Lucene search
+L

9751 matches found

NVD
NVD
added 15 hours ago9 views

CVE-2026-16210

A vulnerability was found in newpanjing simpleui 2026.01.13. This affects the function self.getaction of the file simpleui/admin.py of the component AjaxAdmin AJAX Endpoint. Performing a manipulation results in missing authentication. Remote exploitation of the attack is possible. The exploit has...

7.5CVSS
Exploits0References6
CVE
CVE
added 16 hours ago13 views

CVE-2026-16210

The CVE-2026-16210 entry affects newpanjing simpleui version 2026.01.13, specifically the AjaxAdmin AJAX Endpoint in the file simpleui/admin.py. The issue stems from the function self.get_action, where manipulated input leads to missing authentication, enabling remote exploitation. An exploit has...

7.5CVSS7AI score
Exploits0References6
EUVD
EUVD
added 16 hours ago8 views

EUVD-2026-45421

A vulnerability was found in newpanjing simpleui 2026.01.13. This affects the function self.getaction of the file simpleui/admin.py of the component AjaxAdmin AJAX Endpoint. Performing a manipulation results in missing authentication. Remote exploitation of the attack is possible. The exploit has...

7.5CVSS7AI score
Exploits0References6
Nuclei
Nuclei
added 16 hours ago49 views

WordPress Ninja Forms <3.4.34 - Open Redirect

WordPress Ninja Forms plugin before 3.4.34 contains an open redirect vulnerability via the wpajaxnfoauthconnect AJAX action, due to the use of a user-supplied redirect parameter and no protection in place. An attacker can redirect a user to a malicious site and possibly obtain sensitive...

6.1CVSS6.2AI score0.01643EPSS
Exploits2References5
Nuclei
Nuclei
added 16 hours ago57 views

WordPress Super Socializer <7.13.30 - Cross-Site Scripting

WordPress Super Socializer plugin before 7.13.30 contains a reflected cross-site scripting vulnerability. It does not sanitize and escape the urls parameter in its thechampsharingcount AJAX action available to both unauthenticated and authenticated users before outputting it back in the response...

6.1CVSS5.8AI score0.01938EPSS
Exploits1References3
Nuclei
Nuclei
added 16 hours ago85 views

WordPress Gallery <2.0.0 - Cross-Site Scripting

WordPress Gallery plugin before 2.0.0 contains a reflected cross-site scripting vulnerability. It does not sanitize and escape a parameter before outputting it back in the response of an AJAX action, available to both unauthenticated and authenticated users. id: CVE-2022-1946 info: name: WordPres...

6.1CVSS5.8AI score0.01626EPSS
Exploits2References5
Nuclei
Nuclei
added 16 hours ago135 views

WordPress Modern Events Calendar <6.1.5 - Blind SQL Injection

WordPress Modern Events Calendar plugin before 6.1.5 is susceptible to blind SQL injection. The plugin does not sanitize and escape the time parameter before using it in a SQL statement in the mecloadsinglepage AJAX action. An attacker can possibly obtain sensitive information, modify data, and/o...

9.8CVSS8.7AI score0.728EPSS
Exploits7References5
Nuclei
Nuclei
added 16 hours ago52 views

WordPress Shareaholic <9.7.6 - Information Disclosure

WordPress Shareaholic plugin prior to 9.7.6 is susceptible to information disclosure. The plugin does not have proper authorization check in one of the AJAX actions, available to both unauthenticated before 9.7.5 and authenticated in 9.7.5 users, allowing them to possibly obtain sensitive...

5.3CVSS5.7AI score0.01633EPSS
Exploits2References5
Nuclei
Nuclei
added 16 hours ago70 views

Cryptocurrency Widgets Pack < 2.0 - SQL Injection

The plugin does not sanitise and escape some parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. id: CVE-2022-4059 info: name: Cryptocurrency Widgets Pack 2.0 - SQL Injection author: r3Y3r53 severity: critical description...

9.8CVSS8.7AI score0.04756EPSS
Exploits1References3
Nuclei
Nuclei
added 16 hours ago76 views

Popup by Supsystic < 1.10.9 - Subscriber Email Addresses Disclosure

The Popup by Supsystic WordPress plugin before 1.10.9 does not have any authentication and authorisation in an AJAX action, allowing unauthenticated attackers to call it and get the email addresses of subscribed users id: CVE-2022-0424 info: name: Popup by Supsystic 1.10.9 - Subscriber Email...

5.3CVSS5.8AI score0.02869EPSS
Exploits2References2
Nuclei
Nuclei
added 16 hours ago67 views

WordPress Best Books <=2.6.3 - SQL Injection

WordPress Best Books plugin through 2.6.3 is susceptible to SQL injection. The plugin does not sanitize and escape some parameters before using them in a SQL statement via an AJAX action. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrativ...

9.8CVSS8.7AI score0.09047EPSS
Exploits2References5
Nuclei
Nuclei
added 16 hours ago62 views

WordPress JNews Theme <8.0.6 - Cross-Site Scripting

WordPress JNews theme before 8.0.6 contains a reflected cross-site scripting vulnerability. It does not sanitize the catid parameter in the POST request /?ajax-request=jnews with action=jnewsbuildmegacategory. id: CVE-2021-24342 info: name: WordPress JNews Theme =8.0.6 to mitigate the XSS...

6.1CVSS5.8AI score0.01975EPSS
Exploits2References4
Nuclei
Nuclei
added 16 hours ago37 views

MLflow Job API - Authentication Bypass

MLflow latest version contains an authentication bypass caused by unprotected FastAPI job endpoints under /ajax-api/3.0/jobs/ when basic-auth is enabled, letting unauthenticated network clients submit and manage jobs, exploit requires job execution enabled and allowlisted job functions. id:...

9.8CVSS8.5AI score0.04392EPSS
Exploits1References3
Nuclei
Nuclei
added 16 hours ago21 views

WCAPF WooCommerce Ajax Product Filter - SQL Injection

WCAPF WooCommerce Ajax Product Filter = 4.2.3 contains a time-based SQL injection caused by insufficient escaping of the 'post-author' parameter, letting unauthenticated attackers extract sensitive database information remotely. id: CVE-2026-3396 info: name: WCAPF WooCommerce Ajax Product Filter ...

7.5CVSS5.6AI score0.01473EPSS
Exploits0References2
Nuclei
Nuclei
added 16 hours ago16 views

HT Mega < 3.0.7 - Sensitive Information Disclosure

The HT Mega plugin for WordPress is vulnerable to Sensitive Information Exposure via AJAX actions. This template dynamically extracts the security nonce before exploitation. id: CVE-2026-4106 info: name: HT Mega 3.0.7 - Sensitive Information Disclosure author: EFETR severity: high description: |...

5.3CVSS5.2AI score0.00742EPSS
Exploits1References2
Nuclei
Nuclei
added 16 hours ago43 views

AI Assistant with ChatGPT by AYS <= 2.0.9 - Unauthenticated AJAX Calls

The plugin lacks sufficient access controls allowing an unauthenticated user to disconnect the plugin from OpenAI, thereby disabling the plugin. Multiple actions are accessible: ayschatgptdisconnect, ayschatgptconnect, and ayschatgptsavefeedback id: CVE-2024-7714 info: name: AI Assistant with...

7.5CVSS5.2AI score0.00848EPSS
Exploits1References2
Nuclei
Nuclei
added 16 hours ago113 views

CZ Loan Management <= 1.1 - SQL Injection

The CZ Loan Management WordPress plugin through 1.1 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. id: CVE-2024-5975 info: name: CZ Loan Management = 1.1 - SQL Injection author...

9.1CVSS5.6AI score0.01958EPSS
Exploits1References3
Nuclei
Nuclei
added 16 hours ago25 views

The Events Calendar < 6.4.0.1 - Cross-site Scripting

The Events Calendar WordPress plugin 6.4.0.1 contains a stored XSS caused by improper sanitization of user-submitted content when rendering views via AJAX, letting attackers execute scripts in the context of the affected site. Exploitation requires user interaction. id: CVE-2024-4180 info: name:...

9.1CVSS5.2AI score0.01834EPSS
Exploits2References3
Nuclei
Nuclei
added 16 hours ago32 views

WCFM Membership <= 2.10.0 - Broken Access Control

The WCFM Membership plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 2.10.0 due to missing capability checks true the AJAX actions: wcfm-memberships, wcfm-memberships-manage, and wcfm-memberships-settings. id: CVE-2022-4940 info:...

7.3CVSS7AI score0.01084EPSS
Exploits0References3
Nuclei
Nuclei
added 16 hours ago68 views

Combo Blocks < 2.2.76 - Improper Access Control

The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel WordPress plugin before 2.2.76 does not prevent password protected posts from being displayed in the result of some unauthenticated AJAX actions, allowing unauthenticated users to read such posts id:...

5.4CVSS5.2AI score0.16906EPSS
Exploits2References3
Rows per page
Query Builder