CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

1060 matches found

EUVD-2026-33887

The FPW Category Thumbnails plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'fpwfsgetfile' AJAX action in all versions up to, and including, 1.9.5. This is due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS6AI score0.0003EPSS

Exploits0References4

Cvelist•added 2 days ago•33 views

CVE-2026-2382 FPW Category Thumbnails <= 1.9.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'id' Parameter

6.4CVSS0.0003EPSS

Exploits0References4

Positive Technologies•added 2 days ago•4 views

PT-2026-45702

The FPW Category Thumbnails plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'fpw fs get file' AJAX action in all versions up to, and including, 1.9.5. This is due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS6AI score0.0003EPSS

Exploits0References5

ATTACKERKB•added 2026/05/27 9:27 a.m.•3 views

CVE-2026-2280

The rexCrawler plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

4.8CVSS6AI score0.00025EPSS

Exploits0References6

Cvelist•added 2026/05/27 9:27 a.m.•22 views

CVE-2026-2280 rexCrawler <= 1.0.15 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings

4.8CVSS0.00025EPSS

Exploits0References5

Vulnrichment•added 2026/05/27 9:27 a.m.•7 views

CVE-2026-2280 rexCrawler <= 1.0.15 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings

4.8CVSS6AI score0.00025EPSS

Exploits0References5

NVD•added 2026/05/27 7:16 a.m.•8 views

CVE-2026-8939

The Search Simple Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on the searchsimplefieldsoptions function in functionsadmin.php. This makes it possible for unauthenticated attacke...

4.3CVSS0.00013EPSS

Exploits0References3

Positive Technologies•added 2026/05/27 12:0 a.m.•5 views

PT-2026-43633

4.8CVSS6AI score0.00025EPSS

Exploits0References6

RedhatCVE•added 2026/05/21 1:3 p.m.•4 views

CVE-2026-41888

A flaw was found in Distribution, a software toolkit used for managing container content. This vulnerability allows a remote attacker to bypass security settings designed to prevent the deletion of container tags. By sending a specific request, an attacker can remove tags from repositories even...

6.5CVSS5.8AI score0.00016EPSS

Exploits1References4

CVE•added 2026/05/20 1:25 a.m.•5 views

CVE-2026-6399

The CVE concerns the WordPress General Options plugin (up to version 1.1.0). Root cause: the code uses sanitize_text_field() for output escaping in the ad_contact_number field, which strips HTML but does not encode double quotes, so when echoed inside a double-quoted HTML attribute (value="..."),...

4.4CVSS6AI score0.00039EPSS

Exploits0References5

Positive Technologies•added 2026/05/20 12:0 a.m.•6 views

PT-2026-42061

Name of the Vulnerable Software and Affected Versions Word 2 Cash versions prior to 0.9.3 Description The Word 2 Cash plugin for WordPress is subject to Cross-Site Request Forgery CSRF which can lead to Stored Cross-Site Scripting XSS. This occurs because the w2c admin function lacks nonce...

6.1CVSS6AI score0.00028EPSS

Exploits0References10

NVD•added 2026/05/19 9:16 p.m.•8 views

CVE-2026-34216

CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, the admin settings update endpoint accepted a fully qualified class name directly from user-supplied request input and used it for dynamic static method calls and object instantiation without any allowli...

6.6CVSS0.00406EPSS

Exploits0References2

ATTACKERKB•added 2026/05/13 2:22 p.m.•2 views

CVE-2020-37225

Powie's WHOIS Domain Check 0.9.31 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject arbitrary JavaScript by exploiting unsanitized input fields in plugin settings. Attackers can submit malicious payloads through textarea and input elements in t...

6.4CVSS5.9AI score0.00036EPSS

Exploits0References5Affected Software1

NVD•added 2026/05/13 5:16 a.m.•3 views

CVE-2025-9989

The Broadstreet plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.53.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions an...

4.4CVSS0.00029EPSS

Exploits0References2

Cvelist•added 2026/05/13 4:26 a.m.•28 views

CVE-2025-9989 Broadstreet <= 1.53.1 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4CVSS0.00029EPSS

Exploits0References2

ATTACKERKB•added 2026/05/13 4:26 a.m.•4 views

CVE-2025-9989

4.4CVSS6AI score0.00029EPSS

Exploits0References3

Positive Technologies•added 2026/05/13 12:0 a.m.•4 views

PT-2026-40560

4.4CVSS6AI score0.00029EPSS

Exploits0References2

EUVD•added 2026/05/12 12:32 p.m.•5 views

EUVD-2026-29444

The Continually plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

4.4CVSS6AI score0.0003EPSS

Exploits0References6

CVE•added 2026/05/12 9:29 a.m.•6 views

CVE-2026-6813

The CVE-2026-6813 entry concerns the WordPress Continually plugin (versions up to 4.3.1). It describes a Stored Cross-Site Scripting vulnerability in admin settings caused by insufficient input sanitization and output escaping, exploitable by authenticated attackers with administrator-level permi...

4.4CVSS6AI score0.0003EPSS

Exploits0References5

Cvelist•added 2026/05/12 9:29 a.m.•29 views

CVE-2026-6800 FastBots <= 1.0.12 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

The FastBots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

4.4CVSS0.0003EPSS

Exploits0References5

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by