Common Vulnerabilities and Exposures (CVE)

CVE-2025-5017

Jul 11, 2026 05:35:47 UTC

The Catalyst Connect Zoho CRM Client Portal plugin for WordPress is vulnerable to time-based SQL Injection via the ‘uid’ parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and l...

CVE-2026-6801

Jul 11, 2026 05:35:46 UTC

The Context Blog theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.5 via the context_blog_modal_popup. This makes it possible for unauthenticated attackers to extract the content o...

CVE-2026-10865

Jul 11, 2026 05:35:46 UTC

The Cost Calculator Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.11 via the (template body). This makes it possible for unauthenticated attackers to extract the plain...

CVE-2026-12738

Jul 11, 2026 05:35:46 UTC

The WP Easy Pay – Payment and Donation form Builder for Square plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.5.0. This is due to the plugin not properly verifying that a user is authorize...

CVE-2026-11898

Jul 11, 2026 05:35:45 UTC

The White Label CMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.7.12 due to insufficient input sanitization and output escaping. This makes it possible for aut...

CVE-2025-6784

Jul 11, 2026 05:35:44 UTC

The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 0.3.5 via the 'code-engine' shortcode. This is due to the plugin not restricting access to the code injecting functionality of...

CVE-2026-11901

Jul 11, 2026 05:35:44 UTC

The WP Hotel Booking plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 2.3.1. This is due to the `web_hook_process_paypal_standard()` IPN handler selecting its PayPal ...

CVE-2026-48939

Jul 11, 2026 05:32:01 UTC

A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.

CVE-2026-56291

Jul 11, 2026 05:28:12 UTC

The Joomla extension Balbooa Forms is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.

CVE-2026-34481

Jul 11, 2026 04:55:42 UTC

Apache Log4j's JsonTemplateLayout https://logging.apache.org/log4j/2.x/manual/json-template-layout.html , in versions up to and including 2.25.3, produces invalid JSON output when log events contain non-finite floating-point values (NaN, I...

CVE-2026-7655

Jul 11, 2026 04:32:59 UTC

The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to, and including, 4.2.3. This is due to the plugin not properly validating a user's identity prior to updating their details like e...

CVE-2026-13378

Jul 11, 2026 04:32:58 UTC

The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Contact Form 7 Form Field in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escapi...

CVE-2026-21042

Jul 11, 2026 03:55:21 UTC

Out-of-bounds write in libsavsac.so prior to SMR Jul-2026 Release 1 allows local attackers to execute arbitrary code.

CVE-2026-21043

Jul 11, 2026 03:55:20 UTC

Path traversal in Wallpaper service prior to SMR Jul-2026 Release 1 allows local privileged attackers to access files with system server privilege.

CVE-2026-21046

Jul 11, 2026 03:55:19 UTC

Time-of-check time-of-use race condition in fabricKeymaster trustlet prior to SMR Jul-2026 Release 1 allows local privileged attackers to execute arbitrary code.