3 vulnerabilities across 3 products scored HIGH or above on June 19, 2026.

  • 🟠 HIGH: 3

🟠 [HIGH] betterdocs/betterdocs_pro

1 CVE | CVSS 3.1: 9.8 | AAS 11.6

  • cpe:2.3:a:betterdocs:betterdocs_pro:*:*:*:*:*:*:*:* (< 3.8.1)

BetterDocs Pro, a WordPress documentation plugin, is affected by one critical vulnerability (CVE-2026-7515, CVSS 9.8) that allows unauthenticated attackers to exploit a Local File Inclusion flaw via the doc_style parameter in versions up to and including 3.8.0, potentially achieving arbitrary PHP code execution on the server. This requires no authentication, making any WordPress site running BetterDocs Pro immediately exposed to remote compromise, data theft, and full server takeover.

Site administrators should update BetterDocs Pro beyond version 3.8.0 immediately and review server logs for signs of exploitation, particularly unexpected file inclusion activity or unauthorized PHP execution. Refer to the vendor advisory at betterdocs.co for patching guidance.



🟠 [HIGH] pgadmin.org/pgadmin_4

1 CVE | CVSS 4.0: 9.5 | AAS 9.8

  • cpe:2.3:a:pgadmin.org:pgadmin_4:*:*:*:*:*:*:*:*

pgAdmin 4 is affected by one critical vulnerability (CVE-2026-12046, CVSS 9.5) in which two SQL Editor endpoints lack authentication enforcement, exposing a Python pickle deserialization sink that can be reached by unauthenticated attackers in server mode. Successful exploitation allows remote code execution on the pgAdmin host, putting any organization running pgAdmin 4 in multi-user server mode at immediate risk of full system compromise.

Administrators should apply the vendor patch referenced in the pgAdmin 4 GitHub commit immediately, restrict network access to pgAdmin instances, and audit logs for unexpected requests to the sqleditor close and update_connection endpoints.
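The log reviews recommended for BetterDocs Pro and pgAdmin 4 can be started with a small access-log triage script; the one below is an added example, not code from either vendor. It assumes combined-format access logs, that a legitimate doc_style value is a short alphanumeric slug, and that the pgAdmin endpoints appear as path segments under sqleditor; the sample lines are constructed, and parameters sent in POST bodies will not appear in access logs at all.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request part of a combined-format access log line: "METHOD target HTTP/x" status
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Assumption: a legitimate doc_style value is a short layout slug.
SAFE_STYLE = re.compile(r'[A-Za-z0-9_-]{1,64}')
SQLEDITOR_ACTIONS = {"close", "update_connection"}

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so encoded separators cannot hide."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def triage(lines):
    """Return (line_number, reason) for every request worth a manual look."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match["target"])
        for style in parse_qs(url.query, keep_blank_values=True).get("doc_style", []):
            if not SAFE_STYLE.fullmatch(fully_decode(style)):
                findings.append((number, "doc_style value is not a plain slug"))
        segments = [s for s in url.path.split("/") if s]
        if "sqleditor" in segments and SQLEDITOR_ACTIONS & set(segments):
            findings.append((number, "sqleditor close/update_connection request"))
    return findings

# Constructed sample lines; hosts, paths and values are placeholders.
SAMPLE = [
    '203.0.113.7 - - [19/Jun/2026:10:00:01 +0000] "GET /docs/?doc_style=layout-2 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [19/Jun/2026:10:00:05 +0000] "GET /docs/?doc_style=..%252F..%252Fplaceholder HTTP/1.1" 200 812',
    '198.51.100.4 - - [19/Jun/2026:10:01:12 +0000] "POST /sqleditor/update_connection/1234 HTTP/1.1" 200 97',
    '198.51.100.4 - - [19/Jun/2026:10:01:30 +0000] "GET /browser/ HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, reason in triage(SAMPLE):
        print(f"line {number}: {reason}")
```

A hit on the sqleditor rule is only a lead: access logs do not show whether the request carried a valid session, so correlate each one with the application's authentication logs.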



🟠 [HIGH] themefusion/avada_(fusion)_builder

1 CVE | CVSS 3.1: 9.1 | AAS 9.4

  • cpe:2.3:a:themefusion:avada_fusion_builder:*:*:*:*:*:*:*:* (< 3.15.4)

Avada (Fusion) Builder, a widely used WordPress page builder plugin by ThemeFusion, is affected by one critical vulnerability (CVE-2026-8713, CVSS 9.1) that allows unauthenticated attackers to delete arbitrary files on the server through insufficient path validation in the maybe_delete_files function in versions up to and including 3.15.3. Deleting critical files such as wp-config.php can force a site into a reinstallation state, enabling full remote code execution; sites with a published Avada form configured to save entries to the database are directly exploitable.

WordPress administrators using Avada Builder should update beyond version 3.15.3 immediately, audit their sites for any published Avada forms, and review server logs for suspicious file deletion activity targeting core WordPress files.
