CVE Feed

Latest vulnerabilities from the National Vulnerability Database.

Total: 20346
Critical: 1466
High: 6163
Medium: 6464
CVE ID Severity Score Description Published
CVE-2026-13251 HIGH 7.5 The Perfmatters plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.6.4 via the 's' parameter. This makes it … Jul 02, 2026
CVE-2026-12657 MEDIUM 5.3 The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, … Jul 02, 2026
CVE-2026-12472 MEDIUM 5.3 The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, … Jul 02, 2026
CVE-2026-12134 MEDIUM 4.3 The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to authorization bypass in all versions up to, … Jul 02, 2026
CVE-2026-12122 MEDIUM 5.3 The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and … Jul 02, 2026
CVE-2026-11896 MEDIUM 5.3 The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.14 … Jul 02, 2026
CVE-2026-10104 MEDIUM 4.4 The Product Video Gallery for Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom_thumbnail Parameter in all versions up to, and including, … Jul 02, 2026
CVE-2026-9563 HIGH 7.5 In Eclipse Parsson published Maven Central artifacts before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed … Jul 02, 2026
CVE-2026-8147 HIGH 8.1 In MLflow versions prior to 3.14.0, when running with authentication enabled, the trace API endpoints lack proper authorization validators. This allows any authenticated user to … Jul 02, 2026
CVE-2026-33592 HIGH 7.5 An unauthenticated remote attacker can exhaust server memory via the FindServers Discovery Service in open62541. The serverUris field of FindServersRequest is not validated for length … Jul 02, 2026
CVE-2026-5821 HIGH 8.1 The Image Optimizer plugin for WordPress is vulnerable to arbitrary file deletion in versions up to and including 1.7.4. This is due to insufficient path … Jul 02, 2026
CVE-2026-5348 MEDIUM 5.3 The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, … Jul 02, 2026
CVE-2026-14249 HIGH 7.5 The Request a Quote plugin for WordPress is vulnerable to Code Injection in versions up to, and including, 2.5.5 via the emd_delete_file AJAX action. This … Jul 02, 2026
CVE-2026-13704 MEDIUM 6.4 The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sequoia[introduction][image]' parameter in all versions up … Jul 02, 2026
CVE-2026-13357 MEDIUM 4.9 The Houzez Property Feed plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.5.46 due … Jul 02, 2026
CVE-2026-11965 MEDIUM 6.5 The User Registration & Membership WordPress plugin before 5.2.0 does not enforce payment completion before activating a paid membership subscription, allowing unauthenticated users (after self-registering … Jul 02, 2026
CVE-2026-11781 LOW 2.7 The Adminify WordPress plugin before 4.2.10 does not perform per-user read-capability checks on the results returned by one of its administration search features, allowing users … Jul 02, 2026
CVE-2026-11600 MEDIUM 4.3 The Envo's Templates & Widgets for Elementor and WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check … Jul 02, 2026
CVE-2026-11592 MEDIUM 4.3 The Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all … Jul 02, 2026
CVE-2026-11578 LOW 2.7 The Fluent Forms WordPress plugin before 6.2.5 does not properly restrict the deletion of form submission entries to the forms a restricted Manager is authorized … Jul 02, 2026
CVE-2026-10089 MEDIUM 6.4 The Insert Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post custom field keys (meta key names) in all versions up to, … Jul 02, 2026
CVE-2026-10077 MEDIUM 6.8 The yootheme WordPress theme before 5.0.35 does not prevent its bundled front-end framework from treating certain HTML attributes, which are permitted by wp_kses_post(), as markup, … Jul 02, 2026
CVE-2026-57278 HIGH 8.3 GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software … Jul 02, 2026
CVE-2026-57277 HIGH 8.3 GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software … Jul 02, 2026
CVE-2026-57276 HIGH 8.3 GeoWebPlayer (also called "Web Plugin" in the GV-VMS documentation and "WS Player" for VMS-Cloud) is an addon that can be installed with various GeoVision software … Jul 02, 2026