| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-39513 | Hig | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Broken Access Control in Easy Appointments <= 3.12.21 versions. | ||
| CVE-2026-39512 | Cri | 0.53 | 9.3 | 0.00 | Jun 15, 2026 | Unauthenticated SQL Injection in GeoDirectory <= 2.8.152 versions. | ||
| CVE-2026-39511 | Cri | 0.60 | 9.3 | 0.00 | Jun 15, 2026 | Unauthenticated SQL Injection in WP Photo Album Plus <= 9.1.08.001 versions. | ||
| CVE-2026-39507 | Hig | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in Social Slider Feed <= 2.3.2 versions. | ||
| CVE-2026-39503 | Hig | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Broken Access Control in Easy Digital Downloads <= 3.6.5 versions. | ||
| CVE-2026-39502 | Cri | 0.60 | 9.3 | 0.00 | Jun 15, 2026 | Unauthenticated SQL Injection in Form Maker by 10Web <= 1.15.38 versions. | ||
| CVE-2026-39499 | Hig | 0.47 | 7.2 | 0.00 | Jun 15, 2026 | Shop manager PHP Object Injection in Advanced Product Fields (Product Addons) for WooCommerce <= 1.6.19 versions. | ||
| CVE-2026-39498 | Hig | 0.47 | 7.2 | 0.00 | Jun 15, 2026 | Shop manager PHP Object Injection in YayMail <= 4.3.3 versions. | ||
| CVE-2026-39493 | Cri | 0.53 | 9.3 | 0.00 | Jun 15, 2026 | Unauthenticated SQL Injection in Simply Schedule Appointments <= 1.6.9.27 versions. | ||
| CVE-2026-39492 | Cri | 0.60 | 9.3 | 0.00 | Jun 15, 2026 | Unauthenticated SQL Injection in WP Maps <= 4.9.1 versions. | ||
| CVE-2026-39491 | Med | 0.42 | 6.5 | 0.00 | Jun 15, 2026 | Subscriber Cross Site Scripting (XSS) in JupiterX Core <= 4.14.1 versions. | ||
| CVE-2026-39489 | Med | 0.29 | 4.4 | 0.00 | Jun 15, 2026 | Author Arbitrary File Download in Download Monitor <= 5.1.9 versions. | ||
| CVE-2026-39481 | Hig | 0.47 | 7.2 | 0.00 | Jun 15, 2026 | Author PHP Object Injection in Modula Image Gallery <= 2.14.18 versions. | ||
| CVE-2026-39480 | Hig | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Sensitive Data Exposure in Backup Migration <= 2.1.1 versions. | ||
| CVE-2026-39478 | Hig | 0.57 | 8.8 | 0.00 | Jun 15, 2026 | Contributor PHP Object Injection in Anti-Malware Security and Brute-Force Firewall <= 4.23.87 versions. | ||
| CVE-2026-39474 | Hig | 0.50 | 8.8 | 0.00 | Jun 15, 2026 | Contributor PHP Object Injection in Post Duplicator <= 3.0.10 versions. | ||
| CVE-2026-39472 | Hig | 0.47 | 7.2 | 0.00 | Jun 15, 2026 | Shop manager PHP Object Injection in WooCommerce PDF Invoices & Packing Slips < 5.9.0 versions. | ||
| CVE-2026-39471 | Hig | 0.47 | 7.2 | 0.00 | Jun 15, 2026 | Author PHP Object Injection in ShortPixel Image Optimizer <= 6.4.3 versions. | ||
| CVE-2026-39470 | Hig | 0.47 | 7.2 | 0.00 | Jun 15, 2026 | Shop manager Privilege Escalation in WooCommerce Cart Abandonment Recovery < 2.1.0 versions. | ||
| CVE-2026-39468 | Med | 0.37 | 6.8 | 0.00 | Jun 15, 2026 | Contributor Arbitrary File Deletion in Meta Box – WordPress Custom Fields Framework <= 5.11.1 versions. | ||
| CVE-2026-39465 | Cri | 0.59 | 9.1 | 0.01 | Jun 15, 2026 | Editor Remote Code Execution (RCE) in Responsive Slider by MetaSlider <= 3.106.0 versions. | ||
| CVE-2026-39463 | Hig | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in ManageWP Worker <= 4.9.31 versions. | ||
| CVE-2026-39451 | Med | 0.41 | 6.3 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in WP Google Review Slider <= 18.0 versions. | ||
| CVE-2026-39450 | Hig | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Subscriber Broken Authentication in FunnelKit Automations <= 3.7.3 versions. | ||
| CVE-2026-39449 | Hig | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in Contact Form to Any API <= 3.0.3 versions. | ||
| CVE-2026-39447 | Hig | 0.39 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in Simply Schedule Appointments <= 1.6.10.6 versions. | ||
| CVE-2026-39441 | Cri | 0.53 | 9.3 | 0.00 | Jun 15, 2026 | Unauthenticated SQL Injection in Feed KuantoKusta for WooCommerce – Free <= 5.3 versions. | ||
| CVE-2026-39435 | Hig | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in CformsII <= 15.1.3 versions. | ||
| CVE-2026-39434 | Hig | 0.47 | 7.2 | 0.00 | Jun 15, 2026 | Shop manager PHP Object Injection in CTX Feed <= 6.6.26 versions. | ||
| CVE-2026-34902 | Hig | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in WooCommerce Product Table Lite <= 4.6.3 versions. | ||
| CVE-2026-34901 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated Privilege Escalation in iControlWP <= 5.5.3 versions. | ||
| CVE-2026-34900 | Hig | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in GiveWP <= 4.14.2 versions. | ||
| CVE-2026-34898 | Hig | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce <= 1.5.3 versions. | ||
| CVE-2026-34892 | Med | 0.42 | 6.5 | 0.00 | Jun 15, 2026 | Subscriber Broken Access Control in Rank Math SEO <= 1.0.271 versions. | ||
| CVE-2026-34891 | Hig | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Sensitive Data Exposure in IDPay Payment Gateway for Woocommerce <= 2.2.5 versions. | ||
| CVE-2026-34886 | Hig | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Broken Access Control in Simple Membership <= 4.7.1 versions. | ||
| CVE-2026-27407 | Hig | 0.47 | 7.2 | 0.00 | Jun 15, 2026 | Editor Privilege Escalation in AI Engine <= 3.4.9 versions. | ||
| CVE-2026-27333 | Hig | 0.53 | 8.1 | 0.00 | Jun 15, 2026 | Unauthenticated Deserialization of untrusted data in Paid Videochat Turnkey Site <= 7.3.23 versions. | ||
| CVE-2026-27089 | Hig | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Bypass Vulnerability in WpTravelly <= 2.1.7 versions. | ||
| CVE-2026-27053 | Cri | 0.64 | 9.8 | 0.00 | Jun 15, 2026 | Unauthenticated PHP Object Injection in Broadcast Live Video < 7.1.3 versions. | ||
| CVE-2026-25440 | Med | 0.34 | 5.3 | 0.00 | Jun 15, 2026 | Unauthenticated Broken Access Control in Essential Addons for Elementor < 6.6.0 versions. | ||
| CVE-2026-25425 | Hig | 0.49 | 7.5 | 0.00 | Jun 15, 2026 | Unauthenticated Broken Access Control in User Registration <= 5.1.2 versions. | ||
| CVE-2026-24637 | Hig | 0.55 | 8.5 | 0.00 | Jun 15, 2026 | Contributor SQL Injection in PowerPress Podcasting <= 11.15.10 versions. | ||
| CVE-2026-23970 | Hig | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in Redirection for Contact Form 7 <= 3.2.8 versions. | ||
| CVE-2025-69332 | Med | 0.42 | 6.5 | 0.00 | Jun 15, 2026 | Subscriber Broken Access Control in Bookify <= 1.1.1 versions. | ||
| CVE-2025-68872 | Hig | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in Eli's WordCents adSense Widget with Analytics <= 1.3.03.27 versions. | ||
| CVE-2025-68851 | Hig | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in Okay Toolkit <= 2.3 versions. | ||
| CVE-2025-68840 | Hig | 0.46 | 7.1 | 0.00 | Jun 15, 2026 | Unauthenticated Cross Site Scripting (XSS) in iRobots.txt SEO <= 1.1.2 versions. | ||
| CVE-2025-68049 | Med | 0.41 | 6.3 | 0.00 | Jun 15, 2026 | Subscriber Broken Access Control in bunny.net <= 2.3.6 versions. | ||
| CVE-2025-60175 | Med | 0.29 | 4.4 | 0.00 | Jun 15, 2026 | Administrator Server Side Request Forgery (SSRF) in PopAd <= 1.0.4 versions. |
- risk 0.49cvss 7.5epss 0.00
Unauthenticated Broken Access Control in Easy Appointments <= 3.12.21 versions.
- risk 0.53cvss 9.3epss 0.00
Unauthenticated SQL Injection in GeoDirectory <= 2.8.152 versions.
- risk 0.60cvss 9.3epss 0.00
Unauthenticated SQL Injection in WP Photo Album Plus <= 9.1.08.001 versions.
- risk 0.46cvss 7.1epss 0.00
Unauthenticated Cross Site Scripting (XSS) in Social Slider Feed <= 2.3.2 versions.
- risk 0.49cvss 7.5epss 0.00
Unauthenticated Broken Access Control in Easy Digital Downloads <= 3.6.5 versions.
- risk 0.60cvss 9.3epss 0.00
Unauthenticated SQL Injection in Form Maker by 10Web <= 1.15.38 versions.
- risk 0.47cvss 7.2epss 0.00
Shop manager PHP Object Injection in Advanced Product Fields (Product Addons) for WooCommerce <= 1.6.19 versions.
- risk 0.47cvss 7.2epss 0.00
Shop manager PHP Object Injection in YayMail <= 4.3.3 versions.
- risk 0.53cvss 9.3epss 0.00
Unauthenticated SQL Injection in Simply Schedule Appointments <= 1.6.9.27 versions.
- risk 0.60cvss 9.3epss 0.00
Unauthenticated SQL Injection in WP Maps <= 4.9.1 versions.
- risk 0.42cvss 6.5epss 0.00
Subscriber Cross Site Scripting (XSS) in JupiterX Core <= 4.14.1 versions.
- risk 0.29cvss 4.4epss 0.00
Author Arbitrary File Download in Download Monitor <= 5.1.9 versions.
- risk 0.47cvss 7.2epss 0.00
Author PHP Object Injection in Modula Image Gallery <= 2.14.18 versions.
- risk 0.49cvss 7.5epss 0.00
Unauthenticated Sensitive Data Exposure in Backup Migration <= 2.1.1 versions.
- risk 0.57cvss 8.8epss 0.00
Contributor PHP Object Injection in Anti-Malware Security and Brute-Force Firewall <= 4.23.87 versions.
- risk 0.50cvss 8.8epss 0.00
Contributor PHP Object Injection in Post Duplicator <= 3.0.10 versions.
- risk 0.47cvss 7.2epss 0.00
Shop manager PHP Object Injection in WooCommerce PDF Invoices & Packing Slips < 5.9.0 versions.
- risk 0.47cvss 7.2epss 0.00
Author PHP Object Injection in ShortPixel Image Optimizer <= 6.4.3 versions.
- risk 0.47cvss 7.2epss 0.00
Shop manager Privilege Escalation in WooCommerce Cart Abandonment Recovery < 2.1.0 versions.
- risk 0.37cvss 6.8epss 0.00
Contributor Arbitrary File Deletion in Meta Box – WordPress Custom Fields Framework <= 5.11.1 versions.
- risk 0.59cvss 9.1epss 0.01
Editor Remote Code Execution (RCE) in Responsive Slider by MetaSlider <= 3.106.0 versions.
- risk 0.46cvss 7.1epss 0.00
Unauthenticated Cross Site Scripting (XSS) in ManageWP Worker <= 4.9.31 versions.
- risk 0.41cvss 6.3epss 0.00
Unauthenticated Cross Site Scripting (XSS) in WP Google Review Slider <= 18.0 versions.
- risk 0.46cvss 7.1epss 0.00
Subscriber Broken Authentication in FunnelKit Automations <= 3.7.3 versions.
- risk 0.46cvss 7.1epss 0.00
Unauthenticated Cross Site Scripting (XSS) in Contact Form to Any API <= 3.0.3 versions.
- risk 0.39cvss 7.1epss 0.00
Unauthenticated Cross Site Scripting (XSS) in Simply Schedule Appointments <= 1.6.10.6 versions.
- risk 0.53cvss 9.3epss 0.00
Unauthenticated SQL Injection in Feed KuantoKusta for WooCommerce – Free <= 5.3 versions.
- risk 0.46cvss 7.1epss 0.00
Unauthenticated Cross Site Scripting (XSS) in CformsII <= 15.1.3 versions.
- risk 0.47cvss 7.2epss 0.00
Shop manager PHP Object Injection in CTX Feed <= 6.6.26 versions.
- risk 0.46cvss 7.1epss 0.00
Unauthenticated Cross Site Scripting (XSS) in WooCommerce Product Table Lite <= 4.6.3 versions.
- risk 0.64cvss 9.8epss 0.00
Unauthenticated Privilege Escalation in iControlWP <= 5.5.3 versions.
- risk 0.46cvss 7.1epss 0.00
Unauthenticated Cross Site Scripting (XSS) in GiveWP <= 4.14.2 versions.
- risk 0.49cvss 7.5epss 0.00
Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce <= 1.5.3 versions.
- risk 0.42cvss 6.5epss 0.00
Subscriber Broken Access Control in Rank Math SEO <= 1.0.271 versions.
- risk 0.49cvss 7.5epss 0.00
Unauthenticated Sensitive Data Exposure in IDPay Payment Gateway for Woocommerce <= 2.2.5 versions.
- risk 0.49cvss 7.5epss 0.00
Unauthenticated Broken Access Control in Simple Membership <= 4.7.1 versions.
- risk 0.47cvss 7.2epss 0.00
Editor Privilege Escalation in AI Engine <= 3.4.9 versions.
- risk 0.53cvss 8.1epss 0.00
Unauthenticated Deserialization of untrusted data in Paid Videochat Turnkey Site <= 7.3.23 versions.
- risk 0.49cvss 7.5epss 0.00
Unauthenticated Bypass Vulnerability in WpTravelly <= 2.1.7 versions.
- risk 0.64cvss 9.8epss 0.00
Unauthenticated PHP Object Injection in Broadcast Live Video < 7.1.3 versions.
- risk 0.34cvss 5.3epss 0.00
Unauthenticated Broken Access Control in Essential Addons for Elementor < 6.6.0 versions.
- risk 0.49cvss 7.5epss 0.00
Unauthenticated Broken Access Control in User Registration <= 5.1.2 versions.
- risk 0.55cvss 8.5epss 0.00
Contributor SQL Injection in PowerPress Podcasting <= 11.15.10 versions.
- risk 0.46cvss 7.1epss 0.00
Unauthenticated Cross Site Scripting (XSS) in Redirection for Contact Form 7 <= 3.2.8 versions.
- risk 0.42cvss 6.5epss 0.00
Subscriber Broken Access Control in Bookify <= 1.1.1 versions.
- risk 0.46cvss 7.1epss 0.00
Unauthenticated Cross Site Scripting (XSS) in Eli's WordCents adSense Widget with Analytics <= 1.3.03.27 versions.
- risk 0.46cvss 7.1epss 0.00
Unauthenticated Cross Site Scripting (XSS) in Okay Toolkit <= 2.3 versions.
- risk 0.46cvss 7.1epss 0.00
Unauthenticated Cross Site Scripting (XSS) in iRobots.txt SEO <= 1.1.2 versions.
- risk 0.41cvss 6.3epss 0.00
Subscriber Broken Access Control in bunny.net <= 2.3.6 versions.
- risk 0.29cvss 4.4epss 0.00
Administrator Server Side Request Forgery (SSRF) in PopAd <= 1.0.4 versions.