Lucene search
K

128 matches found

CVE
CVE
added 2026/03/21 3:26 a.m.5 views

CVE-2026-3546

The CVE concerns the WordPress plugin e-shot form builder (≤ v1.0.2). The vulnerable component is eshot_form_builder_get_account_data(), registered as a wp_ajax_ AJAX handler accessible to all authenticated users. The function lacks capability checks (no current_user_can) and does not verify a no...

5.3CVSS5.8AI score0.00231EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/03/21 12:0 a.m.7 views

PT-2026-26858

Name of the Vulnerable Software and Affected Versions e-shot form builder plugin for WordPress versions up to and including 1.0.2 Description The e-shot form builder plugin for WordPress is susceptible to exposure of sensitive information. The eshot form builder get account data function,...

5.3CVSS5.8AI score0.00231EPSS
Exploits0References9
NVD
NVD
added 2026/03/13 7:54 p.m.9 views

CVE-2026-2888

The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass through user-controlled key in all versions up to, and including, 6.28. This is due to the frmstrpamount AJAX handler updateintentajax overwriting the global $POST data with attacker-controlled JSON input and then...

5.3CVSS0.0035EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/03/13 8:25 a.m.4 views

CVE-2026-2888 Formidable Forms <= 6.28 - Unauthenticated Payment Amount Manipulation via 'item_meta' Parameter

The Formidable Forms plugin for WordPress is vulnerable to an authorization bypass through user-controlled key in all versions up to, and including, 6.28. This is due to the frmstrpamount AJAX handler updateintentajax overwriting the global $POST data with attacker-controlled JSON input and then...

5.3CVSS5.8AI score0.0035EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/03/13 12:0 a.m.10 views

WordPress plugin Formidable Forms 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

5.3CVSS5.8AI score0.0035EPSS
Exploits0References5
NVD
NVD
added 2026/03/11 6:17 a.m.9 views

CVE-2026-3222

The WP Maps plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'locationid' parameter in all versions up to, and including, 4.9.1. This is due to the plugin's database abstraction layer FlipperCodeModelBase::iscolumn treating user input wrapped in backticks as column...

7.5CVSS0.00418EPSS
Exploits1References10
CVE
CVE
added 2026/03/11 5:27 a.m.16 views

CVE-2026-3222

WP Maps plugin for WordPress is vulnerable to a time-based blind SQL injection via the location_id parameter in versions up to 4.9.1. Root cause: the database abstraction layer (FlipperCode_Model_Base::is_column()) accepts user input wrapped in backticks as column names, bypassing esc_sql(). Addi...

7.5CVSS5.9AI score0.00418EPSS
Exploits1References10
Vulnrichment
Vulnrichment
added 2026/03/11 2:22 a.m.3 views

CVE-2026-3453 ProfilePress <= 4.16.11 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Subscription Cancellation/Expiration

The ProfilePress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.16.11. This is due to missing ownership validation on the changeplansubid parameter in the processcheckout function. The ppressprocesscheckout AJAX handler accepts a...

8.1CVSS5.8AI score0.00379EPSS
Exploits0References5
CVE
CVE
added 2026/03/06 11:22 p.m.13 views

CVE-2026-2371

Summary (CVE-2026-2371) The Greenshift – animation and page builder blocks WordPress plugin versions up to and including 12.8.3 are vulnerable to an insecure direct object reference in the gspb_el_reusable_load AJAX handler. The handler accepts an arbitrary post_id and renders the content of any ...

5.3CVSS5.9AI score0.00305EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/03/06 11:22 p.m.3 views

CVE-2026-2371 Greenshift <= 12.8.3 - Missing Authorization to Unauthenticated Private Reusable Block Disclosure via 'gspb_el_reusable_load'

The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 12.8.3. This is due to missing authorization and post status validation in the gspbelreusableload AJAX handler. The handler accepts an...

5.3CVSS5.9AI score0.00305EPSS
Exploits0References5
CVE
CVE
added 2026/02/28 9:47 p.m.15 views

CVE-2026-28557

The vulnerability CVE-2026-28557 affects wpForo Forum 2.4.14, due to a missing capability check in the wpforo_synch_roles AJAX handler. Any authenticated user can access the usergroups admin page to obtain a nonce and bulk-remap all wpForo usergroups to arbitrary WordPress roles, enabling privile...

7.1CVSS6AI score0.00274EPSS
Exploits0References3Affected Software1
Cvelist
Cvelist
added 2026/02/28 9:47 p.m.19 views

CVE-2026-28555 wpForo Forum 2.4.14 Missing Authorization via Topic Close AJAX Handler

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to close or reopen any forum topic via the wpforocloseajax handler. Attackers submit a valid nonce with an arbitrary topic ID to bypass the moderator permission requirement and disrupt forum...

5.3CVSS0.00268EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/02/28 9:47 p.m.4 views

CVE-2026-28554

wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to approve or unapprove any forum post via the wpforoapproveajax AJAX handler. Attackers exploit the nonce-only check by submitting a valid nonce with an arbitrary post ID to bypass moderation...

5.3CVSS6AI score0.00268EPSS
Exploits0References4Affected Software1
Vulnrichment
Vulnrichment
added 2026/02/25 8:25 a.m.3 views

CVE-2026-1929 Advanced Woo Labels <= 2.37 - Authenticated (Contributor+) Remote Code Execution via 'callback' Parameter

The Advanced Woo Labels plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.37. This is due to the use of calluserfuncarray with user-controlled callback and parameters in the getselectoptionvalues AJAX handler without an allowlist of permitted...

8.8CVSS6.2AI score0.00553EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/02/22 8:24 a.m.25 views

CVE-2026-2385 The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.4.7 - Unauthenticated Email Relay

The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.4.7. This is due to the plugin decrypting and trusting...

5.3CVSS0.00148EPSS
Exploits0References2
NVD
NVD
added 2026/02/18 10:16 p.m.9 views

CVE-2026-27174

MajorDoMo aka Major Domestic Module allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to continue past a redirect call that lacks an exit statement, allowing unauthenticated requests to reach th...

9.8CVSS0.06996EPSS
Exploits4References3
Cvelist
Cvelist
added 2026/02/18 9:10 p.m.32 views

CVE-2026-27174 MajorDoMo Unauthenticated Remote Code Execution via Admin Console Eval

MajorDoMo aka Major Domestic Module allows unauthenticated remote code execution via the admin panel's PHP console feature. An include order bug in modules/panel.class.php causes execution to continue past a redirect call that lacks an exit statement, allowing unauthenticated requests to reach th...

9.8CVSS0.06996EPSS
Exploits4References3
CVE
CVE
added 2026/02/18 12:28 p.m.19 views

CVE-2026-2386

The Plus Addons for Elementor vulnerability (CVE-2026-2386) affects WordPress plugin The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce. It relies on tpae_create_page() AJAX handler which authorizes only current_user_can('edit_posts') but passes ...

4.3CVSS5.7AI score0.00167EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/02/18 12:0 a.m.5 views

PT-2026-20510

Name of the Vulnerable Software and Affected Versions MajorDoMo affected versions not specified Description An include order bug in modules/panel.class.php allows execution to continue past a redirect call that lacks an exit statement. This enables unauthenticated requests to reach the ajax handl...

9.8CVSS6.4AI score0.06996EPSS
Exploits4References7
CNNVD
CNNVD
added 2026/02/18 12:0 a.m.8 views

MajorDoMo 代码注入漏洞

MajorDoMo is an open-source DIY smart home automation platform developed by the MajorDoMo community. There is a code injection vulnerability in MajorDoMo. This vulnerability stems from an error in the inclusion order of modules/panel.class.php, which causes the execution to continue after a...

9.8CVSS6.5AI score0.06996EPSS
Exploits4References3
Rows per page
Query Builder