Total CVEs

143,793

Critical Severity

4,093

High Severity

14,778

Last 7 Days

1,504
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 2,521 - 2,540 of 40,198 CVEs
CVE-2026-13468 HIGH - 7.5

The Visualizer โ€“ Tables & Charts Manager with Built-in AI Generator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for ...

Vendor: themeisle
Product: Visualizer โ€“ Tables & Charts Manager with Built-in AI Generator
Published: Jul 01, 2026
Source: NVD
CVE-2026-13443 MEDIUM - 6.4

The Tutor LMS โ€“ eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Lesson Attachment Title in all versions up to, and including, 3.9.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attacke...

Vendor: themeum
Product: Tutor LMS โ€“ eLearning and online course solution
Published: Jul 01, 2026
Source: NVD
CVE-2026-13246 MEDIUM - 6.4

The GiveWP โ€“ Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'block_id' (and other) shortcode attributes of the 'givewp_campaign_comments' shortcode in versions up to, and including, 4.16.0. This is due to insuffi...

Vendor: stellarwp
Product: GiveWP โ€“ Donation Plugin and Fundraising Platform
Published: Jul 01, 2026
Source: NVD
CVE-2026-13015 MEDIUM - 6.1

The Wp Google Places Review Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'place' parameter in versions up to, and including, 18.1. This is due to insufficient input sanitization and output escaping in admin/partials/googlecrawl_dfs.php, where the $_GE...

Vendor: jgwhite33
Product: WP Google Review Slider
Published: Jul 01, 2026
Source: NVD
CVE-2026-12923 HIGH - 7.5

The Youtube Showcase plugin for WordPress is vulnerable to Arbitrary Function Call in versions up to and including 4.0.3. This is due to insufficient validation of the 'path' parameter in the emd_delete_file() AJAX handler in includes/common-functions.php. The user-supplied value is passed...

Vendor: emarket-design
Product: Video Gallery โ€“ YouTube Gallery, Playlist & Video Grid
Published: Jul 01, 2026
Source: NVD
CVE-2026-12904 MEDIUM - 4.3

The Kadence Blocks โ€“ Gutenberg Blocks for Page Builder Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.7.7. This is due to a mismatch between the object used for authorization and the object actually accessed in the Optimize_Rest_Cont...

Vendor: stellarwp
Product: Kadence Blocks โ€” Page Builder Toolkit for Gutenberg Editor
Published: Jul 01, 2026
Source: NVD
CVE-2026-12902 MEDIUM - 4.3

The Kadence Blocks โ€” Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authentic...

Vendor: stellarwp
Product: Kadence Blocks โ€” Page Builder Toolkit for Gutenberg Editor
Published: Jul 01, 2026
Source: NVD
CVE-2026-12135 MEDIUM - 6.4

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'video_player' shortcode 'align' attribute in all versions up to, and including, 7.5.51.7212 due to insufficient input sanitization and output escaping on user supplied attrib...

Vendor: foliovision
Product: FV Flowplayer Video Player
Published: Jul 01, 2026
Source: NVD
CVE-2026-12133 MEDIUM - 4.3

The JoomSport โ€“ for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Group Deletion in versions up to, and including, 5.7.8. This is due to a missing capability check in the joomsport_season_groupdel() AJAX handler, which...

Vendor: beardev
Product: JoomSport โ€“ for Sports: Team & League, Football, Hockey & more
Published: Jul 01, 2026
Source: NVD
CVE-2026-12127 MEDIUM - 5.3

The WPForms โ€“ Easy Form Builder for WordPress โ€“ Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 1.10.2 This is due to `get_reply_to_address()` processi...

Vendor: smub
Product: WPForms โ€“ AI Form Builder for WordPress โ€“ Contact Forms, Payment Forms, Survey Form, Quiz & More
Published: Jul 01, 2026
Source: NVD
CVE-2026-12113 MEDIUM - 4.3

The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.02 via the cpabc_appointments_filter_list. This makes it possible for authenticated attackers, with contributor-level access and above, to extract customer ...

Vendor: codepeople
Product: Appointment Booking Calendar
Published: Jul 01, 2026
Source: NVD
CVE-2026-12110 MEDIUM - 6.5

The Taskbuilder โ€“ Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to generic SQL Injection via the 'task_search' parameter in all versions up to, and including, 5.0.8 due to insufficient escaping on the user supplied parameter and lack of ...

Vendor: taskbuilder
Product: Taskbuilder โ€“ Project Management & Task Management Tool With Kanban Board
Published: Jul 01, 2026
Source: NVD
CVE-2026-12090 MEDIUM - 6.5

The Taskbuilder โ€“ Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to generic SQL Injection via the 'wppm_proj_filter' parameter in all versions up to, and including, 5.0.8 due to insufficient escaping on the user supplied parameter and lac...

Vendor: taskbuilder
Product: Taskbuilder โ€“ Project Management & Task Management Tool With Kanban Board
Published: Jul 01, 2026
Source: NVD
CVE-2026-11988 MEDIUM - 6.5

The LearnPress โ€“ WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.9.1 via the 'userId' parameter due to missing validation on a user controlled key. This makes it possibl...

Vendor: thimpress
Product: LearnPress โ€“ WordPress LMS Plugin for Create and Sell Online Courses
Published: Jul 01, 2026
Source: NVD
CVE-2026-11981 MEDIUM - 4.3

The GiveWP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.15.3 This is due to missing nonce validation on the give_set_notification_status_handler() function. This makes it possible for unauthenticated attackers to disable donation email notifica...

Vendor: stellarwp
Product: GiveWP โ€“ Donation Plugin and Fundraising Platform
Published: Jul 01, 2026
Source: NVD
CVE-2026-11380 MEDIUM - 6.4

The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.0.21. This is due to insufficient output escaping and missing server-side validation of the Animated Box widget's animation_effect setting before it is rendered insid...

Vendor: jetmonsters
Product: JetWidgets For Elementor
Published: Jul 01, 2026
Source: NVD
CVE-2026-20463 MEDIUM - 6.7

In Modem, there is a possible escalation of privilege due to a permissions bypass. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: MOLY01716533; Issue ID: MSV-6309.

Vendor: MediaTek, Inc.
Product: MediaTek chipset
Published: Jul 01, 2026
Source: NVD
CVE-2026-20462 MEDIUM - 6.7

In Telephony, there is a possible memory corruption due to a heap buffer overflow. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS11006447; Issue ID: MSV-7871.

Vendor: MediaTek, Inc.
Product: MediaTek chipset
Published: Jul 01, 2026
Source: NVD
CVE-2026-20461 MEDIUM - 5.3

In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Pat...

Vendor: MediaTek, Inc.
Product: MediaTek chipset
Published: Jul 01, 2026
Source: NVD
CVE-2026-20460 MEDIUM - 5.3

In Modem, there is a possible information disclosure due to improper input validation. This could lead to remote information disclosure, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploi...

Vendor: MediaTek, Inc.
Product: MediaTek chipset
Published: Jul 01, 2026
Source: NVD