Lucene search
+L

295 matches found

Positive Technologies
Positive Technologies
added 2026/01/16 12:0 a.m.8 views

PT-2026-3223

The DK PDF – WordPress PDF Generator plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.3.0 via the 'addContentToMpdf' function. This makes it possible for authenticated attackers, author level and above, to make web requests to arbitrary...

5CVSS5.8AI score0.00242EPSS
Exploits0References6
NVD
NVD
added 2026/01/15 2:16 p.m.8 views

CVE-2025-13062

The Supreme Modules Lite plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.5.62. This is due to insufficient file type validation detecting JSON files, allowing double extension files to bypass sanitization while being accepted as a valid JSON fil...

8.8CVSS0.00505EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/01/15 1:23 p.m.3 views

CVE-2025-13062

The Supreme Modules Lite plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.5.62. This is due to insufficient file type validation detecting JSON files, allowing double extension files to bypass sanitization while being accepted as a valid JSON fil...

8.8CVSS6.6AI score0.00505EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/01/10 12:0 a.m.5 views

PT-2026-1744

Name of the Vulnerable Software and Affected Versions ConvertForce Popup Builder plugin for WordPress versions up to and including 0.0.7 Description The ConvertForce Popup Builder plugin for WordPress is susceptible to Stored Cross-Site Scripting. The issue stems from inadequate input sanitizatio...

6.4CVSS5.6AI score0.00192EPSS
Exploits0References10
RedhatCVE
RedhatCVE
added 2026/01/09 9:33 a.m.7 views

CVE-2024-39877

Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a docmd parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to...

8.8CVSS8.7AI score0.01726EPSS
Exploits0References1
NVD
NVD
added 2026/01/09 9:15 a.m.8 views

CVE-2026-0627

The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file content that only removes tags while allowing other XSS vectors such as event handlers onload,...

6.4CVSS0.00188EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/01/09 6:34 a.m.5 views

CVE-2025-14893 IndieWeb <= 4.0.5 - Authenticated (Author+) Stored Cross-Site Scripting via 'Telephone' Parameter

The IndieWeb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Telephone' parameter in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author level access and...

6.4CVSS4.7AI score0.00205EPSS
Exploits2References2
Cvelist
Cvelist
added 2026/01/08 9:20 a.m.30 views

CVE-2025-14984 Gutenverse Form <= 2.3.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

The Gutenverse Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file upload in all versions up to, and including, 2.3.2. This is due to the plugin's framework component adding SVG to the allowed MIME types via the uploadmimes filter without implementing any...

6.4CVSS0.00273EPSS
Exploits0References4
CVE
CVE
added 2026/01/08 9:20 a.m.23 views

CVE-2025-14984

CVE-2025-14984 : Gutenverse Form for WordPress is vulnerable to Stored Cross-Site Scripting via SVG uploads in all versions up to and including 2.3.2. The issue arises because the plugin framework adds SVG to allowed MIME types without sanitizing contents, enabling authenticated attackers with Au...

6.4CVSS4.9AI score0.00273EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/01/08 12:0 a.m.12 views

PT-2026-1763

Name of the Vulnerable Software and Affected Versions Gutenverse Form plugin for WordPress versions prior to 2.3.3 Description The Gutenverse Form plugin for WordPress is susceptible to Stored Cross-Site Scripting through SVG file uploads. The plugin’s framework component allows SVG files through...

6.4CVSS5.5AI score0.00273EPSS
Exploits0References6
NVD
NVD
added 2026/01/07 12:16 p.m.4 views

CVE-2025-15158

The WP Enable WebP plugin for WordPress is vulnerable to arbitrary file uploads due to improper file type validation in the 'wpsefileandextwebp' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload...

8.8CVSS0.00433EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/01/07 9:20 a.m.29 views

CVE-2025-13418 Responsive Pricing Table <= 5.1.12 - Authenticated (Author+) Stored Cross-Site Scripting

The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'planicons' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-lev...

6.4CVSS0.00598EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/01/07 9:20 a.m.6 views

CVE-2025-13418 Responsive Pricing Table <= 5.1.12 - Authenticated (Author+) Stored Cross-Site Scripting

The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'planicons' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-lev...

6.4CVSS4.7AI score0.00598EPSS
Exploits0References2
CVE
CVE
added 2026/01/07 9:20 a.m.22 views

CVE-2025-13418

CVE-2025-13418 affects the WordPress plugin Responsive Pricing Table (versions

6.4CVSS4.7AI score0.00598EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/01/07 9:13 a.m.9 views

CVE-2024-2619

The Elementor Header & Footer Builder for WordPress is vulnerable to HTML Injection in all versions up to, and including, 1.6.26 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level permissions and above, to inject...

5.4CVSS6.2AI score0.00377EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/01/06 7:22 a.m.4 views

CVE-2025-12067 Table Field Add-on for ACF and SCF <= 1.3.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via Table Cell Content

The Table Field Add-on for ACF and SCF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table Cell Content in all versions up to, and including, 1.3.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS4.7AI score0.00159EPSS
Exploits0References2
CVE
CVE
added 2026/01/06 4:31 a.m.19 views

CVE-2025-14120

CVE-2025-14120 affects the URL Image Importer WordPress plugin and enables a Stored XSS via SVG uploads. Exploitation requires authenticated access at Author level or higher, affecting versions up to 1.0.7. Remediation: upgrade to version 1.0.7 (patched).

6.4CVSS4.7AI score0.00197EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/01/06 3:21 a.m.33 views

CVE-2025-14153 Page Expire Popup/Redirection for WordPress <= 1.0 - Authenticated (Author+) SQL Injection via 'id' Shortcode Attribute

The Page Expire Popup/Redirection for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' shortcode attribute in all versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing...

6.5CVSS0.00242EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/01/06 3:21 a.m.3 views

CVE-2025-14153 Page Expire Popup/Redirection for WordPress <= 1.0 - Authenticated (Author+) SQL Injection via 'id' Shortcode Attribute

The Page Expire Popup/Redirection for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' shortcode attribute in all versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing...

6.5CVSS6AI score0.00242EPSS
Exploits0References4
CVE
CVE
added 2025/12/21 3:20 a.m.22 views

CVE-2025-13693

CVE-2025-13693 affects the Image Photo Gallery Final Tiles Grid plugin (WordPress) up to version 3.6.8. It is a Stored Cross-Site Scripting vulnerability via the plugin’s ‘Custom scripts’ setting caused by insufficient input sanitization and output escaping. The issue requires an attacker to have...

6.4CVSS4.7AI score0.00197EPSS
Exploits0References4
Rows per page
Query Builder