93226 matches found
EUVD-2026-36880
Unauthenticated PHP Object Injection in WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms = 1.1.4 versions...
CVE-2026-42687 WordPress EventPrime plugin <= 4.3.2.1 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in EventPrime = 4.3.2.1 versions...
CVE-2026-39532
The CVE-2026-39532 affects WordPress plugin “Events Calendar for GeoDirectory” up to version 2.3.25, with a PHP Object Injection vulnerability in Contributor PHP Object Injection in Events Calendar for GeoDirectory <= 2.3.25. The associated CVSS v3.1 score is 8.8 (HIGH), vector: CVSS:3.1/AV:N/...
CVE-2026-39498
The Connected document identifies CVE-2026-39498-related details: a PHP Object Injection vulnerability in the WordPress YayMail plugin , affecting versions ≤ 4.3.3 and discovered by daroo . No additional root-cause, impact, exploit, or remediation details are provided in the sources. Monitor for ...
CVE-2026-39498 WordPress YayMail plugin <= 4.3.3 - PHP Object Injection vulnerability
Shop manager PHP Object Injection in YayMail = 4.3.3 versions...
CVE-2026-39499
The connected PatchStack entry documents a PHP Object Injection vulnerability in the WordPress plugin “Advanced Product Fields (Product Addons) for WooCommerce” (versions
CVE-2026-39499 WordPress Advanced Product Fields (Product Addons) for WooCommerce plugin <= 1.6.19 - PHP Object Injection vulnerability
Shop manager PHP Object Injection in Advanced Product Fields Product Addons for WooCommerce = 1.6.19 versions...
CVE-2026-39481 WordPress Modula Image Gallery plugin <= 2.14.18 - PHP Object Injection vulnerability
Author PHP Object Injection in Modula Image Gallery = 2.14.18 versions...
CVE-2026-39474 WordPress Post Duplicator plugin <= 3.0.10 - PHP Object Injection vulnerability
Contributor PHP Object Injection in Post Duplicator = 3.0.10 versions...
CVE-2026-39472
The CVE-2026-39472 affects the WordPress WooCommerce PDF Invoices & Packing Slips plugin prior to version 5.9.0, where a PHP Object Injection vulnerability was reported affecting shop manager operations. The root cause is a PHP Object Injection flaw in this plugin version, with CVSS 3.1 base metr...
CVE-2026-39472 WordPress WooCommerce PDF Invoices & Packing Slips plugin < 5.9.0 - PHP Object Injection vulnerability
Shop manager PHP Object Injection in WooCommerce PDF Invoices & Packing Slips 5.9.0 versions...
CVE-2026-39471 WordPress ShortPixel Image Optimizer plugin <= 6.4.3 - PHP Object Injection vulnerability
Author PHP Object Injection in ShortPixel Image Optimizer = 6.4.3 versions...
CVE-2026-39434 WordPress CTX Feed plugin <= 6.6.26 - PHP Object Injection vulnerability
Shop manager PHP Object Injection in CTX Feed = 6.6.26 versions...
CVE-2026-39434
CVE-2026-39434 affects WordPress CTX Feed plugin (WebAppick CTX Feed) versions
CVE-2026-9691 WordPress Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.1.1 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms = 1.1.1 versions...
CVE-2026-38329
Bludit CMS before version 3.18.4 allows Remote Code Execution RCE via the API Plugin. The POST /api/files/key endpoint in bl-plugins/api/plugin.php fails to perform authorization checks and lacks file extension validation. An attacker with a valid API token can upload a malicious PHP script and...
CVE-2016-20077
WordPress Plugin Photocart Link 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in decode.php. Attackers can supply base64-encoded file paths in the 'id' parameter to the decode.php endpoin...
CVE-2016-20075
WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor, editor, author, or administrator roles to upload malicious files by exploiting the custom fields functionality. Attackers can upload PHP shells through the...
EUVD-2016-10895
WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by disabling CSRF token validation. Attackers can craft malicious web pages that trick logged-in administrators into adding or deleting custom fields and boxe...
CVE-2016-20081
HB Audio Gallery Lite 1.0.0 (WordPress) has a path traversal in audio-download.php via the file_path parameter that allows unauthenticated access to arbitrary files outside the gallery directory (e.g., wp-config.php). Root cause: inadequate validation of the file_path input. The connected documen...