Recent Advisories

Each entry lists severity, CVSS score, CVE ID, title, summary, vendor, product and type.

HIGH 7.5 CVE-2026-13369
  Title: Ninja Forms – File Uploads <= 3.3.29 - Unauthenticated Arbitrary File Read via File Upload Field 'files[].data.file_path' Parameter
  Summary: The Ninja Forms - File Uploads plugin for WordPress is vulnerable to Arbitrary File Read via the attach_files() function in versions up to, and inc...
  Vendor: SaturdayDrive
  Product: Ninja Forms - File Uploads
  Type: CVE

MEDIUM 6.4 CVE-2026-13252
  Title: RSS Aggregator by Feedzy <= 5.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'aspectRatio' Attribute
  Summary: The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Stored Cross...
  Vendor: themeisle
  Product: RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator
  Type: CVE

HIGH 7.5 CVE-2026-13251
  Title: Perfmatters <= 2.6.4 - Unauthenticated Arbitrary File Read via 's' Parameter
  Summary: The Perfmatters plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.6.4 via the 's' parameter. This m...
  Vendor: perfmatters
  Product: Perfmatters
  Type: CVE

MEDIUM 5.3 CVE-2026-12657
  Title: LatePoint <= 5.6.2 - Unauthenticated Insecure Direct Object Reference to Arbitrary Creation via 'service_id' Parameter
  Summary: The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all v...
  Vendor: latepoint
  Product: LatePoint – Calendar Booking Plugin for Appointments and Events
  Type: CVE

MEDIUM 5.3 CVE-2026-12472
  Title: Kirki <= 6.0.11 - Missing Authorization to Unauthenticated Arbitrary Email Content Injection (Mail Relay / Phishing) via 'emailBody' and 'emailSubject' Parameters
  Summary: The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, a...
  Vendor: themeum
  Product: Kirki – Freeform Page Builder, Website Builder & Customizer
  Type: CVE

MEDIUM 4.3 CVE-2026-12134
  Title: JoomSport <= 5.7.8 - Authenticated (Subscriber+) Missing Authorization to Arbitrary Group Creation/Modification via season_groupedit AJAX action
  Summary: The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to authorization bypass in all versions up to...
  Vendor: beardev
  Product: JoomSport – for Sports: Team & League, Football, Hockey & more
  Type: CVE

MEDIUM 5.3 CVE-2026-12122
  Title: Kirki <= 6.0.11 - Missing Authorization to Unauthenticated Sensitive Information Exposure via kirki_post_apis_nopriv AJAX Action
  Summary: The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all version...
  Vendor: themeum
  Product: Kirki – Freeform Page Builder, Website Builder & Customizer
  Type: CVE

MEDIUM 5.3 CVE-2026-11896
  Title: My Calendar <= 3.7.14 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'vcal' Parameter
  Summary: The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and includ...
  Vendor: joedolson
  Product: My Calendar – Accessible Event Manager
  Type: CVE

MEDIUM 4.4 CVE-2026-10104
  Title: Product Video Gallery for Woocommerce <= 1.5.1.8 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via custom_thumbnail Parameter
  Summary: The Product Video Gallery for Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom_thumbnail Parameter in all v...
  Vendor: nikhilgadhiya
  Product: Product Video Gallery for Woocommerce
  Type: CVE

HIGH 8.1 CVE-2026-5821
  Title: Image Optimizer <= 1.7.4 - Authenticated (Author+) Arbitrary File Deletion via Post Meta Field Injection
  Summary: The Image Optimizer plugin for WordPress is vulnerable to arbitrary file deletion in versions up to and including 1.7.4. This is due to insufficien...
  Vendor: elemntor
  Product: Image Optimizer – Optimize Images and Convert to WebP or AVIF
  Type: CVE