CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

NVD•added 4 hours ago•1 views

CVE-2019-25734

Contact Form by WD 1.13.1 contains a cross-site request forgery vulnerability combined with local file inclusion that allows unauthenticated attackers to include arbitrary files by exploiting unsanitized action parameters. Attackers can craft malicious forms targeting the admin-ajax.php endpoint...

5.1CVSS

CVE•added 5 hours ago•5 views

CVE-2019-25738

The CVE affects WordPress Hybrid Composer 1.4.6, where an unauthenticated attacker can exploit the hc_ajax_save_option action via admin-ajax.php to modify WordPress options, enabling user registration and setting the default role to administrator, potentially leading to account takeover. The issu...

9.8CVSS5.8AI score

Cvelist•added 5 hours ago•3 views

CVE-2019-25734 Contact Form by WD 1.13.1 CSRF to Local File Inclusion

5.1CVSS

CVE•added 5 hours ago•4 views

CVE-2019-25734

The CVE-2019-25734 entry concerns the WordPress plugin Contact Form by WD version 1.13.1. It describes a combined cross-site request forgery and local file inclusion vulnerability that lets unauthenticated attackers include arbitrary files by exploiting unsanitized action parameters. Attacks targ...

5.1CVSS5.8AI score

Vulnrichment•added 5 hours ago•2 views

CVE-2019-25734 Contact Form by WD 1.13.1 CSRF to Local File Inclusion

5.1CVSS5.8AI score

ATTACKERKB•added 17 hours ago•2 views

CVE-2026-10737

The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the viewfile function in all versions up to, and including, 4.71. This makes it possible for unauthenticated attackers to read file metadata and obtain download links f...

7.5CVSS5.9AI score

EUVD•added 17 hours ago•3 views

EUVD-2026-34190

7.5CVSS5.9AI score

Positive Technologies•added 18 hours ago•4 views

PT-2026-46204

5.1CVSS5.8AI score

NVD•added 2026/05/27 8:16 a.m.•7 views

CVE-2026-3895

The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lvcaadminajax AJAX action in all versions up to, and including, 3.9.4 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce b...

6.4CVSS0.0003EPSS

NVD•added 2026/05/27 8:16 a.m.•6 views

CVE-2026-3896

The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lsowadminajax AJAX action in all versions up to, and including, 3.9.2 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not...

6.4CVSS0.0003EPSS

EUVD•added 2026/05/27 6:46 a.m.•8 views

EUVD-2026-32107

EUVD•added 2026/05/27 6:46 a.m.•5 views

EUVD-2026-32102

ATTACKERKB•added 2026/05/27 6:46 a.m.•5 views

CVE-2026-3896

EUVD•added 2026/05/27 6:46 a.m.•5 views

EUVD-2026-32101

The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the labbadminajax AJAX action in all versions up to, and including, 3.9.2 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but doe...

ATTACKERKB•added 2026/05/27 6:46 a.m.•4 views

CVE-2026-3897

Vulnrichment•added 2026/05/27 6:46 a.m.•7 views

CVE-2026-3897 Livemesh Addons for Beaver Builder <= 3.9.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Missing Authorization

CVE•added 2026/05/27 6:46 a.m.•10 views

CVE-2026-3897

The CVE-2026-3897 entry describes a Stored XSS in the Livemesh Addons for Beaver Builder WordPress plugin, via the labb_admin_ajax action. Affected versions are all up to 3.9.2. Root cause is missing authorization checks despite nonce verification, enabling authenticated Subscriber+ users to modi...

Cvelist•added 2026/05/27 6:46 a.m.•22 views

CVE-2026-3897 Livemesh Addons for Beaver Builder <= 3.9.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Missing Authorization

6.4CVSS0.0003EPSS

Positive Technologies•added 2026/05/27 12:0 a.m.•7 views

PT-2026-43547

The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lvca admin ajax AJAX action in all versions up to, and including, 3.9.4 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce...