5.3

CVSS3.1

CVE-2025-14757 - Cost Calculator Builder <= 3.6.9 - Missing Authorization to Unauthenticated Payment Status Bypass

The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete_payment AJAX action being registered via wp_ajax_nopriv, ma…

📅 Published: Jan. 16, 2026, 8:38 a.m. 🔄 Last Modified: Jan. 23, 2026, 5:12 p.m.

7.2

CVSS3.1

CVE-2025-12006 - Supermicro BMC firmware update validation bypass

There is a vulnerability in the Supermicro BMC firmware validation logic at Supermicro MBD-X12STW-F. An attacker can update the system firmware with a specially crafted image.

📅 Published: Jan. 16, 2026, 8:36 a.m. 🔄 Last Modified: Feb. 26, 2026, 3:04 p.m.

6.4

CVSS3.1

CVE-2026-0913 - User Submitted Posts <= 20260110 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'us…

The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'usp_access' shortcode in all versions up to, and including, 20260110 due to insufficient input sanitization and output escaping on user supp…

📅 Published: Jan. 16, 2026, 8:23 a.m. 🔄 Last Modified: Jan. 16, 2026, 3:55 p.m.

5.3

CVSS3.1

CVE-2026-1004 - Essential Addons for Elementor <= 6.5.5 - Missing Authorization to Unauthenticated Sensitive Inform…

The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eael_product_quickview_popup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for pro…

📅 Published: Jan. 16, 2026, 8:23 a.m. 🔄 Last Modified: Jan. 16, 2026, 3:55 p.m.

7.1

CVSS4.0

CVE-2026-22876 -

Path Traversal vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation. If this vulnerability is exploited, arbitrary files on the affected product may be retrieved by a logged-in user with the low ("monitoring user") or higher privilege.

📅 Published: Jan. 16, 2026, 8:17 a.m. 🔄 Last Modified: Jan. 16, 2026, 3:55 p.m.

4.8

CVSS4.0

CVE-2026-20894 -

Cross-site scripting vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation. If an attacking administrator configures the affected product with some malicious input, an arbitrary script may be executed on the web browser of a victim administrator who accesses …

📅 Published: Jan. 16, 2026, 8:16 a.m. 🔄 Last Modified: Jan. 16, 2026, 3:55 p.m.

8.7

CVSS4.0

CVE-2026-20759 -

OS Command Injection vulnerability exists in multiple Network Cameras TRIFORA 3 series provided by TOA Corporation, which may allow a logged-in user with the low ("monitoring user") or higher privilege to execute an arbitrary OS command.

📅 Published: Jan. 16, 2026, 8:16 a.m. 🔄 Last Modified: Jan. 16, 2026, 3:55 p.m.

6.1

CVSS3.1

CVE-2025-14375 - RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging <= 5.0.10 - Reflected Cross…

The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘className’ parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping. This makes it possi…

📅 Published: Jan. 16, 2026, 7:23 a.m. 🔄 Last Modified: Jan. 16, 2026, 3:55 p.m.

4.3

CVSS3.1

CVE-2026-1003 - GetGenie – AI Content Writer with Keyword Research & SEO Tracking Tools <= 4.3.0 - Missing Authoriz…

The GetGenie plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.3.0. This is due to the plugin not properly verifying that a user is authorized to delete a specific post. This makes it possible for authenticated attackers, with Author-level access and…

📅 Published: Jan. 16, 2026, 7:23 a.m. 🔄 Last Modified: Jan. 16, 2026, 3:55 p.m.

5

CVSS3.1

CVE-2025-14793 - DK PDF – WordPress PDF Generator <= 2.3.0 - Authenticated (Author+) Server-Side Request Forgery

The DK PDF – WordPress PDF Generator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3.0 via the 'addContentToMpdf' function. This makes it possible for authenticated attackers, author level and above, to make web requests to arbitrary locat…

📅 Published: Jan. 16, 2026, 6:43 a.m. 🔄 Last Modified: Jan. 16, 2026, 3:55 p.m.