| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-6235 | Sendmachine for WordPress <= 1.0.20 - Unauthenticated SMTP Hijack to Privilege Escalation via manage_admin_requests | sendmachine | Sendmachine for WordPress | Critical | 9.8 | 2026-04-22 07:45:38 | Deep Dive |
| CVE-2026-4142 | Sentence To SEO (keywords, description and tags) <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Permanent keywords' Field | eazyserver | Sentence To SEO (keywords, description and tags) | Medium | 4.4 | 2026-04-22 07:45:38 | Deep Dive |
| CVE-2026-4090 | Inquiry cart <= 3.4.2 - Cross-Site Request Forgery via Settings Form | ravster | Inquiry cart | Medium | 6.1 | 2026-04-22 07:45:38 | Deep Dive |
| CVE-2026-2717 | HTTP Headers <= 1.19.2 - Authenticated (Administrator+) CRLF Injection via Custom Header Values | zinoui | HTTP Headers | Medium | 5.5 | 2026-04-22 07:45:37 | Deep Dive |
| CVE-2026-4118 | Call To Action Plugin <= 3.1.3 - Cross-Site Request Forgery via Settings Update | tmarek | Call To Action Plugin | Medium | 4.3 | 2026-04-22 07:45:37 | Deep Dive |
| CVE-2026-4125 | WPMK Block <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | wpmkorg | WPMK Block | Medium | 6.4 | 2026-04-22 07:45:36 | Deep Dive |
| CVE-2026-4128 | TP Restore Categories And Taxonomies <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Taxonomy Deletion via 'tpmcattt_delete_term' AJAX Action | tplugins | TP Restore Categories And Taxonomies | Medium | 4.3 | 2026-04-22 07:45:36 | Deep Dive |
| CVE-2026-4139 | mCatFilter <= 0.5.2 - Cross-Site Request Forgery via compute_post() Function | chsxf | mCatFilter | Medium | 4.3 | 2026-04-22 07:45:36 | Deep Dive |
| CVE-2026-3362 | Short Comment Filter <= 2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Minimum Count' Setting | itsananderson | Short Comment Filter | Medium | 4.4 | 2026-04-22 07:45:35 | Deep Dive |
| CVE-2026-4089 | Twittee Text Tweet <= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute | johnnie2u | Twittee Text Tweet | Medium | 6.4 | 2026-04-22 07:45:35 | Deep Dive |
| CVE-2026-5767 | SlideShowPro SC <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'album' Shortcode Attribute | luetkemj | SlideShowPro SC | Medium | 6.4 | 2026-04-22 07:45:35 | Deep Dive |
| CVE-2026-6396 | Fast & Fancy Filter – 3F <= 1.2.2 - Cross-Site Request Forgery to Settings Modification via fff_save_settins AJAX Action | webarea | Fast & Fancy Filter – 3F | Medium | 4.3 | 2026-04-22 07:45:34 | Deep Dive |
| CVE-2026-4280 | Breaking News WP <= 1.3 - Missing Authorization to Authenticated (Subscriber+) Local File Inclusion/Read | doctorwp | Breaking News WP | Medium | 6.5 | 2026-04-22 07:45:34 | Deep Dive |
| CVE-2026-4140 | Ni WooCommerce Order Export <= 3.1.6 - Cross-Site Request Forgery to Settings Update via ni_order_export_action AJAX Action | anzia | Ni WooCommerce Order Export | Medium | 4.3 | 2026-04-22 07:45:34 | Deep Dive |
| CVE-2026-4076 | Slider Bootstrap Carousel <= 1.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | felipermendes | Slider Bootstrap Carousel | Medium | 6.4 | 2026-04-22 07:45:33 | Deep Dive |
| CVE-2026-4126 | Table Manager <= 1.0.0 - Authenticated (Contributor+) Sensitive Information Exposure via 'table' Shortcode Attribute | primisdigital | Table Manager | Medium | 4.3 | 2026-04-22 07:45:33 | Deep Dive |
| CVE-2026-4133 | TextP2P Texting Widget <= 1.7 - Cross-Site Request Forgery to Settings Update | textp2p | TextP2P Texting Widget | Medium | 4.3 | 2026-04-22 07:45:33 | Deep Dive |
| CVE-2026-2714 | Institute Management <= 5.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Enquiry Form Title' Setting | weblizar | Institute Management – Learning Management System | Medium | 4.4 | 2026-04-22 07:45:32 | Deep Dive |
| CVE-2026-4088 | Switch CTA Box <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | wpshouter | Switch CTA Box | Medium | 6.4 | 2026-04-22 07:45:32 | Deep Dive |
| CVE-2026-6041 | Buzz Comments <= 0.9.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Custom Buzz Avatar' Setting | mixer2 | Buzz Comments | Medium | 4.4 | 2026-04-22 07:45:31 | Deep Dive |