CVE-2026-39480
CVE-2026-39480 affects the WordPress plugin Backup Migration (versions
CVE-2026-39474
The CVE CVE-2026-39474 concerns the WordPress Post Duplicator plugin (versions
CVE-2026-39478
CVE-2026-39478 concerns the WordPress plugin “Anti-Malware Security and Brute-Force Firewall” (versions
CVE-2026-39472
CVE-2026-39472 affects the WordPress WooCommerce PDF Invoices & Packing Slips plugin prior to version 5.9.0: a PHP Object Injection vulnerability reachable through shop manager operations, with CVSS 3.1 base metr...
CVE-2026-39471
CVE-2026-39471 affects the WordPress ShortPixel Image Optimizer plugin (
CVE-2026-39470
CVE-2026-39470 affects the WordPress plugin WooCommerce Cart Abandonment Recovery, specifically versions earlier than 2.1.0. The issue is a Privilege Escalation that allows a shop manager to gain higher privileges. The reported impact is Confidentiality, Integrity, and Availability at high severi...
CVE-2026-39468
WordPress Meta Box – WordPress Custom Fields Framework plugin
CVE-2026-39465
CVE-2026-39465 : The WordPress plugin Responsive Slider by MetaSlider (versions
CVE-2026-39463
CVE-2026-39463 affects the WordPress plugin ManageWP Worker (versions
CVE-2026-39451
CVE-2026-39451 concerns the WordPress WP Google Review Slider plugin (versions <= 18.0), with an unauthenticated Cross-Site Scripting (XSS) vulnerability reported. The Patchstack entry notes the vulnerability (discovered by hhhai) in versions
CVE-2026-39449
CVE-2026-39449 is an unauthenticated Cross-Site Scripting (XSS) vulnerability in the WordPress plugin Contact Form to Any API, versions ≤ 3.0.3. The issue is documented by Patchstack and in the connected records; the affected component is the plugin itself, and root-cause details are not discl...
CVE-2026-39450
CVE-2026-39450 concerns the WordPress FunnelKit Automations plugin, version
CVE-2026-39447
CVE-2026-39447: Unauthenticated Cross-Site Scripting (XSS) in the WordPress plugin Simply Schedule Appointments (versions
CVE-2026-39441
CVE-2026-39441 affects the WordPress plugin Feed KuantoKusta for WooCommerce – Free, version
CVE-2026-39435
CVE-2026-39435 affects WordPress CformsII plugin versions
CVE-2026-34902
CVE-2026-34902 describes an unauthenticated Cross Site Scripting (XSS) vulnerability in the WordPress plugin “WooCommerce Product Table Lite” up to version 4.6.3. The issue affects the plugin’s handling of input in the product table rendering, enabling XSS payloads to be executed in contexts wher...
CVE-2026-39434
CVE-2026-39434 affects WordPress CTX Feed plugin (WebAppick CTX Feed) versions
CVE-2026-34901
CVE-2026-34901 affects WordPress iControlWP plugin,
CVE-2026-34898
The CVE-2026-34898 entry concerns the WordPress plugin “Event Tickets Manager for WooCommerce” (versions <= 1.5.3). It describes Unauthenticated Broken Access Control, with CVSS v3.1 base metrics: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, base score 7.5 (HIGH). The vulnerability impacts integrity (...
CVE-2026-34900
CVE-2026-34900 concerns the WordPress GiveWP plugin up to version 4.14.2, with an Unauthenticated Reflected Cross Site Scripting (XSS) vulnerability reported. The connected Patchstack entry confirms the affected product and vulnerability type (Reflected XSS) but does not provide specific exploit ...
CVE-2026-34892
The CVE-2026-34892 entry describes a Broken Access Control vulnerability in the WordPress Rank Math SEO plugin (versions
CVE-2026-34891
CVE-2026-34891 concerns the WordPress IDPay Payment Gateway for WooCommerce plugin (
CVE-2026-34886
The CVE-2026-34886 entry affects WordPress Simple Membership plugin versions
CVE-2026-27407
CVE-2026-27407 concerns the WordPress AI Engine plugin, affected versions
CVE-2026-27333
The CVE concerns the WordPress plugin “Paid Videochat Turnkey Site” (versions
CVE-2026-27089
WPTravelly plugin for WordPress, versions
CVE-2026-27053
The CVE concerns WordPress plugin Broadcast Live Video (versions
CVE-2026-25425
CVE-2026-25425 concerns the WordPress plugin User Registration (versions ≤ 5.1.2). The connected sources confirm an Unauthenticated Broken Access Control vulnerability in this plugin, affecting its ability to restrict access to certain functions or data. The CVE entry explicitly lists the issue a...
CVE-2026-25440
The CVE-2026-25440 entry concerns the WordPress plugin “Essential Addons for Elementor” (Lite) versions prior to 6.6.0, which contains an Unauthenticated Broken Access Control vulnerability. The issue is triggered in versions <6.6.0 and can be exploited without authentication, with no user int...
CVE-2026-24637
CVE-2026-24637 affects the WordPress PowerPress Podcasting plugin, specifically versions
CVE-2026-23970
The CVE covers WordPress plugin Redirection for Contact Form 7 (versions
CVE-2026-9691
The WordPress plugin “Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms” has a PHP object injection vulnerability in versions
CVE-2025-69332
The CVE-2025-69332 entry concerns the WordPress Bookify plugin (versions
CVE-2025-68851
CVE-2025-68851 refers to the WordPress Okay Toolkit plugin (<= 2.3) and describes an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability. The vulnerability was identified by Skalucy. The provided documents do not specify the exact vulnerable input, affected product version(s) be...
CVE-2025-68872
CVE-2025-68872 is a reflected XSS vulnerability in the WordPress plugin “Eli's WordCents adSense Widget with Analytics” (versions
CVE-2025-68840
CVE-2025-68840 is a reflected XSS vulnerability in the WordPress plugin iRobots.txt SEO, affected versions:
CVE-2025-68049
CVE-2025-68049 affects the WordPress bunny.net plugin, version up to 2.3.6, with a Broken Access Control flaw. The CVSS 3.1 base metrics indicate Low impact to confidentiality, integrity, and availability, and a network attack vector with low privileges required and no user interaction. The provi...
CVE-2025-60175
CVE-2025-60175 : WordPress PopAd plugin (≤1.0.4) contains a Server-Side Request Forgery (SSRF) vulnerability. The entry specifies an authenticated (Admin+) context, so exploitation requires an administrator-level account; the flaw can make the server issue requests to internal network targets it should not reach. The avail...
CVE-2025-59133
CVE-2025-59133 describes an insecure direct object reference (IDOR) in the WordPress plugin Projectopia (WordPress Projectopia – projectopia-core) version
CVE-2026-48125
UAParser.js suffers a regular expression Denial of Service (ReDoS) when using Client Hints via UAParser(headers).withClientHints(). The issue is triggered by a crafted Sec-CH-UA-Model header, causing catastrophic backtracking in a server-side application and resulting in high CPU usage (availabil...
CVE-2026-48709
CVE-2026-48709 affects OliveTin’s ValidateArgumentType RPC endpoint (service/internal/api/api.go). In versions
CVE-2026-53633
CVE-2026-53633 relates to Vitest Browser Mode where the CDP bridge is exposed to the network. The connected advisory explains that the browser API can forward raw Chrome DevTools Protocol methods over a WebSocket RPC and is not gated by write/exec guards, enabling a remote attacker to perform act...
CVE-2026-49978
CVE-2026-49978 is not detailed in the initial entry, but a connected advisory (GHSA-RP9W-3FW7-7CWQ) describes a DOMPurify IN_PLACE Sanitization Bypass: if a template contains an element with an attached shadow DOM inside its .content, DOMPurify can skip sanitizing the shadow contents. This allows...
CVE-2026-48708
OliveTin is affected by a race condition in the template engine. In versions up to 3000.0.0, a single shared text/template.Template instance (tpl) is used across all goroutines, and actions perform tpl.Parse(source) followed by t.Execute() without synchronization. Under concurrent ExecRequests, t...
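The shared-template pattern described above, beside the per-request form that removes the race, as an added Go example (illustrative code written for this page, not OliveTin's own; the `Action` type, `SampleActions` inputs and `missingkey=error` hardening are assumptions of the example):

```go
package main

import (
	"bytes"
	"fmt"
	"sync"
	"text/template"
)

// Action models one ExecRequest: its own template source and arguments.
// (Hypothetical shape for illustration, not OliveTin's types.)
type Action struct {
	Name   string
	Source string
	Args   map[string]string
}

// sharedTpl reproduces the flawed pattern: one Template for every goroutine.
var sharedTpl = template.New("shared")

// unsafeRender re-parses the shared template and executes it with no lock.
// Concurrent callers race on the template's parse tree and internal maps,
// so one request can execute another request's command text (or the
// process can die with a concurrent-map fault). Kept only as the contrast
// to safeRender; never use it.
func unsafeRender(a Action) (string, error) {
	t, err := sharedTpl.Parse(a.Source) // data race: mutates shared state
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, a.Args); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// safeRender gives each request its own Template, so parsing and execution
// never share mutable state. missingkey=error additionally refuses to render
// a command whose arguments are incomplete (extra hardening, not from the
// advisory).
func safeRender(a Action) (string, error) {
	t, err := template.New(a.Name).Option("missingkey=error").Parse(a.Source)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, a.Args); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderAll runs render for every action concurrently and returns the output
// keyed by action name; errors are recorded as "ERR: <message>".
func RenderAll(actions []Action, render func(Action) (string, error)) map[string]string {
	var (
		mu  sync.Mutex
		wg  sync.WaitGroup
		out = make(map[string]string, len(actions))
	)
	for _, a := range actions {
		wg.Add(1)
		go func(a Action) {
			defer wg.Done()
			s, err := render(a)
			if err != nil {
				s = "ERR: " + err.Error()
			}
			mu.Lock()
			out[a.Name] = s
			mu.Unlock()
		}(a)
	}
	wg.Wait()
	return out
}

// SampleActions builds constructed requests whose correct output is the
// action's own command followed by its own argument, so cross-talk between
// requests is detectable.
func SampleActions(n int) []Action {
	acts := make([]Action, n)
	for i := range acts {
		name := fmt.Sprintf("action%d", i)
		acts[i] = Action{
			Name:   name,
			Source: "/usr/bin/" + name + " {{.target}}",
			Args:   map[string]string{"target": fmt.Sprintf("host%d", i)},
		}
	}
	return acts
}

// Mismatches counts rendered outputs that differ from the expected line.
func Mismatches(out map[string]string) int {
	bad := 0
	for name, s := range out {
		want := "/usr/bin/" + name + " host" + name[len("action"):]
		if s != want {
			bad++
		}
	}
	return bad
}

func main() {
	acts := SampleActions(200)
	fmt.Println("per-request template mismatches:", Mismatches(RenderAll(acts, safeRender)))
}
```

Running `RenderAll(acts, unsafeRender)` under `go run -race` reports the write/write race on the shared template immediately; the per-request version produces no race report and zero mismatches.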
CVE-2026-49458
CVE-2026-49458 is reported as a reserved candidate with no public details in the initial document, but the connected document GHSA-HPCV-96WG-7VJ8 provides concrete technical details showing a cross-realm IN_PLACE sanitization vulnerability in DOMPurify. The issue arises because DOMPurify accepts ...
CVE-2026-48124
The CVE-2026-48124 affects Cursor Desktop prior to version 3.0.0. A workspace-defined Claude hook can be configured via .claude/settings.local.json to execute local commands without dedicated user approval, enabling possible sandbox escape, persistence across turns, and local data access if an ag...
CVE-2026-49459
The connected GitHub advisory describes a DOMPurify IN_PLACE bypass: when sanitizing a detached root node (e.g., a form) with IN_PLACE: true, certain clobbering conditions let the root survive with attributes intact, enabling XSS. The root cause is a mismatch between _forceRemove and _sanitizeAtt...
CVE-2026-47261
CVE-2026-47261 : Wasmtime-wasi WASI path_open(TRUNCATE) bypasses FilePerms::WRITE host restriction. Root cause: when OpenFlags::TRUNCATE is used, open_mode was not OR-ed with WRITE, allowing a READ-only preopen with DirPerms::all() to bypass access checks via wasip1 path_open or wasip2 descriptor...
CVE-2026-47825
The CVE affects Spring Cloud Gateway Server components (WebMVC and WebFlux gateways) where headers from untrusted proxies (X-Forwarded-For, Forwarded) are forwarded in certain configurations. Root cause: forwarded-header handling without a trusted-proxy basis allows forged headers to reach downst...
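What a "trusted-proxy basis" for forwarded headers looks like in practice, as an added Go model written for this page (not Spring Cloud Gateway's code; the `ForwardedPolicy` type, the CIDR list and the sample addresses are assumptions of the example): the client address is taken from X-Forwarded-For only when the direct peer is a known proxy, and headers arriving from anyone else are replaced before the request goes downstream.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// ForwardedPolicy decides whose forwarding headers the gateway believes:
// only peers inside the configured trusted-proxy CIDRs.
type ForwardedPolicy struct {
	trusted []*net.IPNet
}

func NewForwardedPolicy(cidrs ...string) (*ForwardedPolicy, error) {
	p := &ForwardedPolicy{}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad trusted proxy %q: %w", c, err)
		}
		p.trusted = append(p.trusted, n)
	}
	return p, nil
}

func (p *ForwardedPolicy) isTrusted(addr string) bool {
	ip := net.ParseIP(strings.TrimSpace(addr))
	if ip == nil {
		return false
	}
	for _, n := range p.trusted {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// hostOnly drops the port from a RemoteAddr such as "10.0.0.5:4321".
func hostOnly(remoteAddr string) string {
	if h, _, err := net.SplitHostPort(remoteAddr); err == nil {
		return h
	}
	return remoteAddr
}

// ClientIP returns the address to treat as the client. The header is honored
// only when the direct peer is a trusted proxy; the chain is then walked
// right to left so hops appended by trusted proxies are skipped and the first
// untrusted address (the real client) wins. Without this basis any client can
// forge the header and impersonate an arbitrary source address.
func (p *ForwardedPolicy) ClientIP(remoteAddr, xff string) string {
	peer := hostOnly(remoteAddr)
	if !p.isTrusted(peer) || strings.TrimSpace(xff) == "" {
		return peer
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		h := strings.TrimSpace(hops[i])
		if !p.isTrusted(h) {
			return h
		}
	}
	return strings.TrimSpace(hops[0])
}

// Sanitize rewrites forwarding headers before the request is proxied on.
// From an untrusted peer every Forwarded and X-Forwarded-* header is dropped
// and replaced with what the gateway itself observed, so a forged value
// never reaches a backend that trusts the gateway. From a trusted proxy the
// chain is kept and the peer is appended, as any proxy does.
func (p *ForwardedPolicy) Sanitize(remoteAddr string, h http.Header) {
	peer := hostOnly(remoteAddr)
	if !p.isTrusted(peer) {
		for name := range h {
			lower := strings.ToLower(name)
			if lower == "forwarded" || strings.HasPrefix(lower, "x-forwarded-") {
				delete(h, name)
			}
		}
		h.Set("X-Forwarded-For", peer)
		return
	}
	if prior := strings.Join(h.Values("X-Forwarded-For"), ", "); prior != "" {
		h.Set("X-Forwarded-For", prior+", "+peer)
	} else {
		h.Set("X-Forwarded-For", peer)
	}
}

func main() {
	p, err := NewForwardedPolicy("10.0.0.0/8")
	if err != nil {
		panic(err)
	}
	// Untrusted peer forging the header: header ignored, peer address used.
	fmt.Println(p.ClientIP("203.0.113.7:5555", "198.51.100.9"))
	// Trusted proxy relaying a real client: the client address is recovered.
	fmt.Println(p.ClientIP("10.0.0.5:1234", "198.51.100.9, 10.0.0.8"))
}
```

The same rule applies to the RFC 7239 `Forwarded` header and to X-Forwarded-Proto/Host: trust is a property of the peer connection, never of the header contents.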
CVE-2026-48518
Affected software: MultiJuicer (versions 8.0.0–10.0.0) running on a central Kubernetes deployment. Vulnerability: CSRF in the team join endpoint (POST /multi-juicer/api/teams/{team}/join) that accepts any Content-Type, bypassing CORS preflight and enabling a cross-site form to force a victim to j...
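Why accepting any Content-Type on a JSON endpoint defeats the CORS preflight, and the server-side check that closes it, as an added Go example written for this page (not MultiJuicer's code; the `JoinGuard` type, the allowed origin and the constructed requests are assumptions of the example). A cross-site HTML form can only send the three "simple" content types, so requiring `application/json` forces a preflight that fails for an origin the server does not allow; Sec-Fetch-Site and Origin give two further checks that cost nothing:

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"strings"
)

// JoinGuard enforces the request properties a cross-site HTML form cannot
// produce. AllowedOrigins lists the origins that may call the API from a
// browser, e.g. "https://juice.example".
type JoinGuard struct {
	AllowedOrigins map[string]bool
}

// Allow returns nil when the request may proceed, or the reason it is rejected.
func (g JoinGuard) Allow(r *http.Request) error {
	if r.Method != http.MethodPost {
		return fmt.Errorf("method %s not allowed", r.Method)
	}
	// 1. Forms and no-cors fetches are limited to form-urlencoded,
	//    multipart/form-data and text/plain. Requiring application/json means
	//    a cross-origin caller must preflight, and the preflight is refused
	//    unless its origin is allowed. Parameters such as charset are fine.
	raw := r.Header.Get("Content-Type")
	ct, _, err := mime.ParseMediaType(raw)
	if err != nil || ct != "application/json" {
		return fmt.Errorf("content type %q rejected; application/json required", raw)
	}
	// 2. Browsers attach Sec-Fetch-Site; "cross-site" is never legitimate here.
	if r.Header.Get("Sec-Fetch-Site") == "cross-site" {
		return fmt.Errorf("cross-site request rejected")
	}
	// 3. When an Origin is present it must be ours. Non-browser clients omit
	//    it; they are not CSRF victims and are already covered by check 1.
	if origin := r.Header.Get("Origin"); origin != "" && !g.AllowedOrigins[strings.ToLower(origin)] {
		return fmt.Errorf("origin %q not allowed", origin)
	}
	return nil
}

// newJoinRequest builds a constructed request against the team join path
// from the advisory, with the headers a given client would send.
func newJoinRequest(team, contentType, origin, secFetchSite string) *http.Request {
	r, err := http.NewRequest(http.MethodPost,
		"/multi-juicer/api/teams/"+team+"/join",
		strings.NewReader(`{"passcode":"12345678"}`))
	if err != nil {
		panic(err)
	}
	r.Header.Set("Content-Type", contentType)
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	if secFetchSite != "" {
		r.Header.Set("Sec-Fetch-Site", secFetchSite)
	}
	return r
}

func main() {
	g := JoinGuard{AllowedOrigins: map[string]bool{"https://juice.example": true}}
	// A cross-site <form> post: simple content type, attacker origin.
	fmt.Println(g.Allow(newJoinRequest("team-a", "application/x-www-form-urlencoded", "https://evil.example", "cross-site")))
	// The legitimate front end calling its own API.
	fmt.Println(g.Allow(newJoinRequest("team-a", "application/json; charset=utf-8", "https://juice.example", "same-origin")))
}
```

The Content-Type check is the one that actually matters for the bug as described: a form cannot set `application/json`, so the browser never sends the request without a preflight the server controls.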