6.1
CVE-2026-23768 -
lucy-xss-filter before commit 7c1de6d allows an attacker to induce server-side HEAD requests to arbitrary URLs when the ObjectSecurityListener or EmbedSecurityListener option is enabled and embed or object tags are used with a src attribute missing a file extension.
5.1
CVE-2026-0858 - plantuml: PlantUML: Arbitrary script execution via Stored Cross-Site Scripting in GraphViz diagrams
Versions of the package net.sourceforge.plantuml:plantuml before 1.2026.0 are vulnerable to Stored XSS due to insufficient sanitization of interactive attributes in GraphViz diagrams. As a result, a crafted PlantUML diagram can inject malicious JavaScript into generated SVG output, leading to arbitโฆ
4.3
CVE-2025-14384 - All in One SEO โ Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic <= 4.9.2 - Missing Auโฆ
The All in One SEO โ Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/aioseo/v1/ai/credits` REST route in all versions up to, and including, 4.9.2. This makes it possible for autโฆ
6.5
CVE-2026-1000 - MailerLite - WooCommerce integration <= 3.1.3 - Missing Authorization to Data Deletion
The MailerLite - WooCommerce integration plugin for WordPress is vulnerable to unauthorized data modification and deletion in all versions up to, and including, 3.1.3. This is due to missing capability checks on the resetIntegration() function. This makes it possible for authenticated attackers, wiโฆ
4.3
CVE-2025-15370 - Shield Security <= 21.0.9 - Authenticated (Subscriber+) Insecure Direct Object Reference to Disableโฆ
The Shield: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 21.0.9 via the MfaGoogleAuthToggle class due to missing validation on a user controlled key. This makes it possible foโฆ
8.8
CVE-2025-12957 - All-in-One Video Gallery <= 4.5.7 - Authenticated (Author+) Arbitrary File Upload via VTT Upload Byโฆ
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation detecting VTT files, allowing double extension files to bypass sanitization while being accepted as a valid VTT fileโฆ
6.5
CVE-2025-12641 - Awesome Support โ WordPress HelpDesk & Support Plugin <= 6.3.6 - Missing Authorization to Unauthentโฆ
The Awesome Support - WordPress HelpDesk & Support Plugin for WordPress is vulnerable to authorization bypass due to missing capability checks in all versions up to, and including, 6.3.6. This is due to the 'wpas_do_mr_activate_user' function not verifying that a user has permission to modify otherโฆ
5.3
CVE-2025-15526 - Fancy Product Designer | WooCommerce WordPress <= 6.4.8 - Unauthenticated Full Path Disclosure via โฆ
The Fancy Product Designer plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 6.4.8. This is due to improper error handling in the PDF upload functionality that exposes server filesystem paths and stack traces in error messages. This makes it possible fโฆ
4.3
CVE-2025-15527 - WP Recipe Maker <= 10.2.2 - Insecure Direct Object Reference to Sensitive Information Exposure
The WP Recipe Maker plugin for WordPress is vulnerable to Information Exposure in versions up to, and including, 10.2.2 via the api_get_post_summary function due to insufficient restrictions on which posts can be retrieved. This makes it possible for authenticated attackers, with Contributor-level โฆ
4.3
CVE-2025-14982 - Booking Calendar <= 10.14.11 - Missing Authorization to Sensitive Information Exposure
The Booking Calendar plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Exposure in all versions up to, and including, 10.14.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view all booking records in the dโฆ