News & Security
Updates from ENISA, NVD and the main European cybersecurity sources. Everything a Technical Manager needs to know.
CVE ID: CVE-2026-10820
Published: June 27, 2026, 6 a.m. | 1 hour, 45 minutes ago
Description: The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin before 4.16.17 does not verify that the user performing a subscription action owns the targeted subscription, allowing any authenticated user (Subscriber+) to cancel other users' active subscriptions via an Insecure Direct Object Reference.
Severity: 0.0 | NA

CVE ID: CVE-2026-9677
Published: June 27, 2026, 6 a.m. | 1 hour, 45 minutes ago
Description: The Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() function, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Severity: 0.0 | NA

CVE ID: CVE-2026-12404
Published: June 27, 2026, 5:33 a.m. | 2 hours, 11 minutes ago
Description: The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to enumerate sequential report IDs and download complete form submission data — including names, email addresses, phone numbers, postal addresses, payment details, and uploaded file paths — for any saved report on the site.
Severity: 0.0 | NA

CVE ID: CVE-2026-13245
Published: June 27, 2026, 5:33 a.m. | 2 hours, 11 minutes ago
Description: The MaxButtons – Create buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'view' parameter in all versions up to, and including, 9.8.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Severity: 0.0 | NA

CVE ID: CVE-2026-12415
Published: June 27, 2026, 4:30 a.m. | 3 hours, 15 minutes ago
Description: The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravel_invoice_edit_account() AJAX action in versions up to, and including, 1.0.0. The handler is exposed via wp_ajax_nopriv_pravel_invoice_edit_account, accepts an attacker-controlled user_id and user_email from POST data, and calls wp_update_user() without verifying authentication, ownership, or a nonce. This makes it possible for unauthenticated attackers to change the email address of any user, including administrators, and then trigger WordPress's password reset flow to gain access to the targeted account.
Severity: 9.8 | CRITICAL

CVE ID: CVE-2025-59868
Published: June 27, 2026, 1:43 a.m. | 6 hours, 1 minute ago
Description: HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a sensitive data exposure vulnerability which could allow an attacker to exploit application information to then attempt additional attacks and cause unknown behavior in the application.
Severity: 5.5 | MEDIUM

CVE ID: CVE-2026-11356
Published: June 27, 2026, 1:27 a.m. | 6 hours, 18 minutes ago
Description: The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'menu_title' and 'menu_magnifier_color' Settings in all versions up to, and including, 5.5.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 4.4 | MEDIUM

CVE ID: CVE-2026-13422
Published: June 27, 2026, 1:27 a.m. | 6 hours, 18 minutes ago
Description: The HD Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 2.2.0 to 2.2.1. This is due to missing or incorrect nonce validation on the hdq_validate_nonce function. This makes it possible for unauthenticated attackers to delete or modify quizzes and questions, create new quizzes, and change plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Severity: 4.3 | MEDIUM

CVE ID: CVE-2026-13335
Published: June 27, 2026, 1:27 a.m. | 6 hours, 18 minutes ago
Description: The CodePeople Post Map for Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'cpm_point' Post Meta in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Severity: 6.4 | MEDIUM

CVE ID: CVE-2026-13333
Published: June 27, 2026, 1:27 a.m. | 6 hours, 18 minutes ago
Description: The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via 'query[select]' Parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Sales Representative-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The sanitized Contact_Query code path can be bypassed by supplying an invalid filter type (e.g., query[filters][0][0][type]=invalid_filter_nonexistent), causing a FilterException to be caught and execution to fall through to the unsanitized Legacy_Contact_Query path.
Severity: 6.5 | MEDIUM

CVE ID: CVE-2026-13331
Published: June 27, 2026, 1:27 a.m. | 6 hours, 18 minutes ago
Description: The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'search' parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with marketer-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity: 6.5 | MEDIUM