{"sector":{"id":"ecommerce","name":"E-commerce & Retail","sector":"retail","description":"Online merchants, marketplaces and headless commerce platforms. Focus on\ncart/checkout flows, payment integrations and customer data.","visibility":"public"},"top_24h":[{"id":"7dfec3c4-23f4-4403-bf5c-d95cd65a1f93","threat_type":"cve","title":"The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking","summary":"The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking_form_page_url' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious activity log entry is written to the database even when Stripe is not configured, because the latepoint_order_intent_created action hook fires before the Stripe Connect account ID is validated, meaning a fully functional Stripe integration is not required for exploitation.","severity":"high","cvss_score":7.2,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-06T08:16:04.090000Z","last_modified_at":"2026-05-06T14:04:51.574691Z","external_id":"CVE-2026-7332","description":"The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking_form_page_url' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious activity log entry is written to the database even when Stripe is not configured, because the latepoint_order_intent_created action hook fires before the Stripe Connect account ID is validated, meaning a fully functional Stripe integration is not required for exploitation.","affected_products":[],"references":["https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/controllers/activities_controller.php#L214","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/controllers/stripe_connect_controller.php#L260","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/helpers/activities_helper.php#L83","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/activities_controller.php#L214","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/stripe_connect_controller.php#L260","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/activities_helper.php#L83","https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/activities_controller.php#L214","https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L260","https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/activities_helper.php#L83","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3522933%40latepoint%2Ftrunk&old=3516282%40latepoint%2Ftrunk&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/c03ddcf0-6955-4645-b311-c3833ca61455?source=cve"],"sources":["nvd"],"score":60.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":true,"matched":["stripe"],"points":25},"cwe_match":{"hit":true,"matched":["CWE-79"],"points":20},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":7.2,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":60,"final_score":60.0},"calculated_at":"2026-05-06T14:04:56.025564Z"},{"id":"1d3a8374-3c0d-43f3-8e38-a9ed156c7190","threat_type":"cve","title":"The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the '","summary":"The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mp_pix_image' WooCommerce API endpoint in all versions up to, and including, 8.7.11. This makes it possible for unauthenticated attackers to retrieve PIX payment QR code images for arbitrary orders. PIX QR codes contain sensitive merchant information including PIX keys (which may be CPF/CNPJ personal identifiers), transaction amounts, merchant name and city, and MercadoPago transaction references.","severity":"medium","cvss_score":5.3,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-06T04:16:06.223000Z","last_modified_at":"2026-05-06T14:04:51.428972Z","external_id":"CVE-2026-3208","description":"The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mp_pix_image' WooCommerce API endpoint in all versions up to, and including, 8.7.11. This makes it possible for unauthenticated attackers to retrieve PIX payment QR code images for arbitrary orders. PIX QR codes contain sensitive merchant information including PIX keys (which may be CPF/CNPJ personal identifiers), transaction amounts, merchant name and city, and MercadoPago transaction references.","affected_products":[],"references":["https://plugins.trac.wordpress.org/browser/woocommerce-mercadopago/tags/8.7.10/src/Gateways/PixGateway.php#L358","https://plugins.trac.wordpress.org/browser/woocommerce-mercadopago/tags/8.7.10/src/Gateways/PixGateway.php#L92","https://plugins.trac.wordpress.org/changeset?old_path=%2Fwoocommerce-mercadopago/tags/8.7.11&new_path=%2Fwoocommerce-mercadopago/tags/8.7.12","https://www.wordfence.com/threat-intel/vulnerabilities/id/986e0252-b94d-4ac8-9083-0218fa8a651e?source=cve"],"sources":["nvd"],"score":55.0,"score_breakdown":{"technology_match":{"hit":true,"matched":["WooCommerce"],"points":30},"keyword_match":{"hit":true,"matched":["merchant"],"points":25},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":5.3,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":55,"final_score":55.0},"calculated_at":"2026-05-06T14:04:56.069586Z"},{"id":"e478ff62-dbbd-491f-8ebe-6248ab8f7055","threat_type":"cve","title":"The Gravity Bookings Premium plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.5.9 due to insufficient escap","summary":"The Gravity Bookings Premium plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.5.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","severity":"high","cvss_score":7.5,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-06T10:16:18.903000Z","last_modified_at":"2026-05-06T14:04:51.638970Z","external_id":"CVE-2026-1719","description":"The Gravity Bookings Premium plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 2.5.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","affected_products":[],"references":["https://gravitybooking.com/","https://www.wordfence.com/threat-intel/vulnerabilities/id/ce032abe-ee9d-4be1-ac97-5fa95d598e85?source=cve"],"sources":["nvd"],"score":35.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-89"],"points":20},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":7.5,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":35,"final_score":35.0},"calculated_at":"2026-05-06T14:04:56.047935Z"},{"id":"ad4474c7-62e5-4a09-9515-8749a1ba6bff","threat_type":"cve","title":"A remote code execution vulnerability\nexists in Notification Settings on GeoVision GV-ASWeb 6.2.0. An authenticated\nuser with System Setting permissio","summary":"A remote code execution vulnerability\nexists in Notification Settings on GeoVision GV-ASWeb 6.2.0. An authenticated\nuser with System Setting permissions can execute arbitrary commands on the\nserver by sending a crafted HTTP POST request to the ASWebCommon.srf backend\nendpoint to bypass the frontend restrictions.","severity":"high","cvss_score":8.8,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-06T08:16:04.490000Z","last_modified_at":"2026-05-06T08:59:38.678099Z","external_id":"CVE-2026-7841","description":"A remote code execution vulnerability\nexists in Notification Settings on GeoVision GV-ASWeb 6.2.0. An authenticated\nuser with System Setting permissions can execute arbitrary commands on the\nserver by sending a crafted HTTP POST request to the ASWebCommon.srf backend\nendpoint to bypass the frontend restrictions.","affected_products":[],"references":["https://www.geovision.com.tw/cyber_security.php"],"sources":["nvd"],"score":35.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-94"],"points":20},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":8.8,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":35,"final_score":35.0},"calculated_at":"2026-05-06T08:59:38.794366Z"},{"id":"f5ca24a5-761c-4767-81b0-a44a82633d50","threat_type":"cve","title":"The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'first_n","summary":"The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'first_name' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","severity":"high","cvss_score":7.2,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-06T08:16:04.230000Z","last_modified_at":"2026-05-06T14:04:51.594543Z","external_id":"CVE-2026-7448","description":"The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'first_name' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","affected_products":[],"references":["https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/controllers/activities_controller.php#L270","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/helpers/email_helper.php#L50","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/helpers/replacer_helper.php#L276","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/models/customer_model.php#L376","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/activities_controller.php#L270","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/email_helper.php#L50","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/replacer_helper.php#L276","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/models/customer_model.php#L376","https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/activities_controller.php#L270","https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/email_helper.php#L50","https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/replacer_helper.php#L276","https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/models/customer_model.php#L376","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3522933%40latepoint%2Ftrunk&old=3516282%40latepoint%2Ftrunk&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/c8eedec9-d8d4-4052-baec-29f83ac306ac?source=cve"],"sources":["nvd"],"score":35.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-79"],"points":20},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":7.2,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":35,"final_score":35.0},"calculated_at":"2026-05-06T14:04:56.043784Z"},{"id":"e7abeea8-c2f3-41a1-be26-eef6839afb8a","threat_type":"cve","title":"In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attack","summary":"In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When \"UseReverseDNS on\" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect exploitability.","severity":"high","cvss_score":8.1,"cvss_vector":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-05T20:16:39.680000Z","last_modified_at":"2026-05-05T20:47:40.773256Z","external_id":"CVE-2026-44331","description":"In ProFTPD through 1.3.9a before 7666224, a SQL injection vulnerability in sqltab_fetch_clients_cb() in contrib/mod_wrap2_sql.c allows a remote attacker to inject arbitrary SQL commands via a crafted domain name that is accessed in a reverse DNS lookup. When \"UseReverseDNS on\" is enabled, the attacker-supplied hostname is passed unescaped into SQL queries. The character restrictions of DNS names may affect exploitability.","affected_products":[],"references":["https://github.com/proftpd/proftpd/commit/766622456440fbca33abd7927c523673a11d1ed1","https://github.com/proftpd/proftpd/issues/2057"],"sources":["nvd"],"score":35.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-89"],"points":20},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":8.1,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":35,"final_score":35.0},"calculated_at":"2026-05-06T02:00:16.223257Z"},{"id":"9f90756c-10c3-463d-b98e-67d8c9425a99","threat_type":"cve","title":"A weakness has been identified in FlowiseAI Flowise up to 3.0.12. Affected by this vulnerability is an unknown functionality of the component User Con","summary":"A weakness has been identified in FlowiseAI Flowise up to 3.0.12. Affected by this vulnerability is an unknown functionality of the component User Controller Handler. This manipulation of the argument userId/organizationId/workspaceId/email causes authorization bypass. The attack may be initiated remotely. The affected component should be upgraded.","severity":"medium","cvss_score":4.3,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-06T15:16:13.050000Z","last_modified_at":"2026-05-06T16:06:39.790964Z","external_id":"CVE-2026-8027","description":"A weakness has been identified in FlowiseAI Flowise up to 3.0.12. Affected by this vulnerability is an unknown functionality of the component User Controller Handler. This manipulation of the argument userId/organizationId/workspaceId/email causes authorization bypass. The attack may be initiated remotely. The affected component should be upgraded.","affected_products":[],"references":["https://gist.github.com/YLChen-007/3584e6ffa0bba6367328ecf0b46b0e4b","https://vuldb.com/submit/777657","https://vuldb.com/vuln/361274","https://vuldb.com/vuln/361274/cti"],"sources":["nvd"],"score":20.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-639"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":4.3,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":20,"final_score":20.0},"calculated_at":"2026-05-06T16:06:40.112045Z"},{"id":"7f472828-6a5b-42c4-af99-95bb6e79ad10","threat_type":"cve","title":"HHCL BigFix Service Management (SM) is affected by a Cross‑Site Request Forgery (CSRF) vulnerability.  This could lead to unauthorized changes or expo","summary":"HHCL BigFix Service Management (SM) is affected by a Cross‑Site Request Forgery (CSRF) vulnerability.  This could lead to unauthorized changes or exposure of sensitive data.","severity":"low","cvss_score":2.6,"cvss_vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-06T15:16:05.750000Z","last_modified_at":"2026-05-06T16:06:39.534227Z","external_id":"CVE-2025-31957","description":"HHCL BigFix Service Management (SM) is affected by a Cross‑Site Request Forgery (CSRF) vulnerability.  This could lead to unauthorized changes or exposure of sensitive data.","affected_products":[],"references":["https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128144"],"sources":["nvd"],"score":20.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-352"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":2.6,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":20,"final_score":20.0},"calculated_at":"2026-05-06T16:06:40.097190Z"},{"id":"ad6f1722-2c29-44ac-b647-03ffb63cdb9b","threat_type":"cve","title":"Cross Site Scripting vulnerability in Juzaweb CMS v.5.0.0 allows a remote attacker via execute arbitrary code via a crafted script to the Add Banner A","summary":"Cross Site Scripting vulnerability in Juzaweb CMS v.5.0.0 allows a remote attacker via execute arbitrary code via a crafted script to the Add Banner Ads function","severity":"medium","cvss_score":5.4,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-06T14:16:19.583000Z","last_modified_at":"2026-05-06T16:06:39.508854Z","external_id":"CVE-2026-36358","description":"Cross Site Scripting vulnerability in Juzaweb CMS v.5.0.0 allows a remote attacker via execute arbitrary code via a crafted script to the Add Banner Ads function","affected_products":[],"references":["http://juzaweb.com","https://gist.github.com/yuhuamiao/2c984b2d7f2adb90020818f9308b5862","https://juzaweb.com/"],"sources":["nvd"],"score":20.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-79"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":5.4,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":20,"final_score":20.0},"calculated_at":"2026-05-06T16:06:39.968067Z"},{"id":"a09aaa24-1a26-48be-bbd1-d0940eb26300","threat_type":"cve","title":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Wicket.\n\nThis issue affects Apache Wicket","summary":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Wicket.\n\nThis issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0.\n\nUsers are recommended to upgrade to version 10.9.0, which fixes the issue.","severity":"unknown","cvss_score":null,"cvss_vector":null,"cvss_version":null,"tags":["nvd"],"published_at":"2026-05-06T10:16:20.217000Z","last_modified_at":"2026-05-06T14:04:51.692758Z","external_id":"CVE-2026-42509","description":"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Wicket.\n\nThis issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0.\n\nUsers are recommended to upgrade to version 10.9.0, which fixes the issue.","affected_products":[],"references":["https://lists.apache.org/thread/52nrq4tt07gxz4r6sj5gyocz5s6bprjp","http://www.openwall.com/lists/oss-security/2026/05/06/2"],"sources":["nvd"],"score":20.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-79"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":null,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":20,"final_score":20.0},"calculated_at":"2026-05-06T14:04:56.030490Z"}],"top_7d":[{"id":"0da69b0c-abe3-484a-af6c-cc3bd2432dc7","threat_type":"cve","title":"cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to g","summary":"cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.","severity":"critical","cvss_score":9.8,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","cvss_version":"3.1","tags":["nvd","kev","actively-exploited","ransomware"],"published_at":"2026-04-29T22:17:34.339369Z","last_modified_at":"2026-05-06T15:23:37.677810Z","external_id":"CVE-2026-41940","description":"cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.","affected_products":["cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*","cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*","cpe:2.3:a:cpanel:wp_squared:*:*:*:*:*:wordpress:*:*"],"references":["https://docs.cpanel.net/release-notes/release-notes","https://docs.wpsquared.com/changelogs/versions/changelog/#13617","https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026","https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026","https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow","https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/","https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/","https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940"],"sources":["nvd","cisa_kev"],"score":75.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":9.8,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":true,"points":25},"actively_exploited":{"hit":true,"points":15},"ransomware":{"hit":true,"points":15},"multi_source":{"hit":true,"source_count":2,"points":5},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":75,"final_score":75.0},"calculated_at":"2026-05-06T15:24:16.023863Z"},{"id":"43dec599-bd66-43c5-a544-e3f0a19b23a4","threat_type":"cve","title":"The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct","summary":"The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfm_delete_wcfm_customer' due to missing validation on the 'customerid' user controlled key. This makes it possible for authenticated attackers, with Vendor-level access and above, to delete arbitrary users, including Administrators.","severity":"high","cvss_score":8.1,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-02T14:16:17.707000Z","last_modified_at":"2026-05-05T19:46:40.114322Z","external_id":"CVE-2026-2554","description":"The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfm_delete_wcfm_customer' due to missing validation on the 'customerid' user controlled key. This makes it possible for authenticated attackers, with Vendor-level access and above, to delete arbitrary users, including Administrators.","affected_products":[],"references":["https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-customer.php#L386","https://plugins.trac.wordpress.org/changeset/3483695/","https://www.wordfence.com/threat-intel/vulnerabilities/id/21e397a4-0b32-4b13-a46b-c465acea0796?source=cve"],"sources":["nvd"],"score":65.0,"score_breakdown":{"technology_match":{"hit":true,"matched":["WooCommerce"],"points":30},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-639"],"points":20},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":8.1,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":65,"final_score":65.0},"calculated_at":"2026-05-06T02:00:10.425012Z"},{"id":"7dfec3c4-23f4-4403-bf5c-d95cd65a1f93","threat_type":"cve","title":"The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking","summary":"The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking_form_page_url' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious activity log entry is written to the database even when Stripe is not configured, because the latepoint_order_intent_created action hook fires before the Stripe Connect account ID is validated, meaning a fully functional Stripe integration is not required for exploitation.","severity":"high","cvss_score":7.2,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-06T08:16:04.090000Z","last_modified_at":"2026-05-06T14:04:51.574691Z","external_id":"CVE-2026-7332","description":"The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking_form_page_url' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious activity log entry is written to the database even when Stripe is not configured, because the latepoint_order_intent_created action hook fires before the Stripe Connect account ID is validated, meaning a fully functional Stripe integration is not required for exploitation.","affected_products":[],"references":["https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/controllers/activities_controller.php#L214","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/controllers/stripe_connect_controller.php#L260","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/helpers/activities_helper.php#L83","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/activities_controller.php#L214","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/stripe_connect_controller.php#L260","https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/activities_helper.php#L83","https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/activities_controller.php#L214","https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L260","https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/activities_helper.php#L83","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3522933%40latepoint%2Ftrunk&old=3516282%40latepoint%2Ftrunk&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/c03ddcf0-6955-4645-b311-c3833ca61455?source=cve"],"sources":["nvd"],"score":60.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":true,"matched":["stripe"],"points":25},"cwe_match":{"hit":true,"matched":["CWE-79"],"points":20},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":7.2,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":60,"final_score":60.0},"calculated_at":"2026-05-06T14:04:56.025564Z"},{"id":"41c8559d-14f1-4210-b2bc-ffc52a687aa9","threat_type":"cve","title":"Easy PayPal Events & Tickets plugin for WordPress versions 1.3 and earlier contain an information disclosure vulnerability in the QR code scanning","summary":"Easy PayPal Events & Tickets plugin for WordPress versions 1.3 and earlier contain an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress post IDs through the scan_qr.php endpoint to harvest the complete set of orders stored in the database without requiring authentication or prior knowledge of specific order identifiers. This plugin was officially closed as of 2026-03-18.","severity":"high","cvss_score":7.5,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-04T18:16:29.447000Z","last_modified_at":"2026-05-05T20:47:39.268864Z","external_id":"CVE-2026-41471","description":"Easy PayPal Events & Tickets plugin for WordPress versions 1.3 and earlier contain an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress post IDs through the scan_qr.php endpoint to harvest the complete set of orders stored in the database without requiring authentication or prior knowledge of specific order identifiers. This plugin was officially closed as of 2026-03-18.","affected_products":[],"references":["https://gist.github.com/4lec4st/9fd04b4bfadb3f7e388f61588f5f2564","https://wordpress.org/plugins/easy-paypal-events-tickets","https://www.vulncheck.com/advisories/easy-paypal-events-tickets-information-disclosure-via-qr-code-endpoint"],"sources":["nvd"],"score":60.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":true,"matched":["paypal"],"points":25},"cwe_match":{"hit":true,"matched":["CWE-639"],"points":20},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":7.5,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":60,"final_score":60.0},"calculated_at":"2026-05-06T02:00:13.992906Z"},{"id":"4f1e1ccb-9a2d-4d4b-88d6-025408e35526","threat_type":"cve","title":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: algif_aead - Revert to operating out-of-place\n\nThis mostly reverts commit","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: algif_aead - Revert to operating out-of-place\n\nThis mostly reverts commit 72548b093ee3 except for the copying of\nthe associated data.\n\nThere is no benefit in operating in-place in algif_aead since the\nsource and destination come from different mappings.  Get rid of\nall the complexity added for in-place operation and just copy the\nAD directly.","severity":"critical","cvss_score":7.8,"cvss_vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","cvss_version":"3.1","tags":["nvd","kev","actively-exploited"],"published_at":"2026-04-29T22:17:30.493476Z","last_modified_at":"2026-05-06T15:23:37.653656Z","external_id":"CVE-2026-31431","description":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: algif_aead - Revert to operating out-of-place\n\nThis mostly reverts commit 72548b093ee3 except for the copying of\nthe associated data.\n\nThere is no benefit in operating in-place in algif_aead since the\nsource and destination come from different mappings.  Get rid of\nall the complexity added for in-place operation and just copy the\nAD directly.","affected_products":["cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*","cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*","cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*","cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*","cpe:2.3:o:redhat:enterprise_linux:10.1:*:*:*:*:*:*:*","cpe:2.3:o:amazon:amazon_linux:-:*:*:*:*:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:-:*:*:*:*:*:*:*","cpe:2.3:o:suse:suse_linux:-:*:*:*:*:*:*:*"],"references":["https://git.kernel.org/stable/c/19d43105a97be0810edbda875f2cd03f30dc130c","https://git.kernel.org/stable/c/3115af9644c342b356f3f07a4dd1c8905cd9a6fc","https://git.kernel.org/stable/c/893d22e0135fa394db81df88697fba6032747667","https://git.kernel.org/stable/c/8b88d99341f139e23bdeb1027a2a3ae10d341d82","https://git.kernel.org/stable/c/961cfa271a918ad4ae452420e7c303149002875b","https://git.kernel.org/stable/c/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5","https://git.kernel.org/stable/c/ce42ee423e58dffa5ec03524054c9d8bfd4f6237","https://git.kernel.org/stable/c/fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8","http://www.openwall.com/lists/oss-security/2026/04/29/23","http://www.openwall.com/lists/oss-security/2026/04/29/25","http://www.openwall.com/lists/oss-security/2026/04/29/26","http://www.openwall.com/lists/oss-security/2026/04/30/10","http://www.openwall.com/lists/oss-security/2026/04/30/11","http://www.openwall.com/lists/oss-security/2026/04/30/12","http://www.openwall.com/lists/oss-security/2026/04/30/14","http://www.openwall.com/lists/oss-security/2026/04/30/15","http://www.openwall.com/lists/oss-security/2026/04/30/16","http://www.openwall.com/lists/oss-security/2026/04/30/17","http://www.openwall.com/lists/oss-security/2026/04/30/18","http://www.openwall.com/lists/oss-security/2026/04/30/2","http://www.openwall.com/lists/oss-security/2026/04/30/20","http://www.openwall.com/lists/oss-security/2026/04/30/5","http://www.openwall.com/lists/oss-security/2026/04/30/6","http://www.openwall.com/lists/oss-security/2026/05/01/10","http://www.openwall.com/lists/oss-security/2026/05/01/12","http://www.openwall.com/lists/oss-security/2026/05/01/15","http://www.openwall.com/lists/oss-security/2026/05/01/16","http://www.openwall.com/lists/oss-security/2026/05/01/17","http://www.openwall.com/lists/oss-security/2026/05/01/18","http://www.openwall.com/lists/oss-security/2026/05/01/2","http://www.openwall.com/lists/oss-security/2026/05/01/22","http://www.openwall.com/lists/oss-security/2026/05/01/23","http://www.openwall.com/lists/oss-security/2026/05/01/24","http://www.openwall.com/lists/oss-security/2026/05/01/3","http://www.openwall.com/lists/oss-security/2026/05/02/14","http://www.openwall.com/lists/oss-security/2026/05/02/15","http://www.openwall.com/lists/oss-security/2026/05/02/16","http://www.openwall.com/lists/oss-security/2026/05/02/17","http://www.openwall.com/lists/oss-security/2026/05/02/18","http://www.openwall.com/lists/oss-security/2026/05/02/19","http://www.openwall.com/lists/oss-security/2026/05/02/20","http://www.openwall.com/lists/oss-security/2026/05/02/21","http://www.openwall.com/lists/oss-security/2026/05/02/23","http://www.openwall.com/lists/oss-security/2026/05/02/24","http://www.openwall.com/lists/oss-security/2026/05/02/25","http://www.openwall.com/lists/oss-security/2026/05/02/4","http://www.openwall.com/lists/oss-security/2026/05/02/5","http://www.openwall.com/lists/oss-security/2026/05/02/6","http://www.openwall.com/lists/oss-security/2026/05/02/7","http://www.openwall.com/lists/oss-security/2026/05/02/8","http://www.openwall.com/lists/oss-security/2026/05/03/10","http://www.openwall.com/lists/oss-security/2026/05/03/12","http://www.openwall.com/lists/oss-security/2026/05/03/13","http://www.openwall.com/lists/oss-security/2026/05/03/3","http://www.openwall.com/lists/oss-security/2026/05/03/4","http://www.openwall.com/lists/oss-security/2026/05/03/5","http://www.openwall.com/lists/oss-security/2026/05/03/6","http://www.openwall.com/lists/oss-security/2026/05/04/1","http://www.openwall.com/lists/oss-security/2026/05/04/10","http://www.openwall.com/lists/oss-security/2026/05/04/11","http://www.openwall.com/lists/oss-security/2026/05/04/12","http://www.openwall.com/lists/oss-security/2026/05/04/13","http://www.openwall.com/lists/oss-security/2026/05/04/14","http://www.openwall.com/lists/oss-security/2026/05/04/2","http://www.openwall.com/lists/oss-security/2026/05/04/24","http://www.openwall.com/lists/oss-security/2026/05/04/27","http://www.openwall.com/lists/oss-security/2026/05/04/28","http://www.openwall.com/lists/oss-security/2026/05/04/29","http://www.openwall.com/lists/oss-security/2026/05/04/31","http://www.openwall.com/lists/oss-security/2026/05/04/8","http://www.openwall.com/lists/oss-security/2026/05/04/9","http://www.openwall.com/lists/oss-security/2026/05/06/5","https://copy.fail","https://websec.net/blog/cve-2026-31431-linux-algifaead-page-cache-write-to-root-69f38a4ccddd2db1f520f170","https://access.redhat.com/security/cve/cve-2026-31431#cve-details-mitigation","https://github.com/theori-io/copy-fail-CVE-2026-31431","https://lore.kernel.org/linux-cve-announce/2026042214-CVE-2026-31431-3d65@gregkh/","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-31431","https://xint.io/blog/copy-fail-linux-distributions#the-fix-6"],"sources":["cisa_kev","nvd"],"score":60.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":7.8,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":true,"points":25},"actively_exploited":{"hit":true,"points":15},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":true,"source_count":2,"points":5},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":60,"final_score":60.0},"calculated_at":"2026-05-06T15:24:16.017346Z"},{"id":"1d3a8374-3c0d-43f3-8e38-a9ed156c7190","threat_type":"cve","title":"The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the '","summary":"The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mp_pix_image' WooCommerce API endpoint in all versions up to, and including, 8.7.11. This makes it possible for unauthenticated attackers to retrieve PIX payment QR code images for arbitrary orders. PIX QR codes contain sensitive merchant information including PIX keys (which may be CPF/CNPJ personal identifiers), transaction amounts, merchant name and city, and MercadoPago transaction references.","severity":"medium","cvss_score":5.3,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-06T04:16:06.223000Z","last_modified_at":"2026-05-06T14:04:51.428972Z","external_id":"CVE-2026-3208","description":"The Mercado Pago payments for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'mp_pix_image' WooCommerce API endpoint in all versions up to, and including, 8.7.11. This makes it possible for unauthenticated attackers to retrieve PIX payment QR code images for arbitrary orders. PIX QR codes contain sensitive merchant information including PIX keys (which may be CPF/CNPJ personal identifiers), transaction amounts, merchant name and city, and MercadoPago transaction references.","affected_products":[],"references":["https://plugins.trac.wordpress.org/browser/woocommerce-mercadopago/tags/8.7.10/src/Gateways/PixGateway.php#L358","https://plugins.trac.wordpress.org/browser/woocommerce-mercadopago/tags/8.7.10/src/Gateways/PixGateway.php#L92","https://plugins.trac.wordpress.org/changeset?old_path=%2Fwoocommerce-mercadopago/tags/8.7.11&new_path=%2Fwoocommerce-mercadopago/tags/8.7.12","https://www.wordfence.com/threat-intel/vulnerabilities/id/986e0252-b94d-4ac8-9083-0218fa8a651e?source=cve"],"sources":["nvd"],"score":55.0,"score_breakdown":{"technology_match":{"hit":true,"matched":["WooCommerce"],"points":30},"keyword_match":{"hit":true,"matched":["merchant"],"points":25},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":5.3,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":55,"final_score":55.0},"calculated_at":"2026-05-06T14:04:56.069586Z"},{"id":"5c364ff8-0b09-4ed3-8b4b-cbb001f07f34","threat_type":"cve","title":"The NextMove Lite – Thank You Page for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xlwcty_current_","summary":"The NextMove Lite – Thank You Page for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xlwcty_current_date' shortcode in all versions up to, and including, 2.23.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","severity":"medium","cvss_score":6.4,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-02T14:16:17.040000Z","last_modified_at":"2026-05-05T19:46:40.096153Z","external_id":"CVE-2026-0703","description":"The NextMove Lite – Thank You Page for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xlwcty_current_date' shortcode in all versions up to, and including, 2.23.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","affected_products":[],"references":["https://plugins.trac.wordpress.org/browser/woo-thank-you-page-nextmove-lite/tags/2.23.0/merge-tags/xlwcty-shortcode-merge-tags.php#L79","https://plugins.trac.wordpress.org/browser/woo-thank-you-page-nextmove-lite/tags/2.23.0/merge-tags/xlwcty-shortcode-merge-tags.php#L87","https://plugins.trac.wordpress.org/changeset/3482613/","https://www.wordfence.com/threat-intel/vulnerabilities/id/a8eab201-04a5-43df-bb9b-2964c50a1833?source=cve"],"sources":["nvd"],"score":50.0,"score_breakdown":{"technology_match":{"hit":true,"matched":["WooCommerce"],"points":30},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-79"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":6.4,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":50,"final_score":50.0},"calculated_at":"2026-05-06T02:00:10.498658Z"},{"id":"4ec4b50f-8309-460f-9522-f69b1a0785c3","threat_type":"cve","title":"The Call for Price for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and inc","summary":"The Call for Price for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.","severity":"medium","cvss_score":4.4,"cvss_vector":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-02T06:16:04.173000Z","last_modified_at":"2026-05-05T19:46:39.405927Z","external_id":"CVE-2026-6447","description":"The Call for Price for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.","affected_products":[],"references":["https://plugins.trac.wordpress.org/browser/woocommerce-call-for-price/tags/4.2.0/includes/admin/class-wc-call-for-price-settings-product-types.php#L68","https://plugins.trac.wordpress.org/browser/woocommerce-call-for-price/tags/4.2.0/includes/class-wc-call-for-price.php#L681","https://plugins.trac.wordpress.org/browser/woocommerce-call-for-price/trunk/includes/admin/class-wc-call-for-price-settings-product-types.php#L68","https://plugins.trac.wordpress.org/browser/woocommerce-call-for-price/trunk/includes/class-wc-call-for-price.php#L681","https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3513448%40woocommerce-call-for-price&new=3513448%40woocommerce-call-for-price&sfp_email=&sfph_mail=","https://www.wordfence.com/threat-intel/vulnerabilities/id/7bffb16d-38dc-49b8-96bd-c13923069d9c?source=cve"],"sources":["nvd"],"score":50.0,"score_breakdown":{"technology_match":{"hit":true,"matched":["WooCommerce"],"points":30},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-79"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":4.4,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":50,"final_score":50.0},"calculated_at":"2026-05-06T02:00:07.627489Z"},{"id":"5cac2531-8bcb-4473-9605-3e55ed68a241","threat_type":"cve","title":"The Forminator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.52.0. This is due to the plugin not ","summary":"The Forminator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.52.0. This is due to the plugin not properly verifying that a user is authorized to perform an action when processing attacker-supplied Stripe PaymentIntent identifiers in the public payment flow. This makes it possible for unauthenticated attackers to submit high-value paid forms as completed by reusing a previously succeeded low-value Stripe PaymentIntent, resulting in underpayment/payment bypass conditions.","severity":"medium","cvss_score":5.3,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-05T07:15:59.960000Z","last_modified_at":"2026-05-05T19:46:43.702630Z","external_id":"CVE-2026-2729","description":"The Forminator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.52.0. This is due to the plugin not properly verifying that a user is authorized to perform an action when processing attacker-supplied Stripe PaymentIntent identifiers in the public payment flow. This makes it possible for unauthenticated attackers to submit high-value paid forms as completed by reusing a previously succeeded low-value Stripe PaymentIntent, resulting in underpayment/payment bypass conditions.","affected_products":[],"references":["https://plugins.trac.wordpress.org/changeset/3500669/forminator","https://www.wordfence.com/threat-intel/vulnerabilities/id/1afb94ab-b3ba-4598-8ff4-f9ffc6717371?source=cve"],"sources":["nvd"],"score":45.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":true,"matched":["stripe"],"points":25},"cwe_match":{"hit":true,"matched":["CWE-639"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":5.3,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":45,"final_score":45.0},"calculated_at":"2026-05-06T02:00:14.818191Z"},{"id":"ec73010e-6a27-4a4f-a66b-9ec673692d07","threat_type":"cve","title":"Easy PayPal Events & Tickets plugin for WordPress version 1.3 and earlier contain a hardcoded authentication bypass vulnerability in the QR code s","summary":"Easy PayPal Events & Tickets plugin for WordPress version 1.3 and earlier contain a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. Attackers can access the vulnerable endpoint via the add_wpeevent_button_qr action to retrieve sensitive order details including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information for any order with a known or guessed post ID. This plugin was officially closed as of 2026-03-18.","severity":"high","cvss_score":7.5,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-04T18:16:27.223000Z","last_modified_at":"2026-05-05T20:47:39.226633Z","external_id":"CVE-2026-32834","description":"Easy PayPal Events & Tickets plugin for WordPress version 1.3 and earlier contain a hardcoded authentication bypass vulnerability in the QR code scanning functionality that allows unauthenticated remote attackers to bypass hash verification by supplying 'test' as the hash parameter. Attackers can access the vulnerable endpoint via the add_wpeevent_button_qr action to retrieve sensitive order details including PayPal transaction IDs, customer email addresses, purchase amounts, and ticket information for any order with a known or guessed post ID. This plugin was officially closed as of 2026-03-18.","affected_products":[],"references":["https://gist.github.com/4lec4st/eb20f9934f8c23b4b241f74a8d884ce9","https://wordpress.org/plugins/easy-paypal-events-tickets","https://www.vulncheck.com/advisories/easy-paypal-events-tickets-authentication-bypass-via-qr-code-scanning"],"sources":["nvd"],"score":40.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":true,"matched":["paypal"],"points":25},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":7.5,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":40,"final_score":40.0},"calculated_at":"2026-05-06T02:00:14.136280Z"}],"stats":{"total_threats":28771,"critical_count":6,"high_count":2,"average_score":13.25,"sources_active":["nvd","cisa_kev"]}}