Lucene search
K

10000 matches found

ATTACKERKB
ATTACKERKB
added yesterday4 views

CVE-2026-15104

The BetterDocs – AI Documentation, Knowledge Base, Docs, Wikis, FAQ with Chatbot plugin for WordPress is vulnerable to generic SQL Injection via the 'lang' parameter in all versions up to, and including, 4.6.0 due to insufficient escaping on the user supplied parameter and lack of sufficient...

6.5CVSS6.1AI score0.0026EPSS
Exploits0References6
Cvelist
Cvelist
added yesterday29 views

CVE-2026-40009 Apache IoTDB: Authenticated users can escalate to full tree-path access by renaming themselves to __internal_auditor

Improper Privilege Management, Improper Access Control vulnerability in Apache IoTDB. Authenticated users can escalate to full tree-path access by renaming themselves to internalauditor. This issue affects Apache IoTDB: from 2.0.8 before 2.0.10. Users are recommended to upgrade to version 2.0.10,...

0.00132EPSS
Exploits0References1
Patchstack
Patchstack
added yesterday3 views

WordPress All-in-One Video Gallery plugin <= 4.8.5 - Authenticated (Subscriber+) Server-Side Request Forgery vulnerability

Authenticated Subscriber+ Server-Side Request Forgery vulnerability discovered by KoreaInfoSec - Korea University in WordPress Plugin All-in-One Video Gallery versions = 4.8.5...

6.4CVSS6.1AI score0.00246EPSS
Exploits0References1Affected Software1
NVD
NVD
added yesterday8 views

CVE-2026-15287

The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to time-based SQL Injection via the orderby parameter in all versions up to, and including, 4.6.18 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQ...

6.5CVSS0.00276EPSS
Exploits0References2
Cvelist
Cvelist
added yesterday32 views

CVE-2026-15301 BuddyHolis TableSearch <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

The BuddyHolis TableSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘placeholder’ parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS0.00156EPSS
Exploits0References2
CVE
CVE
added yesterday9 views

CVE-2026-15299

CVE-2026-15299 : The Animation Addons for Elementor WordPress plugin is vulnerable to Stored Cross-Site Scripting in all versions up to 2.6.3 via the Weather widget’s weather_style and move_direction parameters. The root cause is insufficient output escaping in Weather widget render() (widgets/we...

6.4CVSS6AI score0.00193EPSS
Exploits0References4
CVE
CVE
added yesterday6 views

CVE-2026-15296

The CVE-2026-15296 entry identifies a Stored Cross-Site Scripting vulnerability in the affiliate-toolkit – WP Affiliate Plugin with Amazon for WordPress, exploitable via the atkp_product shortcode in all versions

6.4CVSS6.1AI score0.00266EPSS
Exploits0References3
CVE
CVE
added yesterday7 views

CVE-2026-15293

The WP Business Intelligence Lite WordPress plugin (versions up to and including 3.2.0) is affected by an authorization bypass vulnerability. The issue arises because the plugin does not properly verify user permissions before performing an action, enabling authenticated users with Subscriber-lev...

8CVSS6.3AI score0.00348EPSS
Exploits0References3
Cvelist
Cvelist
added yesterday29 views

CVE-2026-15292 Sudoku Shortcode <= 1.0.0 - Authenticated (Contributor+) Cross-Site Scripting via 'background' Shortcode Attribute

The Sudoku Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'background' parameter in the 'sudoku-sc' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS0.00243EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added yesterday4 views

CVE-2026-15292

The Sudoku Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'background' parameter in the 'sudoku-sc' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS6.1AI score0.00243EPSS
Exploits0References6
Cvelist
Cvelist
added yesterday30 views

CVE-2026-15287 rtMedia for WordPress, BuddyPress and bbPress <= 4.6.18 - Authenticated (Subscriber+) SQL Injection

The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to time-based SQL Injection via the orderby parameter in all versions up to, and including, 4.6.18 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQ...

6.5CVSS0.00276EPSS
Exploits0References2
CVE
CVE
added yesterday6 views

CVE-2026-15284

The King Addons for Elementor plugin (WordPress) has a Stored Cross-Site Scripting vulnerability affecting versions up to 51.1.62 via the form_page_id parameter. The root cause is insufficient input sanitization in add_to_submissions() (sanitize_text_field() preserves quotes) combined with missin...

6.4CVSS6.1AI score0.00307EPSS
Exploits0References10
CVE
CVE
added yesterday8 views

CVE-2026-15285

The Plus Addons for Elementor plugin for WordPress is affected by an Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability in the Button widget via the custom_attributes setting, affecting versions up to 6.4.11. The root cause is in render() for the Button widget, where the raw c...

6.4CVSS5.9AI score0.00261EPSS
Exploits0References5
Cvelist
Cvelist
added 2 days ago32 views

CVE-2026-33799 Junos OS and Junos OS Evolved: Receipt of a specific SNMPv3 request results in memory leak and eventual snmpd crash

An Out-of-bounds Write vulnerability in the SNMP daemon snmpd of Juniper Networks Junos OS and Junos OS Evolved allows an authenticated network-based attacker sending specific valid SNMPv3 queries to trigger a memory leak. Over time, continuous receipt of these queries will result in snmpd proces...

5.3CVSS0.0036EPSS
Exploits0References1
Patchstack
Patchstack
added 2 days ago4 views

WordPress Logo Slider WP – Responsive Logo Carousel, Logo Gallery & Logo Showcase plugin <= 5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by ? in WordPress Plugin Logo Slider versions = 5.5...

6.4CVSS6.1AI score0.00331EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 2 days ago4 views

WordPress Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) plugin <= 4.1.15 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by PRISM in WordPress Plugin WP Event SOlution versions = 4.1.15...

6.4CVSS6.1AI score0.00206EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2 days ago10 views

CVE-2026-13492

The CVE-2026-13492 entry concerns the WordPress UsersWP plugin (affected versions up to and including 1.2.65). The vulnerability arises from insufficient validation of file-field values in UsersWP_Validation::validate_fields(), which falls through to sanitize_text_field() for fields of type 'file...

8.8CVSS6AI score0.00525EPSS
Exploits0References8
EUVD
EUVD
added 2 days ago5 views

EUVD-2026-42686

The UsersWP plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 1.2.65. This is due to insufficient validation of file-field values in the UsersWPValidation::validatefields function which falls through to sanitizetextfield for fields of type 'file',...

8.8CVSS6AI score0.00525EPSS
Exploits0References8
Cvelist
Cvelist
added 2 days ago28 views

CVE-2026-13492 UsersWP <= 1.2.65 - Authenticated (Subscriber+) Arbitrary File Deletion via File Upload Field

The UsersWP plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 1.2.65. This is due to insufficient validation of file-field values in the UsersWPValidation::validatefields function which falls through to sanitizetextfield for fields of type 'file',...

8.8CVSS0.00525EPSS
Exploits0References8
CVE
CVE
added 2 days ago10 views

CVE-2026-12428

The CVE concerns the WordPress plugin Blocks for ACF Fields (versions up to 1.6.2). A missing capability check on the REST endpoint /wp-json/acf-field-blocks/v1/values (get_all_values) allows unauthorized access to ACF field data. The permission_callback only verifies publish_posts, and the handl...

6.5CVSS6.1AI score0.00285EPSS
Exploits0References8
Rows per page
Query Builder