Lucene search
K

1062 matches found

Nuclei
Nuclei
added yesterday75 views

WordPress Visual Form Builder <3.0.8 - Information Disclosure

WordPress Visual Form Builder plugin before 3.0.8 contains a information disclosure vulnerability. The plugin does not perform access control on entry form export, allowing an unauthenticated user to export the form entries as CSV files using the vfb-export endpoint. id: CVE-2022-0140 info: name:...

5.3CVSS6.2AI score0.0384EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday17 views

Formidable Form Builder < 2.05.03 - Unauthenticated Information Disclosure

The Formidable Form Builder plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 2.05.03 via the frmformspreview AJAX action. This makes it possible for unauthenticated attackers to export all of the form entries for a given form. id: CVE-2017-20194 info...

5.3CVSS6.1AI score0.01098EPSS
Exploits1References3
CVE
CVE
added 2 days ago8 views

CVE-2026-15288

CVE-2026-15288 affects the SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress. All versions up to and including 2.2.1 are vulnerable to Improper Input Validation: the plugin accepts the payment amount directly from user-controlled POST data in the create_payment_intent and ...

7.5CVSS6.1AI score0.00333EPSS
Exploits0References3
NVD
NVD
added 3 days ago15 views

CVE-2026-5523

The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.1.8. This is due to the updateuser function accepting a user ID parameter from form submissions without verifying that the authenticated user has permission to edit that specific...

8.8CVSS0.00309EPSS
Exploits0References2
CVE
CVE
added 3 days ago17 views

CVE-2026-5523

The CVE describes a privilege-escalation flaw in the Divi Form Builder plugin for WordPress (versions up to and including 5.1.8). The root cause is missing authorization checks: update_user() accepts a user ID from form submissions without validating the editor’s permission for that target user, ...

8.8CVSS5.9AI score0.00309EPSS
Exploits0References2
Cvelist
Cvelist
added 3 days ago29 views

CVE-2026-5523 Divi Form Builder <= 5.1.8 - Authenticated (Subscriber+) Missing Authorization to Privilege Escalation via User Profile Update Form

The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.1.8. This is due to the updateuser function accepting a user ID parameter from form submissions without verifying that the authenticated user has permission to edit that specific...

8.8CVSS0.00309EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 3 days ago8 views

CVE-2026-5523

The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.1.8. This is due to the updateuser function accepting a user ID parameter from form submissions without verifying that the authenticated user has permission to edit that specific...

8.8CVSS5.9AI score0.00309EPSS
Exploits0References3
EUVD
EUVD
added 3 days ago7 views

EUVD-2026-42506

The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.1.8. This is due to the updateuser function accepting a user ID parameter from form submissions without verifying that the authenticated user has permission to edit that specific...

8.8CVSS5.9AI score0.00309EPSS
Exploits0References2
NVD
NVD
added 2026/07/02 1:17 p.m.11 views

CVE-2026-5524

The Divi Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload leading to Remote Code Execution in all versions up to and including 5.1.8. This is due to insufficient file extension validation in the doimageupload function where user-supplied input from the acceptFileTypes POST...

9.8CVSS0.00542EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/02 12:34 p.m.35 views

CVE-2026-5524 Divi Form Builder <= 5.1.8 - Unauthenticated Arbitrary File Upload Leading to Remote Code Execution via 'acceptFileTypes' Parameter

The Divi Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload leading to Remote Code Execution in all versions up to and including 5.1.8. This is due to insufficient file extension validation in the doimageupload function where user-supplied input from the acceptFileTypes POST...

9.8CVSS0.00542EPSS
Exploits0References2
EUVD
EUVD
added 2026/07/02 12:34 p.m.7 views

EUVD-2026-41368

The Divi Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload leading to Remote Code Execution in all versions up to and including 5.1.8. This is due to insufficient file extension validation in the doimageupload function where user-supplied input from the acceptFileTypes POST...

9.8CVSS6AI score0.00542EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/07/02 12:34 p.m.9 views

CVE-2026-5524

The Divi Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload leading to Remote Code Execution in all versions up to and including 5.1.8. This is due to insufficient file extension validation in the doimageupload function where user-supplied input from the acceptFileTypes POST...

9.8CVSS6AI score0.00542EPSS
Exploits0References3
CVE
CVE
added 2026/07/02 12:34 p.m.22 views

CVE-2026-5524

The Divi Form Builder plugin for WordPress (versions up to and including 5.1.8) is vulnerable to Unauthenticated Arbitrary File Upload leading to Remote Code Execution. The root cause is insufficient file extension validation in the do_image_upload() function where user-supplied input from accept...

9.8CVSS6AI score0.00542EPSS
In wildExploits0References2
Patchstack
Patchstack
added 2026/07/02 6:56 a.m.11 views

WordPress Divi Form Builder plugin <= 5.1.8 - Unauthenticated Arbitrary File Upload Leading to Remote Code Execution vulnerability

Unauthenticated Arbitrary File Upload Leading to Remote Code Execution vulnerability discovered by 0xd4rk5id3 - EnvoraSec in WordPress Plugin Divi Form Builder versions = 5.1.8...

9.8CVSS5.9AI score0.00542EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/06/15 8:16 a.m.14 views

CVE-2026-9278

The Form Builder CP WordPress plugin before 1.2.47 does not properly sanitize a form configuration value before storing it and using it as part of a client-side script execution, allowing authenticated users with Editor-level access and above to perform Stored Cross-Site Scripting attacks against...

5.4CVSS0.00159EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/15 6:0 a.m.9 views

CVE-2026-9278 Form Builder CP < 1.2.47 - Editor+ Stored XSS via form_structure

The Form Builder CP WordPress plugin before 1.2.47 does not properly sanitize a form configuration value before storing it and using it as part of a client-side script execution, allowing authenticated users with Editor-level access and above to perform Stored Cross-Site Scripting attacks against...

5.2AI score0.00159EPSS
Exploits0References1
CVE
CVE
added 2026/06/15 6:0 a.m.22 views

CVE-2026-9278

The CVE-2026-9278 entry concerns the Form Builder CP WordPress plugin prior to 1.2.47. Affected component: form_structure value handling in the plugin’s form configuration. Root cause: improper sanitization before storing and using the value in a client-side script, enabling Stored XSS. Impact: a...

5.4CVSS5.3AI score0.00159EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/15 6:0 a.m.43 views

CVE-2026-9278 Form Builder CP < 1.2.47 - Editor+ Stored XSS via form_structure

The Form Builder CP WordPress plugin before 1.2.47 does not properly sanitize a form configuration value before storing it and using it as part of a client-side script execution, allowing authenticated users with Editor-level access and above to perform Stored Cross-Site Scripting attacks against...

0.00159EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/15 6:0 a.m.11 views

EUVD-2026-36700

The Form Builder CP WordPress plugin before 1.2.47 does not properly sanitize a form configuration value before storing it and using it as part of a client-side script execution, allowing authenticated users with Editor-level access and above to perform Stored Cross-Site Scripting attacks against...

5.4CVSS5.2AI score0.00159EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/15 12:0 a.m.19 views

PT-2026-49186

The Form Builder CP WordPress plugin before 1.2.47 does not properly sanitize a form configuration value before storing it and using it as part of a client-side script execution, allowing authenticated users with Editor-level access and above to perform Stored Cross-Site Scripting attacks against...

5.3AI score0.00159EPSS
Exploits0References2
Rows per page
Query Builder