Recent Advisories

Severity ID Title Vendor Product Date Type
MEDIUM 5.3 CVE-2026-13459

JetFormBuilder <= 3.6.3 - Missing Authorization to Unauthenticated Sensitive Information Disclosure via 'context' Parameter

The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3...

jetmonsters JetFormBuilder — Dynamic Blocks Form Builder CVE
MEDIUM 6.4 CVE-2026-13252

RSS Aggregator by Feedzy <= 5.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'aspectRatio' Attribute

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Stored Cross...

themeisle RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator CVE
MEDIUM 5.3 CVE-2026-12657

LatePoint <= 5.6.2 - Unauthenticated Insecure Direct Object Reference to Arbitrary Creation via 'service_id' Parameter

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all v...

latepoint LatePoint – Calendar Booking Plugin for Appointments and Events CVE
MEDIUM 5.3 CVE-2026-12472

Kirki <= 6.0.11 - Missing Authorization to Unauthenticated Arbitrary Email Content Injection (Mail Relay / Phishing) via 'emailBody' and 'emailSubject' Parameters

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, a...

themeum Kirki – Freeform Page Builder, Website Builder & Customizer CVE
MEDIUM 4.3 CVE-2026-12134

JoomSport <= 5.7.8 - Authenticated (Subscriber+) Missing Authorization to Arbitrary Group Creation/Modification via season_groupedit AJAX action

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to authorization bypass in all versions up to...

beardev JoomSport – for Sports: Team & League, Football, Hockey & more CVE
MEDIUM 5.3 CVE-2026-12122

Kirki <= 6.0.11 - Missing Authorization to Unauthenticated Sensitive Information Exposure via kirki_post_apis_nopriv AJAX Action

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all version...

themeum Kirki – Freeform Page Builder, Website Builder & Customizer CVE
MEDIUM 5.3 CVE-2026-11896

My Calendar <= 3.7.14 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'vcal' Parameter

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and includ...

joedolson My Calendar – Accessible Event Manager CVE
MEDIUM 4.4 CVE-2026-10104

Product Video Gallery for Woocommerce <= 1.5.1.8 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via custom_thumbnail Parameter

The Product Video Gallery for Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom_thumbnail Parameter in all v...

nikhilgadhiya Product Video Gallery for Woocommerce CVE
MEDIUM 5.3 CVE-2026-5348

Academy LMS <= 3.8.1 - Unauthenticated Insecure Direct Object Reference to Private Topic Disclosure

The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in ve...

kodezen Academy LMS – WordPress LMS Plugin for Complete eLearning Solution CVE
MEDIUM 6.4 CVE-2026-13704

GiveWP <= 4.16.1 - Authenticated (Give Worker+) Stored Cross-Site Scripting via Sequoia Form

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sequoia[introducti...

stellarwp GiveWP – Donation Plugin and Fundraising Platform CVE