5.3

CVSS4.0

CVE-2026-28554 - wpForo Forum 2.4.14 Missing Authorization via Post Approval AJAX Handler

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to approve or unapprove any forum post via the wpforo_approve_ajax AJAX handler. Attackers exploit the nonce-only check by submitting a valid nonce with an arbitrary post ID to bypass moderation…

📅 Published: Feb. 28, 2026, 9:47 p.m. 🔄 Last Modified: Feb. 28, 2026, 9:47 p.m.

9.3

CVSS4.0

CVE-2026-3010 - TimePictra Stored Cross-Site Scripting

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Microchip TimePictra allows Query System for Information. This issue affects TimePictra: from 11.0 through 11.3 SP2.

📅 Published: Feb. 28, 2026, 11:45 a.m. 🔄 Last Modified: Feb. 28, 2026, 11:45 a.m.

9.3

CVSS4.0

CVE-2026-2844 - TimePictra Authentication Bypass Vulnerability

Missing Authentication for Critical Function vulnerability in Microchip TimePictra allows Configuration/Environment Manipulation. This issue affects TimePictra: from 11.0 through 11.3 SP2.

📅 Published: Feb. 28, 2026, 11:44 a.m. 🔄 Last Modified: Feb. 28, 2026, 11:44 a.m.

7.5

CVSS3.1

CVE-2025-13673 - Tutor LMS <= 3.9.6 - Unauthenticated SQL Injection via coupon_code

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL que…

📅 Published: Feb. 28, 2026, 7:25 a.m. 🔄 Last Modified: Feb. 28, 2026, 7:25 a.m.

7.5

CVSS3.1

CVE-2026-2471 - WP Mail Logging <= 1.15.0 - Unauthenticated PHP Object Injection via Email Log Message Field

The WP Mail Logging plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.15.0 via deserialization of untrusted input from the email log message field. This is due to the `BaseModel` class constructor calling `maybe_unserialize()` on all properties retri…

📅 Published: Feb. 28, 2026, 6:27 a.m. 🔄 Last Modified: Feb. 28, 2026, 6:27 a.m.

0.0

CVE-2026-1542 - Super Stage WP <= 1.0.1 - Unauthenticated PHP Object Injection

The Super Stage WP WordPress plugin through 1.0.1 unserializes user input via REQUEST, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.

📅 Published: Feb. 28, 2026, 6 a.m. 🔄 Last Modified: Feb. 28, 2026, 6 a.m.

8.7

CVSS3.1

CVE-2026-28426 - Statamic vulnerable to privilege escalation via stored cross-site scripting

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, a stored XSS vulnerability in SVG and icon related components allows authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileg…

📅 Published: Feb. 27, 2026, 10:23 p.m. 🔄 Last Modified: Feb. 27, 2026, 10:23 p.m.

8

CVSS3.1

CVE-2026-28425 - Statamic vulnerable to remote code execution via Antlers-enabled control panel inputs

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the app…

📅 Published: Feb. 27, 2026, 10:20 p.m. 🔄 Last Modified: Feb. 27, 2026, 10:20 p.m.

5.3

CVSS4.0

CVE-2026-27759 - Featured Image from Content < 1.7 Authenticated SSRF via save_post

Featured Image from Content (featured-image-from-content) WordPress plugin versions prior to 1.7 contain an authenticated server-side request forgery vulnerability that allows Author-level users to fetch internal HTTP resources. Attackers can exploit insecure URL fetching and file write operations …

📅 Published: Feb. 27, 2026, 10:17 p.m. 🔄 Last Modified: Feb. 27, 2026, 10:17 p.m.

6.5

CVSS3.1

CVE-2026-28424 - Statamic's missing authorization allows access to email addresses

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 a…

📅 Published: Feb. 27, 2026, 10:14 p.m. 🔄 Last Modified: Feb. 27, 2026, 10:14 p.m.