These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2025-4202 is an authorization flaw in the Multicollab WordPress plugin. A missing capability check in cf_add_comment allows authenticated users with Subscriber-level access and above to add comments to collaborations they should not be able to modify.
CVE-2026-6417 is a medium-severity reflected cross-site scripting issue in GLS Shipping for WooCommerce affecting all versions up to and including 1.4.0. An unauthenticated attacker can inject script through the `failed_orders` parameter, but the attack depends on a victim clicking a crafted link. The supplied record shows no KEV listing and a very low EPSS score, which lowers urgency compared with active [truncated]
CVE-2026-5396 describes a high-severity authorization bypass in the Fluent Forms WordPress plugin, affecting versions up to and including 6.1.21. An authenticated attacker with manager access restricted to specific forms can spoof the user-supplied form_id parameter and perform submission-level actions on other forms, including reading submissions, changing status, adding notes, and permanently deleting r [truncated]
CVE-2025-15345 is a reflected cross-site scripting issue in the MapGeo – Interactive Geo Maps WordPress plugin. According to the supplied advisory, the flaw affects all versions up to and including 1.6.27 and stems from insufficient input sanitization and output escaping in the display-map shortcode’s map parameter. The issue can let an unauthenticated attacker inject script that executes if a user is ind [truncated]
CVE-2026-7525 affects the My Calendar – Accessible Event Manager WordPress plugin through version 3.7.9. The issue is a missing authorization check in event submission handling, which can let authenticated users with custom-level access and above bypass the intended moderation workflow by tampering with the POST body. The UI’s draft-only restriction for low-privilege users is enforced client-side only, so [truncated]
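The three authorization entries above describe one mistake at three levels: CVE-2025-4202 skips the capability check for an action (function-level), CVE-2026-5396 trusts a request-supplied form_id (object-level), and CVE-2026-7525 enforces a draft-only rule in the browser and lets the POST body override it (workflow-level). The fix in all three is the same shape: the server decides from the user's capabilities what this request may do and ignores what the request claims. The handler below is an added illustration written for this page, not code from Multicollab, Fluent Forms or My Calendar; every function, capability name and meta key with the example_ prefix is hypothetical, and only the WordPress core calls (check_ajax_referer, current_user_can, user_can, wp_send_json_error, wp_insert_post, get_user_meta) are real.

```php
<?php
// Added example for this page, not code from any of the plugins named above.
// Names prefixed example_ are hypothetical; the WordPress core APIs are real.

// --- Vulnerable pattern: acts on whatever the request says ---
function example_vuln_submit_event() {
    // No nonce, no capability check, and the client-supplied status is trusted,
    // so a low-privilege user who sends status=publish skips moderation.
    wp_insert_post( array(
        'post_type'   => 'example_event',
        'post_title'  => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_status' => sanitize_key( $_POST['status'] ?? 'draft' ),
    ) );
    wp_send_json_success();
}

// --- Hardened pattern ---
function example_safe_submit_event() {
    // 1. CSRF: the nonce proves the request came from our UI, not that the user may act.
    check_ajax_referer( 'example_submit_event', '_wpnonce' );

    // 2. Function-level authorization: may this user submit at all?
    //    wp_send_json_error() ends the request, so no return is needed after it.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Object-level authorization: may this user touch *this* form?
    //    Typing the id first removes any non-integer input before it is compared.
    $form_id = absint( $_POST['form_id'] ?? 0 );
    if ( ! example_user_may_manage_form( get_current_user_id(), $form_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Workflow enforcement: the requested status is only honoured when the user holds
    //    the capability the UI's "draft only" rule stands for. Everyone else gets a draft.
    $requested = sanitize_key( $_POST['status'] ?? 'draft' );
    $status    = ( 'publish' === $requested && current_user_can( 'publish_posts' ) ) ? 'publish' : 'draft';

    $post_id = wp_insert_post( array(
        'post_type'   => 'example_event',
        'post_title'  => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        'post_status' => $status,
        'meta_input'  => array( 'example_form_id' => $form_id ),
    ), true );

    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( $post_id->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'id' => $post_id, 'status' => $status ) );
}

// Hypothetical per-form ACL: the lookup a "manager restricted to specific forms" role implies.
// Administrators pass; everyone else must have the id in their allow-list.
function example_user_may_manage_form( $user_id, $form_id ) {
    if ( user_can( $user_id, 'manage_options' ) ) {
        return true;
    }
    $allowed = (array) get_user_meta( $user_id, 'example_allowed_forms', true );
    return $form_id > 0 && in_array( $form_id, array_map( 'absint', $allowed ), true );
}

add_action( 'wp_ajax_example_submit_event', 'example_safe_submit_event' );
```

A quick regression check for each level: replay the request with a Subscriber session and no nonce (expect 403 before any write), with a form_id the account is not allowed (expect 403 and no row), and with status=publish from an account without publish_posts (expect a draft).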
Unlimited Elements for Elementor for WordPress contains an authenticated SQL injection issue affecting versions up to and including 2.0.7. An attacker with Contributor-level access or higher may be able to abuse the get_cat_addons AJAX action to read sensitive database information, especially when they can obtain a valid Elementor nonce.
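The detail worth keeping from the entry above is the role of the nonce. A WordPress nonce is a CSRF token tied to the logged-in user; any Contributor who can load the editor page is handed a valid one, so it is not an authorization control and cannot protect a query that interpolates its inputs. The snippet below is an added example, not Unlimited Elements' code; the table, AJAX action and parameter names are assumptions, while $wpdb->prepare, check_ajax_referer and current_user_can are WordPress core.

```php
<?php
// Added example for this page, not the plugin's code. Table/action/parameter names are
// hypothetical; $wpdb, check_ajax_referer and current_user_can are WordPress core.

// --- Vulnerable: the category id is interpolated into SQL. The nonce check passes for any
// user who can open the editor, so it does nothing against an authenticated attacker.
function example_vuln_get_cat_addons() {
    global $wpdb;
    check_ajax_referer( 'example_editor', 'nonce' );
    $cat = $_POST['catid'] ?? '';   // attacker-controlled; a UNION SELECT here reads other tables
    $sql = "SELECT id, title, content FROM {$wpdb->prefix}example_addons WHERE catid = $cat";
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// --- Hardened: typed input, placeholder-bound query, and an explicit capability check ---
function example_safe_get_cat_addons() {
    global $wpdb;
    check_ajax_referer( 'example_editor', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );   // terminates the request
    }
    $cat = absint( $_POST['catid'] ?? 0 );
    // %d forces an integer, %s a quoted string. Identifiers (table/column names) cannot be
    // bound: use %i (WordPress 6.2+) or an allow-list, as in example_safe_order_clause().
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}example_addons WHERE catid = %d ORDER BY %i ASC",
        $cat,
        example_safe_order_column( $_POST['orderby'] ?? 'id' )
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// Sort columns are the usual residual hole after ids are fixed: allow-list, never bind.
function example_safe_order_column( $requested ) {
    $allowed = array( 'id', 'title', 'created' );
    return in_array( $requested, $allowed, true ) ? $requested : 'id';
}

add_action( 'wp_ajax_example_get_cat_addons', 'example_safe_get_cat_addons' );
```

To confirm a fix of this kind, send catid=1 and catid=1 OR 1=1 from a Contributor session with a valid nonce: the hardened handler returns the same single-category result for both, because absint() reduces the second to 1 before it reaches the query.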
CVE-2026-5361 describes a stored cross-site scripting weakness in Envira Gallery Lite for WordPress affecting versions up to and including 1.12.4. The issue is tied to REST API handling and unsafe output in inline JavaScript, allowing authenticated users with Author-level access and above to store script content that can run when an injected page is later viewed.
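The three XSS entries above (CVE-2026-6417, CVE-2025-15345 and CVE-2026-5361) differ mainly in where the untrusted value lands: HTML text, an HTML attribute, and a JavaScript string literal. Each context needs its own encoder, and the last is the one most often mishandled because esc_html() and esc_attr() do nothing useful inside a script block. The snippets below are added for this page, not code from GLS Shipping, MapGeo or Envira Gallery; parameter, shortcode and function names are hypothetical, and only the WordPress escaping functions are real.

```php
<?php
// Added example for this page, not code from any of the three plugins. Names prefixed
// example_ are hypothetical; esc_html, esc_attr, wp_json_encode, shortcode_atts are core.

// 1. Reflected XSS, HTML text context: a request parameter echoed into a notice.
function example_vuln_failed_orders_notice() {
    $ids = $_GET['failed_orders'] ?? '';
    echo '<div class="notice">Failed orders: ' . $ids . '</div>';              // raw
}
function example_safe_failed_orders_notice() {
    $ids = sanitize_text_field( wp_unslash( $_GET['failed_orders'] ?? '' ) );
    echo '<div class="notice">Failed orders: ' . esc_html( $ids ) . '</div>';  // text context
}

// 2. Reflected XSS, HTML attribute context: a shortcode attribute that any contributor or
//    unauthenticated path that reaches do_shortcode() can control.
function example_vuln_map_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'map' => '' ), $atts );
    return '<div class="map" data-map="' . $atts['map'] . '"></div>';         // raw; a " breaks out
}
function example_safe_map_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'map' => '' ), $atts );
    // esc_attr() encodes quotes and angle brackets for the attribute context. If the value
    // is really an id, absint() first narrows it to a number and removes the question.
    return '<div class="map" data-map="' . esc_attr( $atts['map'] ) . '"></div>';
}

// 3. Stored XSS, JavaScript context: a value saved via REST and later printed into inline JS.
function example_vuln_gallery_inline_js( array $gallery ) {
    $title = $gallery['title'];   // stored by an Author; may contain  ';alert(1);//  or </script>
    return "<script>var galleryTitle = '" . $title . "';</script>";
}
function example_safe_gallery_inline_js( array $gallery ) {
    // wp_json_encode() (json_encode with WordPress defaults) escapes quotes, backslashes,
    // "/" (so </script> becomes <\/script>) and non-ASCII, producing a valid JS literal.
    // In enqueued scripts, wp_add_inline_script() or wp_localize_script() do this for you.
    return '<script>var galleryTitle = ' . wp_json_encode( (string) $gallery['title'] ) . ';</script>';
}
```

The rule the three functions share: choose the escaper by the context the value is written into, not by where it came from. Sanitizing on input (sanitize_text_field on the way into the database) is still worthwhile, but it is not a substitute for escaping on output, because the same stored value may later be rendered in more than one context.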
CVE-2026-8198 is an authorization bypass in the Logtivity WordPress plugin, affecting versions up to and including 3.3.6. A logic flaw in the plugin’s authorization verification allows requests that omit the Authorization header entirely to bypass Bearer token validation and reach the /wp-json/logtivity/v1/options endpoint. The result is information disclosure of plugin configuration data, including a site API key that could be used to [truncated]
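The flaw class in the entry above is a fail-open check: the code validates a token only when one is presented, so the branch that handles "no header" falls through to allow. The REST permission callbacks below are an added example written for this page, not Logtivity's code; the route, option name and handler names are assumptions, while register_rest_route, WP_REST_Request::get_header, get_option and hash_equals are WordPress/PHP core.

```php
<?php
// Added example for this page, not the plugin's code. Route, option and function names
// are hypothetical; the REST API, get_option and hash_equals calls are real.

// --- Vulnerable: validates a token only if one is sent, so omitting the header passes ---
function example_vuln_permission( WP_REST_Request $request ) {
    $header = $request->get_header( 'authorization' );
    if ( $header && 0 === stripos( $header, 'Bearer ' ) ) {
        $token = trim( substr( $header, 7 ) );
        if ( $token !== get_option( 'example_api_key' ) ) {
            return new WP_Error( 'rest_forbidden', 'bad token', array( 'status' => 403 ) );
        }
    }
    return true;   // reached with no Authorization header at all
}

// --- Hardened: default deny; every path that returns true has proved possession of the key ---
function example_safe_permission( WP_REST_Request $request ) {
    $deny   = new WP_Error( 'rest_forbidden', 'unauthorized', array( 'status' => 401 ) );
    $header = (string) $request->get_header( 'authorization' );   // null becomes ''
    if ( 0 !== stripos( $header, 'Bearer ' ) ) {
        return $deny;                                              // missing or wrong scheme
    }
    $presented = trim( substr( $header, 7 ) );
    $expected  = (string) get_option( 'example_api_key', '' );
    // An unconfigured site has no key; that must also deny rather than match '' === ''.
    if ( '' === $presented || '' === $expected ) {
        return $deny;
    }
    // Constant-time comparison; hashing both sides first means length never leaks either.
    if ( ! hash_equals( hash( 'sha256', $expected ), hash( 'sha256', $presented ) ) ) {
        return $deny;
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/options', array(
        'methods'             => 'GET',
        'callback'            => function () {
            // A read endpoint should never echo the key that authorizes it.
            return rest_ensure_response( array(
                'log_level' => get_option( 'example_log_level', 'info' ),
            ) );
        },
        'permission_callback' => 'example_safe_permission',
    ) );
} );
```

The check that catches this whole class is a request with no Authorization header at all: `curl -i https://site.example/wp-json/example/v1/options` must return 401, and so must a request with `Authorization: Basic ...` or `Authorization: Bearer` followed by nothing. Testing only the "wrong token" case is exactly what lets a fail-open branch survive.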
CVE-2026-7652 is an unauthenticated account-takeover issue in the LatePoint WordPress plugin's guest booking flow. In the vulnerable configuration described in the source record, a guest booking can overwrite a customer's email and that email can then be propagated to a linked WordPress user account without ownership verification, allowing a password-reset hijack.
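What "without ownership verification" means in practice for the entry above: an unauthenticated booking form is allowed to rewrite an existing customer's email, and that value is then copied onto the linked WordPress user, so a password reset for that user is delivered to an address the attacker chose. The functions below are an added illustration for this page, not LatePoint's code; the customer array, the wp_user_id link and all example_ names are assumptions, while wp_update_user, is_email, email_exists, wp_hash_password, wp_check_password and wp_mail are WordPress core.

```php
<?php
// Added example for this page, not the plugin's code. The customer model and the
// example_ functions are hypothetical; the WordPress user and password APIs are real.

// --- Vulnerable: a guest booking rewrites the customer email and pushes it to wp_users ---
function example_vuln_guest_booking( array $customer, string $submitted_email ) {
    $customer['email'] = sanitize_email( $submitted_email );
    if ( ! empty( $customer['wp_user_id'] ) ) {
        // Unauthenticated input now controls where that user's reset email goes.
        wp_update_user( array( 'ID' => $customer['wp_user_id'], 'user_email' => $customer['email'] ) );
    }
    return $customer;
}

// --- Hardened: guest input may create contact data, never change account identity ---
function example_safe_guest_booking( array $customer, string $submitted_email ) {
    $email = sanitize_email( $submitted_email );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'invalid_email', 'invalid email' );
    }
    if ( empty( $customer['id'] ) ) {
        $customer['email'] = $email;     // new guest record: the address is just booking contact data
        return $customer;
    }
    // Existing customer: an email change is an account-state change and needs the owner,
    // logged in, proving control of the new address (below). The linked WP user is never
    // touched from this path at all.
    if ( strcasecmp( (string) $customer['email'], $email ) !== 0 ) {
        return new WP_Error( 'email_change_requires_login', 'log in to change your email' );
    }
    return $customer;
}

// Ownership verification: the authenticated owner asks for a change, a one-time token goes
// to the NEW address only, and the account is updated only when that token comes back.
function example_request_email_change( int $user_id, string $new_email ) {
    if ( get_current_user_id() !== $user_id ) {
        return new WP_Error( 'forbidden', 'not your account' );
    }
    $new_email = sanitize_email( $new_email );
    if ( ! is_email( $new_email ) || email_exists( $new_email ) ) {
        return new WP_Error( 'invalid_email', 'invalid or already in use' );
    }
    $token = wp_generate_password( 32, false );
    update_user_meta( $user_id, 'example_pending_email', array(
        'email'   => $new_email,
        'hash'    => wp_hash_password( $token ),   // store a hash, not the token
        'expires' => time() + HOUR_IN_SECONDS,
    ) );
    wp_mail( $new_email, 'Confirm your email change', 'Token: ' . $token );
    return true;
}

function example_confirm_email_change( int $user_id, string $token ) {
    $pending = get_user_meta( $user_id, 'example_pending_email', true );
    if ( empty( $pending['hash'] ) || time() > $pending['expires']
         || ! wp_check_password( $token, $pending['hash'] ) ) {
        return false;
    }
    delete_user_meta( $user_id, 'example_pending_email' );
    $result = wp_update_user( array( 'ID' => $user_id, 'user_email' => $pending['email'] ) );
    return ! is_wp_error( $result );
}
```

The invariant to test for is simple: no code path reachable without a session may write user_email. Grep the plugin for wp_update_user and update_user_meta calls that touch the email, and trace each back to the request that triggers it; anything reachable from a guest endpoint is the bug in this entry.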