Lucene search
K

84397 matches found

EUVD
EUVD
added yesterday5 views

EUVD-2026-42793

The King Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'formpageid' parameter in versions up to, and including, 51.1.62 This is due to insufficient input sanitization in the addtosubmissions function, which applies sanitizetextfield which preserves...

6.4CVSS6.1AI score0.00307EPSS
Exploits0References10
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-15284

The King Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'formpageid' parameter in versions up to, and including, 51.1.62 This is due to insufficient input sanitization in the addtosubmissions function, which applies sanitizetextfield which preserves...

6.4CVSS6.1AI score0.00307EPSS
Exploits0References11
CVE
CVE
added yesterday6 views

CVE-2026-15284

The King Addons for Elementor plugin (WordPress) has a Stored Cross-Site Scripting vulnerability affecting versions up to 51.1.62 via the form_page_id parameter. The root cause is insufficient input sanitization in add_to_submissions() (sanitize_text_field() preserves quotes) combined with missin...

6.4CVSS6.1AI score0.00307EPSS
Exploits0References10
Cvelist
Cvelist
added yesterday12 views

CVE-2026-15284 King Addons for Elementor <= 51.1.62 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'form_page_id' Parameter

The King Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'formpageid' parameter in versions up to, and including, 51.1.62 This is due to insufficient input sanitization in the addtosubmissions function, which applies sanitizetextfield which preserves...

6.4CVSS0.00307EPSS
Exploits0References10
Cvelist
Cvelist
added yesterday11 views

CVE-2026-15285 The Plus Addons for Elementor <= 6.4.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget Custom Attributes

The Plus Addons for Elementor plugin for WordPress was vulnerable to Authenticated Contributor+ Stored Cross-Site Scripting via the Button widget's customattributes setting in versions up to and including 6.4.11. The render function in modules/widgets/tpbutton.php passed the raw customattributes...

6.4CVSS0.00261EPSS
Exploits0References5
EUVD
EUVD
added yesterday7 views

EUVD-2026-42792

The ARMember plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 4.0.27 via the 'X-FILENAME' HTTP header. This makes it possible for unauthenticated attackers to upload and overwrite certain files e.g., CSS to directories outside the...

5.3CVSS5.9AI score0.00533EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added yesterday3 views

CVE-2026-15283

The WPvivid Backup for MainWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.9.33 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

4.4CVSS6AI score0.00187EPSS
Exploits0References3
CVE
CVE
added yesterday8 views

CVE-2026-15302

The ARMember plug-in for WordPress (affected: all versions up to and including 4.0.27) is vulnerable to Directory Traversal via the X-FILENAME HTTP header. Unauthenticated attackers can upload and overwrite certain files (e.g., CSS) outside the wp-content/uploads/armember directory. This is a net...

5.3CVSS5.9AI score0.00533EPSS
Exploits0References2
CVE
CVE
added yesterday7 views

CVE-2026-15282

The Instant Appointment plugin for WordPress (affected versions up to 1.2) is vulnerable to arbitrary file uploads due to missing file type validation in the insapp_upload_image_as_attachment function. This allows unauthenticated attackers to upload arbitrary files to the server, with a potential...

9.8CVSS6.7AI score0.00744EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added yesterday4 views

CVE-2026-15282

The Instant Appointment plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'insappuploadimageasattachment' function in all versions up to, and including, 1.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the...

9.8CVSS6.7AI score0.00744EPSS
Exploits0References5
Cvelist
Cvelist
added yesterday11 views

CVE-2026-15283 WPvivid Backup for MainWP <= 0.9.33 - Authenticated (Admin+) Stored Cross-Site Scripting

The WPvivid Backup for MainWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.9.33 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

4.4CVSS0.00187EPSS
Exploits0References2
CVE
CVE
added yesterday9 views

CVE-2026-15283

The CVE pertains to the WPvivid Backup for MainWP WordPress plugin. A stored XSS flaw exists in admin settings across all versions up to 0.9.33 due to insufficient input sanitization and output escaping. This affects multi-site installations and sites where unfiltered_html is disabled, allowing a...

4.4CVSS6AI score0.00187EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday85 views

WordPress Simple File List <=4.2.2 - Remote Code Execution

An unrestricted file upload vulnerability in the WordPress Simple File List plugin before version 4.2.3 allows unauthenticated remote attackers to achieve remote code execution. The plugin's upload endpoint ee-upload-engine.php restricts file uploads based on extension, but lacks proper validatio...

6.3AI score
Exploits9References3
NVD
NVD
added yesterday6 views

CVE-2026-5069

The Fluent Forms plugin for WordPress is vulnerable to incorrect authorization via the 'subscriptionid' parameter in versions up to, and including, 6.2.1. This is due to insufficient ownership authorization checks in the payment cancellation AJAX flow. This makes it possible for authenticated...

5.4CVSS0.00176EPSS
Exploits0References2
NVD
NVD
added yesterday6 views

CVE-2026-11818

The WPCafe – Restaurant Menu, Online Food Ordering & Table Booking System plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.0.14. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possibl...

5.4CVSS0.00251EPSS
Exploits0References10
NVD
NVD
added yesterday5 views

CVE-2026-15070

The Salon Booking System – Free Version plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 10.30.32. This is due to missing or incorrect nonce validation on the setCustomText function. This makes it possible for unauthenticated attackers to inje...

8.8CVSS0.00259EPSS
Exploits0References6
NVD
NVD
added yesterday6 views

CVE-2026-13430

The Post Export Import with Media plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.13.1 via the importmediafilesecure function. This is due to insufficient file extension validation caused by a trailing-dot filename bypass, where the extension...

7.2CVSS0.00615EPSS
Exploits0References7
NVD
NVD
added yesterday8 views

CVE-2026-14894

The Super Forms – Drag & Drop Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 6.3.313 via the submitform function. This is due to missing file type validation and the absence of any capability check on the submitform nopriv AJAX...

9.8CVSS0.00523EPSS
Exploits0References2
NVD
NVD
added yesterday6 views

CVE-2026-11392

The WP Hotel Booking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'checkindate' and 'checkoutdate' parameters in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacker...

6.1CVSS0.00254EPSS
Exploits0References9
CVE
CVE
added yesterday7 views

CVE-2026-11392

The CVE-2026-11392 affects the WordPress WP Hotel Booking plugin up to version 2.3.1. It is a Reflected Cross-Site Scripting vulnerability caused by insufficient input sanitization and output escaping in the check_in_date and check_out_date parameters. This allows unauthenticated attackers to inj...

6.1CVSS6.1AI score0.00254EPSS
Exploits0References9
Rows per page
Query Builder