CVE-2026-11578 - Fluent Forms < 6.2.5 - Form Manager+ Cross-Form Submission Entry Deletion via IDOR
CVE ID: CVE-2026-11578
Published: July 2, 2026, 6 a.m. | 3 hours, 39 minutes ago
Description: The Fluent Forms WordPress plugin before 6.2.5 does not properly restrict the deletion of form submission entries to the forms a restricted Manager is authorized to manage, allowing a Manager limited to specific forms to permanently delete submission entries belonging to other forms. This requires a non-default configuration in which an administrator has created at least one Manager restricted to specific forms.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-11781 - Adminify < 4.2.10 - Contributor+ Sensitive Information Disclosure via Global Search AJAX
CVE ID: CVE-2026-11781
Published: July 2, 2026, 6 a.m. | 3 hours, 39 minutes ago
Description: The Adminify WordPress plugin before 4.2.10 does not perform per-user read-capability checks on the results returned by one of its administration search features, allowing users with a low-privilege role (Contributor) to disclose non-public content that WordPress would not otherwise expose to them, such as other authors' unpublished post titles, pending comment content, the site's plugin inventory, and user account names.
Severity: 0.0 | NA
CVE-2026-11965 - User Registration & Membership < 5.2.0 - Unauthenticated Paid Membership Bypass
CVE ID: CVE-2026-11965
Published: July 2, 2026, 6 a.m. | 3 hours, 39 minutes ago
Description: The User Registration & Membership WordPress plugin before 5.2.0 does not enforce payment completion before activating a paid membership subscription, allowing unauthenticated users (after self-registering an account through the open registration flow) to obtain an active subscription on any paid plan without paying and access the gated content.
Severity: 0.0 | NA
CVE-2026-33592 - FindServers Memory Exhaustion in open62541
CVE ID: CVE-2026-33592
Published: July 2, 2026, 7:12 a.m. | 2 hours, 27 minutes ago
Description: An unauthenticated remote attacker can exhaust server memory via the FindServers Discovery Service in open62541. The serverUris field of FindServersRequest is not validated for length or array size. An attacker can declare an arbitrarily large string (up to ~3.9 GB) delivered across intermediate chunks without ever sending the final chunk. The server buffers all chunks in RAM indefinitely until the SecureChannel times out. The attack is pre-session and bypasses all encryption configuration. The issue affects open62541: from 1.4.0 through 1.4.16, from 1.5.0 through 1.5.4, master.
Severity: 7.5 | HIGH
CVE-2026-8147 - Authorization Bypass in mlflow/mlflow
CVE ID: CVE-2026-8147
Published: July 2, 2026, 7:32 a.m. | 2 hours, 6 minutes ago
Description: In MLflow versions prior to 3.14.0, when running with authentication enabled, the trace API endpoints lack proper authorization validators. This allows any authenticated user to bypass experiment-level authorization controls on all trace operations, including reading, deleting, and modifying traces on experiments they do not have permission to access. The issue arises from the `_before_request` handler, which does not register authorization validators for trace endpoints, resulting in requests proceeding without validation. This vulnerability can expose sensitive data, destroy audit logs, and allow unauthorized modifications.
Severity: 0.0 | NA
CVE-2026-9563 - Eclipse Parsson Denial of Service
CVE ID: CVE-2026-9563
Published: July 2, 2026, 7:33 a.m. | 2 hours, 6 minutes ago
Description: In Eclipse Parsson published Maven Central artifacts before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed while parsing a single JSON document. Applications that parse attacker-controlled JSON can be forced to consume excessive CPU and memory by processing very large documents, including large arrays, objects, strings, numbers, whitespace, or nested structures, resulting in a denial of service. Eclipse Parsson 1.1.8 introduces a configurable maximum parsing limit with a default limit of 15 million parser-consumed characters.
Severity: 7.5 | HIGH
CVE-2026-57750 - WordPress ez Form Calculator Premium plugin <= 2.14.1.2 - Broken Access Control vulnerability
CVE ID: CVE-2026-57750
Published: July 2, 2026, 11:15 a.m. | 2 hours, 24 minutes ago
Description: Unauthenticated Broken Access Control in ez Form Calculator Premium <= 2.14.1.2 versions.
Severity: 5.3 | MEDIUM
CVE-2026-57751 - WordPress Heateor Social Login plugin <= 1.1.39 - Cross Site Request Forgery (CSRF) vulnerability
CVE ID: CVE-2026-57751
Published: July 2, 2026, 11:15 a.m. | 2 hours, 24 minutes ago
Description: Unauthenticated Cross Site Request Forgery (CSRF) in Heateor Social Login <= 1.1.39 versions.
Severity: 8.1 | HIGH
CVE-2026-57752 - WordPress iNET Webkit plugin 1.2.4 - SQL Injection vulnerability
CVE ID: CVE-2026-57752
Published: July 2, 2026, 11:15 a.m. | 2 hours, 24 minutes ago
Description: Contributor SQL Injection in iNET Webkit 1.2.4 versions.
Severity: 8.5 | HIGH
CVE-2026-57753 - WordPress Kit (formerly ConvertKit) for WooCommerce plugin <= 2.1.5 - Sensitive Data Exposure vulnerability
CVE ID: CVE-2026-57753
Published: July 2, 2026, 11:15 a.m. | 2 hours, 24 minutes ago
Description: Unauthenticated Sensitive Data Exposure in Kit (formerly ConvertKit) for WooCommerce <= 2.1.5 versions.
Severity: 5.3 | MEDIUM
CVE-2026-57754 - WordPress Livemesh Addons for WPBakery Page Builder plugin <= 3.9.4 - Cross Site Scripting (XSS) vulnerability
CVE ID: CVE-2026-57754
Published: July 2, 2026, 11:15 a.m. | 2 hours, 24 minutes ago
Description: Contributor Cross Site Scripting (XSS) in Livemesh Addons for WPBakery Page Builder <= 3.9.4 versions.
Severity: 6.5 | MEDIUM
CVE-2026-57755 - WordPress Mosaic Gallery – Advanced Gallery plugin <= 1.2.0 - Cross Site Scripting (XSS) vulnerability
CVE ID: CVE-2026-57755
Published: July 2, 2026, 11:15 a.m. | 2 hours, 24 minutes ago
Description: Contributor Cross Site Scripting (XSS) in Mosaic Gallery – Advanced Gallery <= 1.2.0 versions.
Severity: 6.5 | MEDIUM
CVE-2026-57756 - WordPress nicen-localize-image plugin <= 1.4.9 - SQL Injection vulnerability
CVE ID: CVE-2026-57756
Published: July 2, 2026, 11:15 a.m. | 2 hours, 24 minutes ago
Description: Contributor SQL Injection in nicen-localize-image <= 1.4.9 versions.
Severity: 8.5 | HIGH
CVE-2026-57757 - WordPress pCloud WP Backup plugin <= 2.0.2 - Cross Site Request Forgery (CSRF) vulnerability
CVE ID: CVE-2026-57757
Published: July 2, 2026, 11:15 a.m. | 2 hours, 24 minutes ago
Description: Unauthenticated Cross Site Request Forgery (CSRF) in pCloud WP Backup <= 2.0.2 versions.
Severity: 7.1 | HIGH
CVE-2026-57758 - WordPress Permalink Manager for WooCommerce plugin <= 1.0.8.2 - CSRF to Stored XSS vulnerability
CVE ID: CVE-2026-57758
Published: July 2, 2026, 11:16 a.m. | 2 hours, 24 minutes ago
Description: Unauthenticated Cross Site Request Forgery (CSRF) in Permalink Manager for WooCommerce <= 1.0.8.2 versions.
Severity: 7.1 | HIGH
CVE-2026-57759 - WordPress ProfileGrid plugin <= 5.9.9.7 - CSRF to Account Takeover vulnerability
CVE ID: CVE-2026-57759
Published: July 2, 2026, 11:16 a.m. | 2 hours, 24 minutes ago
Description: Unauthenticated Cross Site Request Forgery (CSRF) in ProfileGrid <= 5.9.9.7 versions.
Severity: 8.8 | HIGH
CVE-2026-57761 - WordPress SEOWP theme <= 3.12.2 - CSRF to Stored XSS vulnerability
CVE ID: CVE-2026-57761
Published: July 2, 2026, 11:16 a.m. | 2 hours, 24 minutes ago
Description: Unauthenticated Cross Site Request Forgery (CSRF) in SEOWP <= 3.12.2 versions.
Severity: 7.1 | HIGH
CVE-2026-57762 - WordPress Simple URLs plugin <= 151 - Cross Site Scripting (XSS) vulnerability
CVE ID: CVE-2026-57762
Published: July 2, 2026, 11:16 a.m. | 2 hours, 24 minutes ago
Description: Author Cross Site Scripting (XSS) in Simple URLs <= 151 versions.
Severity: 5.9 | MEDIUM
CVE-2026-57763 - WordPress Structured Content plugin <= 1.7.0 - Cross Site Scripting (XSS) vulnerability
CVE ID: CVE-2026-57763
Published: July 2, 2026, 11:16 a.m. | 2 hours, 24 minutes ago
Description: Contributor Cross Site Scripting (XSS) in Structured Content <= 1.7.0 versions.
Severity: 6.5 | MEDIUM
CVE-2026-57764 - WordPress Surbma | Yoast SEO Breadcrumb Shortcode plugin <= 1.2 - Cross Site Scripting (XSS) vulnerability
CVE ID: CVE-2026-57764
Published: July 2, 2026, 11:16 a.m. | 2 hours, 24 minutes ago
Description: Contributor Cross Site Scripting (XSS) in Surbma | Yoast SEO Breadcrumb Shortcode <= 1.2 versions.
Severity: 6.5 | MEDIUM
CVE-2026-57765 - WordPress WP EasyCart plugin <= 5.9.0 - SQL Injection vulnerability
CVE ID: CVE-2026-57765
Published: July 2, 2026, 11:16 a.m. | 2 hours, 24 minutes ago
Description: Contributor SQL Injection in WP EasyCart <= 5.9.0 versions.
Severity: 8.5 | HIGH