Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 20386 | Critical: 1466 | High: 6177 | Medium: 6480

| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-12732 | MEDIUM | 6.4 | The LearnPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_wrapper_form' shortcode attribute in versions up to, and including, 4.4.0. This is … | Jul 01, 2026 |
| CVE-2026-12577 | UNKNOWN | — | DVP80ES3 with Improperly Implemented Security Check for Standard vulnerability. | Jul 01, 2026 |
| CVE-2026-12576 | HIGH | 7.5 | DVP80ES3 with Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability. | Jul 01, 2026 |
| CVE-2026-12575 | HIGH | 7.5 | DVP80ES3 with Improper Resource Shutdown or Release vulnerability. | Jul 01, 2026 |
| CVE-2026-12435 | MEDIUM | 4.3 | The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.111. … | Jul 01, 2026 |
| CVE-2026-12408 | MEDIUM | 4.3 | The Slim SEO – A Fast & Automated SEO Plugin For WordPress plugin for WordPress is vulnerable to Unauthorized Private Content Disclosure in all versions … | Jul 01, 2026 |
| CVE-2026-12224 | HIGH | 8.8 | The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via update_capabilities REST Endpoint in all versions up to, and including, 5.0.4. This is … | Jul 01, 2026 |
| CVE-2026-12158 | HIGH | 8.8 | The RegistrationMagic – User Registration Forms Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0.9.1. This … | Jul 01, 2026 |
| CVE-2026-11387 | CRITICAL | 9.8 | The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account … | Jul 01, 2026 |
| CVE-2026-10540 | MEDIUM | 5.6 | The Control-M/Enterprise Manager uses weak protections for stored hashes of account passwords, potentially allowing offline password recovery attacks if credential data is obtained by an … | Jul 01, 2026 |
| CVE-2026-10539 | CRITICAL | 9.0 | A Control-M/Server communication command does not sufficiently filter or sanitize user-supplied input. Under certain conditions, this issue may allow an unauthenticated attacker to execute unauthorized … | Jul 01, 2026 |
| CVE-2026-10538 | HIGH | 8.0 | Messaging consumer functionality allows deserialization of user-controlled data without sufficient restriction of allowed object types in the out of support Control-M/Server and Control-M/Enterprise Manager versions … | Jul 01, 2026 |
| CVE-2026-10096 | MEDIUM | 4.3 | The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'page_id' parameter … | Jul 01, 2026 |
| CVE-2026-1239 | HIGH | 7.5 | The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to unauthorized access of data due to a … | Jul 01, 2026 |
| CVE-2026-14193 | HIGH | 7.5 | DVP80ES300T with Improper Validation of Array Index Vulnerability | Jul 01, 2026 |
| CVE-2026-12579 | HIGH | 7.4 | AS228T with Authentication Bypass Vulnerability | Jul 01, 2026 |
| CVE-2026-11887 | MEDIUM | 4.3 | The Salon Booking System WordPress plugin before 10.30.20 does not have proper authorisation checks on one of its AJAX actions, allowing any authenticated user, such … | Jul 01, 2026 |
| CVE-2026-11883 | HIGH | 7.2 | The WebAuthn Provider for Two Factor WordPress plugin before 2.5.6 does not correctly validate the second-factor authentication response, allowing an attacker who already knows a … | Jul 01, 2026 |
| CVE-2026-11880 | LOW | 3.1 | The Fluent Forms WordPress plugin before 6.2.1 does not properly verify ownership before processing a subscription cancellation request, allowing authenticated users with a low-privilege account … | Jul 01, 2026 |
| CVE-2026-11823 | HIGH | 7.5 | The BookingPress Appointment Booking Pro plugin for WordPress is vulnerable to SQL Injection via the 'store_service_date' parameter of the bpa_assign_staffmember_to_slots() function in versions up to … | Jul 01, 2026 |
| CVE-2026-11794 | HIGH | 8.1 | The Advanced Form Integration — Connect Forms to 200+ Apps WordPress plugin before 2.1.1 does not restrict the WordPress role assigned when it creates a … | Jul 01, 2026 |
| CVE-2026-11570 | MEDIUM | 4.2 | The User Submitted Posts WordPress plugin before 20260608 does not escape a submitted value before outputting it in an admin-configured display template, leading to a … | Jul 01, 2026 |
| CVE-2026-11568 | HIGH | 7.5 | The Product Configurator for WooCommerce WordPress plugin before 1.7.3 does not perform any authorisation or post-status check before returning WooCommerce product data through a public … | Jul 01, 2026 |
| CVE-2026-11562 | MEDIUM | 4.3 | The WS Form LITE WordPress plugin before 1.11.8 does not have a capability check on one of its settings-update actions, allowing authenticated users with subscriber-level … | Jul 01, 2026 |
| CVE-2026-10750 | HIGH | 8.1 | The Royal MCP WordPress plugin before 1.4.26 does not perform capability checks on the majority of its MCP tools after token authentication, allowing authenticated users … | Jul 01, 2026 |