NVD threat watch

CVE metadata, CVSS enrichment, and modified vulnerability feed coverage.

Watch items

Recent NVD watch items

Showing the 20 most recent items, newest first. Each row links to the official advisory.

20 rows · sorted newest first

Operations view

Dokan Pro plugin for WordPress is vulnerable to privilege escalation via update_capabilities REST Endpoint in all vulnerability (CVE-2026-12224)

HIGH
watchNVDCVE-2026-12224

The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via update_capabilities REST Endpoint in all versions up to, and including, 5.0.4. This is due to the `update_capabilities()` REST handler accepting arbitrary capability strings from the request body and passing them directly to WP_User::add_cap() with no allowlist validation, only verifying that the caller holds the dokandar capability. This makes it possible for authenticated attackers with a self-provisioned Vendor-level access and above, on sites with the Vendor Staff module enabled, to grant arbitrary WordPress capabilities, including administrator, to any vendor_staff account, leading to a full site takeover.

Jul 1, 2026, 3:16 AMOfficial source

RegistrationMagic – User Registration Forms Plugin plugin for WordPress vulnerability (CVE-2026-12158)

HIGH
watchNVDCVE-2026-12158

The RegistrationMagic – User Registration Forms Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0.9.1. This is due to missing or incorrect nonce validation on the process_request function. This makes it possible for unauthenticated attackers to escalate the privileges of an arbitrary form submitter to administrator by creating a malicious Chronos automation task that is executed via WordPress cron via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Jul 1, 2026, 3:16 AMOfficial source

SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress vulnerability (CVE-2026-11387)

CRITICAL
watchNVDCVE-2026-11387

The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. This is due to the plugin not properly validating a user's identity prior to updating their details like reset the password of any user account, including administrators, and gain full access to those accounts. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. This is only vulnerable on sites with OTP verification for password resets enabled, and where the administrator (or other user) has set a phone number for OTP verification.

Jul 1, 2026, 3:16 AMOfficial source

Ninja Forms – The Contact Form Builder vulnerability (CVE-2026-1239)

HIGH
watchNVDCVE-2026-1239

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions up to, and including, 3.14.1. This makes it possible for unauthenticated attackers to view form submissions, which could potentially contain sensitive information.

Jul 1, 2026, 2:16 AMOfficial source

BookingPress Appointment Booking Pro plugin for WordPress vulnerability (CVE-2026-11823)

HIGH
watchNVDCVE-2026-11823

The BookingPress Appointment Booking Pro plugin for WordPress is vulnerable to SQL Injection via the 'store_service_date' parameter of the bpa_assign_staffmember_to_slots() function in versions up to and including 5.7.1. This is due to the explicit use of stripslashes_deep() on user-supplied POST data before it is interpolated verbatim into a SQL LIKE clause without use of $wpdb->prepare() or any parameterization. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Jul 1, 2026, 2:16 AMOfficial source

Custom Payment Gateways for WooCommerce plugin for WordPress vulnerability (CVE-2026-7517)

HIGH
watchNVDCVE-2026-7517

The Custom Payment Gateways for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alg_wc_cpg_input_fields' parameter in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This vulnerability is exploitable by unauthenticated guest users submitting a crafted checkout POST request, requiring no custom input fields to be configured in the plugin.

Jul 1, 2026, 12:16 AMOfficial source

WP-BusinessDirectory plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Deletion in vulnerability (CVE-2026-6070)

CRITICAL
watchNVDCVE-2026-6070

The WP-BusinessDirectory plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Deletion in versions up to and including 4.0.1. This is due to insufficient path validation in the remove() method of the JBusinessDirectoryControllerUpload class. The task=upload.remove endpoint is accessible without authentication via the plugin's frontend routing system. The _filename parameter is accepted with RAW filter (no sanitization), and the helper function makePathFile() only normalizes directory separator characters without stripping path traversal sequences (../). When combined with the _path_type=2 parameter, which sets the base directory to the plugin's site folder, an attacker can supply a _filename value containing ../ sequences to traverse outside the plugin directory and call PHP's unlink() on arbitrary files — including wp-config.php, wp-config-backup.php, or other critical server files accessible to the web server process. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.

Jul 1, 2026, 12:16 AMOfficial source

WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress vulnerability (CVE-2026-13731)

HIGH
watchNVDCVE-2026-13731

The WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'conversation' parameter in all versions up to, and including, 8.4.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The AJAX nonce required to authenticate the save request is publicly emitted on every frontend page via wp_localize_script, making it freely obtainable by any anonymous visitor and removing any practical barrier to exploitation.

Jul 1, 2026, 12:16 AMOfficial source

Visualizer – Tables & Charts Manager with Built-in AI Generator plugin for WordPress vulnerability (CVE-2026-13468)

HIGH
watchNVDCVE-2026-13468

The Visualizer – Tables & Charts Manager with Built-in AI Generator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to access and export the contents of any visualizer chart on the site — including charts in draft, private, pending, future, or trash status — as CSV, Excel, or HTML via the /wp-json/visualizer/v1/action/{chart}/{type}/ REST endpoint. This bypass is particularly impactful because the standard WordPress REST endpoint for the non-public 'visualizer' custom post type correctly enforces capability checks and returns HTTP 401 to unauthenticated callers, whereas this plugin-registered route circumvents that protection entirely.

Jul 1, 2026, 12:16 AMOfficial source

Youtube Showcase plugin for WordPress is vulnerable to Arbitrary Function Call in vulnerability (CVE-2026-12923)

HIGH
watchNVDCVE-2026-12923

The Youtube Showcase plugin for WordPress is vulnerable to Arbitrary Function Call in versions up to and including 4.0.3. This is due to insufficient validation of the 'path' parameter in the emd_delete_file() AJAX handler in includes/common-functions.php. The user-supplied value is passed through sanitize_text_field(), has its trailing '_PLUGIN_DIR' substring stripped, and is then invoked as a PHP function name with no arguments via `$sess_name()`. The handler is gated only by a nonce — no current_user_can() check is present — and the nonce is emitted on any front-end page that renders a form shortcode containing file fields. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke arbitrary zero-argument PHP functions (such as phpinfo, phpversion, get_defined_vars, error_get_last), resulting in sensitive information disclosure and potential further compromise depending on the functions available in the environment.

Jul 1, 2026, 12:16 AMOfficial source

phpMyFAQ vulnerability (CVE-2026-57995)

HIGH
watchNVDCVE-2026-57995

phpMyFAQ before 4.1.5 contains a privilege escalation vulnerability in GroupController::updatePermissions that allows GROUP_EDIT administrators to grant arbitrary rights to groups without verifying they hold those rights themselves. A delegated administrator can exploit this by assigning high-value permissions to a group they belong to, inheriting those rights and escalating privileges up to full administrative control.

Jun 30, 2026, 6:17 PMOfficial source

Grav CMS vulnerability (CVE-2026-56700)

CRITICAL
watchNVDCVE-2026-56700

Grav CMS before 2.0.0-beta.2 contains multiple code-execution vulnerabilities. Three unsafe unserialize() calls - in Scheduler\JobQueue, Framework\Cache\Adapter\FileCache, and Session - deserialize untrusted data without restricting allowed classes, enabling PHP object injection and, via a gadget chain, arbitrary code execution where an attacker controls the serialized input. Additionally, InstallCommand's git clone operation passes the branch, url, and path parameters into a shell command without escaping, allowing OS command injection via plugin/theme installation (which requires admin access). A Twig security blocklist bypass (server-side template injection) is also present. The issues are fixed in 2.0.0-beta.2.

Jun 30, 2026, 6:17 PMOfficial source

Capgo vulnerability (CVE-2026-56320)

HIGH
watchNVDCVE-2026-56320

Capgo before 12.128.2 contains an authorization flaw in POST /private/create_device that accepts a caller-supplied org_id parameter without validating it matches the target app's owner organization. Authenticated attackers can create device records for an application using a foreign organization identifier, bypassing the intended org/app authorization boundary.

Jun 30, 2026, 6:17 PMOfficial source

Capgo vulnerability (CVE-2026-56300)

HIGH
watchNVDCVE-2026-56300

Capgo before 12.128.2 contains unauthenticated security definer RPC functions get_user_id and get_org_perm_for_apikey that expose API key validity oracles and user UUID disclosure. Unauthenticated attackers using the public API key can validate leaked keys, enumerate users and apps, and determine permission levels, significantly increasing the actionability of compromised credentials.

Jun 30, 2026, 6:17 PMOfficial source

Capgo vulnerability (CVE-2026-56286)

HIGH
watchNVDCVE-2026-56286

Capgo before 12.128.2 contains an authentication bypass vulnerability in the account deletion endpoint that allows deletion without password re-authentication or secondary verification. Attackers can delete user accounts via session hijacking, CSRF attacks, or parameter tampering, resulting in unauthorized account deletion, data loss, and denial-of-service.

Jun 30, 2026, 6:17 PMOfficial source

Flowise vulnerability (CVE-2026-56278)

CRITICAL
watchNVDCVE-2026-56278

Flowise before 3.1.0 (affected versions 3.0.13 and earlier) uses a weak hardcoded default secret ('flowise') for the express-session middleware when the EXPRESS_SESSION_SECRET environment variable is not set (packages/server/src/enterprise/middleware/passport/index.ts). Because this default secret is publicly visible in the source code, an attacker can forge valid signed session cookies to impersonate any user and bypass authentication.

Jun 30, 2026, 6:17 PMOfficial source

Crawl4AI vulnerability (CVE-2026-56264)

CRITICAL
watchNVDCVE-2026-56264

Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /execute_js endpoint, which accepts and executes arbitrary user-supplied JavaScript in the server's browser context with --disable-web-security enabled. An attacker can execute arbitrary JavaScript and, combined with the browser's relaxed security settings, perform server-side request forgery against internal services.

Jun 30, 2026, 6:17 PMOfficial source

Capgo vulnerability (CVE-2026-56249)

HIGH
watchNVDCVE-2026-56249

Capgo before 12.128.2 contains an authorization bypass vulnerability in the channel creation endpoint that allows authenticated users to overwrite existing channels by reusing their names. Attackers with app.create_channel permission can exploit a logic mismatch between existence validation and upsert operations to reassign channel ownership and modify critical production channel configurations.

Jun 30, 2026, 6:17 PMOfficial source

Capgo vulnerability (CVE-2026-56247)

HIGH
watchNVDCVE-2026-56247

Capgo before 12.128.2 allows org admins to assign org-scoped RBAC roles at app scope without validating role scope compatibility, including to pending invitees. Attackers can pre-seed malformed high-privilege bindings that survive invite acceptance, enabling accepted low-privilege users to perform unauthorized privileged app actions.

Jun 30, 2026, 6:17 PMOfficial source

Capgo vulnerability (CVE-2026-56233)

HIGH
watchNVDCVE-2026-56233

Capgo before 12.128.2 contains a path traversal vulnerability in the builder upload proxy that allows authenticated users with build permissions to bypass upload restrictions. Attackers can append traversal sequences to the upload path, which are normalized by the WHATWG URL parser, enabling access to internal administrative endpoints with the privileged BUILDER_API_KEY header and resulting in server-side privilege escalation.

Jun 30, 2026, 6:17 PMOfficial source

Vendor watch hub

What this page covers

The NVDwatch hub is a vendor-specific view inside ITECS MSP Threat Radar. We pull the latest security advisories, incidents, and known-exploited CVEs directly from the official feeds below, score each one for MSP relevance, and surface what's most likely to need attention this week.

  • Confirm whether recent NVD activity overlaps with your environment.
  • Prioritize advisories by MSP-relevance score, severity, and status.
  • Turn the signal into an assessment, briefing, or managed-service engagement with ITECS.

At a glance

Tracked

24129

Active

462

Featured

5331

Unique CVEs

20

Most recent entry

Jul 1, 2026, 3:16 AM

Feed refreshes daily · 5:15 a.m. Central

Sources·NIST National Vulnerability Database feed

"Most recent entry" is the newest item the upstream feed has published — not our sync time.

Related vendors

Other research feeds in the radar

Vendor watch FAQ

Common questions

What is the NVD threat watch page?

It is the NVD-specific view inside ITECS Threat Radar, built to track recent advisories, incidents, and watch items that may affect Dallas-area business operations.

How should teams use the NVD watch page?

Use it to confirm whether current NVD issues overlap with your environment, prioritize remediation, and decide whether you need an assessment, managed security follow-through, or vendor-specific hardening work.

Can ITECS help respond to NVD security issues?

Yes. ITECS can help map NVD advisories against your systems, validate affected services, prioritize remediation, and connect the issue to broader managed cybersecurity or managed IT workflows.