| CVE/PSC | Application | Date | Affected versions | Description |
|---|---|---|---|---|
| Actual on: Jul 05, 2026, 10:07:03 | | | | |
| | Heateor Social Login WordPress (vulnerable) | Jul 05, 2026, 12:07:41 | Min -, Max 1.1.39 | Unauthenticated Cross Site Request Forgery (CSRF) in Heateor Social Login <= 1.1.39 versions. |
| | Shopping Cart & eCommerce Store (vulnerable) | Jul 05, 2026, 12:07:01 | Min -, Max 5.9.0 | Contributor SQL Injection in WP EasyCart <= 5.9.0 versions. |
| | vulnerable | Jul 05, 2026, 11:07:57 | Min -, Max 1.4.9 | Contributor SQL Injection in nicen-localize-image <= 1.4.9 versions. |
| | vulnerable | Jul 05, 2026, 07:07:55 | Min -, Max 1.2.4 | Contributor SQL Injection in iNET Webkit 1.2.4 versions. |
| | Timetics- AI-powered Appointment Booking with Visual Seat Plan and ultimate Calendar Scheduling (vulnerable) | Jul 04, 2026, 22:07:15 | Min -, Max 1.0.59 | Unauthenticated Cross Site Scripting (XSS) in Timetics <= 1.0.58 versions. |
| | vulnerable | Jul 04, 2026, 22:07:02 | Min -, Max 4.1.2 | The JSON API User plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'content' parameter of the post_comment API endpoint in versions up to, and including, 4.1.0. This is due to insufficient input sanitization in the post_comment() function, which passes the attacker-controlled comment_content value directly to wp_insert_comment() without applying any HTML sanitization, and additionally allows the caller to set comment_approved=1 to self-approve the comment and bypass moderation. This ... |
| | Image Optimization by Optimole – Lazy Load, CDN, Convert WebP & AVIF (vulnerable) | Jul 04, 2026, 21:07:10 | Min -, Max 4.2.7 | Unauthenticated Cross Site Scripting (XSS) in Optimole <= 4.2.7 versions. |
| | vulnerable | Jul 04, 2026, 21:07:06 | Min -, Max 3.0.5 | Unauthenticated Server Side Request Forgery (SSRF) in Paid Member Subscriptions <= 3.0.4 versions. |
| | vulnerable | Jul 04, 2026, 19:07:30 | Min -, Max 2.2.15 | The CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.2.14. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. |
| | vulnerable | Jul 04, 2026, 19:07:20 | Min -, Max 3.9.31 | The WP Import Export Lite plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to and including 3.9.30 via the wpie_import_upload_file_from_url AJAX action. The plugin's URL downloader first calls wp_safe_remote_get() (which correctly blocks private/reserved IP ranges), but when that call returns a WP_Error — the exact outcome for any blocked internal host — the Download::download_file() method falls back to GuzzleHttp\Client::request() with the original attacker-supplied URL... |