In Dolibarr versions up to and including 11.0.3 a medium severity vulnerability CVE-2020-36966 was detected. This vulnerability allows attackers to inject malicious scripts via the LDAP synchronization settings, specifically through the `host`, `slave`, and `port` parameters in `/dolibarr/admin/ldap.php`, potentially enabling arbitrary JavaScript execution and theft of user cookie information. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2020-36966.
Read more ERPIn the Simple Calendar for Elementor plugin for WordPress versions up to and including 1.6.6 a medium severity vulnerability CVE-2026-1310 was detected. This vulnerability allows unauthenticated attackers to delete arbitrary calendar entries due to missing capability checks on the miga_ajax_editor_cal_delete function, which is hooked to the miga_editor_cal_delete AJAX action with both authenticated and unauthenticated access enabled. To address this issue, users should upgrade Simple Calendar for Elementor plugin to version 1.6.7 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1310.
Read more CMSIn the Easy Replace Image plugin for WordPress versions up to and including 3.5.2 a medium severity vulnerability CVE-2026-1298 was detected. This vulnerability allows authenticated attackers with Contributor-level access and above to replace arbitrary image attachments on the site via the image_replacement_from_url function, which is hooked to the eri_from_url AJAX action, due to missing capability checks. To address this issue, users should upgrade Easy Replace Image plugin to version 3.5.3 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1298.
Read more CMSIn the Frontend File Manager plugin for WordPress versions up to and including 23.5 a high severity vulnerability CVE-2026-1280 was detected. This vulnerability allows unauthenticated attackers to share arbitrary uploaded files via email and enumerate all uploaded files on the site – potentially exfiltrating sensitive administrator-only data – due to a missing capability check on the wpfm_send_file_in_email AJAX action and the use of sequential file IDs. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1280.
Read more CMSIn the RegistrationMagic plugin for WordPress versions up to and including 6.0.7.4 a medium severity vulnerability CVE-2026-1054 was detected. This vulnerability allows unauthenticated attackers to modify arbitrary plugin settings, including reCAPTCHA keys, security settings, and frontend menu titles, due to missing nonce verification and capability checks on the rm_set_otp AJAX action handler. To address this issue, users should upgrade RegistrationMagic plugin to version 6.0.7.5 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1054.
Read more CMSIn the Snow Monkey Forms plugin for WordPress versions up to and including 12.0.3 a critical severity vulnerability CVE-2026-1056 was detected. This vulnerability allows unauthenticated attackers to delete arbitrary files on the server due to insufficient file path validation in the generate_user_dirpath function. To address this issue, users should upgrade Snow Monkey Forms plugin to version 12.0.4 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1056.
Read more CMSIn the imwptip plugin for WordPress versions up to and including 1.1 a medium severity vulnerability CVE-2026-1377 was detected. This vulnerability allows unauthenticated attackers to update the plugin’s settings via a forged request due to missing nonce validation on the settings update functionality. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1377.
Read more CMSIn the Change WP URL plugin for WordPress versions up to and including 1.0 a medium severity vulnerability CVE-2026-1398 was detected. This vulnerability allows unauthenticated attackers to change the WordPress login URL via a forged request due to missing or incorrect nonce validation on the change-wp-url page. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1398.
Read more CMSIn the Vzaar Media Management plugin for WordPress versions up to and including 1.2 a medium severity vulnerability CVE-2026-1391 was detected. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts via a Reflected Cross-Site Scripting (XSS) attack due to insufficient input sanitization and output escaping on the $_SERVER[‘PHP_SELF’] variable. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1391.
Read more CMS