| CVE/PSC | Application | Date | Affected versions | Description |
|---|---|---|---|---|
| Actual on: Jul 11, 2026, 17:07:08 | ||||
|
Import CSV or XML Datafeed With Ease
vulnerable
|
Jul 11, 2026, 20:07:44 |
Min -
Max 8.1
|
The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.0.1 via the 'MappedFields' parameter. This is due to missing capability checks on the AJAX handlers for install_addon, saveMappedFields, and StartImport, combined with the plugin nonce being exposed to any authenticated user who can load an admin page, allowing a Subscriber to install the Import WooCommerce add-on, persist attacker-... | |
|
Members – Membership & User Role Editor Plugin
vulnerable
|
Jul 11, 2026, 20:07:18 |
Min -
Max 3.2.23
|
The Members – Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.22 via the members_filter_protected_posts_for_rest. This makes it possible for unauthenticated attackers to extract determine the existence and exact count of access-restricted posts, and use per-page pagination as a boolean oracle to infer keywords and content contained within those hidden restricted posts. | |
|
vulnerable
|
Jul 11, 2026, 20:07:13 |
Min -
Max 1.1.8
|
The Hostel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wphostel-book' shortcode in all versions up to and including 1.1.7. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, the second shortcode attribute (used as button text) is passed to the `$text` variable without sanitization at line 79 and then output directly into an HTML `value` attribute at line 91 without `esc_attr()` or any other escaping. This mak... | |
|
Connect Form to Chat Apps with Contact Form 7 Integration – FormyChat
vulnerable
|
Jul 11, 2026, 19:07:12 |
Min -
Max 2.15.4
|
Contact Form to Chat Apps | Click to Chat to Order – FormyChat [social-contact-form] < 2.15.4 CVE-2026-57379 | |
|
KiviCare – Clinic & Patient Management System (EHR)
vulnerable
|
Jul 11, 2026, 18:07:53 |
Min -
Max 4.5.0
|
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to mark arbitrary pending appointments as Confirmed and forge an associated completed payment record in wp_kc_payments_appointment_mappings using an attacker-supplied payment ID, bypassing payment entir... | |
|
Simple JWT Login – Login and Register to WordPress using JWT
vulnerable
|
Jul 11, 2026, 18:07:48 |
Min -
Max 3.6.7
|
The Simple JWT Login – Allows you to use JWT on REST endpoints. plugin for WordPress is vulnerable to Authentication Bypass to Privilege Escalation in all versions up to, and including, 3.6.6 via the `payload` parameter. The vulnerability exists because `AuthenticateService::generatePayload()` only overwrites JWT payload keys whose names appear in the admin-configured `jwt_payload` list — leaving any attacker-supplied identity claims such as `email`, `id`, or `username` intact and signed into the JWT with t... | |
|
vulnerable
|
Jul 11, 2026, 12:07:33 |
Min -
Max 3.12.28
|
The Easy Appointments plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.12.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with author-level access and above, to cancel all upcoming appointments site-wide by marking every future appointment stored by the plugin as abandoned. The nonce required to authenticate the cancellation request is printed on the Appo... | |
|
vulnerable
|
Jul 11, 2026, 11:07:56 |
Min -
Max 3.1.40
|
The WP DSGVO Tools (GDPR) WordPress plugin before 3.1.40 does not perform an authorization check on the immediate-processing path of its data subject access request feature, allowing unauthenticated attackers to generate and download the full personal-data export (including name, postal address, phone number, email, and comment content) of any user, customer, or commenter by supplying their email address. | |
|
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
vulnerable
|
Jul 11, 2026, 11:07:51 |
Min -
Max 4.1.16
|
The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to authorization bypass due to a regression in versions from 4.0.26 up to and including 4.1.15. This is due to the plugin not properly verifying that a user is authorized to perform an action in the payment_complete() function of PaymentController.php. This makes it possible for unauthenticated attackers to mark unpaid ticket orders as completed by submitting a fabricated SureCart checkout ID ... | |
|
Event Manager, Events Calendar, Events Tickets for WooCommerce – Eventin
vulnerable
|
Jul 11, 2026, 11:07:51 |
Min -
Max 4.1.16
|
The Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'etn_faq_content' parameter in all versions up to, and including, 4.1.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |