High Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| abhisheksaha11–URL Preview | The URL Preview plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0 via the ‘url’ parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2026-06-24 | 7.2 | CVE-2026-12100 |
| adegans–AdRotate Banner Manager | The AdRotate Banner Manager plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 5.17.7 via the ‘banner’ attribute of the adrotate shortcode. This is due to insufficient input validation and sanitization of the banner shortcode attribute before concatenation into a PHP code string wrapped in W3 Total Cache mfunc or Borlabs Cache fragment markers. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server. This vulnerability requires W3 Total Cache or Borlabs Cache support to be enabled in AdRotate settings. | 2026-06-24 | 8.8 | CVE-2026-12242 |
| Adenion–Blog2Social | Unauthenticated Cross Site Scripting (XSS) in Blog2Social <= 8.9.2 versions. | 2026-06-26 | 7.1 | CVE-2026-56044 |
| Adobe–Acrobat Reader | Acrobat Reader versions 2020.009.20074, 2020.001.30002, 2017.011.30171, 2015.006.30523 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2026-06-23 | 7.8 | CVE-2020-9695 |
| Adrian Tobey–Groundhogg | Sales Representative SQL Injection in Groundhogg <= 4.5 versions. | 2026-06-26 | 8.5 | CVE-2026-57667 |
| Ads WPQuads–Ads by WPQuads | Unauthenticated Sensitive Data Exposure in Ads by WPQuads <= 3.0.3 versions. | 2026-06-26 | 7.5 | CVE-2026-54824 |
| AF themes–WP Post Author | Contributor SQL Injection in WP Post Author <= 3.9.1 versions. | 2026-06-26 | 8.5 | CVE-2026-57643 |
| Ahmad–JS Help Desk | Subscriber Arbitrary File Deletion in JS Help Desk <= 3.1.1 versions. | 2026-06-25 | 7.7 | CVE-2026-56054 |
| AKIN Software Computer Import Export Industry and Trade Ltd.–CafePlus | Missing authentication for critical function vulnerability in AKIN Software Computer Import Export Industry and Trade Ltd. CafePlus allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects CafePlus: from 12.05.03 before 12.05.04. | 2026-06-23 | 8.8 | CVE-2026-10711 |
| akosglys–Syncee Premium Dropshipping & Wholesale | Unauthenticated Broken Access Control in Syncee Premium Dropshipping & Wholesale <= 1.0.27 versions. | 2026-06-26 | 7.5 | CVE-2026-54846 |
| Algolplus–Advanced Order Export For WooCommerce | Customer Cross Site Scripting (XSS) in Advanced Order Export For WooCommerce < […] | | | |