Filtered by vendor Wordpress Subscriptions
Total 13947 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2026-39481 2 Wordpress, Wpchill 2 Wordpress, Modula Image Gallery 2026-06-16 7.2 High
Author PHP Object Injection in Modula Image Gallery <= 2.14.18 versions.
CVE-2026-39449 2 Itpathsolutions, Wordpress 2 Contact Form To Any Api, Wordpress 2026-06-16 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Contact Form to Any API <= 3.0.3 versions.
CVE-2026-39435 2 Bgermann, Wordpress 2 Cformsii, Wordpress 2026-06-16 7.1 High
Unauthenticated Cross Site Scripting (XSS) in CformsII <= 15.1.3 versions.
CVE-2026-39584 2 Webful Creations, Wordpress 2 Repairbuddy, Wordpress 2026-06-16 6.5 Medium
Subscriber Broken Access Control in RepairBuddy <= 4.1132 versions.
CVE-2026-40770 2 Relywp, Wordpress 2 Coupon Affiliates, Wordpress 2026-06-16 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Coupon Affiliates <= 7.5.3 versions.
CVE-2026-42663 2 Wordpress, Wp.insider 2 Wordpress, Simple Membership 2026-06-16 6.5 Medium
Unauthenticated Cross Site Scripting (XSS) in Simple Membership <= 4.7.2 versions.
CVE-2026-52712 2 Tnomi, Wordpress 2 Attendance Manager, Wordpress 2026-06-16 7.6 High
Subscriber SQL Injection in Attendance Manager <= 0.6.2 versions.
CVE-2026-54198 2 Davidlingren, Wordpress 2 Media Library Assistant, Wordpress 2026-06-16 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Media LIbrary Assistant <= 3.35 versions.
CVE-2026-2381 2 Woocommerce, Wordpress 2 Stripe Payment Gateway, Wordpress 2026-06-16 6.5 Medium
The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_pay_for_order()` function in all versions up to, and including, 10.7.0 This is due to a missing order ownership or order_key verification when processing payment for an order via the `wc_stripe_pay_for_order` WC-AJAX endpoint. The function only validates a nonce (which is publicly available on any WooCommerce page where Express Checkout is enabled), but does not verify that the requesting user owns the target order and is allowed to modify it. This makes it possible for unauthenticated attackers to force any pending order into a failed status by providing a fake payment method, causing a payment exception that updates the order status to "failed" via sequential order ID enumeration.
CVE-2026-39499 2 Wombat Plugins, Wordpress 2 Advanced Product Fields Product Addons For Woocommerce, Wordpress 2026-06-16 7.2 High
Shop manager PHP Object Injection in Advanced Product Fields (Product Addons) for WooCommerce <= 1.6.19 versions.
CVE-2026-39513 2 Easy-appointments, Wordpress 2 Easy Appointments, Wordpress 2026-06-16 7.5 High
Unauthenticated Broken Access Control in Easy Appointments <= 3.12.21 versions.
CVE-2026-49769 2 Tomdever, Wordpress 2 Wpforo Forum, Wordpress 2026-06-16 9.8 Critical
Unauthenticated PHP Object Injection in wpForo Forum <= 3.1.0 versions.
CVE-2026-49112 2 Tammersoft, Wordpress 2 Shared Files, Wordpress 2026-06-16 7.5 High
Unauthenticated Path Traversal in Shared Files <= 1.7.64 versions.
CVE-2026-8176 2 Latepoint, Wordpress 2 Latepoint, Wordpress 2026-06-16 7.5 High
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. The plugin chains three independent flaws that together allow an authenticated Agent (Agent+) to overwrite a WordPress Administrator's password without ever invoking an Administrator-only API. This makes it possible for authenticated attackers, with Agent access and above, to elevate their privileges to Administrator.
CVE-2026-40766 2 Stylemixthemes, Wordpress 2 Masterstudy Lms, Wordpress 2026-06-16 8.5 High
Subscriber SQL Injection in MasterStudy LMS <= 3.7.25 versions.
CVE-2026-40798 2 Tomdever, Wordpress 2 Wpforo Forum, Wordpress 2026-06-16 9.3 Critical
Unauthenticated SQL Injection in wpForo Forum <= 3.0.4 versions.
CVE-2026-25440 2 Wordpress, Wpdeveloper 2 Wordpress, Essential Addons For Elementor 2026-06-16 5.3 Medium
Unauthenticated Broken Access Control in Essential Addons for Elementor < 6.6.0 versions.
CVE-2026-39434 2 Webappick, Wordpress 2 Ctx Feed, Wordpress 2026-06-16 7.2 High
Shop manager PHP Object Injection in CTX Feed <= 6.6.26 versions.
CVE-2026-39451 2 Jgwhite33, Wordpress 2 Wp Google Review Slider, Wordpress 2026-06-16 6.3 Medium
Unauthenticated Cross Site Scripting (XSS) in WP Google Review Slider <= 18.0 versions.
CVE-2026-49768 2 Happyforms, Wordpress 2 Happyforms, Wordpress 2026-06-16 9.8 Critical
Unauthenticated PHP Object Injection in Happyforms <= 1.26.13 versions.