Lucene search
K

30059 matches found

CVE
CVE
added 5 hours ago6 views

CVE-2026-61463

Shiori contains a privilege escalation vulnerability in the account update endpoint that allows authenticated users to modify the owner field without authorization checks. Attackers can escalate to administrator by submitting a crafted PATCH request with owner: true, then re-authenticate to obtai...

8.8CVSS6.1AI score
Exploits0References4
EUVD
EUVD
added 13 hours ago5 views

EUVD-2026-43289

The Tutor LMS WordPress plugin before 3.9.13 does not verify that the requesting user is allowed to edit a target post before overwriting it in one of its content-builder save handlers, authorizing the request only against an unrelated identifier, allowing authenticated users with instructor-leve...

6.5CVSS6.1AI score
Exploits0References2
NVD
NVD
added 14 hours ago7 views

CVE-2026-15540

A vulnerability was detected in SourceCodester Online Book Store System 1.0. The affected element is an unknown function of the file /admin/index.php of the component Administrative Interface. Performing a manipulation of the argument page results in improper control of filename for include/requi...

5.3CVSS
Exploits0References6
Cvelist
Cvelist
added 17 hours ago8 views

CVE-2026-12274 Tutor LMS < 3.9.13 - Instructor+ Arbitrary Post Overwrite via IDOR

The Tutor LMS WordPress plugin before 3.9.13 does not verify that the requesting user is allowed to edit a target post before overwriting it in one of its content-builder save handlers, authorizing the request only against an unrelated identifier, allowing authenticated users with instructor-leve...

Exploits0References1
Nuclei
Nuclei
added 18 hours ago112 views

Miniorange Social Login and Register <= 7.6.3 - Authentication Bypass

The WordPress Social Login and Register Discord, Google, Twitter, LinkedIn plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. This is due to insufficient encryption on the user being supplied during a login validated through the plugin. This makes...

9.8CVSS7.1AI score0.46242EPSS
Exploits4References5
Nuclei
Nuclei
added 18 hours ago117 views

Piwigo 13.7.0 - SQL Injection

Piwigo is open source photo gallery software. Prior to version 13.8.0, there is a SQL Injection vulnerability in the login of the administrator screen. The SQL statement that acquires the HTTP Header User-Agent is vulnerable at the endpoint that records user information when logging in to the...

9.8CVSS7.2AI score0.97405EPSS
Exploits21References5
Nuclei
Nuclei
added 18 hours ago26 views

OpenText Documentum Administrator 7.2.0180.0055 - Open Redirect

OpenText Documentum Administrator 7.2.0180.0055 is susceptible to multiple open redirect vulnerabilities. An attacker can redirect a user to a malicious site and potentially obtain sensitive information, modify data, and/or execute unauthorized operations. id: CVE-2017-14524 info: name: OpenText...

6.1CVSS6.4AI score0.0294EPSS
Exploits2References5
Nuclei
Nuclei
added 18 hours ago103 views

Netgear-WN604 downloadFile.php - Information Disclosure

There is an information leakage vulnerability in the downloadFile.php interface of Netgear WN604. A remote attacker using file authentication can use this vulnerability to obtain the administrator account and password information of the wireless router, causing the router's background to be...

6.9CVSS6.2AI score0.45681EPSS
Exploits0References5
Nuclei
Nuclei
added 18 hours ago119 views

Palo Alto Networks PAN-OS Web Interface - Cross Site-Scripting

PAN-OS management web interface is vulnerable to reflected cross-site scripting. A remote attacker able to convince an administrator with an active authenticated session on the firewall management interface to click on a crafted link to that management web interface could potentially execute...

8.8CVSS7AI score0.2389EPSS
Exploits0References5
Nuclei
Nuclei
added 18 hours ago21 views

Masteriyo LMS <= 1.7.2 - Unauthenticated Privilege Escalation

The Masteriyo LMS – eLearning and Online Course Builder for WordPress plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the updateloggedinuser function in all versions up to, and including, 1.7.2. This makes it possible for unauthenticated attackers t...

9.8CVSS7AI score0.02112EPSS
Exploits0References4
Nuclei
Nuclei
added 18 hours ago44 views

WordPress User Registration & Membership <= 5.1.2 - Unauthenticated Privilege Escalation

User Registration & Membership WordPress plugin = 5.1.2 contains an improper privilege management vulnerability caused by accepting user-supplied roles without server-side allowlist enforcement, letting unauthenticated attackers create administrator accounts id: CVE-2026-1492 info: name: WordPres...

9.8CVSS7.1AI score0.25532EPSS
Exploits2References3
Nuclei
Nuclei
added 18 hours ago8 views

LatePoint <= 5.0.11 - SQL Injection

The LatePoint plugin for WordPress is vulnerable to Arbitrary User Password Change via SQL Injection in versions up to, and including, 5.0.11. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible f...

9.8CVSS6.1AI score0.02823EPSS
Exploits0References3
Nuclei
Nuclei
added 18 hours ago136 views

Limit Login Attempts - Stored Cross-Site Scripting

Limit Login Attempts WordPress plugin 4.0.72 contains a stored cross-site scripting caused by unsanitized and unescaped settings, letting malicious administrators inject Javascript code, exploit requires administrator privileges. id: CVE-2022-1029 info: name: Limit Login Attempts - Stored...

4.8CVSS6AI score0.00848EPSS
Exploits2References1
Nuclei
Nuclei
added 18 hours ago12 views

HT Mega – Absolute Addons for Elementor <= 2.2.0 - Missing Authorization to Privilege Escalation

The HT Mega plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.2.0. This is due to missing validation of the regrole parameter on the htmegaajaxregister function. This makes it possible for unauthenticated attackers to create administrator accounts. id...

9.8CVSS6.2AI score0.03043EPSS
Exploits0References4
Nuclei
Nuclei
added 18 hours ago38 views

WordPress InstaWP Connect <= 0.1.0.38 - Unauthenticated User Creation

The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to arbitrary option updates due to a missing authorization checks on the REST API calls in all versions up to, and including, 0.1.0.38. This makes it possible for unauthenticated attackers to connect the site ...

9.8CVSS6.1AI score0.04156EPSS
Exploits0References4
Nuclei
Nuclei
added 18 hours ago17 views

HyperComments <= 1.2.2 - Arbitrary Options Update

The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hcrequesthandler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to...

8.8CVSS6.2AI score0.01718EPSS
Exploits4References2
Nuclei
Nuclei
added 18 hours ago7 views

Payara Server - Cross-Site Scripting

Payara Server versions 4.1.2.191.54, 5.83.0, 6.34.0, and 7.2026.1 contain a stored XSS vulnerability caused by improper input sanitization in the REST Management Interface. This allows attackers to mislead administrators into changing the admin password via a URL payload; however, the exploit...

9.3CVSS6.1AI score0.01002EPSS
Exploits1References3
Nuclei
Nuclei
added 18 hours ago16 views

The Opal Estate Pro – Property Management <= 1.7.5 - Unauthenticated Privilege Escalation

The Opal Estate Pro plugin ≤ 1.7.5 is vulnerable to privilege escalation. Due to missing role restrictions in the onregisteruser function, users can register with any role. This allows unauthenticated attackers to create administrator accounts. id: CVE-2025-6934 info: name: The Opal Estate Pro –...

9.8CVSS6.1AI score0.22334EPSS
Exploits12References2
Nuclei
Nuclei
added 18 hours ago14 views

Ultimate Member < 2.1.12 - Unauthenticated Privilege Escalation via User Meta

An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Unauthenticated Privilege Escalation via User Meta. An attacker could supply an array parameter for sensitive metadata, such as the wpcapabilities user meta that defines a user's role. During the registration...

10CVSS7AI score0.08975EPSS
Exploits2References3
Nuclei
Nuclei
added 18 hours ago102 views

WordPress File Upload Plugin < 4.24.8 - Cross-Site Scripting

The WordPress File Upload plugin before version 4.24.8 contains a reflected cross-site scripting vulnerability. The plugin does not properly sanitize and escape the 'dir' parameter in the file browser page before outputting it back, which could allow attackers to execute arbitrary JavaScript code...

6.1CVSS6.3AI score0.14058EPSS
Exploits2References2
Rows per page
Query Builder