Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    8564 vulnerabilities by unknown

    CVE-2026-12979 (GCVE-0-2026-12979)

    Vulnerability from nvd – Published: 2026-07-16 06:00 – Updated: 2026-07-16 06:00
    VLAI
    Title
    FunnelKit < 3.15.0.6 - Admin+ Arbitrary File Deletion via Path Traversal in Template Importer
    Summary
    The FunnelKit WordPress plugin before 3.15.0.6 does not validate a user-supplied path before deleting a file during a template-import operation, allowing users with administrator privileges to delete arbitrary .json files outside the intended directory through path traversal, which can disable other FunnelKit WordPress plugin before 3.15.0.6 or (denial of service).
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/d81ca171-65eb-48… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown FunnelKit Affected: 0 , < 3.15.0.6 (semver)
    Create a notification for this product.
    Credits
    Meher Sudhakar Abbireddi WPScan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "FunnelKit",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "3.15.0.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Meher Sudhakar Abbireddi"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The FunnelKit  WordPress plugin before 3.15.0.6 does not validate a user-supplied path before deleting a file during a template-import operation, allowing users with administrator privileges to delete arbitrary .json files outside the intended directory through path traversal, which can disable other FunnelKit  WordPress plugin before 3.15.0.6 or  (denial of service)."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-73 External Control of File Name or Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T06:00:05.068Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/d81ca171-65eb-484d-917f-f41b0cd20351/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "FunnelKit \u003c 3.15.0.6 - Admin+ Arbitrary File Deletion via Path Traversal in Template Importer",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-12979",
        "datePublished": "2026-07-16T06:00:05.068Z",
        "dateReserved": "2026-06-23T10:56:14.346Z",
        "dateUpdated": "2026-07-16T06:00:05.068Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12978 (GCVE-0-2026-12978)

    Vulnerability from nvd – Published: 2026-07-16 06:00 – Updated: 2026-07-16 06:00
    VLAI
    Title
    FunnelKit < 3.15.0.6 - Reflected XSS via Divi Optin Form
    Summary
    The FunnelKit WordPress plugin before 3.15.0.6 does not escape a user-supplied parameter before reflecting it into the HTML response of one of its page-builder AJAX actions, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting against logged-in users who open a crafted page. The affected action is only registered when the Divi /builder is active.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/1b22645b-28cb-44… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown FunnelKit Affected: 0 , < 3.15.0.6 (semver)
    Create a notification for this product.
    Credits
    Meher Sudhakar Abbireddi WPScan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "FunnelKit",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "3.15.0.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Meher Sudhakar Abbireddi"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The FunnelKit  WordPress plugin before 3.15.0.6 does not escape a user-supplied parameter before reflecting it into the HTML response of one of its page-builder AJAX actions, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting against logged-in users who open a crafted page. The affected action is only registered when the Divi /builder is active."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-79 Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T06:00:04.896Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/1b22645b-28cb-44f3-a5b9-c81a40175e59/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "FunnelKit \u003c 3.15.0.6 - Reflected XSS via Divi Optin Form",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-12978",
        "datePublished": "2026-07-16T06:00:04.896Z",
        "dateReserved": "2026-06-23T10:56:12.742Z",
        "dateUpdated": "2026-07-16T06:00:04.896Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12907 (GCVE-0-2026-12907)

    Vulnerability from nvd – Published: 2026-07-16 06:00 – Updated: 2026-07-16 06:00
    VLAI
    Title
    RTMKit Addons for Elementor < 2.0.9 - Author+ Site-Wide Theme Builder Template Creation and Activation
    Summary
    The RTMKit WordPress plugin before 2.0.9 does not perform a proper capability check on one of its -builder AJAX actions, allowing users with at least the Author role to create and activate a site-wide template that overrides the header, footer or other global areas displayed to all visitors, which is normally restricted to administrators.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/61588303-d356-4c… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown RTMKit Affected: 0 , < 2.0.9 (semver)
    Create a notification for this product.
    Credits
    Meher Sudhakar Abbireddi WPScan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "RTMKit",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.0.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Meher Sudhakar Abbireddi"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The RTMKit WordPress plugin before 2.0.9 does not perform a proper capability check on one of its -builder AJAX actions, allowing users with at least the Author role to create and activate a site-wide template that overrides the header, footer or other global areas displayed to all visitors, which is normally restricted to administrators."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T06:00:04.681Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/61588303-d356-4cec-9cdc-15dc8cb0b29f/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "RTMKit Addons for Elementor \u003c 2.0.9 - Author+ Site-Wide Theme Builder Template Creation and Activation",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-12907",
        "datePublished": "2026-07-16T06:00:04.681Z",
        "dateReserved": "2026-06-22T14:41:44.233Z",
        "dateUpdated": "2026-07-16T06:00:04.681Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12906 (GCVE-0-2026-12906)

    Vulnerability from nvd – Published: 2026-07-16 06:00 – Updated: 2026-07-16 06:00
    VLAI
    Title
    RTMKit Addons for Elementor < 2.0.9 - Contributor+ Private Post Title Disclosure
    Summary
    The RTMKit WordPress plugin before 2.0.9 does not perform a capability check in one of its AJAX actions and resolves a request-supplied post identifier directly, allowing users with at least the Contributor role to read the titles of other users' private, draft, pending, scheduled and trashed posts.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/594c3769-b953-49… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown RTMKit Affected: 0 , < 2.0.9 (semver)
    Create a notification for this product.
    Credits
    Meher Sudhakar Abbireddi WPScan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "RTMKit",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.0.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Meher Sudhakar Abbireddi"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The RTMKit WordPress plugin before 2.0.9 does not perform a capability check in one of its AJAX actions and resolves a request-supplied post identifier directly, allowing users with at least the Contributor role to read the titles of other users\u0027 private, draft, pending, scheduled and trashed posts."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T06:00:04.463Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/594c3769-b953-4966-836d-a0dc4585fe87/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "RTMKit Addons for Elementor \u003c 2.0.9 - Contributor+ Private Post Title Disclosure",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-12906",
        "datePublished": "2026-07-16T06:00:04.463Z",
        "dateReserved": "2026-06-22T14:41:41.058Z",
        "dateUpdated": "2026-07-16T06:00:04.463Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12869 (GCVE-0-2026-12869)

    Vulnerability from nvd – Published: 2026-07-16 06:00 – Updated: 2026-07-16 06:00
    VLAI
    Title
    Header Footer Builder for Elementor < 1.2.1 - Contributor+ Stored XSS via Template Import
    Summary
    The Header Footer Builder for Elementor WordPress plugin before 1.2.1 does not require an administrative capability for its dashboard template-import action (it allows any edit_posts user), so a Contributor can import a template containing an Elementor HTML widget configured to display site-wide, injecting JavaScript that executes in the session of any visitor or administrator who loads the site.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/3c6562d9-f55e-4d… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown Header Footer Builder for Elementor Affected: 0 , < 1.2.1 (semver)
    Create a notification for this product.
    Credits
    Vaibhav Narkhede WPScan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Header Footer Builder for Elementor",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "1.2.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Vaibhav Narkhede"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Header Footer Builder for Elementor WordPress plugin before 1.2.1 does not require an administrative capability for its dashboard template-import action (it allows any edit_posts user), so a Contributor can import a template containing an Elementor HTML widget configured to display site-wide, injecting JavaScript that executes in the session of any visitor or administrator who loads the site."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-79 Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T06:00:04.278Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/3c6562d9-f55e-4d82-be95-60e82a6feecf/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Header Footer Builder for Elementor \u003c 1.2.1 - Contributor+ Stored XSS via Template Import",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-12869",
        "datePublished": "2026-07-16T06:00:04.278Z",
        "dateReserved": "2026-06-22T08:30:36.821Z",
        "dateUpdated": "2026-07-16T06:00:04.278Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12684 (GCVE-0-2026-12684)

    Vulnerability from nvd – Published: 2026-07-16 06:00 – Updated: 2026-07-16 06:00
    VLAI
    Title
    Customer Reviews for WooCommerce < 5.113.0 - Unauthenticated Arbitrary Media Upload via cr_upload_media
    Summary
    The Customer Reviews for WooCommerce WordPress plugin before 5.113.0 does not perform authentication, capability, or nonce checks on one of its media upload AJAX actions when the review media attachment feature is enabled, allowing unauthenticated users to upload media files (bounded to an image and video allowlist) to the Media Library and create attachment posts, leading to media library pollution and disk space exhaustion.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/169d3455-dd98-4b… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown Customer Reviews for WooCommerce Affected: 0 , < 5.113.0 (semver)
    Create a notification for this product.
    Credits
    Tom C WPScan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Customer Reviews for WooCommerce",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "5.113.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Tom C"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Customer Reviews for WooCommerce WordPress plugin before 5.113.0 does not perform authentication, capability, or nonce checks on one of its media upload AJAX actions when the review media attachment feature is enabled, allowing unauthenticated users to upload media files (bounded to an image and video allowlist) to the Media Library and create attachment posts, leading to media library pollution and disk space exhaustion."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T06:00:04.102Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/169d3455-dd98-4b0b-b6c1-6c9c28aa9707/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Customer Reviews for WooCommerce \u003c 5.113.0 - Unauthenticated Arbitrary Media Upload via cr_upload_media",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-12684",
        "datePublished": "2026-07-16T06:00:04.102Z",
        "dateReserved": "2026-06-19T07:49:11.659Z",
        "dateUpdated": "2026-07-16T06:00:04.102Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12585 (GCVE-0-2026-12585)

    Vulnerability from nvd – Published: 2026-07-16 06:00 – Updated: 2026-07-16 06:00
    VLAI
    Title
    Abandoned Cart Lite for WooCommerce < 6.8.2 - Unauthenticated Account Takeover via Malleable Recovery-Link Token
    Summary
    The Abandoned Cart Lite for WooCommerce WordPress plugin before 6.8.2 does not protect the integrity of its cart-recovery tokens or bind them to the requesting account, allowing unauthenticated attackers to forge a recovery link that logs them in as another user when the automatic-login option is enabled.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/c94475c8-d129-47… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown Abandoned Cart Lite for WooCommerce Affected: 0 , < 6.8.2 (semver)
    Create a notification for this product.
    Credits
    Shivamani Vastrala WPScan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Abandoned Cart Lite for WooCommerce",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "6.8.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Shivamani Vastrala"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Abandoned Cart Lite for WooCommerce WordPress plugin before 6.8.2 does not protect the integrity of its cart-recovery tokens or bind them to the requesting account, allowing unauthenticated attackers to forge a recovery link that logs them in as another user when the automatic-login option is enabled."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T06:00:03.930Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/c94475c8-d129-4735-b599-5094efb20cb8/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Abandoned Cart Lite for WooCommerce \u003c 6.8.2 - Unauthenticated Account Takeover via Malleable Recovery-Link Token",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-12585",
        "datePublished": "2026-07-16T06:00:03.930Z",
        "dateReserved": "2026-06-18T07:06:18.053Z",
        "dateUpdated": "2026-07-16T06:00:03.930Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12525 (GCVE-0-2026-12525)

    Vulnerability from nvd – Published: 2026-07-16 06:00 – Updated: 2026-07-16 06:00
    VLAI
    Title
    Redux Framework < 4.5.13 - Subscriber+ Privilege Escalation to Administrator
    Summary
    The Redux Framework WordPress plugin before 4.5.13 does not restrict which user meta keys can be written when saving custom profile fields, allowing users with at least the Subscriber role to escalate their privileges to Administrator by submitting a crafted value while updating their own profile, on sites where the Redux Framework WordPress plugin before 4.5.13's user-profile (Users extension) feature is enabled.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/11d5d4c2-7ba9-43… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown Redux Framework Affected: 0 , < 4.5.13 (semver)
    Create a notification for this product.
    Credits
    Jakub Herman WPScan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Redux Framework",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "4.5.13",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakub Herman"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Redux Framework WordPress plugin before 4.5.13 does not restrict which user meta keys can be written when saving custom profile fields, allowing users with at least the Subscriber role to escalate their privileges to Administrator by submitting a crafted value while updating their own profile, on sites where the Redux Framework WordPress plugin before 4.5.13\u0027s user-profile (Users extension) feature is enabled."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T06:00:03.760Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/11d5d4c2-7ba9-4389-9050-28c90920e34b/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Redux Framework \u003c 4.5.13 - Subscriber+ Privilege Escalation to Administrator",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-12525",
        "datePublished": "2026-07-16T06:00:03.760Z",
        "dateReserved": "2026-06-17T13:40:16.637Z",
        "dateUpdated": "2026-07-16T06:00:03.760Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12510 (GCVE-0-2026-12510)

    Vulnerability from nvd – Published: 2026-07-16 06:00 – Updated: 2026-07-16 06:00
    VLAI
    Title
    AI Engine < 3.5.5 - Subscriber+Chatbot Discussion Disclosure and Takeover via IDOR
    Summary
    The AI Engine WordPress plugin before 3.5.5 does not verify that a user owns the chatbot conversation referenced by a client-supplied identifier, allowing users with subscriber-level access to read other users' private conversations and take over their conversation records when the discussions feature is enabled.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/b7825c8a-1817-4a… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown AI Engine Affected: 0 , < 3.5.5 (semver)
    Create a notification for this product.
    Credits
    Shivamani Vastrala WPScan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "AI Engine",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "3.5.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Shivamani Vastrala"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The AI Engine  WordPress plugin before 3.5.5 does not verify that a user owns the chatbot conversation referenced by a client-supplied identifier, allowing users with subscriber-level access to read other users\u0027 private conversations and take over their conversation records when the discussions feature is enabled."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T06:00:03.590Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/b7825c8a-1817-4a17-b641-076e48ac7c2e/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "AI Engine \u003c 3.5.5 - Subscriber+Chatbot Discussion Disclosure and Takeover via IDOR",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-12510",
        "datePublished": "2026-07-16T06:00:03.590Z",
        "dateReserved": "2026-06-17T11:39:09.525Z",
        "dateUpdated": "2026-07-16T06:00:03.590Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12492 (GCVE-0-2026-12492)

    Vulnerability from nvd – Published: 2026-07-16 06:00 – Updated: 2026-07-16 06:00
    VLAI
    Title
    Happy Coders OTP Login for WooCommerce < 2.8 - Unauthenticated Account Takeover via hcotp_auto_login_user
    Summary
    The Happy Coders OTP Login for WooCommerce WordPress plugin before 2.8 does not verify that a one-time password was actually validated before authenticating a user based on a supplied identifier, allowing unauthenticated attackers to log in as any existing user, including administrators, as well as to create new accounts.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/56fdcba6-c7b1-44… exploitvdb-entrytechnical-description
    Impacted products
    Credits
    moonge WPScan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Happy Coders OTP Login for WooCommerce",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.8",
                  "status": "affected",
                  "version": "1.5",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "moonge"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Happy Coders OTP Login for WooCommerce WordPress plugin before 2.8 does not verify that a one-time password was actually validated before authenticating a user based on a supplied identifier, allowing unauthenticated attackers to log in as any existing user, including administrators, as well as to create new accounts."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T06:00:03.419Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/56fdcba6-c7b1-443d-9f9d-b738ecaadabc/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Happy Coders OTP Login for WooCommerce \u003c 2.8 - Unauthenticated Account Takeover via hcotp_auto_login_user",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-12492",
        "datePublished": "2026-07-16T06:00:03.419Z",
        "dateReserved": "2026-06-17T08:25:07.733Z",
        "dateUpdated": "2026-07-16T06:00:03.419Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12395 (GCVE-0-2026-12395)

    Vulnerability from nvd – Published: 2026-07-16 06:00 – Updated: 2026-07-16 06:00
    VLAI
    Title
    WP Job Portal < 2.5.5 - Subscriber+ SQL Injection via Applied Resumes 'ta' Parameter
    Summary
    The WP Job Portal WordPress plugin before 2.5.5 does not properly sanitize and escape a parameter before using it in a SQL query, allowing authenticated users with a subscriber-level (self-registerable) account to perform SQL injection attacks.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/0183c669-cb09-4d… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown WP Job Portal Affected: 0 , < 2.5.5 (semver)
    Create a notification for this product.
    Credits
    Meher Sudhakar Abbireddi WPScan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WP Job Portal",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.5.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Meher Sudhakar Abbireddi"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WP Job Portal  WordPress plugin before 2.5.5 does not properly sanitize and escape a parameter before using it in a SQL query, allowing authenticated users with a subscriber-level (self-registerable) account to perform SQL injection attacks."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T06:00:03.242Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/0183c669-cb09-4d53-852f-a0a877691d1e/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WP Job Portal \u003c 2.5.5 - Subscriber+ SQL Injection via Applied Resumes \u0027ta\u0027 Parameter",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-12395",
        "datePublished": "2026-07-16T06:00:03.242Z",
        "dateReserved": "2026-06-16T13:12:32.338Z",
        "dateUpdated": "2026-07-16T06:00:03.242Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11866 (GCVE-0-2026-11866)

    Vulnerability from nvd – Published: 2026-07-16 06:00 – Updated: 2026-07-16 06:00
    VLAI
    Title
    LatePoint < 5.6.3 - Multiple Privileged Actions via CSRF
    Summary
    The Appointment Booking Plugin WordPress plugin before 5.6.3 does not validate a CSRF nonce on several state-changing actions handled by its central request dispatcher, allowing attackers to perform privileged actions, such as overwriting the booking-form configuration or disconnecting the connected payment gateway, via Cross-Site Request Forgery against a logged-in administrator.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/84e936b8-1978-4d… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown Appointment Booking Plugin Affected: 0 , < 5.6.3 (semver)
    Create a notification for this product.
    Credits
    Meher Sudhakar Abbireddi WPScan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Appointment Booking Plugin",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "5.6.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Meher Sudhakar Abbireddi"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Appointment Booking Plugin  WordPress plugin before 5.6.3 does not validate a CSRF nonce on several state-changing actions handled by its central request dispatcher, allowing attackers to perform privileged actions, such as overwriting the booking-form configuration or disconnecting the connected payment gateway, via Cross-Site Request Forgery against a logged-in administrator."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T06:00:03.056Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/84e936b8-1978-4dc3-aa40-5ce49bfdc445/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "LatePoint \u003c 5.6.3 - Multiple Privileged Actions via CSRF",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-11866",
        "datePublished": "2026-07-16T06:00:03.056Z",
        "dateReserved": "2026-06-10T12:15:27.794Z",
        "dateUpdated": "2026-07-16T06:00:03.056Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11371 (GCVE-0-2026-11371)

    Vulnerability from nvd – Published: 2026-07-16 06:00 – Updated: 2026-07-16 06:00
    VLAI
    Title
    BetterDocs < 4.5.5 - Unauthenticated Stored XSS via AI Doc Summarizer Prompt Injection
    Summary
    The BetterDocs WordPress plugin before 4.5.5 does not sanitise an AI-generated documentation summary before storing and outputting it, and the feature that generates it is exposed to unauthenticated users, allowing them to store a malicious payload via prompt injection that executes in the browser of any visitor who views the affected page, including administrators.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/db41e3db-74c2-4b… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown BetterDocs Affected: 4.0.0 , < 4.5.5 (semver)
    Create a notification for this product.
    Credits
    mcdruid WPScan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "BetterDocs",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "4.5.5",
                  "status": "affected",
                  "version": "4.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "mcdruid"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The BetterDocs  WordPress plugin before 4.5.5 does not sanitise an AI-generated documentation summary before storing and outputting it, and the feature that generates it is exposed to unauthenticated users, allowing them to store a malicious payload via prompt injection that executes in the browser of any visitor who views the affected page, including administrators."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-79 Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T06:00:02.874Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/db41e3db-74c2-4b94-bbff-bd1493295241/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "BetterDocs \u003c 4.5.5 - Unauthenticated Stored XSS via AI Doc Summarizer Prompt Injection",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-11371",
        "datePublished": "2026-07-16T06:00:02.874Z",
        "dateReserved": "2026-06-05T12:01:56.518Z",
        "dateUpdated": "2026-07-16T06:00:02.874Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12512 (GCVE-0-2026-12512)

    Vulnerability from nvd – Published: 2026-07-15 06:00 – Updated: 2026-07-15 10:29
    VLAI
    Title
    Quotes Llama < 3.1.6 - Unauthenticated SQL Injection via sc Parameter
    Summary
    The Quotes llama WordPress plugin before 3.1.6 does not properly sanitize and escape a user-supplied parameter before using it in a SQL query, allowing unauthenticated attackers to perform UNION-based SQL injection and read arbitrary data from the database, including password hashes.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/39d038f6-f009-42… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown Quotes llama Affected: 0 , < 3.1.6 (semver)
    Create a notification for this product.
    Credits
    Pablo González Pérez Francisco José Ramírez Vicente and Iñigo Sánchez Enciso WPScan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 8.6,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "NONE",
                  "privilegesRequired": "NONE",
                  "scope": "CHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12512",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T10:28:33.135877Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-89",
                    "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T10:29:07.096Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Quotes llama",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "3.1.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Pablo Gonz\u00e1lez P\u00e9rez"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Francisco Jos\u00e9 Ram\u00edrez Vicente and I\u00f1igo S\u00e1nchez Enciso"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Quotes llama WordPress plugin before 3.1.6 does not properly sanitize and escape a user-supplied parameter before using it in a SQL query, allowing unauthenticated attackers to perform UNION-based SQL injection and read arbitrary data from the database, including password hashes."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T06:00:02.636Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/39d038f6-f009-4274-a8a7-9d7c2597ec85/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Quotes Llama \u003c 3.1.6 - Unauthenticated SQL Injection via sc Parameter",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-12512",
        "datePublished": "2026-07-15T06:00:02.636Z",
        "dateReserved": "2026-06-17T11:59:13.454Z",
        "dateUpdated": "2026-07-15T10:29:07.096Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12281 (GCVE-0-2026-12281)

    Vulnerability from nvd – Published: 2026-07-15 06:00 – Updated: 2026-07-15 10:30
    VLAI
    Title
    Shibboleth < 2.5.4 - Unauthenticated Administrator Account Creation via Identity Header Spoofing
    Summary
    The Shibboleth WordPress plugin before 2.5.4 does not fail closed when its HTTP header identity mode is enabled without an anti-spoofing key, treating any request that carries identity headers as an authenticated session without verifying them. On a deployment where untrusted client headers reach the application, an unauthenticated attacker can log in with forged identity headers and, when automatic account creation and the default administrator role mapping are enabled, create and sign in as a new administrator. Exploitation requires the non-default HTTP header attribute mode, an empty or absent spoof key, automatic account creation enabled, and a deployment that does not strip untrusted client headers before they reach the application.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/8474eda4-6385-44… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown Shibboleth Affected: 0 , < 2.5.4 (semver)
    Create a notification for this product.
    Credits
    Khaled Alenazi (Nxploited) WPScan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "HIGH",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "HIGH",
                  "baseScore": 8.1,
                  "baseSeverity": "HIGH",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "HIGH",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12281",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T10:30:20.393062Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-287",
                    "description": "CWE-287 Improper Authentication",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T10:30:29.732Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Shibboleth",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.5.4",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Khaled Alenazi (Nxploited)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Shibboleth WordPress plugin before 2.5.4 does not fail closed when its HTTP header identity mode is enabled without an anti-spoofing key, treating any request that carries identity headers as an authenticated session without verifying them. On a deployment where untrusted client headers reach the application, an unauthenticated attacker can log in with forged identity headers and, when automatic account creation and the default administrator role mapping are enabled, create and sign in as a new administrator. Exploitation requires the non-default HTTP header attribute mode, an empty or absent spoof key, automatic account creation enabled, and a deployment that does not strip untrusted client headers before they reach the application."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T06:00:02.460Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/8474eda4-6385-447a-9139-f57c049d1713/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Shibboleth \u003c 2.5.4 - Unauthenticated Administrator Account Creation via Identity Header Spoofing",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-12281",
        "datePublished": "2026-07-15T06:00:02.460Z",
        "dateReserved": "2026-06-15T12:45:00.391Z",
        "dateUpdated": "2026-07-15T10:30:29.732Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11580 (GCVE-0-2026-11580)

    Vulnerability from nvd – Published: 2026-07-15 06:00 – Updated: 2026-07-15 10:31
    VLAI
    Title
    Kali Forms < 2.4.17 - Contributor+ Arbitrary Post Metadata Disclosure via IDOR
    Summary
    The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17 does not perform a per-object capability check in its post-duplication AJAX action, allowing users with Contributor-level access or above to duplicate any post (regardless of owner, post type, or status) into a published post they own and read its private post metadata, including secrets stored by other Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/d73500e1-a8bc-4d… exploitvdb-entrytechnical-description
    Impacted products
    Credits
    Muni Nitish Kumar Yaddala WPScan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.5,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "HIGH",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "HIGH",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11580",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T10:31:32.735066Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-639",
                    "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T10:31:39.200Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Kali Forms \u2014 Contact Form \u0026 Drag-and-Drop Builder",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.4.17",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Muni Nitish Kumar Yaddala"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Kali Forms \u2014 Contact Form \u0026 Drag-and-Drop Builder WordPress plugin before 2.4.17 does not perform a per-object capability check in its post-duplication AJAX action, allowing users with Contributor-level access or above to duplicate any post (regardless of owner, post type, or status) into a published post they own and read its private post metadata, including secrets stored by other Kali Forms \u2014 Contact Form \u0026 Drag-and-Drop Builder WordPress plugin before 2.4.17."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T06:00:02.266Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/d73500e1-a8bc-4d31-ad9b-d1f71212bcc7/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Kali Forms \u003c 2.4.17 - Contributor+ Arbitrary Post Metadata Disclosure via IDOR",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-11580",
        "datePublished": "2026-07-15T06:00:02.266Z",
        "dateReserved": "2026-06-08T11:58:09.466Z",
        "dateUpdated": "2026-07-15T10:31:39.200Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11579 (GCVE-0-2026-11579)

    Vulnerability from nvd – Published: 2026-07-15 06:00 – Updated: 2026-07-15 10:33
    VLAI
    Title
    Kali Forms < 2.4.17 - Unauthenticated Media Upload
    Summary
    The Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17 does not verify that a file upload is made against an existing form configured with a file-upload field, accepting uploads regardless of whether any such form exists, which allows unauthenticated users to upload files to the WordPress Media Library; the uploads are limited to WordPress's default-allowed MIME types, so this does not lead to code execution.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/fae38fd0-8183-48… exploitvdb-entrytechnical-description
    Impacted products
    Credits
    Alexander Jurkschat WPScan
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "cvssV3_1": {
                  "attackComplexity": "LOW",
                  "attackVector": "NETWORK",
                  "availabilityImpact": "NONE",
                  "baseScore": 5.3,
                  "baseSeverity": "MEDIUM",
                  "confidentialityImpact": "NONE",
                  "integrityImpact": "LOW",
                  "privilegesRequired": "NONE",
                  "scope": "UNCHANGED",
                  "userInteraction": "NONE",
                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                  "version": "3.1"
                }
              },
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-11579",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-15T10:33:44.320416Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "problemTypes": [
              {
                "descriptions": [
                  {
                    "cweId": "CWE-434",
                    "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                    "lang": "en",
                    "type": "CWE"
                  }
                ]
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-15T10:33:48.659Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Kali Forms \u2014 Contact Form \u0026 Drag-and-Drop Builder",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.4.17",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Alexander Jurkschat"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Kali Forms \u2014 Contact Form \u0026 Drag-and-Drop Builder WordPress plugin before 2.4.17 does not verify that a file upload is made against an existing form configured with a file-upload field, accepting uploads regardless of whether any such form exists, which allows unauthenticated users to upload files to the WordPress Media Library; the uploads are limited to WordPress\u0027s default-allowed MIME types, so this does not lead to code execution."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-15T06:00:02.091Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/fae38fd0-8183-4864-8dae-0cd33a220bec/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Kali Forms \u003c 2.4.17 - Unauthenticated Media Upload",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-11579",
        "datePublished": "2026-07-15T06:00:02.091Z",
        "dateReserved": "2026-06-08T11:45:18.284Z",
        "dateUpdated": "2026-07-15T10:33:48.659Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12979 (GCVE-0-2026-12979)

    Vulnerability from cvelistv5 – Published: 2026-07-16 06:00 – Updated: 2026-07-16 06:00
    VLAI
    Title
    FunnelKit < 3.15.0.6 - Admin+ Arbitrary File Deletion via Path Traversal in Template Importer
    Summary
    The FunnelKit WordPress plugin before 3.15.0.6 does not validate a user-supplied path before deleting a file during a template-import operation, allowing users with administrator privileges to delete arbitrary .json files outside the intended directory through path traversal, which can disable other FunnelKit WordPress plugin before 3.15.0.6 or (denial of service).
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/d81ca171-65eb-48… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown FunnelKit Affected: 0 , < 3.15.0.6 (semver)
    Create a notification for this product.
    Credits
    Meher Sudhakar Abbireddi WPScan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "FunnelKit",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "3.15.0.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Meher Sudhakar Abbireddi"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The FunnelKit  WordPress plugin before 3.15.0.6 does not validate a user-supplied path before deleting a file during a template-import operation, allowing users with administrator privileges to delete arbitrary .json files outside the intended directory through path traversal, which can disable other FunnelKit  WordPress plugin before 3.15.0.6 or  (denial of service)."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-73 External Control of File Name or Path",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T06:00:05.068Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/d81ca171-65eb-484d-917f-f41b0cd20351/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "FunnelKit \u003c 3.15.0.6 - Admin+ Arbitrary File Deletion via Path Traversal in Template Importer",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-12979",
        "datePublished": "2026-07-16T06:00:05.068Z",
        "dateReserved": "2026-06-23T10:56:14.346Z",
        "dateUpdated": "2026-07-16T06:00:05.068Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12978 (GCVE-0-2026-12978)

    Vulnerability from cvelistv5 – Published: 2026-07-16 06:00 – Updated: 2026-07-16 06:00
    VLAI
    Title
    FunnelKit < 3.15.0.6 - Reflected XSS via Divi Optin Form
    Summary
    The FunnelKit WordPress plugin before 3.15.0.6 does not escape a user-supplied parameter before reflecting it into the HTML response of one of its page-builder AJAX actions, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting against logged-in users who open a crafted page. The affected action is only registered when the Divi /builder is active.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/1b22645b-28cb-44… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown FunnelKit Affected: 0 , < 3.15.0.6 (semver)
    Create a notification for this product.
    Credits
    Meher Sudhakar Abbireddi WPScan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "FunnelKit",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "3.15.0.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Meher Sudhakar Abbireddi"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The FunnelKit  WordPress plugin before 3.15.0.6 does not escape a user-supplied parameter before reflecting it into the HTML response of one of its page-builder AJAX actions, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting against logged-in users who open a crafted page. The affected action is only registered when the Divi /builder is active."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-79 Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T06:00:04.896Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/1b22645b-28cb-44f3-a5b9-c81a40175e59/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "FunnelKit \u003c 3.15.0.6 - Reflected XSS via Divi Optin Form",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-12978",
        "datePublished": "2026-07-16T06:00:04.896Z",
        "dateReserved": "2026-06-23T10:56:12.742Z",
        "dateUpdated": "2026-07-16T06:00:04.896Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12907 (GCVE-0-2026-12907)

    Vulnerability from cvelistv5 – Published: 2026-07-16 06:00 – Updated: 2026-07-16 06:00
    VLAI
    Title
    RTMKit Addons for Elementor < 2.0.9 - Author+ Site-Wide Theme Builder Template Creation and Activation
    Summary
    The RTMKit WordPress plugin before 2.0.9 does not perform a proper capability check on one of its -builder AJAX actions, allowing users with at least the Author role to create and activate a site-wide template that overrides the header, footer or other global areas displayed to all visitors, which is normally restricted to administrators.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/61588303-d356-4c… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown RTMKit Affected: 0 , < 2.0.9 (semver)
    Create a notification for this product.
    Credits
    Meher Sudhakar Abbireddi WPScan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "RTMKit",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.0.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Meher Sudhakar Abbireddi"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The RTMKit WordPress plugin before 2.0.9 does not perform a proper capability check on one of its -builder AJAX actions, allowing users with at least the Author role to create and activate a site-wide template that overrides the header, footer or other global areas displayed to all visitors, which is normally restricted to administrators."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T06:00:04.681Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/61588303-d356-4cec-9cdc-15dc8cb0b29f/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "RTMKit Addons for Elementor \u003c 2.0.9 - Author+ Site-Wide Theme Builder Template Creation and Activation",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-12907",
        "datePublished": "2026-07-16T06:00:04.681Z",
        "dateReserved": "2026-06-22T14:41:44.233Z",
        "dateUpdated": "2026-07-16T06:00:04.681Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12906 (GCVE-0-2026-12906)

    Vulnerability from cvelistv5 – Published: 2026-07-16 06:00 – Updated: 2026-07-16 06:00
    VLAI
    Title
    RTMKit Addons for Elementor < 2.0.9 - Contributor+ Private Post Title Disclosure
    Summary
    The RTMKit WordPress plugin before 2.0.9 does not perform a capability check in one of its AJAX actions and resolves a request-supplied post identifier directly, allowing users with at least the Contributor role to read the titles of other users' private, draft, pending, scheduled and trashed posts.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/594c3769-b953-49… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown RTMKit Affected: 0 , < 2.0.9 (semver)
    Create a notification for this product.
    Credits
    Meher Sudhakar Abbireddi WPScan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "RTMKit",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.0.9",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Meher Sudhakar Abbireddi"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The RTMKit WordPress plugin before 2.0.9 does not perform a capability check in one of its AJAX actions and resolves a request-supplied post identifier directly, allowing users with at least the Contributor role to read the titles of other users\u0027 private, draft, pending, scheduled and trashed posts."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T06:00:04.463Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/594c3769-b953-4966-836d-a0dc4585fe87/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "RTMKit Addons for Elementor \u003c 2.0.9 - Contributor+ Private Post Title Disclosure",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-12906",
        "datePublished": "2026-07-16T06:00:04.463Z",
        "dateReserved": "2026-06-22T14:41:41.058Z",
        "dateUpdated": "2026-07-16T06:00:04.463Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12869 (GCVE-0-2026-12869)

    Vulnerability from cvelistv5 – Published: 2026-07-16 06:00 – Updated: 2026-07-16 06:00
    VLAI
    Title
    Header Footer Builder for Elementor < 1.2.1 - Contributor+ Stored XSS via Template Import
    Summary
    The Header Footer Builder for Elementor WordPress plugin before 1.2.1 does not require an administrative capability for its dashboard template-import action (it allows any edit_posts user), so a Contributor can import a template containing an Elementor HTML widget configured to display site-wide, injecting JavaScript that executes in the session of any visitor or administrator who loads the site.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/3c6562d9-f55e-4d… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown Header Footer Builder for Elementor Affected: 0 , < 1.2.1 (semver)
    Create a notification for this product.
    Credits
    Vaibhav Narkhede WPScan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Header Footer Builder for Elementor",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "1.2.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Vaibhav Narkhede"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Header Footer Builder for Elementor WordPress plugin before 1.2.1 does not require an administrative capability for its dashboard template-import action (it allows any edit_posts user), so a Contributor can import a template containing an Elementor HTML widget configured to display site-wide, injecting JavaScript that executes in the session of any visitor or administrator who loads the site."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-79 Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T06:00:04.278Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/3c6562d9-f55e-4d82-be95-60e82a6feecf/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Header Footer Builder for Elementor \u003c 1.2.1 - Contributor+ Stored XSS via Template Import",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-12869",
        "datePublished": "2026-07-16T06:00:04.278Z",
        "dateReserved": "2026-06-22T08:30:36.821Z",
        "dateUpdated": "2026-07-16T06:00:04.278Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12684 (GCVE-0-2026-12684)

    Vulnerability from cvelistv5 – Published: 2026-07-16 06:00 – Updated: 2026-07-16 06:00
    VLAI
    Title
    Customer Reviews for WooCommerce < 5.113.0 - Unauthenticated Arbitrary Media Upload via cr_upload_media
    Summary
    The Customer Reviews for WooCommerce WordPress plugin before 5.113.0 does not perform authentication, capability, or nonce checks on one of its media upload AJAX actions when the review media attachment feature is enabled, allowing unauthenticated users to upload media files (bounded to an image and video allowlist) to the Media Library and create attachment posts, leading to media library pollution and disk space exhaustion.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/169d3455-dd98-4b… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown Customer Reviews for WooCommerce Affected: 0 , < 5.113.0 (semver)
    Create a notification for this product.
    Credits
    Tom C WPScan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Customer Reviews for WooCommerce",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "5.113.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Tom C"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Customer Reviews for WooCommerce WordPress plugin before 5.113.0 does not perform authentication, capability, or nonce checks on one of its media upload AJAX actions when the review media attachment feature is enabled, allowing unauthenticated users to upload media files (bounded to an image and video allowlist) to the Media Library and create attachment posts, leading to media library pollution and disk space exhaustion."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T06:00:04.102Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/169d3455-dd98-4b0b-b6c1-6c9c28aa9707/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Customer Reviews for WooCommerce \u003c 5.113.0 - Unauthenticated Arbitrary Media Upload via cr_upload_media",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-12684",
        "datePublished": "2026-07-16T06:00:04.102Z",
        "dateReserved": "2026-06-19T07:49:11.659Z",
        "dateUpdated": "2026-07-16T06:00:04.102Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12585 (GCVE-0-2026-12585)

    Vulnerability from cvelistv5 – Published: 2026-07-16 06:00 – Updated: 2026-07-16 06:00
    VLAI
    Title
    Abandoned Cart Lite for WooCommerce < 6.8.2 - Unauthenticated Account Takeover via Malleable Recovery-Link Token
    Summary
    The Abandoned Cart Lite for WooCommerce WordPress plugin before 6.8.2 does not protect the integrity of its cart-recovery tokens or bind them to the requesting account, allowing unauthenticated attackers to forge a recovery link that logs them in as another user when the automatic-login option is enabled.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/c94475c8-d129-47… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown Abandoned Cart Lite for WooCommerce Affected: 0 , < 6.8.2 (semver)
    Create a notification for this product.
    Credits
    Shivamani Vastrala WPScan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Abandoned Cart Lite for WooCommerce",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "6.8.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Shivamani Vastrala"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Abandoned Cart Lite for WooCommerce WordPress plugin before 6.8.2 does not protect the integrity of its cart-recovery tokens or bind them to the requesting account, allowing unauthenticated attackers to forge a recovery link that logs them in as another user when the automatic-login option is enabled."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T06:00:03.930Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/c94475c8-d129-4735-b599-5094efb20cb8/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Abandoned Cart Lite for WooCommerce \u003c 6.8.2 - Unauthenticated Account Takeover via Malleable Recovery-Link Token",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-12585",
        "datePublished": "2026-07-16T06:00:03.930Z",
        "dateReserved": "2026-06-18T07:06:18.053Z",
        "dateUpdated": "2026-07-16T06:00:03.930Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12525 (GCVE-0-2026-12525)

    Vulnerability from cvelistv5 – Published: 2026-07-16 06:00 – Updated: 2026-07-16 06:00
    VLAI
    Title
    Redux Framework < 4.5.13 - Subscriber+ Privilege Escalation to Administrator
    Summary
    The Redux Framework WordPress plugin before 4.5.13 does not restrict which user meta keys can be written when saving custom profile fields, allowing users with at least the Subscriber role to escalate their privileges to Administrator by submitting a crafted value while updating their own profile, on sites where the Redux Framework WordPress plugin before 4.5.13's user-profile (Users extension) feature is enabled.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/11d5d4c2-7ba9-43… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown Redux Framework Affected: 0 , < 4.5.13 (semver)
    Create a notification for this product.
    Credits
    Jakub Herman WPScan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Redux Framework",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "4.5.13",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Jakub Herman"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Redux Framework WordPress plugin before 4.5.13 does not restrict which user meta keys can be written when saving custom profile fields, allowing users with at least the Subscriber role to escalate their privileges to Administrator by submitting a crafted value while updating their own profile, on sites where the Redux Framework WordPress plugin before 4.5.13\u0027s user-profile (Users extension) feature is enabled."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T06:00:03.760Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/11d5d4c2-7ba9-4389-9050-28c90920e34b/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Redux Framework \u003c 4.5.13 - Subscriber+ Privilege Escalation to Administrator",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-12525",
        "datePublished": "2026-07-16T06:00:03.760Z",
        "dateReserved": "2026-06-17T13:40:16.637Z",
        "dateUpdated": "2026-07-16T06:00:03.760Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12510 (GCVE-0-2026-12510)

    Vulnerability from cvelistv5 – Published: 2026-07-16 06:00 – Updated: 2026-07-16 06:00
    VLAI
    Title
    AI Engine < 3.5.5 - Subscriber+Chatbot Discussion Disclosure and Takeover via IDOR
    Summary
    The AI Engine WordPress plugin before 3.5.5 does not verify that a user owns the chatbot conversation referenced by a client-supplied identifier, allowing users with subscriber-level access to read other users' private conversations and take over their conversation records when the discussions feature is enabled.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/b7825c8a-1817-4a… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown AI Engine Affected: 0 , < 3.5.5 (semver)
    Create a notification for this product.
    Credits
    Shivamani Vastrala WPScan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "AI Engine",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "3.5.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Shivamani Vastrala"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The AI Engine  WordPress plugin before 3.5.5 does not verify that a user owns the chatbot conversation referenced by a client-supplied identifier, allowing users with subscriber-level access to read other users\u0027 private conversations and take over their conversation records when the discussions feature is enabled."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T06:00:03.590Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/b7825c8a-1817-4a17-b641-076e48ac7c2e/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "AI Engine \u003c 3.5.5 - Subscriber+Chatbot Discussion Disclosure and Takeover via IDOR",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-12510",
        "datePublished": "2026-07-16T06:00:03.590Z",
        "dateReserved": "2026-06-17T11:39:09.525Z",
        "dateUpdated": "2026-07-16T06:00:03.590Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12492 (GCVE-0-2026-12492)

    Vulnerability from cvelistv5 – Published: 2026-07-16 06:00 – Updated: 2026-07-16 06:00
    VLAI
    Title
    Happy Coders OTP Login for WooCommerce < 2.8 - Unauthenticated Account Takeover via hcotp_auto_login_user
    Summary
    The Happy Coders OTP Login for WooCommerce WordPress plugin before 2.8 does not verify that a one-time password was actually validated before authenticating a user based on a supplied identifier, allowing unauthenticated attackers to log in as any existing user, including administrators, as well as to create new accounts.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/56fdcba6-c7b1-44… exploitvdb-entrytechnical-description
    Impacted products
    Credits
    moonge WPScan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Happy Coders OTP Login for WooCommerce",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.8",
                  "status": "affected",
                  "version": "1.5",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "moonge"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Happy Coders OTP Login for WooCommerce WordPress plugin before 2.8 does not verify that a one-time password was actually validated before authenticating a user based on a supplied identifier, allowing unauthenticated attackers to log in as any existing user, including administrators, as well as to create new accounts."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T06:00:03.419Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/56fdcba6-c7b1-443d-9f9d-b738ecaadabc/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Happy Coders OTP Login for WooCommerce \u003c 2.8 - Unauthenticated Account Takeover via hcotp_auto_login_user",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-12492",
        "datePublished": "2026-07-16T06:00:03.419Z",
        "dateReserved": "2026-06-17T08:25:07.733Z",
        "dateUpdated": "2026-07-16T06:00:03.419Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12395 (GCVE-0-2026-12395)

    Vulnerability from cvelistv5 – Published: 2026-07-16 06:00 – Updated: 2026-07-16 06:00
    VLAI
    Title
    WP Job Portal < 2.5.5 - Subscriber+ SQL Injection via Applied Resumes 'ta' Parameter
    Summary
    The WP Job Portal WordPress plugin before 2.5.5 does not properly sanitize and escape a parameter before using it in a SQL query, allowing authenticated users with a subscriber-level (self-registerable) account to perform SQL injection attacks.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/0183c669-cb09-4d… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown WP Job Portal Affected: 0 , < 2.5.5 (semver)
    Create a notification for this product.
    Credits
    Meher Sudhakar Abbireddi WPScan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WP Job Portal",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "2.5.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Meher Sudhakar Abbireddi"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The WP Job Portal  WordPress plugin before 2.5.5 does not properly sanitize and escape a parameter before using it in a SQL query, allowing authenticated users with a subscriber-level (self-registerable) account to perform SQL injection attacks."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T06:00:03.242Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/0183c669-cb09-4d53-852f-a0a877691d1e/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WP Job Portal \u003c 2.5.5 - Subscriber+ SQL Injection via Applied Resumes \u0027ta\u0027 Parameter",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-12395",
        "datePublished": "2026-07-16T06:00:03.242Z",
        "dateReserved": "2026-06-16T13:12:32.338Z",
        "dateUpdated": "2026-07-16T06:00:03.242Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11866 (GCVE-0-2026-11866)

    Vulnerability from cvelistv5 – Published: 2026-07-16 06:00 – Updated: 2026-07-16 06:00
    VLAI
    Title
    LatePoint < 5.6.3 - Multiple Privileged Actions via CSRF
    Summary
    The Appointment Booking Plugin WordPress plugin before 5.6.3 does not validate a CSRF nonce on several state-changing actions handled by its central request dispatcher, allowing attackers to perform privileged actions, such as overwriting the booking-form configuration or disconnecting the connected payment gateway, via Cross-Site Request Forgery against a logged-in administrator.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/84e936b8-1978-4d… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown Appointment Booking Plugin Affected: 0 , < 5.6.3 (semver)
    Create a notification for this product.
    Credits
    Meher Sudhakar Abbireddi WPScan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "Appointment Booking Plugin",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "5.6.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Meher Sudhakar Abbireddi"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The Appointment Booking Plugin  WordPress plugin before 5.6.3 does not validate a CSRF nonce on several state-changing actions handled by its central request dispatcher, allowing attackers to perform privileged actions, such as overwriting the booking-form configuration or disconnecting the connected payment gateway, via Cross-Site Request Forgery against a logged-in administrator."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T06:00:03.056Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/84e936b8-1978-4dc3-aa40-5ce49bfdc445/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "LatePoint \u003c 5.6.3 - Multiple Privileged Actions via CSRF",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-11866",
        "datePublished": "2026-07-16T06:00:03.056Z",
        "dateReserved": "2026-06-10T12:15:27.794Z",
        "dateUpdated": "2026-07-16T06:00:03.056Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-11371 (GCVE-0-2026-11371)

    Vulnerability from cvelistv5 – Published: 2026-07-16 06:00 – Updated: 2026-07-16 06:00
    VLAI
    Title
    BetterDocs < 4.5.5 - Unauthenticated Stored XSS via AI Doc Summarizer Prompt Injection
    Summary
    The BetterDocs WordPress plugin before 4.5.5 does not sanitise an AI-generated documentation summary before storing and outputting it, and the feature that generates it is exposed to unauthenticated users, allowing them to store a malicious payload via prompt injection that executes in the browser of any visitor who views the affected page, including administrators.
    Severity
    No CVSS data available.
    Assigner
    References
    URL Tags
    https://wpscan.com/vulnerability/db41e3db-74c2-4b… exploitvdb-entrytechnical-description
    Impacted products
    Vendor Product Version
    Unknown BetterDocs Affected: 4.0.0 , < 4.5.5 (semver)
    Create a notification for this product.
    Credits
    mcdruid WPScan
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "BetterDocs",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "4.5.5",
                  "status": "affected",
                  "version": "4.0.0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "mcdruid"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "WPScan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The BetterDocs  WordPress plugin before 4.5.5 does not sanitise an AI-generated documentation summary before storing and outputting it, and the feature that generates it is exposed to unauthenticated users, allowing them to store a malicious payload via prompt injection that executes in the browser of any visitor who views the affected page, including administrators."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "CWE-79 Cross-Site Scripting (XSS)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-16T06:00:02.874Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "exploit",
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://wpscan.com/vulnerability/db41e3db-74c2-4b94-bbff-bd1493295241/"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "BetterDocs \u003c 4.5.5 - Unauthenticated Stored XSS via AI Doc Summarizer Prompt Injection",
          "x_generator": {
            "engine": "WPScan CVE Generator"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2026-11371",
        "datePublished": "2026-07-16T06:00:02.874Z",
        "dateReserved": "2026-06-05T12:01:56.518Z",
        "dateUpdated": "2026-07-16T06:00:02.874Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }