| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-6236 | Posts map <= 0.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'name' Shortcode Attribute | lucdecri | Posts map | Medium | 6.4 | 2026-04-22 07:45:42 | Deep Dive |
| CVE-2026-4117 | CalJ <= 1.5 - Authenticated (Subscriber+) Arbitrary Settings Modification via 'save-obtained-key' Action | calj | CalJ Shabbat Times | Medium | 5.3 | 2026-04-22 07:45:42 | Deep Dive |
| CVE-2026-2719 | Private WP suite <= 0.4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Exceptions' Setting | fpoller | Private WP suite | Medium | 4.4 | 2026-04-22 07:45:41 | Deep Dive |
| CVE-2026-4132 | HTTP Headers <= 1.19.2 - Authenticated (Administrator+) External Control of File Name or Path to RCE via 'hh_htpasswd_path' and 'hh_www_authenticate_user' Parameters | zinoui | HTTP Headers | High | 7.2 | 2026-04-22 07:45:41 | Deep Dive |
| CVE-2026-4119 | Create DB Tables <= 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Database Table Creation/Deletion via admin-post.php | jppreus | Create DB Tables | Critical | 9.1 | 2026-04-22 07:45:41 | Deep Dive |
| CVE-2026-4121 | Kcaptcha <= 1.0.1 - Cross-Site Request Forgery to Settings Update | ksolves | Kcaptcha | Medium | 4.3 | 2026-04-22 07:45:40 | Deep Dive |
| CVE-2026-5748 | Text Snippets <= 0.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'w' Shortcode Attribute | snedled | Text Snippets | Medium | 6.4 | 2026-04-22 07:45:40 | Deep Dive |
| CVE-2026-6246 | Simple Random Posts Shortcode <= 0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'container_right_width' Shortcode Attribute | mkerstner | Simple Random Posts Shortcode | Medium | 6.4 | 2026-04-22 07:45:39 | Deep Dive |
| CVE-2026-4074 | Quran Live Multilanguage <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | karim42 | Quran Live Multilanguage | Medium | 6.4 | 2026-04-22 07:45:39 | Deep Dive |
| CVE-2026-4085 | Easy Social Photos Gallery <= 3.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wrapper_class' Shortcode Attribute | maltathemes | Easy Social Photos Gallery – MIF | Medium | 6.4 | 2026-04-22 07:45:39 | Deep Dive |
| CVE-2026-6235 | Sendmachine for WordPress <= 1.0.20 - Unauthenticated SMTP Hijack to Privilege Escalation via manage_admin_requests | sendmachine | Sendmachine for WordPress | Critical | 9.8 | 2026-04-22 07:45:38 | Deep Dive |
| CVE-2026-4142 | Sentence To SEO (keywords, description and tags) <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Permanent keywords' Field | eazyserver | Sentence To SEO (keywords, description and tags) | Medium | 4.4 | 2026-04-22 07:45:38 | Deep Dive |
| CVE-2026-4090 | Inquiry cart <= 3.4.2 - Cross-Site Request Forgery via Settings Form | ravster | Inquiry cart | Medium | 6.1 | 2026-04-22 07:45:38 | Deep Dive |
| CVE-2026-2717 | HTTP Headers <= 1.19.2 - Authenticated (Administrator+) CRLF Injection via Custom Header Values | zinoui | HTTP Headers | Medium | 5.5 | 2026-04-22 07:45:37 | Deep Dive |
| CVE-2026-4118 | Call To Action Plugin <= 3.1.3 - Cross-Site Request Forgery via Settings Update | tmarek | Call To Action Plugin | Medium | 4.3 | 2026-04-22 07:45:37 | Deep Dive |
| CVE-2026-4125 | WPMK Block <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | wpmkorg | WPMK Block | Medium | 6.4 | 2026-04-22 07:45:36 | Deep Dive |
| CVE-2026-4128 | TP Restore Categories And Taxonomies <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Taxonomy Deletion via 'tpmcattt_delete_term' AJAX Action | tplugins | TP Restore Categories And Taxonomies | Medium | 4.3 | 2026-04-22 07:45:36 | Deep Dive |
| CVE-2026-4139 | mCatFilter <= 0.5.2 - Cross-Site Request Forgery via compute_post() Function | chsxf | mCatFilter | Medium | 4.3 | 2026-04-22 07:45:36 | Deep Dive |
| CVE-2026-3362 | Short Comment Filter <= 2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Minimum Count' Setting | itsananderson | Short Comment Filter | Medium | 4.4 | 2026-04-22 07:45:35 | Deep Dive |
| CVE-2026-4089 | Twittee Text Tweet <= 1.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute | johnnie2u | Twittee Text Tweet | Medium | 6.4 | 2026-04-22 07:45:35 | Deep Dive |