Recent Advisories

Severity ID Title Vendor Product Date Type
MEDIUM 4.2 CVE-2026-11570

User Submitted Posts < 20260608 - Unauthenticated Stored XSS via Author Name_CVE-2026-11570

The User Submitted Posts WordPress plugin before 20260608 does not escape a submitted value before outputting it in an admin-configured display te...

Unknown User Submitted Posts CVE
HIGH 7.5 CVE-2026-11568

Product Configurator for WooCommerce < 1.7.3 - Unauthenticated Private/Draft Product Data Disclosure via pc_get_data_CVE-2026-11568

The Product Configurator for WooCommerce WordPress plugin before 1.7.3 does not perform any authorisation or post-status check before returning Woo...

Unknown Product Configurator for WooCommerce CVE
MEDIUM 4.3 CVE-2026-11562

WS Form LITE < 1.11.8 - Subscriber+ Arbitrary Settings Update_CVE-2026-11562

The WS Form LITE WordPress plugin before 1.11.8 does not have a capability check on one of its settings-update actions, allowing authenticated use...

Unknown WS Form LITE CVE
HIGH 8.1 CVE-2026-10750

Royal MCP < 1.4.26 - Subscriber+ Insufficient Authorization in MCP Tools_CVE-2026-10750

The Royal MCP WordPress plugin before 1.4.26 does not perform capability checks on the majority of its MCP tools after token authentication, allow...

Unknown Royal MCP CVE
MEDIUM 6.5 CVE-2026-14258

Dhcpcd: dhcpcd infinite loop and out-of-bounds read via zero-length ipv6 nd option in router advertisement handling_CVE-2026-14258

A flaw was found in dhcpcd's IPv6 Neighbor Discovery Router Advertisement processing. A specially crafted IPv6 Router Advertisement containing a ze...

Red Hat Red Hat Enterprise Linux 10 CVE
HIGH 8.8 CVE-2026-13228

LatePoint <= 5.6.3 - Authenticated (Custom+) Privilege Escalation to Administrator via 'order[customer_id]' Parameter_CVE-2026-13228

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in ...

latepoint LatePoint – Calendar Booking Plugin for Appointments and Events CVE
HIGH 7.2 CVE-2026-12142

NEX-Forms <= 9.2.2 - Unauthenticated Stored Cross-Site Scripting via '_name[]' Array Parameter_CVE-2026-12142

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via '_name[]' Array Parameter...

webaways NEX-Forms – Ultimate Forms Plugin for WordPress CVE
MEDIUM 6.4 CVE-2026-10095

WP Photo Album Plus <= 9.1.13.005 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'subtext' Shortcode Attribute_CVE-2026-10095

The WP Photo Album Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtext' parameter in all versions up to, and in...

opajaap WP Photo Album Plus CVE
MEDIUM 5.3 CVE-2026-27435

WordPress Woffice theme < 5.4.33 - Broken Access Control vulnerability_CVE-2026-27435

Missing Authorization vulnerability in WofficeIO Woffice allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affec...

WofficeIO Woffice n/a CVE
MEDIUM 6.5 CVE-2026-13454

MotoPress Appointment Booking <= 2.4.5 - Authenticated (Staff+) SQL Injection via 's' Parameter_CVE-2026-13454

The MotoPress Appointment Booking plugin for WordPress is vulnerable to generic SQL Injection via the 's' parameter in all versions up to, and incl...

jetmonsters MotoPress Appointment Booking CVE