These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to generic SQL Injection via the 'data' parameter in all versions up to, and including, 3.9.11 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This vulnerability allows authenticated attackers with administrator-level access and above to append a [truncated]
CVE-2026-22332 is a critical vulnerability in Tutor LMS Pro, a popular WordPress plugin. The vulnerability, which has a CVSS score of 9.3, allows unauthenticated attackers to inject malicious SQL code. This could lead to unauthorized access to sensitive data, modification of database contents, and potentially, elevation of privileges. The vulnerability was published on June 17, 2026, and immediately gaine [truncated]
CVE-2026-22330 is an Unauthenticated Local File Inclusion vulnerability in Right Way theme versions <= 4.0. The CVSS score is 8.1, indicating a HIGH severity level. This vulnerability allows unauthenticated attackers to include local files, potentially leading to code execution. Users should prioritize patching due to the high CVSS score and potential for code execution.
CVE-2026-22329 is a high-severity Unauthenticated Cross Site Scripting (XSS) vulnerability in Skillate versions <= 1.2.10. This vulnerability has a CVSS score of 7.1 and is considered HIGH severity. The vulnerability was published on June 17, 2026, and last modified on the same day. Users of affected versions should take immediate action to mitigate the risk. The vulnerability allows attackers to inject m [truncated]
CVE-2026-40743 is a MEDIUM severity vulnerability (CVSS Score: 6.5) in Tutor LMS plugin versions <= 3.9.7. The vulnerability is caused by unauthenticated broken access control. The CVE was published on 2026-06-15T21:16:49.003Z and last modified on 2026-06-15T21:24:32.790Z.
CVE-2026-8096 affects the Kirki – Freeform Page Builder, Website Builder & Customizer WordPress plugin in versions up to and including 6.0.6. The issue is an authorization bypass caused by insufficient verification that a user is allowed to perform the action. As disclosed, authenticated attackers with subscriber-level access and above can view Kirki frontend forms and read stored visitor submission data, [truncated]
CVE-2026-8073 is a high-severity flaw in the Kirki WordPress plugin that can let an unauthenticated attacker trigger arbitrary file deletion, with the impact limited to paths under the WordPress uploads base directory. The issue is tied to insufficient file path validation and a missing capability check in the downloadZIP function. NVD lists the vulnerability as deferred, while Wordfence references the af [truncated]