Lucene search
K

555 matches found

NVD
NVD
added 2026/04/02 8:16 a.m.7 views

CVE-2026-0688

The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 via the 'Tools::read' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations...

6.4CVSS0.00201EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/04/02 7:39 a.m.1 views

CVE-2026-0688

The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 via the 'Tools::read' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations...

6.4CVSS5.9AI score0.00201EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/04/02 12:0 a.m.5 views

PT-2026-29687

The Webmention plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.6.2 via the 'Tools::read' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations...

6.4CVSS5.9AI score0.00201EPSS
Exploits0References5
Patchstack
Patchstack
added 2026/03/31 11:58 p.m.4 views

WordPress User Profile Builder - Beautiful User Registration Forms, User Profiles & User Role Editor plugin <= 3.15.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Post Author Reassignment via Avatar Field vulnerability

WordPress User Profile Builder - Beautiful User Registration Forms, User Profiles & User Role Editor plugin = 3.15.5 - Insecure Direct Object Reference to Authenticated Subscriber+ Arbitrary Post Author Reassignment via Avatar Field vulnerability discovered by type5afe in WordPress Plugin Profile...

4.3CVSS5.9AI score0.00171EPSS
Exploits0References1Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/27 3:37 a.m.16 views

CVE-2026-3098

The Smart Slider 3 plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.5.1.33 via the 'actionExportAll' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on th...

6.5CVSS5.9AI score0.00484EPSS
Exploits0References5
NVD
NVD
added 2026/03/26 12:16 a.m.3 views

CVE-2026-4758

The WP Job Portal plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'WPJOBPORTALcustomfields::removeFileCustom' function in all versions up to, and including, 2.4.9. This makes it possible for authenticated attackers, with Subscriber-lev...

8.8CVSS0.0078EPSS
Exploits0References3
Patchstack
Patchstack
added 2026/03/24 4:50 p.m.9 views

WordPress LearnPress plugin <= 4.3.2.8 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Quiz Answer Deletion vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Quiz Answer Deletion vulnerability discovered by Jack Pas Dark. - Black Lantern Security in WordPress Plugin LearnPress versions = 4.3.2.8...

4.3CVSS5.8AI score0.00262EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/23 11:25 p.m.4 views

CVE-2026-3533 JupiterX Core <= 4.14.1 - Authenticated (Subscriber+) Missing Authorization To Limited File Upload via Popup Template Import

The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authorization on importpopuptemplates function as well as insufficient file type validation in the uploadfiles function in all versions up to, and including, 4.14.1. This makes it possible for Authenticat...

8.8CVSS5.9AI score0.00676EPSS
Exploits0References4
Patchstack
Patchstack
added 2026/03/22 10:4 p.m.6 views

WordPress RepairBuddy plugin <= 4.1132 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification via wc_rep_shop_settings_submission AJAX Action vulnerability

Missing Authorization to Authenticated Subscriber+ Plugin Settings Modification via wcrepshopsettingssubmission AJAX Action vulnerability discovered by WordFence in WordPress Plugin RepairBuddy versions = 4.1132...

5.3CVSS5.8AI score0.00236EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/03/21 4:17 a.m.6 views

CVE-2026-3460

The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback updateuserwechatshopinfopermissionscheck only validating that the supplied 'openid' parameter corresponds to an...

5.3CVSS0.00324EPSS
Exploits0References7
NVD
NVD
added 2026/03/21 4:16 a.m.7 views

CVE-2026-2351

The Task Manager plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.0.2 via the callbackgettextfromurl function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on th...

6.5CVSS0.00252EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/03/21 3:26 a.m.29 views

CVE-2026-4087 Pre* Party Resource Hints <= 1.8.20 - Authenticated (Subscriber+) SQL Injection via 'hint_ids' Parameter

The Pre Party Resource Hints plugin for WordPress is vulnerable to SQL Injection via the 'hintids' parameter of the pprhupdatehints AJAX action in all versions up to, and including, 1.8.20. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on t...

6.5CVSS0.00261EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/03/21 3:26 a.m.1 views

CVE-2026-4087

The Pre Party Resource Hints plugin for WordPress is vulnerable to SQL Injection via the 'hintids' parameter of the pprhupdatehints AJAX action in all versions up to, and including, 1.8.20. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on t...

6.5CVSS5.9AI score0.00261EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2026/03/21 3:26 a.m.10 views

CVE-2026-3460 REST API TO MiniProgram <= 5.1.2 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'userid' REST API Parameter

The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback updateuserwechatshopinfopermissionscheck only validating that the supplied 'openid' parameter corresponds to an...

5.3CVSS5.9AI score0.00324EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2026/03/21 3:26 a.m.5 views

CVE-2026-1935 Company Posts for LinkedIn <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary LinkedIn Post Data Deletion

The Company Posts for LinkedIn plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.0. This is due to a missing capability check on the linkedincompanypostresethandler function hooked to adminpostresetlinkedincompanypost. This makes it possible for...

4.3CVSS5.8AI score0.00238EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/03/21 12:0 a.m.5 views

PT-2026-26802

The Group Chat & Video Chat by AtomChat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'atomchat update auth ajax' and 'atomchat update layout ajax' functions in all versions up to, and including, 1.1.7. This makes it possible for...

5.3CVSS5.8AI score0.00285EPSS
Exploits0References4
Patchstack
Patchstack
added 2026/03/19 10:16 p.m.4 views

WordPress Download Manager plugin <= 3.3.49 - Missing Authorization to Authenticated (Subscriber+) User Email Enumeration via 'user' Parameter vulnerability

Missing Authorization to Authenticated Subscriber+ User Email Enumeration via 'user' Parameter vulnerability discovered by Quốc Huy jtwings - Puramu in WordPress Plugin Download Manager versions = 3.3.49...

4.3CVSS5.8AI score0.00222EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 2026/03/16 9:29 p.m.11 views

WordPress NEX-Forms - Ultimate Forms Plugin for WordPress plugin <= 9.1.9 - Missing Authorization to Authenticated (Subscriber+) License Deactivation via deactivate_license vulnerability

WordPress NEX-Forms - Ultimate Forms Plugin for WordPress plugin = 9.1.9 - Missing Authorization to Authenticated Subscriber+ License Deactivation via deactivatelicense vulnerability discovered by Legion Hunter in WordPress Plugin NEX-Forms versions = 9.1.9...

4.3CVSS5.8AI score0.00212EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/03/16 3:30 p.m.10 views

EUVD-2026-12182

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivatelicense function in all versions up to, and including, 9.1.9. This makes it possible for authenticated attackers, with...

4.3CVSS5.8AI score0.00212EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/14 3:24 a.m.6 views

CVE-2026-1948 NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Authenticated (Subscriber+) License Deactivation via deactivate_license

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivatelicense function in all versions up to, and including, 9.1.9. This makes it possible for authenticated attackers, with...

4.3CVSS5.8AI score0.00212EPSS
Exploits0References2
Rows per page
Query Builder