These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfs_update_failed_payment_status AJAX action. This makes it possible for unauthenticated attackers who can obtain a valid Stripe Payment Intent ID for the target site to manipulate payment records in the site's database. The handler is registered through both wp_ajax_ and wp [truncated]
The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress has a Stored Cross-Site Scripting vulnerability via admin settings in all versions up to, and including, 3.0.6. This vulnerability allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts, which execute when a user accesses an injected page. The vulnera [truncated]
CVE-2026-42378 is a MEDIUM severity vulnerability (CVSS Score: 6.5) in the WP Full Stripe Free plugin for WordPress, affecting versions up to 8.4.1. The vulnerability is related to subscriber broken authentication. The CVE was published on 2026-06-15T21:16:53.863Z and modified on 2026-06-15T21:24:32.790Z.
CVE-2026-39507 is a HIGH severity Unauthenticated Cross Site Scripting (XSS) vulnerability in Social Slider Feed <= 2.3.2 versions. The vulnerability has a CVSS score of 7.1 and was published on [cvePublishedAt](https://www.cve.org/CVERecord?id=CVE-2026-39507). The vulnerability was last modified on [cveModifiedAt](https://nvd.nist.gov/vuln/detail/CVE-2026-39507).
CVE-2026-23970 is a HIGH severity Unauthenticated Cross Site Scripting (XSS) vulnerability in Redirection for Contact Form 7 plugin versions <= 3.2.8. The vulnerability has a CVSS score of 7.1.
The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to create and exe [truncated]
A missing authorization vulnerability in the Visualizer: Tables and Charts Manager for WordPress plugin allows authenticated attackers with Subscriber-level access to create arbitrary chart posts and access or modify chart data belonging to other users. The vulnerability stems from missing capability checks on the renderChartPages() and uploadData() functions, which are invoked by AJAX actions without cur [truncated]
CVE-2026-24573 is a medium-severity stored cross-site scripting issue in the Visualizer WordPress plugin from Themeisle, affecting versions before 4.0.0. Because the flaw is stored XSS, malicious input can be saved and later rendered in a page context, creating risk for users who view the affected content. The NVD record lists the issue as Deferred and links to a Patchstack reference for the affected plug [truncated]