Lucene search
K

538 matches found

Vulnrichment
Vulnrichment
added 2026/05/22 7:50 a.m.8 views

CVE-2026-7636 Slider by Soliloquy <= 2.8.1 - Authenticated (Subscriber+) Information Disclosure via REST API Endpoint

The Slider by Soliloquy – Responsive Image Slider for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.1 via the mapmetacap. This makes it possible for authenticated attackers, with subscriber-level access and above, to extra...

4.3CVSS5.8AI score0.00236EPSS
Exploits0References8
Patchstack
Patchstack
added 2026/05/21 7:24 p.m.8 views

WordPress Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder plugin <= 1.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Form Structure Modification vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Form Structure Modification vulnerability discovered by Thanh Toan Bui in WordPress Plugin Vedrixa Forms – User Registration Form, Signup Form & Drag & Drop Form Builder versions = 1.1.1...

4.3CVSS5.8AI score0.00225EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/20 5:31 a.m.13 views

CVE-2026-6566 Photo Gallery, Sliders, Proofing and Themes <= 4.2.0 - Insecure Direct Object Reference to Authenticated (Subscriber+) Image Deletion via REST API

The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 4.2.0. This is due to insufficient object-level authorization in the image deletion REST flow where the permission callback for...

4.3CVSS5.7AI score0.00264EPSS
Exploits0References2
NVD
NVD
added 2026/05/20 2:16 a.m.16 views

CVE-2026-8685

The Infility Global plugin for WordPress is vulnerable to SQL Injection via the 'orderby' and 'order' parameters in all versions up to, and including, 2.15.16. This is due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the existing SQL query within the...

6.5CVSS0.00359EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/05/20 12:0 a.m.12 views

PT-2026-42114

The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 10.8.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. Thi...

8.8CVSS5.8AI score0.00336EPSS
Exploits0References3
CNNVD
CNNVD
added 2026/05/20 12:0 a.m.10 views

WordPress plugin AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

8.8CVSS5.8AI score0.00336EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/17 2:27 a.m.48 views

CVE-2026-8719 AI Engine 3.4.9 - Authenticated (Subscriber+) Privilege Escalation via Missing Authorization in MCP OAuth Bearer Token

The AI Engine – The Chatbot, AI Framework & MCP for WordPress plugin for WordPress is vulnerable to Privilege Escalation in version 3.4.9. This is due to missing WordPress capability enforcement in the MCP OAuth bearer-token authorization path, where any valid OAuth token causes MCP access to be...

8.8CVSS0.00359EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/16 12:30 p.m.9 views

CVE-2025-4202 Multicollab: Content Team Collaboration and Editorial Workflow <= 5.2 - Missing Authorization to Authenticated (Subscriber+) Collaboration Comment

The Multicollab: Content Team Collaboration and Editorial Workflow plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'cfaddcomment' function in all versions up to, and including, 5.2. This makes it possible for authenticated attackers...

4.3CVSS5.9AI score0.00237EPSS
Exploits0References3
NVD
NVD
added 2026/05/15 9:16 a.m.39 views

CVE-2026-6415

The Advanced Custom Fields: Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.0.2. This is due to insufficient input validation of JSON field values and unsafe client-side HTML construction in the updatepreview JavaScript function. Th...

6.4CVSS0.00274EPSS
Exploits0References6
CVE
CVE
added 2026/05/15 8:27 a.m.13 views

CVE-2026-7563

The CVE-2026-7563 entry concerns the WordPress plugin Classified Listing – AI-Powered Classified ads & Business Directory (versions up to and including 5.3.10). The vulnerability arises from missing authorization verification, enabling authenticated users with subscriber-level access or higher to...

4.3CVSS5.9AI score0.00265EPSS
Exploits0References14
CVE
CVE
added 2026/05/14 6:44 a.m.21 views

CVE-2026-3892

The Motors – Car Dealership & Classified Listings Plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to 1.4.107 due to insufficient file path validation in the become-dealer logo upload flow. An authenticated user with subscriber+ access can set an arbitrary filesyst...

8.1CVSS5.9AI score0.00256EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/14 6:44 a.m.68 views

CVE-2026-6225 Taskbuilder – Project Management & Task Management Tool With Kanban Board <= 5.0.6 - Authenticated (Subscriber+) Time-Based Blind SQL Injection via 'project_search' Parameter

The Taskbuilder – Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'projectsearch' parameter in all versions up to, and including, 5.0.6 due to insufficient escaping on the user supplied parameter and lack of...

6.5CVSS0.00224EPSS
Exploits0References2
CVE
CVE
added 2026/05/14 5:30 a.m.15 views

CVE-2026-3829

The WP Encryption – One Click Free SSL Certificate & SSL / HTTPS Redirect, Security & SSL Scan plugin for WordPress is affected by CVE-2026-3829 due to missing capability checks in wple_basic_get_requests across all versions up to 7.8.5.10. This allows authenticated users with subscriber-level ac...

5.4CVSS5.8AI score0.00202EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/13 4:26 a.m.6 views

CVE-2025-9987

The Broadstreet plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.53.1 via the getsponsoredmeta AJAX action. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract data from password protect...

5.3CVSS5.8AI score0.0027EPSS
Exploits0References3
CVE
CVE
added 2026/05/13 4:26 a.m.14 views

CVE-2025-9987

The Broadstreet WordPress plugin (versions

5.3CVSS5.8AI score0.0027EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/13 4:26 a.m.41 views

CVE-2025-9987 Broadstreet <= 1.53.1 - Authenticated (Subscriber+) Information Disclosure

The Broadstreet plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.53.1 via the getsponsoredmeta AJAX action. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract data from password protect...

5.3CVSS0.0027EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/13 4:26 a.m.7 views

EUVD-2025-209819

The Broadstreet plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the createadvertiser AJAX action in all versions up to, and including, 1.53.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create...

4.3CVSS5.8AI score0.00158EPSS
Exploits0References2
Patchstack
Patchstack
added 2026/05/12 3:43 p.m.11 views

WordPress Broadstreet plugin <= 1.53.1 - Missing Authorization to Authenticated (Subscriber+) Advertiser Creation vulnerability

Missing Authorization to Authenticated Subscriber+ Advertiser Creation vulnerability discovered by greenhats - Student in WordPress Plugin Broadstreet Ads versions = 1.53.1...

4.3CVSS5.8AI score0.00158EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2026/05/12 7:48 a.m.16 views

CVE-2026-5028

The Eight Day Week Print Workflow WordPress plugin (vulnerable up to 1.2.6) is affected by a time-based blind SQL injection via the title parameter in the pp-get-articles AJAX action. Root cause: insufficient escaping and inadequate SQL query preparation. Impact: authenticated attackers with Subs...

6.5CVSS5.9AI score0.00241EPSS
Exploits0References3
Patchstack
Patchstack
added 2026/05/12 12:0 a.m.9 views

WordPress ProfileGrid – User Profiles, Groups and Communities plugin <= 5.9.8.4 - Missing Authorization to Authenticated (Subscriber+) Group Settings Modification vulnerability

Missing Authorization to Authenticated Subscriber+ Group Settings Modification vulnerability discovered by Chawabhon Netisingha JNX03 in WordPress Plugin ProfileGrid versions = 5.9.8.4...

4.3CVSS5.8AI score0.00234EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder