Total: 361770 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-8607 | | | 2026-06-17 | N/A | 6.4 MEDIUM |
| The Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wrap' Shortcode Attribute in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2026-40751 | | | 2026-06-17 | N/A | 8.1 HIGH |
| Unauthenticated PHP Object Injection in Ashtanga <= 1.2 versions. | |||||
| CVE-2026-39547 | | | 2026-06-17 | N/A | 8.1 HIGH |
| Unauthenticated Local File Inclusion in Getaway < 1.8 versions. | |||||
| CVE-2026-49073 | | | 2026-06-17 | N/A | 8.5 HIGH |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpWax Directorist Booking allows Blind SQL Injection. This issue affects Directorist Booking: from n/a through 3.0.3. | |||||
| CVE-2026-39522 | | | 2026-06-17 | N/A | 8.1 HIGH |
| Unauthenticated Local File Inclusion in Solene <= 3.4 versions. | |||||
| CVE-2026-22334 | | | 2026-06-17 | N/A | 7.5 HIGH |
| Subscriber Arbitrary File Download in Woocommerce Book Price <= 1.3 versions. | |||||
| CVE-2026-39443 | | | 2026-06-17 | N/A | 8.1 HIGH |
| Unauthenticated PHP Object Injection in EmallShop <= 2.4.21 versions. | |||||
| CVE-2025-69163 | | | 2026-06-17 | N/A | 8.1 HIGH |
| Unauthenticated Local File Inclusion in WineShop <= 3.17 versions. | |||||
| CVE-2026-49075 | | | 2026-06-17 | N/A | 9.8 CRITICAL |
| Contributor PHP Object Injection in JetEngine <= 3.8.9.1 versions. | |||||
| CVE-2026-12360 | | | 2026-06-17 | N/A | 7.5 HIGH |
| The JetEngine plugin for WordPress is vulnerable to SQL injection in all versions up to and including 3.8.10.1. The listing_load_more AJAX handler accepts a filtered_query parameter that is intentionally excluded from the HMAC query signature check to support front-end filter integration. However, meta_query row values within filtered_query are not sanitized before being merged into SQL construction. This makes it possible for unauthenticated attackers to perform time-based or boolean blind SQL injection by appending a malicious meta_query value to a Load More AJAX request captured from any public Listing Grid page. | |||||
| CVE-2026-54805 | | | 2026-06-17 | N/A | 8.8 HIGH |
| Subscriber Privilege Escalation in Falang multilanguage <= 1.4.2 versions. | |||||
| CVE-2026-39537 | | | 2026-06-17 | N/A | 8.1 HIGH |
| Unauthenticated Local File Inclusion in Mikado Core <= 1.6 versions. | |||||
| CVE-2026-49058 | | | 2026-06-17 | N/A | 9.8 CRITICAL |
| Unauthenticated Privilege Escalation in LoginPress Pro <= 6.2.2 versions. | |||||
| CVE-2026-40761 | | | 2026-06-17 | N/A | 8.1 HIGH |
| Unauthenticated PHP Object Injection in Valeska <= 1.2.2 versions. | |||||
| CVE-2026-48869 | | | 2026-06-17 | N/A | 7.1 HIGH |
| Unauthenticated Cross Site Scripting (XSS) in Enfold <= 7.1.4 versions. | |||||
| CVE-2026-54184 | | | 2026-06-17 | N/A | 8.2 HIGH |
| Unauthenticated Insecure Direct Object References (IDOR) in Clean Login <= 1.15 versions. | |||||
| CVE-2026-40736 | | | 2026-06-17 | N/A | 8.1 HIGH |
| Unauthenticated PHP Object Injection in Laurits <= 1.5.1 versions. | |||||
| CVE-2025-69167 | | | 2026-06-17 | N/A | 8.1 HIGH |
| Unauthenticated Local File Inclusion in Eros <= 1.3 versions. | |||||
| CVE-2026-49113 | | | 2026-06-17 | N/A | 8.5 HIGH |
| Subscriber Arbitrary Code Execution in Cornerstone < 7.8.8 versions. | |||||
| CVE-2025-69173 | | | 2026-06-17 | N/A | 8.1 HIGH |
| Unauthenticated Local File Inclusion in Tipsy <= 1.1 versions. | |||||
