Lucene search
K

244 matches found

EUVD
EUVD
added 3 days ago6 views

EUVD-2026-43134

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.12. This is due to missing capability checks and nonce verification on AJAX actions registered under both wpajax and wpajaxnopriv hooks, as the base...

5.3CVSS6.1AI score0.00297EPSS
Exploits0References12
Positive Technologies
Positive Technologies
added 3 days ago11 views

PT-2026-57398

Name of the Vulnerable Software and Affected Versions AI Chatbot & Workflow Automation by AIWU versions prior to 1.4.13 Description The plugin contains a missing authorization flaw resulting from the absence of capability checks and nonce verification on AJAX actions registered under wp ajax and ...

5.3CVSS6.1AI score0.00297EPSS
Exploits0References15
Cvelist
Cvelist
added 4 days ago36 views

CVE-2026-9857 Invoice123 <= 1.7.0 - Missing Authorization to Authenticated (Subscriber+) Setting Modification via s123_submit_api_key & s123_submit_invoice_settings AJAX actions

The Invoice123 plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.7.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access...

4.3CVSS0.00288EPSS
Exploits0References12
EUVD
EUVD
added 2026/07/02 7:49 p.m.15 views

EUVD-2026-33280

Mautic has Stored Cross-Site Scripting XSS in Project Option Selector...

5.4CVSS5.8AI score0.00133EPSS
Exploits0References2
CVE
CVE
added 2026/07/01 3:43 a.m.17 views

CVE-2026-12902

Kadence Blocks — Page Builder Toolkit for Gutenberg Editor (WordPress) contains an authorization bypass in all versions up to 3.7.7. Authenticated attackers with contributor-level access can create arbitrary Media Library attachments by downloading remote images into the uploads directory via wp_...

4.3CVSS5.9AI score0.00272EPSS
Exploits0References10
NVD
NVD
added 2026/06/30 6:16 a.m.10 views

CVE-2026-12349

The Premium Addons for KingComposer plugin for WordPress is vulnerable to unauthorized modification and loss of data in versions up to, and including, 1.1.1. This is due to missing authorization and capability checks on the addcustomsidebar and removecustomsidebar AJAX handlers, both of which are...

5.3CVSS0.00239EPSS
Exploits0References6
CVE
CVE
added 2026/06/27 6:50 a.m.15 views

CVE-2026-11364

CVE-2026-11364 affects the Product Specifications for WooCommerce plugin for WordPress up to version 0.8.9. The root cause is missing capability checks and absent nonce verification in the __invoke() methods of AttributeGroupController and AttributeController, tied to AJAX actions dwps_modify_gro...

4.3CVSS5.9AI score0.00213EPSS
Exploits0References8
Patchstack
Patchstack
added 2026/06/19 9:18 a.m.8 views

WordPress WP Hotel Booking plugin < 2.3.1 - Subscriber+ Missing Authorization in Multiple AJAX Handlers vulnerability

Subscriber+ Missing Authorization in Multiple AJAX Handlers vulnerability discovered by Sanjorn Keeratirungsan in WordPress Plugin WP Hotel Booking versions 2.3.1...

6.5CVSS5.8AI score0.00201EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/06/17 1:21 p.m.10 views

CVE-2026-8089

The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated...

7.1CVSS0.00215EPSS
Exploits0References1
CVE
CVE
added 2026/06/17 6:0 a.m.15 views

CVE-2026-8089

CVE-2026-8089 affects the weMail plugin for WooCommerce (WordPress) prior to version 2.1.3. The issue is a reflected Cross-Site Scripting (XSS) vulnerability caused by not escaping a user-supplied parameter before reflecting it into an HTML attribute in a non-nonce-protected AJAX response. This a...

7.1CVSS5.2AI score0.00215EPSS
Exploits0References1
NVD
NVD
added 2026/06/10 10:17 p.m.10 views

CVE-2026-53738

Copy & Delete Posts through 1.5.4 lets any plugin-enabled non-admin role invoke every operation in the cdpactionhandling AJAX handler. Attackers with an enabled role can delete posts or overwrite plugin settings via the f parameter, bypassing per-function capability checks...

8.1CVSS0.00248EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/10 6:0 a.m.12 views

EUVD-2026-35985

The Xstore WordPress theme before 9.7.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection...

8.6CVSS5.6AI score0.00282EPSS
Exploits0References1
Packet Storm News
Packet Storm News
added 2026/06/09 12:0 a.m.23 views

WordPress Contest Gallery Scanner

This Python script is a assessment tool designed to evaluate potential exposure of a WordPress Contest Gallery AJAX workflow by observing response differences from benign probe requests...

5.5AI score
Exploits0
Positive Technologies
Positive Technologies
added 2026/06/09 12:0 a.m.27 views

PT-2026-47678

The AJAX Report Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.4. This is due to missing or incorrect nonce validation on the rc options page function. This makes it possible for unauthenticated attackers to modify plugin settin...

4.3CVSS5.3AI score0.00124EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/05 7:33 p.m.11 views

CVE-2026-9811

A stored Cross-Site Scripting XSS vulnerability exists in the project selector component of Mautic 7. When rendering selection menus for associating projects with system entities, the application fails to sanitize project names returned via AJAX before injecting them into the DOM as option fields...

5.4CVSS5.5AI score0.00133EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/29 12:0 a.m.9 views

WordPress plugin Poll Maker 信息泄露漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

4.3CVSS5.8AI score0.00283EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/05/29 12:0 a.m.16 views

PT-2026-44823

Name of the Vulnerable Software and Affected Versions Mautic versions prior to 7.1.2 Description A stored Cross-Site Scripting XSS issue exists in the project selector component. The application fails to sanitize project names returned via AJAX before injecting them into the Document Object Model...

5.4CVSS5.8AI score0.00133EPSS
Exploits0References4
CVE
CVE
added 2026/05/28 7:43 a.m.23 views

CVE-2026-8689

The CVE concerns the Visualizer: Tables and Charts Manager for WordPress plugin (WordPress) with versions up to 3.11.14. Root cause: missing capability checks on renderChartPages() and uploadData(), enabling certain AJAX actions (wp_ajax_visualizer-create-chart, wp_ajax_visualizer-edit-chart, and...

4.3CVSS5.9AI score0.00242EPSS
Exploits0References8
SUSE CVE
SUSE CVE
added 2026/05/28 3:54 a.m.10 views

SUSE CVE-2026-46028

In the Linux kernel, the following vulnerability has been resolved: crypto: algifaead - snapshot IV for async AEAD requests AFALG AEAD AIO requests currently use the socket-wide IV buffer during request processing. For async requests, later socket activity can update that shared state before the...

5.5CVSS5.9AI score0.00123EPSS
Exploits0References9
NVD
NVD
added 2026/05/27 2:17 p.m.15 views

CVE-2026-46028

In the Linux kernel, the following vulnerability has been resolved: crypto: algifaead - snapshot IV for async AEAD requests AFALG AEAD AIO requests currently use the socket-wide IV buffer during request processing. For async requests, later socket activity can update that shared state before the...

5.5CVSS0.00123EPSS
Exploits0References8
Rows per page
Query Builder