Lucene search
+L

30228 matches found

NVD
NVD
added 2 days ago8 views

CVE-2026-11866

The Appointment Booking Plugin WordPress plugin before 5.6.3 does not validate a CSRF nonce on several state-changing actions handled by its central request dispatcher, allowing attackers to perform privileged actions, such as overwriting the booking-form configuration or disconnecting the...

5.4CVSS0.00095EPSS
Exploits0References1
EUVD
EUVD
added 2 days ago8 views

EUVD-2026-44871

The Appointment Booking Plugin WordPress plugin before 5.6.3 does not validate a CSRF nonce on several state-changing actions handled by its central request dispatcher, allowing attackers to perform privileged actions, such as overwriting the booking-form configuration or disconnecting the...

5.4CVSS6.1AI score0.00095EPSS
Exploits0References1
Cvelist
Cvelist
added 2 days ago36 views

CVE-2026-12525 Redux Framework < 4.5.13 - Subscriber+ Privilege Escalation to Administrator

The Redux Framework WordPress plugin before 4.5.13 does not restrict which user meta keys can be written when saving custom profile fields, allowing users with at least the Subscriber role to escalate their privileges to Administrator by submitting a crafted value while updating their own profile...

0.00237EPSS
Exploits0References1
Cvelist
Cvelist
added 2 days ago36 views

CVE-2026-12492 Happy Coders OTP Login for WooCommerce < 2.8 - Unauthenticated Account Takeover via hcotp_auto_login_user

The Happy Coders OTP Login for WooCommerce WordPress plugin before 2.8 does not verify that a one-time password was actually validated before authenticating a user based on a supplied identifier, allowing unauthenticated attackers to log in as any existing user, including administrators, as well ...

0.00283EPSS
Exploits0References1
CVE
CVE
added 2 days ago11 views

CVE-2026-12525

CVE-2026-12525 affects the Redux Framework WordPress plugin prior to 4.5.13. The vulnerability arises because the plugin does not restrict which user_meta keys can be written when saving custom profile fields, enabling users with at least the Subscriber role to escalate to Administrator while upd...

8.8CVSS6.1AI score0.00237EPSS
Exploits0References1
EUVD
EUVD
added 2 days ago7 views

EUVD-2026-44873

The Happy Coders OTP Login for WooCommerce WordPress plugin before 2.8 does not verify that a one-time password was actually validated before authenticating a user based on a supplied identifier, allowing unauthenticated attackers to log in as any existing user, including administrators, as well ...

9.8CVSS6.1AI score0.00283EPSS
Exploits0References1
NVD
NVD
added 2 days ago8 views

CVE-2026-15445

The SEO Booster plugin for WordPress is vulnerable to time-based SQL Injection via the 'orderby' parameter in all versions up to, and including, 7.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible f...

4.9CVSS0.00272EPSS
Exploits0References5
EUVD
EUVD
added 2 days ago6 views

EUVD-2026-44867

The SEO Booster plugin for WordPress is vulnerable to generic SQL Injection via the 'sortfield' parameter in all versions up to, and including, 7.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible fo...

4.9CVSS6.1AI score0.00272EPSS
Exploits0References5
CVE
CVE
added 2 days ago11 views

CVE-2026-15458

CVE-2026-15458 affects the WordPress SEO Booster plugin up to version 7.3.1. The vulnerability is a SQL Injection in the sort_field parameter caused by insufficient escaping and an inadequately prepared SQL query. It requires authenticated access at Administrator level or higher, and could allow ...

4.9CVSS6.1AI score0.00272EPSS
Exploits0References5
CVE
CVE
added 2 days ago10 views

CVE-2026-15445

The CVE covers the WordPress plugin SEO Booster (versions up to 7.3.1). It is vulnerable to a time-based SQL Injection via the orderby parameter, caused by insufficient escaping and lack of proper query preparation in an unquoted ORDER BY context. The vulnerability requires authenticated access w...

4.9CVSS6.1AI score0.00272EPSS
Exploits0References5
Cvelist
Cvelist
added 2 days ago40 views

CVE-2026-15445 SEO Booster <= 7.3.1 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter

The SEO Booster plugin for WordPress is vulnerable to time-based SQL Injection via the 'orderby' parameter in all versions up to, and including, 7.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible f...

4.9CVSS0.00272EPSS
Exploits0References5
CVE
CVE
added 2 days ago8 views

CVE-2026-13005

The CVE concerns the MxChat – AI Chatbot & Content Generation for WordPress plugin for WordPress. Affected: all versions up to 3.2.10. Vulnerability: Stored Cross-Site Scripting via the intro_message admin setting due to insufficient input sanitization and output escaping. Privileged context: aut...

4.4CVSS6.2AI score0.00207EPSS
Exploits0References6
CVE
CVE
added 2 days ago7 views

CVE-2026-47089

CVE-2026-47089 affects Cyrus IMAPD up to version 3.12.2. The LISTRIGHTS function is not restricted to admins, allowing any authenticated user to call LISTRIGHTS on a mailbox they name and discover which principals have what access. This is a data-exposure/privacy issue tied to insufficient access...

4.3CVSS6.1AI score0.00168EPSS
Exploits0References2
NVD
NVD
added 3 days ago5 views

CVE-2026-40953

CVE-2026-40953 is a heap overflow in the certificate parsing function of Secure Access clients prior to 14.55. Attackers with local access and administrator permissions can create a denial of service attack against the client over which they have control...

6.7CVSS0.00073EPSS
Exploits0References1
NVD
NVD
added 3 days ago5 views

CVE-2026-40952

CVE-2026-40952 is a privilege misconfiguration in the Secure Access installer for the Windows client and server prior to version 14.55. Attackers with local access to the client or server can use it to elevate privileges to Administrator when Secure Access is installed in a non-default location...

8.5CVSS0.00094EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 3 days ago3 views

CVE-2026-40957

o CVE-2026-40957 is a frameable content vulnerability in the Secure Access server login page prior to 14.55. Attackers with control of a malicious web site could use it to potentially steal credentials from an unwary administrator...

7.5CVSS6AI score0.00313EPSS
Exploits0References2
Cvelist
Cvelist
added 3 days ago39 views

CVE-2026-40953 Heap overflow in Secure Access clients

CVE-2026-40953 is a heap overflow in the certificate parsing function of Secure Access clients prior to 14.55. Attackers with local access and administrator permissions can create a denial of service attack against the client over which they have control...

6.7CVSS0.00073EPSS
Exploits0References1
EUVD
EUVD
added 3 days ago8 views

EUVD-2026-44779

CVE-2026-40952 is a privilege misconfiguration in the Secure Access installer for the Windows client and server prior to version 14.55. Attackers with local access to the client or server can use it to elevate privileges to Administrator when Secure Access is installed in a non-default location...

8.5CVSS6.1AI score0.00094EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 3 days ago3 views

CVE-2026-40952

CVE-2026-40952 is a privilege misconfiguration in the Secure Access installer for the Windows client and server prior to version 14.55. Attackers with local access to the client or server can use it to elevate privileges to Administrator when Secure Access is installed in a non-default location...

8.5CVSS6.1AI score0.00094EPSS
Exploits0References2
CVE
CVE
added 3 days ago11 views

CVE-2026-40952

The CVE-2026-40952 entry describes a privilege misconfiguration in the Windows Secure Access installer for the client and server prior to version 14.55. Local attackers with access to the affected system can elevate privileges to Administrator when Secure Access is installed in a non-default loca...

8.5CVSS6.1AI score0.00094EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder