| CVE ID | Description | CVSS | Priority | Trend | Exploit | Patch |
|---|---|---|---|---|---|---|
| CVE ID | Description | CVSS | Priority | Trend | Exploit | Patch |
|---|---|---|---|---|---|---|
Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.
Known vulnerabilities affecting Wordpress products and systems
| CVE ID | Description | CVSS | Priority | Trend | Exploit | Patch |
|---|---|---|---|---|---|---|
| CVE-2026-4816 | A Reflected Cross Site Scripting (XSS) vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the vic... | 5.4 |
| 231 |
| Neutral |
| No |
| No |
| CVE-2026-4815 | A SQL Injection vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to retrieve, create, update and delete database via 'calls[0][message_ids][]' parameter in '... | 8.8 | 681 | Neutral | No | No |
| CVE-2026-4338 | The ActivityPub WordPress plugin before 8.0.2 does not properly filter posts to be displayed, allowed unauthenticated users to access drafts/scheduled/pending posts | 7.5 | 394 | Neutral | No | No |
| CVE-2026-41940 | cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 contain an authentication bypass vulnerability in the login flow that allows unauthenti... | 9.8 | 999 | Viral | Yes | Yes |
| CVE-2026-4079 | The SQL Chart Builder WordPress plugin before 2.3.8 does not properly escape user input as it is concatened to SQL queries, making it possible for attackers to conduct SQL Injection attacks against th... | 6.5 | 454 | Neutral | Yes | No |
| CVE-2026-3058 | The Seraphinite Accelerator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.28.14 via the `seraph_accel_api` AJAX action with `fn=GetData`.... | 6.5 | 273 | Neutral | No | Yes |
| CVE-2026-28562 | wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers ... | 9.8 | 725 | Neutral | No | No |
| CVE-2026-28561 | wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows administrators to inject persistent JavaScript via forum description fields echoed without output escaping across m... | 4.8 | 210 | Neutral | No | No |
| CVE-2026-28560 | wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows script injection via forum URL data output into an inline script block using json_encode without the JSON_HEX_TAG f... | 4.8 | 210 | Neutral | No | No |
| CVE-2026-28559 | wpForo Forum 2.4.14 contains an information disclosure vulnerability that allows unauthenticated users to retrieve private and unapproved forum topics via the global RSS feed endpoint. Attackers reque... | 5.3 | 196 | Neutral | No | No |
| CVE-2026-28558 | wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows authenticated subscribers to upload SVG files as profile avatars through the avatar upload functionality. Attackers... | 5.4 | 231 | Neutral | No | No |
| CVE-2026-28557 | wpForo Forum 2.4.14 contains a missing capability check vulnerability that allows authenticated users to trigger bulk wpForo usergroup reassignment via the wpforo_synch_roles AJAX handler. Attackers a... | 6.5 | 281 | Neutral | No | No |
| CVE-2026-28556 | wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to move, merge, or split any forum topic via the topic_move, topic_merge, and topic_split form ... | 5.4 | 193 | Neutral | No | No |
| CVE-2026-28555 | wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to close or reopen any forum topic via the wpforo_close_ajax handler. Attackers submit a valid ... | 4.3 | 171 | Neutral | No | No |
| CVE-2026-28554 | wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to approve or unapprove any forum post via the wpforo_approve_ajax AJAX handler. Attackers expl... | 4.3 | 171 | Neutral | No | No |
| CVE-2026-22850 | Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL im... | 8.3 | 602 | Neutral | Yes | Yes |
| CVE-2026-22216 | wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the... | 5.3 | 132 | Neutral | No | No |
| CVE-2026-22215 | wpDiscuz before 7.6.47 contains a cross-site request forgery vulnerability in the getFollowsPage() function that allows attackers to trigger unauthorized actions without nonce validation. Attackers ca... | 5.4 | 193 | Neutral | No | No |
| CVE-2026-22210 | wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability that allows attackers to inject malicious code through unescaped attachment URLs in HTML output by exploiting the WpdiscuzHelperUpl... | 6.1 | 280 | Neutral | No | No |
| CVE-2026-22209 | wpDiscuz before 7.6.47 contains a cross-site scripting vulnerability in the customCss field that allows administrators to inject malicious scripts by breaking out of style tags. Attackers with admin a... | 5.5 | 285 | Neutral | No | Yes |