Total CVEs

141,537

Critical Severity

3,871

High Severity

13,923

Last 7 Days

1,576
Quick preset (or use dates below)
Clear Filters
📅 Showing Year: 2026 (January 1 - December 31, 2026) View All Years →
Showing 13,461 - 13,480 of 13,618 CVEs
CVE-2025-13801 HIGH - 7.5

The Yoco Payments plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 3.8.8 via the file parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Published: Jan 07, 2026
Source: NVD
CVE-2025-13493 HIGH - 7.5

The Latest Registered Users plugin for WordPress is vulnerable to unauthorized user data export in all versions up to, and including, 1.4. This is due to missing authorization and nonce validation in the rnd_handle_form_submit function hooked to both admin_post_my_simple_form and admin_post_nopriv_m...

Published: Jan 07, 2026
Source: NVD
CVE-2025-13371 HIGH - 8.6

The MoneySpace plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.13.9. This is due to the plugin storing full payment card details (PAN, card holder name, expiry month/year, and CVV) in WordPress post_meta using base64_encode(), and then emb...

Published: Jan 07, 2026
Source: NVD
CVE-2025-11877 HIGH - 7.5

The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. This makes it possible for unauthenti...

Published: Jan 07, 2026
Source: NVD
CVE-2025-31642 HIGH - 7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dasinfomedia WPCHURCH allows Reflected XSS.This issue affects WPCHURCH: from n/a through 2.7.0.

Published: Jan 07, 2026
Source: NVD
CVE-2025-30631 HIGH - 7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Woocommerce Sales Funnel Builder, AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows Reflected XSS.This issue affects Woocommerce Sales Fun...

Published: Jan 06, 2026
Source: NVD
CVE-2025-29004 HIGH - 8.8

Incorrect Privilege Assignment vulnerability in AA-Team Premium Age Verification / Restriction for WordPress, AA-Team Responsive Coming Soon Landing Page / Holding Page for WordPress allows Privilege Escalation.This issue affects Premium Age Verification / Restriction for WordPress: from n/a through...

Published: Jan 06, 2026
Source: NVD
CVE-2026-21494 HIGH - 7.1

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It re...

Vendor: color
Product: iccdev
Published: Jan 06, 2026
Source: NVD
CVE-2026-21491 HIGH - 7.1

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It re...

Vendor: color
Product: iccdev
Published: Jan 06, 2026
Source: NVD
CVE-2026-21490 HIGH - 7.1

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It re...

Vendor: color
Product: iccdev
Published: Jan 06, 2026
Source: NVD
CVE-2026-0641 HIGH - 8.8

A security vulnerability has been detected in TOTOLINK WA300 5.2cu.7112_B20190227. This vulnerability affects the function sub_401510 of the file cstecgi.cgi. The manipulation of the argument UPLOAD_FILENAME leads to command injection. The attack may be initiated remotely. The exploit has been discl...

Vendor: totolink
Product: wa300_firmware
Published: Jan 06, 2026
Source: NVD
CVE-2025-32304 HIGH - 8.1

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mojoomla WPCHURCH allows PHP Local File Inclusion.This issue affects WPCHURCH: from n/a through 2.7.0.

Published: Jan 06, 2026
Source: NVD
CVE-2025-15382 HIGH - 8.1

A heap buffer over-read vulnerability exists in the wolfSSH_CleanPath() function in wolfSSH. An authenticated remote attacker can trigger the issue via crafted SCP path input containing '/./' sequences, resulting in a heap over read by 1 byte.

Vendor: wolfssh
Product: wolfssh
Published: Jan 06, 2026
Source: NVD
CVE-2025-69356 HIGH - 7.5

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows PHP Local File Inclusion.This issue affects TheGem Theme Elements (for Elementor): fro...

Published: Jan 06, 2026
Source: NVD
CVE-2025-69342 HIGH - 7.5

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in VanKarWai Calafate calafate allows PHP Local File Inclusion.This issue affects Calafate: from n/a through <= 1.7.7.

Published: Jan 06, 2026
Source: NVD
CVE-2025-69086 HIGH - 8.1

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Jwsthemes Issabella allows PHP Local File Inclusion.This issue affects Issabella: from n/a through 1.1.2.

Published: Jan 06, 2026
Source: NVD
CVE-2025-69085 HIGH - 7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins JobBank allows Reflected XSS.This issue affects JobBank: from n/a through 1.2.2.

Published: Jan 06, 2026
Source: NVD
CVE-2025-69084 HIGH - 7.1

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3 themes Photo Gallery allows Reflected XSS.This issue affects Photo Gallery: from n/a through 2.7.7.26.

Published: Jan 06, 2026
Source: NVD
CVE-2025-69083 HIGH - 8.1

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Frappé allows PHP Local File Inclusion.This issue affects Frappé: from n/a through 1.8.

Published: Jan 06, 2026
Source: NVD
CVE-2025-47553 HIGH - 8.8

Deserialization of Untrusted Data vulnerability in Digital zoom studio DZS Video Gallery allows Object Injection.This issue affects DZS Video Gallery: from n/a through 12.25.

Published: Jan 06, 2026
Source: NVD