Web & CMS Plugins
The web's content-management layer — WordPress plugins and themes, CMS cores and e-commerce platforms — is one of the most frequently exploited targets online. This hub tracks CVE volume and severity across it.
wordpress-plugin 540 · cms-core 378 · ecommerce-platform 111 · wordpress-theme 109 · site-builder 65 · forum-wiki 22
- Cumulative CVEs: 62,615 (across 289 monthly snapshots)
- Latest month: 1,477 (+30.2% MoM · +40.4% YoY)
- Peak month: 1,581 (Mar 26)
- KEV this month: 4
- 705 vendors affected
CVEs per month (chart; newest period on the right, each point linking to that month's report).
Deployment mix
How this sector's software is typically delivered — whether you patch it yourself or a vendor does. AI-assisted vendor classification.
- On-prem: 50%
- Mixed: 47%
- SaaS: 4%
Latest CVEs in this sector
The 15 most recently published vulnerabilities tagged to Web & CMS Plugins.
| CVE | Title | Severity |
|---|---|---|
| CVE-2026-57995 | phpMyFAQ - Privilege Escalation via Missing Self-Rights Constraint in GroupController::updatePermissions | 8.8 |
| CVE-2026-56700 | Grav - Multiple Remote Code Execution Vulnerabilities via Unsafe Unserialize and Command Injection | 9.8 |
| CVE-2026-13207 | Frangoteam FUXA SCADA/HMI Authentication Bypass by Spoofing | 7.5 |
| CVE-2026-58174 | Hermes WebUI < 0.51.521 - Cross-Profile Authorization Bypass via Unset Session Profile on Import | 6.5 |
| CVE-2026-58167 | Nightingale < 9.0.0-beta.2 - Datasource Credential Disclosure to Low-Privilege Users | 6.5 |
| CVE-2025-53648 | Apache Gravitino: SQL misconfiguration can access or truncate files | 5.4 |
| CVE-2026-4629 | Keycloak: keycloak: privilege escalation through hardcoded role mapper injection | 6.5 |
| CVE-2026-12388 | Keycloak-broker: keycloak: privilege escalation to realm administrator via improper authorization in identity provider mapper | 6.5 |
| CVE-2026-14209 | Keycloak-admin-ui: keycloak-admin-ui: keycloak: admin ui extension brute-force-user endpoint bypasses fgapv2 user view restrictions | 4.3 |
| CVE-2026-8403 | Stored XSS in Exagate's SYSGUARD 6001 | 6.1 |
| CVE-2026-8402 | SQLi in Exagate's SYSGUARD 6001 | 9.8 |
| CVE-2026-49432 | Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp: STOMP negative content-length enables denial of service | 7.5 |
| CVE-2026-52760 | Apache ActiveMQ, Apache ActiveMQ Web Console: Stored XSS via Unescaped values in ActiveMQ Web Console | 6.1 |
| CVE-2026-53916 | Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ Stomp: Unbounded header buffer in STOMP NIO codec | 7.5 |
| CVE-2026-9711 | EventON - WordPress Virtual Event Calendar Plugin <= 5.0.11 - Unauthenticated Blind SQL Injection via Search Parameter | 9.8 |
Weakness fingerprint
Top CWE classes in this sector, latest monthly snapshot.
Top vendors
Most CVEs in this sector, latest monthly snapshot.
| Vendor | CVEs | Critical | KEV |
|---|---|---|---|
| apache software foundation | 121 | 21 | · |
| apache | 94 | 17 | · |
| themerex | 58 | 5 | · |
| sourcecodester | 49 | · | · |
| code-projects | 17 | · | · |
| revive | 17 | · | · |
| elated-themes | 16 | · | · |
| haxtheweb | 16 | · | · |
| typo3 | 15 | · | · |
| pretix | 13 | · | · |
Subsectors
Breakdown for the latest monthly snapshot.
| Subsector | CVEs | Critical | KEV | Vendors | MoM | Top products |
|---|---|---|---|---|---|---|
| wordpress-plugin | 540 | 79 | 1 | 359 | — | jetengine (10) · eventprime (5) · classified listing (4) |
| cms-core | 378 | 39 | 3 | 124 | — | adobe experience manager (57) · adserver (17) · class and exam timetabling system (16) |
| — | 252 | 20 | · | 60 | — | apache airflow (17) · typo3 cms (13) · discourse (11) |
| ecommerce-platform | 111 | 14 | · | 66 | — | fossbilling (10) · react-router (6) · pretix (5) |
| wordpress-theme | 109 | 11 | · | 48 | — | blocksy companion pro (4) · fusion builder (3) · aperitif (2) |
| site-builder | 65 | 4 | · | 44 | — | filebrowser (10) · markdown preview enhanced (4) · student_management_system_by_php (4) |
| forum-wiki | 22 | 5 | · | 4 | — | nameless (7) · ubb.threads (6) · wpforo forum (6) |
Sector classification is AI-assisted with human review.