In the imwptip plugin for WordPress versions up to and including 1.1 a medium severity vulnerability CVE-2026-1377 was detected. This vulnerability allows unauthenticated attackers to update the plugin’s settings via a forged request due to missing nonce validation on the settings update functionality. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1377.
Read more CMSIn the WP Hello Bar plugin for WordPress versions up to and including 1.02 a medium severity vulnerability CVE-2026-1042 was detected. This vulnerability allows authenticated attackers with administrator-level access and above to inject arbitrary web scripts through the digit_one and digit_two parameters due to insufficient input sanitization and output escaping, resulting in stored cross-site scripting that executes when users access affected pages. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1042.
Read more CMS NewsflashIn the Viet Contact plugin for WordPress versions up to and including 1.3.2 a medium severity vulnerability CVE-2026-1045 was detected. This vulnerability allows authenticated attackers with administrator-level permissions and above to perform stored cross-site scripting (XSS) by injecting arbitrary web scripts through improperly sanitized admin settings, which execute when a user accesses the affected pages. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-1045.
Read more CMS NewsflashIn Umbraco CMS version 8.14.1 a medium severity vulnerability CVE-2021-47776 was detected. This vulnerability allows attackers to perform server-side request forgery (SSRF) by manipulating the baseUrl parameter in multiple dashboard and help controller endpoints, causing the server to initiate unauthorized requests to external hosts. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2021-47776.
Read more CMS NewsflashIn Ghost versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3 a high severity vulnerability CVE-2026-22594 was detected. This vulnerability allows authenticated staff users to bypass the email-based two-factor authentication (2FA) mechanism, weakening account security and increasing the risk of unauthorized access. To address this issue, users should upgrade Ghost to versions 5.130.6 or 6.11.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22594.
Read more CMSIn Ghost versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3 a medium severity vulnerability CVE-2026-22596 was detected. This vulnerability allows attackers with valid Ghost Admin API authentication credentials to execute arbitrary SQL commands via the /ghost/api/admin/members/events endpoint, potentially leading to data disclosure, modification, or full database compromise. To address this issue, users should upgrade Ghost to versions 5.130.6 or 6.11.0. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22596.
Read more CMS NewsflashIn OpenProject versions prior to 16.6.2 a medium severity vulnerability CVE-2026-22603 was detected. This vulnerability allows attackers to perform unlimited password-guessing attacks against user accounts by abusing an unauthenticated password-change endpoint that lacks brute-force protection, potentially leading to full account compromise and further privilege escalation. To address this issue, users should upgrade OpenProject to version 16.6.2 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-22603.
Read more CMS NewsflashIn the Short Link plugin for WordPress versions up to and including 1.0 a medium severity vulnerability CVE-2026-0813 was detected. This vulnerability allows authenticated attackers with administrator-level access or higher to inject arbitrary JavaScript into pages via the short_link_post_title and short_link_page_title parameters, which will execute when a user visits the affected page. To address this issue, users should upgrade to a patched or the latest available version of the plugin. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-0813.
Read more CMS NewsflashIn the Quiz Maker plugin for WordPress versions before 6.7.0.89 a low severity vulnerability CVE-2025-14579 was detected. This vulnerability allows attackers with high-privilege roles, such as administrators, to perform stored cross-site scripting (XSS) attacks due to insufficient sanitization and escaping of plugin settings, even when the unfiltered_html capability is disabled (for example, in multisite environments). To address this issue, users should upgrade the Quiz Maker plugin to version 6.7.0.89 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2025-14579.
Read more CMS Newsflash