CVE-2026-8977 - WP GDPR Cookie Consent <= 1.0.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'ninja_gdpr_ajax_actions' AJAX Action
CVE ID :CVE-2026-8977
Published : June 9, 2026, 5:16 a.m. | 1 hour, 48 minutes ago
Description :The WP GDPR Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ninja_gdpr_ajax_actions' AJAX action in versions up to, and including, 1.0.0. This is due to missing capability and nonce checks on the handleAjaxCalls() function, combined with insufficient input sanitization on the gdprConfig values and missing output escaping in the generateCSS() function which echoes stored configuration values directly into a
CVE ID :CVE-2026-8977
Published : June 9, 2026, 5:16 a.m. | 1 hour, 48 minutes ago
Description :The WP GDPR Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ninja_gdpr_ajax_actions' AJAX action in versions up to, and including, 1.0.0. This is due to missing capability and nonce checks on the handleAjaxCalls() function, combined with insufficient input sanitization on the gdprConfig values and missing output escaping in the generateCSS() function which echoes stored configuration values directly into a
CVE-2026-9185 - 6Storage Rentals <= 2.22.0 - Unauthenticated Insecure Direct Object Reference to Arbitrary User Disclosure and Modification via 'userId' Parameter
CVE ID :CVE-2026-9185
Published : June 9, 2026, 5:16 a.m. | 1 hour, 48 minutes ago
Description :The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the `userId` parameter of the `six_storage_get_user_info` and `six_storage_update_profile` AJAX actions. This is due to the `six_storage_getUserInfo()` and `six_storage_updateProfile()` functions being registered on `wp_ajax_nopriv_*` hooks and accepting a tenant identifier directly from `$_POST['userId']` without performing any ownership verification, session binding, or nonce validation to confirm the requester has a legitimate relationship to the supplied ID. This makes it possible for unauthenticated attackers to read and modify arbitrary tenants' profile data — including name, email address, phone number, physical address, and SSN — by supplying an enumerated `userId` value in a crafted request to either handler.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-9185
Published : June 9, 2026, 5:16 a.m. | 1 hour, 48 minutes ago
Description :The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the `userId` parameter of the `six_storage_get_user_info` and `six_storage_update_profile` AJAX actions. This is due to the `six_storage_getUserInfo()` and `six_storage_updateProfile()` functions being registered on `wp_ajax_nopriv_*` hooks and accepting a tenant identifier directly from `$_POST['userId']` without performing any ownership verification, session binding, or nonce validation to confirm the requester has a legitimate relationship to the supplied ID. This makes it possible for unauthenticated attackers to read and modify arbitrary tenants' profile data — including name, email address, phone number, physical address, and SSN — by supplying an enumerated `userId` value in a crafted request to either handler.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-9662 - Recover Exit For WooCommerce <= 1.0.3 - Unauthenticated Local File Inclusion via 'tpf' Parameter
CVE ID :CVE-2026-9662
Published : June 9, 2026, 5:16 a.m. | 1 hour, 48 minutes ago
Description :The Recover Exit For WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to and including 1.0.3. This is due to insufficient validation and sanitization of the user-controlled `tpf` POST parameter before it is used in an `include()` path in the `recover_exit()` function. This makes it possible for unauthenticated attackers to perform path traversal and include unintended local PHP files, which can lead to sensitive information exposure and, in certain deployment chains, code execution.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-9662
Published : June 9, 2026, 5:16 a.m. | 1 hour, 48 minutes ago
Description :The Recover Exit For WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to and including 1.0.3. This is due to insufficient validation and sanitization of the user-controlled `tpf` POST parameter before it is used in an `include()` path in the `recover_exit()` function. This makes it possible for unauthenticated attackers to perform path traversal and include unintended local PHP files, which can lead to sensitive information exposure and, in certain deployment chains, code execution.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-11572 - degit Command Injection
CVE ID :CVE-2026-11572
Published : June 9, 2026, 6:16 a.m. | 48 minutes ago
Description :Versions of the package degit before 2.8.6, from 3.0.0 and before 3.3.1 are vulnerable to Command Injection due to improper sanitisation of user input for git shell commands directly invoked with exec() method by _cloneWithGit() and fetchRefs() functions. An attacker can execute arbitrary operating system commands as the process user by supplying a specially crafted git repository name.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-11572
Published : June 9, 2026, 6:16 a.m. | 48 minutes ago
Description :Versions of the package degit before 2.8.6, from 3.0.0 and before 3.3.1 are vulnerable to Command Injection due to improper sanitisation of user input for git shell commands directly invoked with exec() method by _cloneWithGit() and fetchRefs() functions. An attacker can execute arbitrary operating system commands as the process user by supplying a specially crafted git repository name.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-41539 - QTS, QuTS hero
CVE ID :CVE-2026-41539
Published : June 9, 2026, 6:16 a.m. | 48 minutes ago
Description :A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3500 build 20260520 and later
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-41539
Published : June 9, 2026, 6:16 a.m. | 48 minutes ago
Description :A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later QuTS hero h5.2.9.3499 build 20260514 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3500 build 20260520 and later
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-4986 - WPForms Lite < 1.10.0.5 – Unauthenticated PayPal Webhook Forgery
CVE ID :CVE-2026-4986
Published : June 9, 2026, 6:16 a.m. | 48 minutes ago
Description :The WPForms WordPress plugin before 1.10.0.5 does not verify the authenticity of incoming PayPal webhook events before processing them, allowing unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transactions.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-4986
Published : June 9, 2026, 6:16 a.m. | 48 minutes ago
Description :The WPForms WordPress plugin before 1.10.0.5 does not verify the authenticity of incoming PayPal webhook events before processing them, allowing unauthenticated attackers to forge webhook payloads and manipulate the payment state of arbitrary transactions.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-5067 - Out-of-bounds read/write in HTTP WebSocket upgrade via non-null-terminated Sec-WebSocket-Key
CVE ID :CVE-2026-5067
Published : June 9, 2026, 6:16 a.m. | 48 minutes ago
Description :A remote, unauthenticated attacker can trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path by sending a crafted Sec-WebSocket-Key header. The HTTP/1 header parser copies the header into a fixed-size buffer using a bounded copy that does not guarantee NUL termination when the input length reaches the buffer size. During upgrade handling the buffer is copied to a local stack buffer and passed to strlen(); if no NUL exists in-bounds, strlen() reads beyond the stack buffer and subsequent concatenation with the WebSocket magic string can write out of bounds. This leads to out-of-bounds read and write on stack memory, resulting in crash (denial of service) and potentially code execution. The path is reachable when CONFIG_HTTP_SERVER_WEBSOCKET is enabled.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-5067
Published : June 9, 2026, 6:16 a.m. | 48 minutes ago
Description :A remote, unauthenticated attacker can trigger memory corruption in Zephyr's HTTP server WebSocket upgrade path by sending a crafted Sec-WebSocket-Key header. The HTTP/1 header parser copies the header into a fixed-size buffer using a bounded copy that does not guarantee NUL termination when the input length reaches the buffer size. During upgrade handling the buffer is copied to a local stack buffer and passed to strlen(); if no NUL exists in-bounds, strlen() reads beyond the stack buffer and subsequent concatenation with the WebSocket magic string can write out of bounds. This leads to out-of-bounds read and write on stack memory, resulting in crash (denial of service) and potentially code execution. The path is reachable when CONFIG_HTTP_SERVER_WEBSOCKET is enabled.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-8981 - Lazy Blocks < 4.3.0 - Admin+ Stored XSS via Custom Block Frontend HTML
CVE ID :CVE-2026-8981
Published : June 9, 2026, 6:16 a.m. | 48 minutes ago
Description :The Custom Block Builder WordPress plugin before 4.3.0 does not consistently check the unfiltered_html capability across all paths that write to its block template code fields, allowing administrators on multisite installations (or single-site installs with DISALLOW_UNFILTERED_HTML defined) to inject arbitrary JavaScript that executes for any visitor of pages embedding the affected block.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-8981
Published : June 9, 2026, 6:16 a.m. | 48 minutes ago
Description :The Custom Block Builder WordPress plugin before 4.3.0 does not consistently check the unfiltered_html capability across all paths that write to its block template code fields, allowing administrators on multisite installations (or single-site installs with DISALLOW_UNFILTERED_HTML defined) to inject arbitrary JavaScript that executes for any visitor of pages embedding the affected block.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-25688 - Apache Answer: XSS in AI Answer Rendering
CVE ID :CVE-2026-25688
Published : June 9, 2026, 9:16 a.m. | 1 hour, 50 minutes ago
Description :Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. AI-generated response content was rendered in the browser without proper sanitization, allowing malicious scripts to be executed when the content was viewed. Users are recommended to upgrade to version 2.0.1, which fixes the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-25688
Published : June 9, 2026, 9:16 a.m. | 1 hour, 50 minutes ago
Description :Improper Neutralization of Alternate XSS Syntax vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. AI-generated response content was rendered in the browser without proper sanitization, allowing malicious scripts to be executed when the content was viewed. Users are recommended to upgrade to version 2.0.1, which fixes the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-25699 - Apache Answer: Authorization Bypass in Timeline API
CVE ID :CVE-2026-25699
Published : June 9, 2026, 9:16 a.m. | 1 hour, 50 minutes ago
Description :Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. Timeline-related APIs lacked proper authorization checks, allowing regular authenticated users to access deleted, private, or unapproved content and its revision history. Users are recommended to upgrade to version 2.0.1, which fixes the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-25699
Published : June 9, 2026, 9:16 a.m. | 1 hour, 50 minutes ago
Description :Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. Timeline-related APIs lacked proper authorization checks, allowing regular authenticated users to access deleted, private, or unapproved content and its revision history. Users are recommended to upgrade to version 2.0.1, which fixes the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-28262 - Dell iDRAC Tools Improper Link Resolution Before File Access
CVE ID :CVE-2026-28262
Published : June 9, 2026, 9:16 a.m. | 1 hour, 50 minutes ago
Description :Dell iDRAC Tools, versions prior to 11.4.1.0, contains an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information tampering.
Severity: 6.0 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-28262
Published : June 9, 2026, 9:16 a.m. | 1 hour, 50 minutes ago
Description :Dell iDRAC Tools, versions prior to 11.4.1.0, contains an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information tampering.
Severity: 6.0 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-33582 - Apache Answer: Uploading specially crafted TIFF files causes an Out-of-Memory error
CVE ID :CVE-2026-33582
Published : June 9, 2026, 9:16 a.m. | 1 hour, 50 minutes ago
Description :Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. A crafted TIFF image could trigger excessive memory allocation during image decoding, allowing an authenticated user to cause the server process to crash. Users are recommended to upgrade to version 2.0.1, which fixes the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-33582
Published : June 9, 2026, 9:16 a.m. | 1 hour, 50 minutes ago
Description :Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. A crafted TIFF image could trigger excessive memory allocation during image decoding, allowing an authenticated user to cause the server process to crash. Users are recommended to upgrade to version 2.0.1, which fixes the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-34031 - Apache Answer: The custom avatar was not properly validated
CVE ID :CVE-2026-34031
Published : June 9, 2026, 9:16 a.m. | 1 hour, 50 minutes ago
Description :Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. The server did not sufficiently validate user-supplied image URLs, allowing arbitrary external content to be embedded as profile images, which could expose users to unintended external requests and tracking by third-party servers. Users are recommended to upgrade to version 2.0.1, which fixes the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-34031
Published : June 9, 2026, 9:16 a.m. | 1 hour, 50 minutes ago
Description :Unrestricted Upload of File with Dangerous Type vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. The server did not sufficiently validate user-supplied image URLs, allowing arbitrary external content to be embedded as profile images, which could expose users to unintended external requests and tracking by third-party servers. Users are recommended to upgrade to version 2.0.1, which fixes the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-34033 - Apache Answer: HTML Content Injection in Email
CVE ID :CVE-2026-34033
Published : June 9, 2026, 9:16 a.m. | 1 hour, 50 minutes ago
Description :Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. User-supplied content was included in notification emails without proper escaping, allowing authenticated users to inject arbitrary HTML into emails sent to other users. Users are recommended to upgrade to version 2.0.1, which fixes the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-34033
Published : June 9, 2026, 9:16 a.m. | 1 hour, 50 minutes ago
Description :Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. User-supplied content was included in notification emails without proper escaping, allowing authenticated users to inject arbitrary HTML into emails sent to other users. Users are recommended to upgrade to version 2.0.1, which fixes the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-34905 - Apache Answer: Unlisted Questions Accessible via Direct API Access
CVE ID :CVE-2026-34905
Published : June 9, 2026, 9:16 a.m. | 1 hour, 50 minutes ago
Description :Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. The unlisted question feature did not enforce access restrictions on direct API endpoints, allowing authenticated users to discover and access unlisted questions, their answers, comments, and revision history. Users are recommended to upgrade to version 2.0.1, which fixes the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-34905
Published : June 9, 2026, 9:16 a.m. | 1 hour, 50 minutes ago
Description :Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 2.0.0. The unlisted question feature did not enforce access restrictions on direct API endpoints, allowing authenticated users to discover and access unlisted questions, their answers, comments, and revision history. Users are recommended to upgrade to version 2.0.1, which fixes the issue.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-46315 - io_uring/waitid: clear waitid info before copying it to userspace
CVE ID :CVE-2026-46315
Published : June 9, 2026, 9:16 a.m. | 1 hour, 50 minutes ago
Description :In the Linux kernel, the following vulnerability has been resolved: io_uring/waitid: clear waitid info before copying it to userspace IORING_OP_WAITID stores its result fields in struct io_waitid::info and later copies them to userspace siginfo. The prep path initializes the request arguments, but it does not initialize info itself. If the wait operation completes without reporting a child event, the common wait code can return without writing wo_info. In that case io_waitid_finish() still copies iw->info to userspace, exposing stale bytes from the reused io_kiocb command storage. Clear the result storage during prep so the io_uring path matches the regular waitid syscall, which uses a zero-initialized struct waitid_info.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-46315
Published : June 9, 2026, 9:16 a.m. | 1 hour, 50 minutes ago
Description :In the Linux kernel, the following vulnerability has been resolved: io_uring/waitid: clear waitid info before copying it to userspace IORING_OP_WAITID stores its result fields in struct io_waitid::info and later copies them to userspace siginfo. The prep path initializes the request arguments, but it does not initialize info itself. If the wait operation completes without reporting a child event, the common wait code can return without writing wo_info. In that case io_waitid_finish() still copies iw->info to userspace, exposing stale bytes from the reused io_kiocb command storage. Clear the result storage during prep so the io_uring path matches the regular waitid syscall, which uses a zero-initialized struct waitid_info.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-49818 - Apache Airflow Samba provider: Path traversal in GCSToSambaOperator via GCS object names
CVE ID :CVE-2026-49818
Published : June 9, 2026, 9:16 a.m. | 1 hour, 50 minutes ago
Description :The Apache Airflow Samba provider's `GCSToSambaOperator` joined GCS object names to the SMB destination path without a containment check, so an object named with `../` segments resolved a write path outside the configured `destination_path`. An attacker able to write objects into the source GCS bucket — typically an external data producer distinct from the trusted DAG author — could write files to arbitrary locations on the Samba target when the operator ran. Upgrade apache-airflow-providers-samba to 4.12.6 or later, which validates the resolved destination stays within `destination_path`.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-49818
Published : June 9, 2026, 9:16 a.m. | 1 hour, 50 minutes ago
Description :The Apache Airflow Samba provider's `GCSToSambaOperator` joined GCS object names to the SMB destination path without a containment check, so an object named with `../` segments resolved a write path outside the configured `destination_path`. An attacker able to write objects into the source GCS bucket — typically an external data producer distinct from the trusted DAG author — could write files to arbitrary locations on the Samba target when the operator ran. Upgrade apache-airflow-providers-samba to 4.12.6 or later, which validates the resolved destination stays within `destination_path`.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-6899 - Improper Check for Certificate Revocation in S2OPC
CVE ID :CVE-2026-6899
Published : June 9, 2026, 9:16 a.m. | 1 hour, 50 minutes ago
Description :Check for certificate revocation only considers the first matching CRL and ignores other valid CRLs of the same CA in the CycloneCrypto cryptographic wrapper of S2OPC library. It might allow connection between an OPC UA client and server using a revoked certificate.
Severity: 5.6 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-6899
Published : June 9, 2026, 9:16 a.m. | 1 hour, 50 minutes ago
Description :Check for certificate revocation only considers the first matching CRL and ignores other valid CRLs of the same CA in the CycloneCrypto cryptographic wrapper of S2OPC library. It might allow connection between an OPC UA client and server using a revoked certificate.
Severity: 5.6 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-7542 - Slider Revolution <= 7.0.10 - Authenticated (Subscriber+) Sensitive Information Disclosure
CVE ID :CVE-2026-7542
Published : June 9, 2026, 9:16 a.m. | 1 hour, 50 minutes ago
Description :The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions up to and including 7.0.10. This is due to three compounding design flaws: (1) the plugin leaks a valid backend AJAX nonce (revslider_actions) to all authenticated users including Subscribers via the admin_footer hook; (2) the wordpress.create.image_from_url action is explicitly allowlisted in the $user_allowed array, bypassing the administrator-only access control; (3) the create_wordpress_image_from_url() function accepts an attacker-controlled url parameter that is passed to import_media(), where path_or_url_exists() explicitly accepts local filesystem paths (file_exists() && is_readable()) with no restriction to remote HTTP/HTTPS URLs, and @copy() physically copies those files into the publicly accessible /wp-content/uploads/revslider/ai/ directory. The MIME type check trusts the attacker-supplied content_type parameter to derive the destination extension without verifying actual file content, and the source extension blacklist does not block many sensitive types (.sql, .log, .json, .bak, .xml, .csv, .conf, .yml, .yaml, .pem, .key, .crt, .txt, .db, etc.). This makes it possible for authenticated attackers with Subscriber-level access and above to read the contents of server files with non-blacklisted extensions by having them copied to a publicly accessible URL.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-7542
Published : June 9, 2026, 9:16 a.m. | 1 hour, 50 minutes ago
Description :The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions up to and including 7.0.10. This is due to three compounding design flaws: (1) the plugin leaks a valid backend AJAX nonce (revslider_actions) to all authenticated users including Subscribers via the admin_footer hook; (2) the wordpress.create.image_from_url action is explicitly allowlisted in the $user_allowed array, bypassing the administrator-only access control; (3) the create_wordpress_image_from_url() function accepts an attacker-controlled url parameter that is passed to import_media(), where path_or_url_exists() explicitly accepts local filesystem paths (file_exists() && is_readable()) with no restriction to remote HTTP/HTTPS URLs, and @copy() physically copies those files into the publicly accessible /wp-content/uploads/revslider/ai/ directory. The MIME type check trusts the attacker-supplied content_type parameter to derive the destination extension without verifying actual file content, and the source extension blacklist does not block many sensitive types (.sql, .log, .json, .bak, .xml, .csv, .conf, .yml, .yaml, .pem, .key, .crt, .txt, .db, etc.). This makes it possible for authenticated attackers with Subscriber-level access and above to read the contents of server files with non-blacklisted extensions by having them copied to a publicly accessible URL.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-8365 - Blocksy <= 2.1.41 - Authenticated (Contributor+) PHP Object Injection via Deserialization of Untrusted Data via 'blocksy_meta' REST API Field
CVE ID :CVE-2026-8365
Published : June 9, 2026, 9:16 a.m. | 1 hour, 50 minutes ago
Description :The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksy_meta' REST API field and the V200 database migration in versions up to and including 2.1.35. This is due to insufficient input sanitization in the blocksy_sanitize_post_meta_options() function, which only blocks values containing '<' or '>' and does not prevent serialized PHP object strings from being stored in post meta, combined with the SearchReplacer::run_recursively() function unconditionally deserializing all string values via @unserialize() during migration without restricting allowed classes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a serialized Blocksy\RaiiPattern object into post meta that, when the V200 migration runs on an upgraded site, is deserialized and triggers RaiiPattern::__destruct(), which executes arbitrary PHP callables via call_user_func().
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-8365
Published : June 9, 2026, 9:16 a.m. | 1 hour, 50 minutes ago
Description :The Blocksy theme for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution via the 'blocksy_meta' REST API field and the V200 database migration in versions up to and including 2.1.35. This is due to insufficient input sanitization in the blocksy_sanitize_post_meta_options() function, which only blocks values containing '<' or '>' and does not prevent serialized PHP object strings from being stored in post meta, combined with the SearchReplacer::run_recursively() function unconditionally deserializing all string values via @unserialize() during migration without restricting allowed classes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject a serialized Blocksy\RaiiPattern object into post meta that, when the V200 migration runs on an upgraded site, is deserialized and triggers RaiiPattern::__destruct(), which executes arbitrary PHP callables via call_user_func().
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-8599 - MailerPress <= 2.0.4 - Authenticated (Author+) Stored Cross-Site Scripting via Campaign HTML Content Field
CVE ID :CVE-2026-8599
Published : June 9, 2026, 9:16 a.m. | 1 hour, 50 minutes ago
Description :The MailerPress – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Campaign HTML Content Field in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The public-facing campaign preview endpoint (/mp-email/{id}-slug/) is not affected by this vulnerability, as it applies a Content-Security-Policy header blocking all inline scripts; exploitation is limited to the admin dashboard preview.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-8599
Published : June 9, 2026, 9:16 a.m. | 1 hour, 50 minutes ago
Description :The MailerPress – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Campaign HTML Content Field in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The public-facing campaign preview endpoint (/mp-email/{id}-slug/) is not affected by this vulnerability, as it applies a Content-Security-Policy header blocking all inline scripts; exploitation is limited to the admin dashboard preview.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...