6.1
CVE-2025-14063 - SEO Links Interlinking <= 1.7.9.9.1 - Reflected Cross-Site Scripting via 'google_error' Parameter
The SEO Links Interlinking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'google_error' parameter in all versions up to, and including, 1.7.9.9.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject…
8.8
CVE-2026-0844 - Simple User Registration <= 6.7 - Authenticated (Subscriber+) Privilege Escalation via profile_save…
The Simple User Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 6.7 due to insufficient restriction on the 'profile_save_field' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to m…
8.8
CVE-2025-14386 - Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization 2.4.…
The Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the 'generate_sso_url' and 'validate_sso_token' functions in versions 2.4.4 to 2.5.12. This makes it po…
4.3
CVE-2026-1380 - Bitcoin Donate Button <= 1.0 - Cross-Site Request Forgery to Settings Update
The Bitcoin Donate Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to modify the plugin's settings, incl…
5.3
CVE-2026-1391 - Vzaar Media Management <= 1.2 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
The Vzaar Media Management plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on the $_SERVER['PHP_SELF'] variable. This makes it possible for unauthenticated attackers to inject a…
5.3
CVE-2025-15511 - Rupantorpay <= 2.0.0 - Missing Authorization to Unauthenticated Order Status Modification
The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to modify WooCommerce order statuses by sendin…
4.3
CVE-2026-1377 - imwptip <= 1.1 - Cross-Site Request Forgery to Settings Update
The imwptip plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged req…
6
CVE-2025-41351 - Weak encryption on Funambol's cloud server
Vulnerability that allows a Padding Oracle Attack to be performed on the Funambol v30.0.0.20 cloud server. The thumbnail display URL allows an attacker to decrypt and encrypt the parameters used by the application to generate “self-signed” access URLs.
8.8
CVE-2025-7740 - Use of default credentials vulnerability in Hitachi Energy SuprOS product
Default credentials vulnerability exists in SuprOS product. If exploited, this could allow an authenticated local attacker to use an admin account created during product deployment.
7.2
CVE-2026-1400 - AI Engine <= 3.3.2 - Authenticated (Editor+) Arbitrary File Upload via 'filename' Parameter in upda…
The AI Engine – The Chatbot and AI Framework for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the `rest_helpers_update_media_metadata` function in all versions up to, and including, 3.3.2. This makes it possible for authenticated atta…