5.4
CVE-2025-14718 - Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Cat…
The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attack…
5.3
CVE-2025-14720 - Booking for Appointments and Events Calendar – Amelia <= 1.2.38 - Missing Authorization to Unauthen…
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and including, 1.2.38. This makes it possible for unauthenticated attackers to mark payments as refund…
6.4
CVE-2026-0563 - WP Google Street View (with 360° virtual tour) & Google maps + Local SEO <= 1.1.8 - Authenticated (…
The WP Google Street View (with 360° virtual tour) & Google maps + Local SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpgsv_map' shortcode in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output escaping. This makes it possible…
5.3
CVE-2025-14782 - Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.49.1 - Missing Authorizati…
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.49.1 via the 'listen_for_csv_export' function. This is due to the plugin not properly verifying that a user is authorized to per…
6.5
CVE-2025-14980 - BetterDocs <= 4.3.3 - Authenticated (Contributor+) Sensitive Information Exposure
The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive data including the OpenAI API…
6.4
CVE-2025-15019 - BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce <= 2.2.1 - Authe…
The BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bialty_cs_alt' post meta in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This mak…
9.8
CVE-2025-14736 - Frontend Admin by DynamiApps <= 3.28.25 - Unauthenticated Privilege Escalation to Administrator via…
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.25. This is due to insufficient validation of user-supplied role values in the 'validate_value', 'pre_update_value', and 'get_fields_display' functions. This makes …
5.1
CVE-2026-20976 -
Improper input validation in Galaxy Store prior to version 4.6.02 allows local attacker to execute arbitrary script.
2.1
CVE-2026-20975 -
Improper handling of insufficient permission in Samsung Cloud prior to version 5.6.11 allows local attackers to access specific files in arbitrary path.
5.2
CVE-2026-20974 -
Improper input validation in data related to network restrictions prior to SMR Jan-2026 Release 1 allows physical attackers to bypass Carrier Relock.