10 vulnerabilities across 9 products scored HIGH or above on July 13, 2026.
- π HIGH: 10
Exploit Status Upgrades
The following CVEs from previous bulletins have been upgraded based on new exploit intelligence:
- [UPGRADED] CVE-2026-54003 (getkirby/kirby) β F1: theoretical β poc, AAS: 11.8 β 11.5 (HIGH β HIGH). Originally in 2026-07-09 bulletin.
- [UPGRADED] CVE-2026-59827 (metabase/metabase) β F1: exploitable β itw, AAS: 11.2 β 14.2 (HIGH β CRITICAL). Originally in 2026-07-09 bulletin.
- [UPGRADED] CVE-2026-59148 (mockoon/mockoon) β F1: exploitable β itw, AAS: 9.6 β 12.6 (HIGH β CRITICAL). Originally in 2026-07-09 bulletin.
- [UPGRADED] CVE-2026-59858 (vim/vim) β F1: exploitable β itw, AAS: 9.3 β 12.3 (HIGH β CRITICAL). Originally in 2026-07-09 bulletin.
- [UPGRADED] CVE-2026-55207 (pimcore/pimcore) β F1: theoretical β poc, AAS: 9.1 β 11.6 (HIGH β HIGH). Originally in 2026-07-09 bulletin.
- [UPGRADED] CVE-2026-57480 (parse-community/parse-server) β F1: theoretical β poc, AAS: 9.8 β 12.3 (HIGH β CRITICAL). Originally in 2026-07-08 bulletin.
- [UPGRADED] CVE-2026-59705 (mem0ai/mem0) β F1: exploitable β itw, AAS: 10.7 β 12.9 (HIGH β CRITICAL). Originally in 2026-07-07 bulletin.
- [UPGRADED] CVE-2026-53511 (kovidgoyal/calibre) β F1: exploitable β itw, AAS: 9.4 β 12.4 (HIGH β CRITICAL). Originally in 2026-07-07 bulletin.
π [HIGH] themeum/kirki
2 CVEs | CVSS 3.1: 9.8 | AAS 10.6
cpe:2.3:a:themeum:kirki:*:*:*:*:*:*:*:*
Themeum Kirki, a popular WordPress customizer framework plugin, is affected by 2 vulnerabilities including at least one critical-severity PHP object injection flaw rated CVSS 9.8. The deserialization of untrusted data issue allows attackers to perform object injection attacks against sites running Kirki versions up through 6.0.12, potentially leading to remote code execution depending on the gadget chains available in the environment. WordPress administrators using the Kirki plugin should update immediately beyond version 6.0.12 and review the vendor advisory at Patchstack for additional details.
- π CVE-2026-57724 (CVSS 3.1: 9.8)
- π CVE-2026-57726 (CVSS 3.1: 9.3)
π [HIGH] sergey/aiwu
1 CVE | CVSS 3.1: 9.3 | AAS 10.3
cpe:2.3:a:sergey:aiwu:*:*:*:*:*:*:*:*
AIWU (AI Copilot Content Generator), a WordPress plugin by Sergey, contains a blind SQL injection vulnerability rated CVSS 9.3 affecting all versions through 1.5.4. Exploitation could allow an attacker to extract or manipulate database contents, potentially compromising the entire WordPress installation including user credentials and sensitive site data. WordPress administrators running this plugin should update beyond version 1.5.4 immediately or deactivate it until a patch is available, and review the vendor advisory at Patchstack for further guidance.
- π CVE-2026-59515 (CVSS 3.1: 9.3)
π [HIGH] latepoint/latepoint
1 CVE | CVSS 3.1: 9.3 | AAS 10.1
cpe:2.3:a:latepoint:latepoint:*:*:*:*:*:*:*:*
LatePoint, a WordPress appointment scheduling plugin, contains a blind SQL injection vulnerability rated CVSS 9.3 affecting all versions through 5.6.3. Successful exploitation could allow an attacker to read, modify, or extract sensitive data from the WordPress database, including customer booking information and site credentials. WordPress administrators using LatePoint should update beyond version 5.6.3 immediately or disable the plugin until a fix is applied, and consult the vendor advisory at Patchstack for additional details.
- π CVE-2026-57714 (CVSS 3.1: 9.3)
π [HIGH] properfraction/mailoptin
1 CVE | CVSS 3.1: 9.8 | AAS 10.1
cpe:2.3:a:properfraction:mailoptin:*:*:*:*:*:*:*:*
MailOptin, a WordPress email opt-in and newsletter plugin by PropperFraction, contains a privilege escalation vulnerability rated CVSS 9.8 affecting all versions through 1.2.77.3. Due to incorrect privilege assignment, an attacker could elevate their access to administrative levels, potentially gaining full control of the WordPress site. WordPress administrators running MailOptin should update beyond version 1.2.77.3 immediately and audit user accounts for any unauthorized privilege changes, consulting the vendor advisory at Patchstack for further details.
- π CVE-2026-57813 (CVSS 3.1: 9.8)
π [HIGH] wpwax/directorist
1 CVE | CVSS 3.1: 9.8 | AAS 10.1
cpe:2.3:a:wpwax:directorist:*:*:*:*:*:*:*:*
Directorist, a WordPress business directory and listing plugin by wpWax, contains a PHP object injection vulnerability rated CVSS 9.8 affecting all versions through 8.8.2. The deserialization of untrusted data flaw could allow an attacker to inject arbitrary objects, potentially leading to remote code execution, data exfiltration, or full site compromise depending on available gadget chains. WordPress administrators using Directorist should update beyond version 8.8.2 immediately and review the vendor advisory at Patchstack for remediation guidance.
- π CVE-2026-59518 (CVSS 3.1: 9.8)
π [HIGH] decidim/decidim
1 CVE | CVSS 3.1: 8.5 | AAS 9.7
cpe:2.3:a:decidim:decidim:*:*:*:*:*:*:*:*
Decidim, an open-source participatory democracy platform, contains a cross-organization JWT authentication bypass vulnerability rated CVSS 8.5. The flaw allows a user authenticated against one Decidim organization to replay their JWT token against a different organization’s API, enabling unauthorized access to admin-only participant personal data and proposal mutation endpoints across trust boundaries. Organizations running multi-tenant Decidim deployments should apply the latest patch immediately and review API access logs for signs of cross-organization token reuse, consulting the vendor advisory on GitHub for remediation details.
- π CVE-2026-45414 (CVSS 3.1: 8.5)
π [HIGH] melograno_venture_studio/amelia
1 CVE | CVSS 3.1: 9.3 | AAS 9.6
cpe:2.3:a:melograno_venture_studio:amelia:*:*:*:*:*:*:*:*
Amelia, a WordPress appointment booking plugin by Melograno Venture Studio, contains a blind SQL injection vulnerability rated CVSS 9.3 affecting all versions through 2.4.2. Exploitation could allow an attacker to extract or manipulate sensitive database contents, including customer booking records, personal information, and site credentials. WordPress administrators using Amelia should update beyond version 2.4.2 immediately or deactivate the plugin until a patch is applied, and review the vendor advisory at Patchstack for further guidance.
- π CVE-2026-57702 (CVSS 3.1: 9.3)
π [HIGH] diracgrid/dirac
1 CVE | CVSS 3.1: 9.9 | AAS 9.2
cpe:2.3:a:diracgrid:dirac:*:*:*:*:*:*:*:*(< 8.0.37)
DIRAC, an open-source framework by DIRACGrid used for distributed computing in scientific and research environments, contains a remote code execution vulnerability rated CVSS 9.9. The flaw exists in the RequestManager component, where the use of eval on untrusted input allows any authenticated user to execute arbitrary code or commands on the DIRAC server under the system service account. Organizations running DIRAC should apply the latest patch immediately, restrict access to affected services in the interim, and consult the vendor advisory on GitHub for remediation details.
- π CVE-2026-45579 (CVSS 3.1: 9.9)
π [HIGH] marcus_(aka_@msykes)/events_manager
1 CVE | CVSS 3.1: 8.8 | AAS 9.1
cpe:2.3:a:marcus_aka_msykes:events_manager:*:*:*:*:*:*:*:*
Events Manager, a widely used WordPress event management plugin, contains a PHP object injection vulnerability rated CVSS 8.8 affecting all versions through 7.3.6. The deserialization of untrusted data flaw could allow an attacker to inject malicious objects, potentially leading to remote code execution, unauthorized data access, or full site compromise depending on available gadget chains in the environment. WordPress administrators using Events Manager should update beyond version 7.3.6 immediately and review the vendor advisory at Patchstack for remediation guidance.
- π CVE-2026-57713 (CVSS 3.1: 8.8)