News & Sicurezza

CVE ID :CVE-2026-4303 Published : April 8, 2026, 10:16 a.m. | 3 hours, 40 minutes ago Description :The WP Visitor Statistics (Real Time Traffic) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wsm_showDayStatsGraph' shortcode in all versions up to, and including, 8.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Severity: 6.4 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-4025 Published : April 8, 2026, 10:16 a.m. | 1 hour, 40 minutes ago Description :The PrivateContent Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' shortcode attribute in the [pc-login-form] shortcode in all versions up to, and including, 1.2.0. This is due to insufficient input sanitization and output escaping on the 'align' attribute. Specifically, the attribute value flows from the shortcode through pc_login_form() to pc_static::form_align(), where it is directly concatenated into an HTML class attribute without esc_attr() or any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Severity: 6.4 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-4073 Published : April 8, 2026, 10:16 a.m. | 3 hours, 40 minutes ago Description :The pdfl.io plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pdflio' shortcode in all versions up to, and including, 1.0.5. This is due to insufficient input sanitization and output escaping on the 'text' shortcode attribute. The output_shortcode() function directly concatenates the user-supplied $text variable into HTML output without applying esc_html() or any other escaping function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Severity: 6.4 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...

Exploited in the Wild: Critical 9.3 CVSS Flaw Turns Tianxin Systems into Hacker Gateways A critical security vulnerability, tracked as CVE-2021-4473, has been identified in the Tianxin Internet Behavior Management System. With a severe CVSS score of 9.3, this flaw allows unauthenticated a ... Read more Published Date: Apr 08, 2026 (1 day, 1 hour ago) Vulnerabilities has been mentioned in this article. CVE-2021-4473 CVE-2026-35616 CVE-2026-5281 CVE-2026-3502 CVE-2026-33032 CVE-2025-24936 CVE-2025-20337 CVE-2024-50623

Critical Flowise RCE Vulnerability Actively Exploited, Thousands of Systems at Risk A critical Flowise RCE vulnerability is now being actively exploited. The flaw, tracked as CVE-2025-59528, carries a maximum severity rating and enables attackers to execute arbitrary code on affected ... Read more Published Date: Apr 08, 2026 (1 day, 1 hour ago) Vulnerabilities has been mentioned in this article. CVE-2026-4681 CVE-2025-59528 CVE-2025-8943 CVE-2025-26319

CVE ID :CVE-2026-39713 Published : April 8, 2026, 9:16 a.m. | 2 hours, 39 minutes ago Description :Missing Authorization vulnerability in mailercloud Mailercloud – Integrate webforms and synchronize website contacts mailercloud-integrate-webforms-synchronize-contacts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mailercloud – Integrate webforms and synchronize website contacts: from n/a through Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-39715 Published : April 8, 2026, 9:16 a.m. | 2 hours, 39 minutes ago Description :Missing Authorization vulnerability in AnyTrack AnyTrack Affiliate Link Manager anytrack-affiliate-link-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AnyTrack Affiliate Link Manager: from n/a through Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-39711 Published : April 8, 2026, 9:16 a.m. | 2 hours, 39 minutes ago Description :Insertion of Sensitive Information Into Sent Data vulnerability in stmcan RT-Theme 18 | Extensions rt18-extensions allows Retrieve Embedded Sensitive Data.This issue affects RT-Theme 18 | Extensions: from n/a through Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-39712 Published : April 8, 2026, 9:16 a.m. | 2 hours, 39 minutes ago Description :Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in tagDiv tagDiv Composer td-composer allows Code Injection.This issue affects tagDiv Composer: from n/a through Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-39714 Published : April 8, 2026, 9:16 a.m. | 2 hours, 39 minutes ago Description :Missing Authorization vulnerability in G5Theme G5Plus April g5plus-april allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects G5Plus April: from n/a through Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-39716 Published : April 8, 2026, 9:16 a.m. | 2 hours, 39 minutes ago Description :Missing Authorization vulnerability in CKThemes Flipmart flipmart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Flipmart: from n/a through Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...

CVE ID :CVE-2026-39706 Published : April 8, 2026, 9:16 a.m. | 2 hours, 39 minutes ago Description :Missing Authorization vulnerability in Netro Systems Make My Trivia trivialy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Make My Trivia: from n/a through Severity: 0.0 | NA Visit the link for more details, such as CVSS details, affected products, timeline, and more...