Total CVEs

142,588

Critical Severity

4,002

High Severity

14,355

Last 7 Days

1,858
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 13,621 - 13,640 of 14,399 CVEs
CVE-2026-1003 MEDIUM - 4.3

The GetGenie plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.3.0. This is due to the plugin not properly verifying that a user is authorized to delete a specific post. This makes it possible for authenticated attackers, with Author-level access and ...

Published: Jan 16, 2026
Source: NVD
CVE-2025-14375 MEDIUM - 6.1

The RSS Aggregator โ€“ RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the โ€˜classNameโ€™ parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. This makes it possib...

Vendor: rebelcode
Product: RSS Aggregator โ€“ RSS Import, News Feeds, Feed to Post, and Autoblogging
Published: Jan 16, 2026
Source: NVD
CVE-2026-0942 MEDIUM - 5.3

The Rede Itaรบ for WooCommerce โ€” Payment PIX, Credit Card and Debit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clearOrderLogs() function in all versions up to, and including, 5.1.2. This makes it possible for unauthenticated attack...

Published: Jan 16, 2026
Source: NVD
CVE-2026-0939 MEDIUM - 5.3

The Rede Itaรบ for WooCommerce plugin for WordPress is vulnerable to order status manipulation due to insufficient verification of data authenticity in all versions up to, and including, 5.1.2. This is due to the plugin failing to verify the authenticity of payment callbacks. This makes it possible f...

Published: Jan 16, 2026
Source: NVD
CVE-2026-0916 MEDIUM - 6.4

The Related Posts by Taxonomy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'related_posts_by_tax' shortcode in all versions up to, and including, 2.7.6 due to insufficient input sanitization and output escaping on user supplied attributes. This ma...

Published: Jan 16, 2026
Source: NVD
CVE-2025-14853 MEDIUM - 4.3

The LEAV Last Email Address Validator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions <= 1.7.1. This is due to missing or incorrect nonce validation on the display_settings_page function. This makes it possible for unauthenticated attackers to modify plugin settings v...

Vendor: smings
Product: LEAV Last Email Address Validator
Published: Jan 16, 2026
Source: NVD
CVE-2025-14793 MEDIUM - 5.0

The DK PDF โ€“ WordPress PDF Generator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3.0 via the 'addContentToMpdf' function. This makes it possible for authenticated attackers, author level and above, to make web requests to arbitr...

Vendor: torstenbulk
Product: DK PDF โ€“ WordPress PDF Generator
Published: Jan 16, 2026
Source: NVD
CVE-2026-23769 MEDIUM - 6.1

lucy-xss-filter before commit e5826c0 allows an attacker to execute malicious JavaScript due to improper sanitization caused by misconfigured default superset rule files.

Vendor: naver
Product: lucy-xss-filter
Published: Jan 16, 2026
Source: NVD
CVE-2026-23768 MEDIUM - 6.1

lucy-xss-filter before commit 7c1de6d allows an attacker to induce server-side HEAD requests to arbitrary URLs when the ObjectSecurityListener or EmbedSecurityListener option is enabled and embed or object tags are used with a src attribute missing a file extension.

Vendor: naver
Product: lucy-xss-filter
Published: Jan 16, 2026
Source: NVD
CVE-2026-1000 MEDIUM - 6.5

The MailerLite - WooCommerce integration plugin for WordPress is vulnerable to unauthorized data modification and deletion in all versions up to, and including, 3.1.3. This is due to missing capability checks on the resetIntegration() function. This makes it possible for authenticated attackers, wit...

Published: Jan 16, 2026
Source: NVD
CVE-2026-0858 MEDIUM - 6.1

Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitr...

Published: Jan 16, 2026
Source: NVD
CVE-2025-15527 MEDIUM - 4.3

The WP Recipe Maker plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 10.2.2 via the api_get_post_summary function due to insufficient restrictions on which posts can be retrieved. This makes it possible for authenticated attackers, with Contributor-level a...

Vendor: brechtvds
Product: WP Recipe Maker
Published: Jan 16, 2026
Source: NVD
CVE-2025-15526 MEDIUM - 5.3

The Fancy Product Designer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 6.4.8. This is due to improper error handling in the PDF upload functionality that exposes server filesystem paths and stack traces in error messages. This makes it possible fo...

Vendor: radykal
Product: Fancy Product Designer
Published: Jan 16, 2026
Source: NVD
CVE-2025-15370 MEDIUM - 4.3

The Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 21.0.9 via the MfaGoogleAuthToggle class due to missing validation on a user controlled key. This makes it possible for...

Vendor: paultgoodchild
Product: Shield: Blocks Bots, Protects Users, and Prevents Security Breaches
Published: Jan 16, 2026
Source: NVD
CVE-2025-14982 MEDIUM - 4.3

The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the da...

Vendor: wpdevelop
Product: Booking Calendar
Published: Jan 16, 2026
Source: NVD
CVE-2025-14384 MEDIUM - 4.3

The All in One SEO โ€“ Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/aioseo/v1/ai/credits` REST route in all versions up to, and including, 4.9.2. This makes it possible for ...

Vendor: smub
Product: All in One SEO โ€“ Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Published: Jan 16, 2026
Source: NVD
CVE-2025-12641 MEDIUM - 6.5

The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to...

Vendor: awesomesupport
Product: Awesome Support โ€“ WordPress HelpDesk & Support Plugin
Published: Jan 16, 2026
Source: NVD
CVE-2026-1020 MEDIUM - 5.3

Police Statistics Database System developed by Gotac has a Absolute Path Traversal vulnerability, allowing unauthenticated remote attackers to enumerate the system file directory.

Vendor: gotac
Product: police_statistics_database_system
Published: Jan 16, 2026
Source: NVD
CVE-2026-1011 MEDIUM - 6.1

A stored cross-site scripting (XSS) vulnerability exists in the Altium Support Center AddComment endpoint due to missing server-side input sanitization. Although the client interface applies HTML escaping, the backend accepts and stores arbitrary HTML and JavaScript supplied via modified POST reques...

Vendor: altium
Product: altium_live
Published: Jan 16, 2026
Source: NVD
CVE-2021-47800 MEDIUM - 5.3

b2evolution 7.2.2 contains a cross-site request forgery vulnerability that allows attackers to modify admin account details without authentication. Attackers can craft a malicious HTML form to submit unauthorized changes to user profiles by tricking victims into loading a specially crafted webpage.

Vendor: B2Evolution
Product: b2evolution
Published: Jan 16, 2026
Source: NVD