents. This allows...