Live vulnerability intelligence

Vulnerability Intelligence Center

Track, prioritise and act on the vulnerabilities that actually threaten your external attack surface — CVEs, exploits, EPSS, CISA KEV and trending attacks, unified in one continuously updated feed.


Live feed


Streaming live from the Patrowl Intelligence API.

CVE-2026-11965
yesterday

The User Registration & Membership WordPress plugin before 5.2.0 does not enforce payment completion before activating a paid membership subscription, allowing unauthenticated users (after self-registering an account through the open registration flow) to obtain an active subscription on any paid plan without paying and access the gated content.

0.0
CVE-2026-14249
yesterday

The Request a Quote plugin for WordPress is vulnerable to Code Injection in versions up to, and including, 2.5.5 via the emd_delete_file AJAX action. This is due to the emd_delete_file() handler deriving a PHP function name from the attacker-controlled $_POST['path'] parameter and invoking it dynamically via the variable-function call $sess_name(), and the handler being registered for wp_ajax_nopriv with its only protection being a nonce that the plugin prints into the public quote-form page via wp_localize_script. This makes it possible for unauthenticated attackers to invoke arbitrary zero-argument PHP functions on the server, such as phpinfo(), potentially exposing sensitive server configuration and credentials, or executing other destructive built-in PHP functions.

5.7
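A hardened handler shape for the AJAX weakness described in this entry, added here as an example (not the Request a Quote plugin's code): the action is registered for logged-in users only, the nonce is paired with a capability check, and request input selects a key in a fixed dispatch table instead of naming a function. All example_* names and the meta keys are hypothetical.

```php
<?php
// Added example (not the plugin's code): a hardened AJAX handler for the weakness
// described above. Request input never becomes a function name, the handler is
// not exposed to anonymous visitors, and the nonce is paired with a capability
// check. All example_* names and meta keys are hypothetical.

const EXAMPLE_ACTION = 'example_quote_file';

// Register for logged-in users only: no wp_ajax_nopriv_ hook at all.
add_action( 'wp_ajax_' . EXAMPLE_ACTION, 'example_quote_file_handler' );

// Fixed dispatch table: request input can only select one of these keys.
function example_quote_file_operations() {
    return array(
        'delete'  => 'example_quote_file_delete',
        'archive' => 'example_quote_file_archive',
    );
}

function example_quote_file_handler() {
    // CSRF protection. A nonce alone says nothing about who is calling,
    // especially one printed into a public page.
    check_ajax_referer( EXAMPLE_ACTION, 'nonce' );

    // Authorization: the caller must be allowed to manage quote files.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Input is the ID of a record the plugin owns plus an operation name,
    // never a path and never a callable.
    $quote_id = isset( $_POST['quote_id'] ) ? absint( $_POST['quote_id'] ) : 0;
    $op       = isset( $_POST['op'] ) ? sanitize_key( $_POST['op'] ) : '';
    $ops      = example_quote_file_operations();

    if ( 0 === $quote_id || ! isset( $ops[ $op ] ) ) {
        wp_send_json_error( 'bad request', 400 );
    }

    // The callable comes from the table; $op itself is never invoked.
    wp_send_json_success( call_user_func( $ops[ $op ], $quote_id ) );
}

function example_quote_file_delete( $quote_id ) {
    // Remove the stored reference (hypothetical meta key), not a caller-supplied path.
    return delete_post_meta( $quote_id, '_example_quote_file' );
}

function example_quote_file_archive( $quote_id ) {
    return (bool) update_post_meta( $quote_id, '_example_quote_archived', 1 );
}
```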
CVE-2026-11781
yesterday

The Adminify WordPress plugin before 4.2.10 does not perform per-user read-capability checks on the results returned by one of its administration search features, allowing users with a low-privilege role (Contributor) to disclose non-public content that WordPress would not otherwise expose to them, such as other authors' unpublished post titles, pending comment content, the site's plugin inventory, and user account names.

0.0
CVE-2026-11578
yesterday

The Fluent Forms WordPress plugin before 6.2.5 does not properly restrict the deletion of form submission entries to the forms a restricted Manager is authorized to manage, allowing a Manager limited to specific forms to permanently delete submission entries belonging to other forms. This requires a non-default configuration in which an administrator has created at least one Manager restricted to specific forms.

0.0
CVE-2026-13704
yesterday

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sequoia[introduction][image]' parameter in all versions up to, and including, 4.16.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Give Worker-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

5.2
CVE-2026-10077
yesterday

The yootheme WordPress theme before 5.0.35 does not prevent its bundled front-end framework from treating certain HTML attributes, which are permitted by wp_kses_post(), as markup, allowing users with the Author role to perform Stored Cross-Site Scripting attacks that execute in the browser of any user who views the affected post.

0.0
CVE-2026-5821
yesterday

The Image Optimizer plugin for WordPress is vulnerable to arbitrary file deletion in versions up to and including 1.7.4. This is due to insufficient path validation in the Image_Backup::remove() function where backup file paths stored in post meta are used directly in file deletion operations without verifying they are within the uploads directory. The plugin stores backup file paths in the image_optimizer_metadata post meta field and trusts these paths completely when deleting backups on the delete_attachment hook. An authenticated attacker with Author-level access can edit the image_optimizer_metadata post meta on their own attachments via WordPress's Custom Fields interface, injecting arbitrary absolute file paths into the backups array. When the attacker subsequently deletes the attachment, the plugin calls File_System::delete() on each path without validation. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server within the web server's filesystem permissions, potentially leading to denial of service, data loss, or security degradation.

6.0
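An added example (not the Image Optimizer plugin's code) of the containment check this entry says is missing: each backup path read from post meta is resolved with realpath() and must sit inside the uploads directory before it is deleted. The example_* function names are hypothetical; the image_optimizer_metadata meta key and its backups array are as described above.

```php
<?php
// Added example (not the plugin's code): before deleting a backup path read from
// post meta, resolve it and require it to live inside the uploads directory.
// Paths stored in meta are editable by the attachment's author, so they are
// untrusted input. Function names (example_*) are hypothetical.

// Returns the canonical path if it is inside the uploads directory, otherwise false.
function example_contained_upload_path( $candidate ) {
    $uploads = wp_upload_dir();
    $base    = realpath( $uploads['basedir'] );
    $real    = realpath( $candidate );
    if ( false === $base || false === $real ) {
        // Base missing, or the candidate does not exist / has a dangling component.
        return false;
    }
    $base = trailingslashit( wp_normalize_path( $base ) );
    $real = wp_normalize_path( $real );
    // Prefix test on the normalised, slash-terminated base rejects sibling
    // directories such as "uploads-evil"; "../" segments were already
    // collapsed by realpath(), so they cannot escape the base either.
    if ( 0 !== strpos( $real, $base ) ) {
        return false;
    }
    return $real;
}

// Deletes only the backup paths that pass the containment check and returns
// the list of paths that were refused, so the caller can log them.
function example_delete_backups( $attachment_id ) {
    $meta    = get_post_meta( $attachment_id, 'image_optimizer_metadata', true );
    $refused = array();
    if ( empty( $meta['backups'] ) || ! is_array( $meta['backups'] ) ) {
        return $refused;
    }
    foreach ( $meta['backups'] as $path ) {
        $safe = example_contained_upload_path( (string) $path );
        if ( false === $safe || ! is_file( $safe ) ) {
            $refused[] = $path; // outside uploads, missing, or a directory
            continue;
        }
        wp_delete_file( $safe );
    }
    return $refused;
}
add_action( 'delete_attachment', 'example_delete_backups' );
```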
CVE-2026-11592
yesterday

The Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.9.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to overwrite plugin mail settings (from name and from email address), create audience lists, insert arbitrary contacts into those lists, create and overwrite newsletter broadcasts and post notifications, add workflows, and queue and dispatch mass email to arbitrary recipients.

4.2
CVE-2026-10089
yesterday

The Insert Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post custom field keys (meta key names) in all versions up to, and including, 3.11.4. This is due to insufficient output escaping in the the_meta() function: while the custom field VALUE is sanitized with wp_kses_post(), the custom field KEY ($key) is interpolated into the rendered HTML (lines 1786-1791) and echoed (line 1806) without any escaping when an inserted page is rendered with the [insert page='ID' display='all'] shortcode. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

5.2
CVE-2026-11600
yesterday

The Envo's Templates & Widgets for Elementor and WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the Envo Tabs (and Off Canvas) widget's template rendering in versions up to, and including, 1.4.26. The render() method of the Tabs widget passes a user-controlled template/post ID directly to Elementor's get_builder_content_for_display() without verifying the referenced post's status (published/private/draft) or the visitor's authorization to view it. This makes it possible for authenticated attackers, with Author-level access and above, to disclose the contents of private Elementor-driven pages and templates to anonymous visitors by configuring an Envo Tabs widget on a public post to reference the private content's ID (which can be supplied by editing the underlying Elementor widget JSON via the Elementor editor REST API).

4.2

Discover

Map your entire external attack surface automatically — domains, IPs, services and shadow IT.

Detect

Continuously match exposures against new CVEs, public exploits and CISA KEV entries.

Remediate

Prioritise with the Patrowl EASM risk score and act on what truly matters first.

Monitor

Stay ahead with real-time alerts the moment a threat starts trending.

The platform

Continuously protect what you expose on the Internet

Patrowl turns raw vulnerability data into prioritised, actionable intelligence — so your team spends time fixing what attackers will actually use.


Built for Claude · Open source

Turn Claude into a vulnerability analyst

patrowl-cve-analyst pulls correlated CVE, CVSS, EPSS, CISA KEV, public-exploit and trending-attack data from Patrowl Intelligence — and produces decision-grade risk briefs in seconds.

  • One prompt, full picture — CVSS, EPSS, KEV, public exploits and trending attacks correlated in a single call.
  • Decision-grade output. A risk verdict and remediation window, not raw JSON to parse.
  • Works in Claude Code, Claude Desktop or any Claude app — drop the skill in and prompt.
~/patrowl-cve-analyst
$ claude
> Use the patrowl-cve-analyst skill —
  brief me on CVE-2025-41115

┌─ Patrowl risk brief ───────────────────────┐
  EASM score   8.7 / 10   high              
  CVSS v4.0    9.1        v3.1   8.7      
  EPSS         12.4%      KEV    no       
  Public PoCs  2          Remote yes      
                                            
  Verdict Patch within 7 days. Trending     
          exploitation observed in the wild. 
└────────────────────────────────────────────┘

More than 100 companies trust us

European Investment Bank, MGEN Solution, Forvis Mazars, Colas, Heetch, Xplor

Take 15 minutes to discover our platform with our experts
