Total CVEs

144,714

Critical Severity

4,191

High Severity

15,264

Last 7 Days

1,831
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 4,421 - 4,440 of 41,119 CVEs
CVE-2026-3462 MEDIUM - 6.5

The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'upload_csv' and 'process_batch' functions in all versions up to, and including, 1.8.9. This makes it possible for authenticated attackers, with Subscri...

Published: Jun 27, 2026
Source: NVD
CVE-2026-13295 MEDIUM - 6.4

The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via panels_data Parameter in all versions up to, and including, 2.34.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-lev...

Vendor: gpriday
Product: Page Builder by SiteOrigin
Published: Jun 27, 2026
Source: NVD
CVE-2026-12471 MEDIUM - 4.3

The Spexo theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the activate_plugin function in all versions up to, and including, 2.0.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate a limited set of ...

Vendor: templatescoderthemes
Product: Spexo
Published: Jun 27, 2026
Source: NVD
CVE-2026-12432 MEDIUM - 5.3

The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfs_update_failed_payment_status AJAX action. The handler is registered through both wp_ajax_ and wp_ajax_nopriv_ hooks and the underlying update_failed_payment_status...

Vendor: themeisle
Product: Stripe Payment Forms by WP Full Pay โ€“ Accept Credit Card Payments, Donations & Subscriptions
Published: Jun 27, 2026
Source: NVD
CVE-2026-12399 MEDIUM - 4.4

The Gutenverse โ€“ WordPress Blocks, Page Builder & Site Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated atta...

Vendor: jegstudio
Product: Gutenverse โ€“ WordPress Blocks, Page Builder & Site Editor
Published: Jun 27, 2026
Source: NVD
CVE-2026-11987 MEDIUM - 4.3

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution โ€“ Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.4 via the 'id' parameter due to missing validation on a user controlled ke...

Vendor: dokaninc
Product: Dokan: AI Powered WooCommerce Multivendor Marketplace Solution โ€“ Build Your Own Amazon, eBay, Etsy
Published: Jun 27, 2026
Source: NVD
CVE-2026-11783 MEDIUM - 6.4

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution โ€“ Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Product SKU in all versions up to, and including, 5.0.4 due to insufficient input sanitization and output escaping. This makes ...

Vendor: dokaninc
Product: Dokan: AI Powered WooCommerce Multivendor Marketplace Solution โ€“ Build Your Own Amazon, eBay, Etsy
Published: Jun 27, 2026
Source: NVD
CVE-2026-11773 MEDIUM - 4.3

The Masteriyo LMS โ€“ LMS Course Builder, Quizzes & Certificates plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authe...

Vendor: masteriyo
Product: Masteriyo LMS โ€“ LMS Course Builder, Quizzes & Certificates
Published: Jun 27, 2026
Source: NVD
CVE-2026-11597 MEDIUM - 6.4

The Surbma | Infusionsoft Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'infusionsoft-form' shortcode in versions up to, and including, 2.0.1. This is due to insufficient input sanitization and output escaping on user-supplied 'account' and &...

Vendor: surbma
Product: Surbma | Infusionsoft Shortcode
Published: Jun 27, 2026
Source: NVD
CVE-2026-11364 MEDIUM - 4.3

The Product Specifications for WooCommerce plugin for WordPress is vulnerable to unauthorized modification, creation, and deletion of data in versions up to and including 0.8.9. This is due to a missing capability check and missing nonce verification in the __invoke() methods of the AttributeGroupCo...

Vendor: dornaweb
Product: Product Specifications for Woocommerce
Published: Jun 27, 2026
Source: NVD
CVE-2026-9677 MEDIUM - 4.8

The Shariff for WordPress Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() function, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting atta...

Published: Jun 27, 2026
Source: NVD
CVE-2026-13245 MEDIUM - 6.1

The MaxButtons โ€“ Create buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'view' parameter in all versions up to, and including, 9.8.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inje...

Vendor: maxfoundry
Product: MaxButtons โ€“ Create buttons
Published: Jun 27, 2026
Source: NVD
CVE-2026-12404 MEDIUM - 5.3

The NEX-Forms โ€“ Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated atta...

Vendor: webaways
Product: NEX-Forms โ€“ Ultimate Forms Plugin for WordPress
Published: Jun 27, 2026
Source: NVD
CVE-2026-10820 HIGH - 8.1

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.16.17 does not verify that the user performing a subscription action owns the targeted subscription, allowing any authenticated user (Subscriber+) to cancel other...

Vendor: Unknown
Product: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content
Published: Jun 27, 2026
Source: NVD
CVE-2026-12415 CRITICAL - 9.8

The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravel_invoice_edit_account() AJAX action in versions up to, and including, 1.0.0. The handler is exposed via wp_ajax_nopriv_pravel_invoice_edit_account, accepts an attacker-cont...

Vendor: pravel
Product: Invoice Generator
Published: Jun 27, 2026
Source: NVD
CVE-2026-13422 MEDIUM - 4.3

The HD Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 2.2.0 to 2.2.1. This is due to missing or incorrect nonce validation on the hdq_validate_nonce function. This makes it possible for unauthenticated attackers to delete or modify quizzes and questions, create new...

Vendor: harmonic_design
Product: HD Quiz
Published: Jun 27, 2026
Source: NVD
CVE-2026-13335 MEDIUM - 6.4

The CodePeople Post Map for Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'cpm_point' Post Meta in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, wi...

Vendor: codepeople
Product: CodePeople Post Map for Google Maps
Published: Jun 27, 2026
Source: NVD
CVE-2026-13333 MEDIUM - 6.5

The Groundhogg โ€” CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via 'query[select]' Parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation o...

Vendor: trainingbusinesspros
Product: Groundhogg โ€” CRM, Newsletters, and Marketing Automation
Published: Jun 27, 2026
Source: NVD
CVE-2026-13331 MEDIUM - 6.5

The Groundhogg โ€” CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'search' parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on t...

Vendor: trainingbusinesspros
Product: Groundhogg โ€” CRM, Newsletters, and Marketing Automation
Published: Jun 27, 2026
Source: NVD
CVE-2026-11356 MEDIUM - 4.4

The Ivory Search โ€“ WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'menu_title' and 'menu_magnifier_color' Settings in all versions up to, and including, 5.5.15 due to insufficient input sanitization and output escaping. This makes it...

Vendor: vinod-dalvi
Product: Ivory Search โ€“ WordPress Search Plugin
Published: Jun 27, 2026
Source: NVD