6.4
CVE-2026-0703 - NextMove Lite - Thank You Page for WooCommerce <= 2.23.0 - Authenticated (Contributor+) Stored Cros…
The NextMove Lite – Thank You Page for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xlwcty_current_date' shortcode in all versions up to, and including, 2.23.0 due to insufficient input sanitization and output escaping on user supplied attributes. …
8.1
CVE-2026-2554 - WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible <= 6.7…
The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfm_delete_wcfm_customer' due to missing validation on the 'customerid' user…
5.3
CVE-2026-3504 - Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 4.3.1 - Unauthenticated Informati…
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.1 via the '/dokan/v1/stores/{id}/reviews' REST API endpoint. This is due to the 'prepare_reviews_for_response' method inc…
6.9
CVE-2026-7630 - innocommerce InnoShop Installation Endpoint InstallServiceProvider.php boot improper authentication
A vulnerability has been found in innocommerce InnoShop up to 0.7.8. The affected element is the function InstallServiceProvider::boot of the file innopacks/install/src/InstallServiceProvider.php of the component Installation Endpoint. The manipulation leads to improper authentication. Remote explo…
5.3
CVE-2026-7629 - kleneway awesome-cursor-mpc-server Ccode-Review Tool codeReview.ts runCodeReviewTool command inject…
A flaw has been found in kleneway awesome-cursor-mpc-server up to 2.0.1. Impacted is the function runCodeReviewTool of the file src/tools/codeReview.ts of the component Ccode-Review Tool. Executing a manipulation can lead to command injection. The attack may be launched remotely. The exploit has be…
5.3
CVE-2026-7628 - crazyrabbitLTC mcp-code-review-server RepoMix repomix.ts executeRepomix command injection
A vulnerability was detected in crazyrabbitLTC mcp-code-review-server up to 0.1.0. This issue affects the function executeRepomix of the file src/repomix.ts of the component RepoMix Command Handler. Performing a manipulation results in command injection. The attack may be initiated remotely. The ex…
5.5
CVE-2026-6525 - NULL Pointer Dereference in Wireshark
IEEE 802.11 protocol dissector crash in Wireshark 4.6.0 to 4.6.4
5.8
CVE-2026-6817 - Quiz Maker by AYS <= 6.7.1.29 - Unauthenticated Stored Cross-Site Scripting via 'rate_reason'
The Quiz Maker by AYS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rate_reason' parameter in all versions up to, and including, 6.7.1.29 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary…
7.5
CVE-2026-6320 - Salon Booking System – Free Version <= 10.30.25 - Unauthenticated Arbitrary File Read via Booking F…
The Salon Booking System – Free Version plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 10.30.25. This is due to the public booking flow accepting attacker-controlled file-field values and later using those stored values as trusted paths for email attachm…
7.5
CVE-2026-4061 - Geo Mashup <= 1.13.18 - Unauthenticated Time-Based SQL Injection via 'map_post_type' Parameter
The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'map_post_type' parameter in all versions up to, and including, 1.13.18. This is due to the `SearchResults` hook explicitly calling `stripslashes_deep($_POST)` which removes WordPress magic quotes protection, foll…