MEDIUM - zero redgem

Recent Advisories

Severity	ID	Title	Vendor	Product	Date	Type
MEDIUM 4.9	CVE-2026-10736	Tutor LMS <= 3.9.11 - Authenticated (Administrator+) SQL Injection via 'data' Parameter_CVE-2026-10736 The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all ve...	themeum	Tutor LMS – eLearning and online course solution	Jun 18, 2026	CVE
MEDIUM 4.3	CVE-2026-10623	PressPrimer Quiz <= 2.3.0 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Modification via 'quiz_id', 'item_id', and 'rule_id' Parameters_CVE-2026-10623 The PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference i...	pressprimer	PressPrimer Quiz – AI Quiz Maker, Exam Builder & LMS Assessment Plugin	Jun 18, 2026	CVE
MEDIUM 5.3	CVE-2026-10029	Event Koi Lite <= 1.3.13.1 - Missing Authorization to Unauthenticated Sensitive Information Exposure via REST API Endpoints_CVE-2026-10029 The Event Koi Lite – Events Calendar, Event Management, RSVP, and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in a...	eventkoi	Event Koi Lite – Events Calendar, Event Management, RSVP, and Tickets	Jun 18, 2026	CVE
MEDIUM 6.5	CVE-2026-9815	MagicForm <= 0.1.3 - Unauthenticated Arbitrary File Upload to RCE_CVE-2026-9815 The MagicForm WordPress plugin through 0.1.3 does not properly validate the type of files uploaded through an unauthenticated AJAX action when a fo...	Unknown	MagicForm	Jun 18, 2026	CVE
MEDIUM 5.4	CVE-2026-55745	Cotonti CSRF in PFS folder edit allows unauthorized folder modification_CVE-2026-55745 Cotonti 1.0.0 (master branch, commit f43f1fc3) is vulnerable to Cross-Site Request Forgery in the Personal File Storage (PFS) module. In modules/pf...	Cotonti	Cotonti 1.0.0	Jun 18, 2026	CVE
MEDIUM 6.1	CVE-2026-12137	SysBasics Customize My Account for WooCommerce <= 4.3.6 - Reflected Cross-Site Scripting via 'tab' Parameter_CVE-2026-12137 The SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager plugin for WordPress is vulnerable to Reflected Cr...	phppoet	SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager	Jun 18, 2026	CVE
MEDIUM 6.4	CVE-2026-12136	SysBasics Customize My Account for WooCommerce <= 4.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes_CVE-2026-12136 The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sysbasics_user_avatar' shortcod...	phppoet	SysBasics Customize My Account for WooCommerce – Dashboard, Endpoints, Avatar & Menu Manager	Jun 18, 2026	CVE
MEDIUM 4.3	CVE-2026-12111	Appointment Booking Calendar <= 1.4.01 - Authenticated (Contributor+) Sensitive Information Exposure via 'id' Parameter_CVE-2026-12111 The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.4.01. Thi...	codepeople	Appointment Booking Calendar	Jun 18, 2026	CVE
MEDIUM 6.4	CVE-2026-12098	PowerPress Podcasting plugin by Blubrry <= 11.16.8 - Authenticated (Author+) Stored Cross-Site Scripting via 'embed' Episode Meta Field_CVE-2026-12098 The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'embed' Episode Meta Field in all...	blubrry	PowerPress Podcasting plugin by Blubrry	Jun 18, 2026	CVE
MEDIUM 6.4	CVE-2026-8039	Fancy Testimonials <= 1.0 - Authenticated (Author+) Stored Cross-Site Scripting_CVE-2026-8039 The Fancy Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'author' shortcode attribute in the 'testimonial' ...	dijitul	Fancy Testimonials	Jun 18, 2026	CVE