Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
20648
Total
1489
Critical
6270
High
6549
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-12471 | MEDIUM | 4.3 | The Spexo theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the activate_plugin function in all versions up to, … | Jun 27, 2026 |
| CVE-2026-12432 | MEDIUM | 5.3 | The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfs_update_failed_payment_status AJAX action. … | Jun 27, 2026 |
| CVE-2026-12399 | MEDIUM | 4.4 | The Gutenverse – WordPress Blocks, Page Builder & Site Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions … | Jun 27, 2026 |
| CVE-2026-11987 | MEDIUM | 4.3 | The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference … | Jun 27, 2026 |
| CVE-2026-11783 | MEDIUM | 6.4 | The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via … | Jun 27, 2026 |
| CVE-2026-11773 | MEDIUM | 4.3 | The Masteriyo LMS – LMS Course Builder, Quizzes & Certificates plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, … | Jun 27, 2026 |
| CVE-2026-11597 | MEDIUM | 6.4 | The Surbma | Infusionsoft Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'infusionsoft-form' shortcode in versions up to, and including, 2.0.1. … | Jun 27, 2026 |
| CVE-2026-11364 | MEDIUM | 4.3 | The Product Specifications for WooCommerce plugin for WordPress is vulnerable to unauthorized modification, creation, and deletion of data in versions up to and including 0.8.9. … | Jun 27, 2026 |
| CVE-2026-9677 | UNKNOWN | — | The Shariff for WordPress Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML … | Jun 27, 2026 |
| CVE-2026-13245 | MEDIUM | 6.1 | The MaxButtons – Create buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'view' parameter in all versions up to, and including, … | Jun 27, 2026 |
| CVE-2026-12404 | MEDIUM | 5.3 | The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This … | Jun 27, 2026 |
| CVE-2026-10820 | UNKNOWN | — | The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.16.17 does not verify that the user … | Jun 27, 2026 |
| CVE-2026-12415 | CRITICAL | 9.8 | The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravel_invoice_edit_account() AJAX action in versions up … | Jun 27, 2026 |
| CVE-2026-13422 | MEDIUM | 4.3 | The HD Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 2.2.0 to 2.2.1. This is due to missing or incorrect nonce … | Jun 27, 2026 |
| CVE-2026-13335 | MEDIUM | 6.4 | The CodePeople Post Map for Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'cpm_point' Post Meta in all versions up to, … | Jun 27, 2026 |
| CVE-2026-13333 | MEDIUM | 6.5 | The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via 'query[select]' Parameter in all versions up to, … | Jun 27, 2026 |
| CVE-2026-13331 | MEDIUM | 6.5 | The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'search' parameter in all versions up … | Jun 27, 2026 |
| CVE-2026-11356 | MEDIUM | 4.4 | The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'menu_title' and 'menu_magnifier_color' Settings in all versions up … | Jun 27, 2026 |
| CVE-2025-59868 | MEDIUM | 5.5 | HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a sensitive data exposure vulnerability which could allow an attacker to exploit application information to then … | Jun 27, 2026 |
| CVE-2023-37524 | HIGH | 7.7 | HCL Traveler for Microsoft Outlook (HTMO) is susceptible to vulnerabilities due to .NET Framework 4.5 being out of service. Since .NET Framework 4.5 has reached … | Jun 27, 2026 |
| CVE-2026-56414 | HIGH | 7.2 | A vulnerability exists in H.View IP cameras certificate-related upload interfaces allow authenticated users to store arbitrary file content to fixed, persistent filesystem locations without validating … | Jun 26, 2026 |
| CVE-2026-55975 | HIGH | 7.2 | A vulnerability exists in H.View IP cameras that could allow an authenticated user to supply unsanitized XML fields to the device's certificate generation interface, which … | Jun 26, 2026 |
| CVE-2026-33560 | HIGH | 7.1 | The DMP-5000 file service exposes authenticated arbitrary file upload functionality. There are exposed endpoints which allows authenticated users to upload files of any type without … | Jun 26, 2026 |
| CVE-2026-31928 | HIGH | 8.1 | The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration … | Jun 26, 2026 |
| CVE-2026-28701 | CRITICAL | 9.8 | Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths. | Jun 26, 2026 |