9.8
CVE-2026-1357 - Migration, Backup, Staging <= 0.9.123 - Unauthenticated Arbitrary File Upload
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. This is due to improper error handling in the RSA decryption process combined with a lack of path sanitization when writin…
6.4
CVE-2026-1893 - Orbisius Random Name Generator <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting …
The Orbisius Random Name Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btn_label' parameter in the 'orbisius_random_name_generator' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it …
4.7
CVE-2026-26079 - roundcubemail: Roundcube Webmail: Cascading Style Sheets (CSS) injection via mishandled comments
Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.
7.2
CVE-2025-14541 - Lucky Wheel Giveaway <= 1.0.22 - Authenticated (Administrator+) Remote Code Execution via 'conditio…
The Lucky Wheel Giveaway plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.22 via the conditional_tags parameter. This is due to the plugin using PHP's eval() function on user-controlled input without proper validation or sanitization. This makes …
6.5
CVE-2025-13431 - SlimStat Analytics <= 5.3.1 - Authenticated (Subscriber+) SQL Injection via `args` Parameter
The SlimStat Analytics plugin for WordPress is vulnerable to time-based SQL Injection via the 'args' parameter in all versions up to, and including, 5.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possibl…
6.4
CVE-2026-1231 - Beaver Builder Page Builder – Drag and Drop Website Builder <= 2.10.0.5 - Authenticated (Custom+) M…
The Beaver Builder Page Builder – Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `js` Global Settings parameter in all versions up to, and including, 2.10.0.5 due to missing capability checks on save_global_settings() function and insufficien…
4.3
CVE-2025-15524 - Gallery by FooGallery <= 3.1.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Gal…
The Gallery by FooGallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax_get_gallery_info() function in all versions up to, and including, 3.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and abo…
0.0
CVE-2026-2326 -
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.
5.3
CVE-2026-1571 - Reflected XSS Vulnerability on TP-Link Archer C60
User-controlled input is reflected into the HTML output without proper encoding on TP-Link Archer C60 v3, allowing arbitrary JavaScript execution via a crafted URL. An attacker could run script in the device web UI context, potentially enabling credential theft, session hijacking, or unintended act…
5.3
CVE-2024-26478 -
An issue in Statping-ng v.0.91.0 allows an attacker to obtain sensitive information via a crafted request to the /api/users endpoint.