5.3
CVE-2025-15511 - Rupantorpay <= 2.0.0 - Missing Authorization to Unauthenticated Order Status Modification
The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to modify WooCommerce order statuses by sendin…
4.3
CVE-2026-1377 - imwptip <= 1.1 - Cross-Site Request Forgery to Settings Update
The imwptip plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged req…
6
CVE-2025-41351 - Weak encryption on Funambol's cloud server
A vulnerability that allows a Padding Oracle Attack to be performed on the Funambol v30.0.0.20 cloud server. The thumbnail display URL allows an attacker to decrypt and encrypt the parameters used by the application to generate “self-signed” access URLs.
8.8
CVE-2025-7740 - Use of default credentials vulnerability in Hitachi Energy SuprOS product
A default credentials vulnerability exists in the SuprOS product. If exploited, this could allow an authenticated local attacker to use an admin account created during product deployment.
7.2
CVE-2026-1400 - AI Engine <= 3.3.2 - Authenticated (Editor+) Arbitrary File Upload via 'filename' Parameter in upda…
The AI Engine – The Chatbot and AI Framework for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the `rest_helpers_update_media_metadata` function in all versions up to, and including, 3.3.2. This makes it possible for authenticated atta…
4.4
CVE-2026-1053 - Ivory Search <= 5.5.13 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu_gcse'…
The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.5.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administr…
7.5
CVE-2026-0702 - VidShop – Shoppable Videos for WooCommerce <= 1.1.4 - Unauthenticated Time-Based SQL Injection via …
The VidShop – Shoppable Videos for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the 'fields' parameter in all versions up to, and including, 1.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL que…
4.4
CVE-2026-1381 - Order Minimum/Maximum Amount Limits for WooCommerce <= 4.6.8 - Authenticated (Shop Manager+) Stored…
The Order Minimum/Maximum Amount Limits for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Sho…
4.3
CVE-2026-0818 - CSS-based exfiltration of the content from partially encrypted emails when allowing remote content
When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer messages were active. If t…
9.8
CVE-2025-40554 - SolarWinds Web Help Desk Authentication Bypass Vulnerability
SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk.