7.1
CVE-2026-2466 - DukaPress <= 3.2.4 - Reflected XSS
The DukaPress WordPress plugin through 3.2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
5.9
CVE-2026-1867 - WP Front User Submit < 5.0.6 - Unauthenticated Sensitive Information Exposure
The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.6 allows passing a URL parameter to regenerate a .json file based on demo data that it initially creates. If an administrator modifies the demo form and enables admin notifications in the Guest posting / Frontend Posti…
6.8
CVE-2026-1753 - Gutena Forms < 1.6.1 - Contributor+ Arbitrary Limited Options Update
The Gutena Forms WordPress plugin before 1.6.1 does not validate the option to be updated, which could allow users with the Contributor role and above to update arbitrary boolean and array options (such as users_can_register).
6.4
CVE-2026-2707 - weForms <= 1.6.27 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Hidden Field Value …
The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API entry submission endpoint in all versions up to, and including, 1.6.27. This is due to inconsistent input sanitization between the frontend AJAX handler and the REST API endpoint. When entries are submitt…
7.5
CVE-2026-3222 - WP Maps <= 4.9.1 - Unauthenticated SQL Injection via 'location_id' Parameter
The WP Maps plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'location_id' parameter in all versions up to, and including, 4.9.1. This is due to the plugin's database abstraction layer (`FlipperCode_Model_Base::is_column()`) treating user input wrapped in backticks as co…
6.4
CVE-2026-2358 - WP ULike <= 5.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attribute
The WP ULike plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[wp_ulike_likers_box]` shortcode `template` attribute in all versions up to, and including, 5.0.1. This is due to the use of `html_entity_decode()` on shortcode attributes without subsequent output sanitization,…
9.3
CVE-2026-27842 - Authentication Bypass in Micro Research MR-GM5 Devices Allowing Unauthorized Configuration Changes
An authentication bypass issue exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker to bypass authentication and change the device configuration.
9.3
CVE-2026-24448 - Hard-Coded Credentials Grant Administrative Access on MR-GM5L-S1 and MR-GM5A-L1 Devices
A use-of-hard-coded-credentials issue exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker to obtain administrative access.
8.6
CVE-2026-20892 - Code Injection in Micro Research MR-GM5L-S1 and MR-GM5A-L1 Allowing Command Execution
A code injection vulnerability exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker with administrative privileges to execute arbitrary commands.
5.1
CVE-2026-3884 - Cross-Site Scripting Vulnerability in spin.js via Prototype Pollution and Duplicate Alert Creation
Versions of the package spin.js before 3.0.0 are vulnerable to Cross-site Scripting (XSS) via the spin() function, which allows the creation of more than one alert for each 'target' element. An attacker would need to set an arbitrary key-value pair on Object.prototype through a crafted URL achieving a pr…