CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Positive Technologies•added 2026/05/20 12:0 a.m.•6 views

PT-2026-42060

The Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Server-Side Request Forgery SSRF in versions up to and including 1.1.1. This is due to the import demo function accepting a user-supplied URL in the demo json file POST parameter and...

5.4CVSS5.9AI score0.001EPSS

Exploits0References9

RedhatCVE•added 2026/05/04 8:21 p.m.•2 views

CVE-2026-6378

The Maxi Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the /wp-json/maxi-blocks/v1.0/style-card REST API endpoint in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping of the scstyles parameter. This makes it possible...

6.4CVSS6AI score0.00073EPSS

Exploits0References1

NVD•added 2026/05/02 5:16 a.m.•0 views

CVE-2026-4658

The Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the className, classHook, and blockId attributes in the Add to Cart block essential-blocks/add-to-cart in all versions up to, and including, 6.0.4. This...

6.4CVSS0.00027EPSS

CVE•added 2026/05/02 4:27 a.m.•6 views

CVE-2026-4658

The CVE-2026-4658 entry concerns the WordPress plugin Essential Blocks – Page Builder Gutenberg Blocks, Patterns & Templates (Add-to-Cart block). Affected: all versions up to 6.0.4. Root cause: insufficient output escaping in render_callback() where class and data-id attributes are built via raw ...

6.4CVSS6AI score0.00027EPSS

NVD•added 2026/05/02 4:16 a.m.•1 views

CVE-2026-6378

6.4CVSS0.00073EPSS

EUVD•added 2026/05/02 3:36 a.m.•1 views

EUVD-2026-26728

6.4CVSS6AI score0.00073EPSS

Cvelist•added 2026/05/02 3:36 a.m.•23 views

CVE-2026-6378 Maxi Blocks <= 2.1.9 - Authenticated (Author+) Stored Cross-Site Scripting via Style Card REST API

6.4CVSS0.00073EPSS

RedhatCVE•added 2026/05/01 8:48 p.m.•2 views

CVE-2026-2892

The Otter Blocks plugin for WordPress is vulnerable to Purchase Verification Bypass in all versions up to, and including, 3.1.4. This is due to the 'getcustomerdata' method relying on an unsigned 'ostripedata' cookie to determine Stripe product ownership for unauthenticated users. The...

7.5CVSS5.8AI score0.00081EPSS

Exploits0References1

CVE•added 2026/04/30 1:28 p.m.•4 views

CVE-2026-2892

Summary (CVE-2026-2892): The Otter Blocks WordPress plugin (all versions up to 3.1.4) is vulnerable to a Purchase Verification Bypass. The root cause is the get_customer_data function relying on an unsigned o_stripe_data cookie to determine Stripe product ownership for unauthenticated users, whil...

7.5CVSS5.3AI score0.00081EPSS

Exploits0References5

NVD•added 2026/04/28 6:16 a.m.•1 views

CVE-2026-6551

The Timeline Blocks for Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'titleTag' attribute of the timeline-blocks/tb-timeline-blocks block in all versions up to, and including, 1.1.10 due to insufficient input sanitization and output escaping on user supplied...

6.4CVSS0.00046EPSS

ATTACKERKB•added 2026/04/22 7:45 a.m.•3 views

CVE-2026-5820

The Zypento Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table of Contents block in all versions up to, and including, 1.0.6. This is due to the front-end TOC rendering script reading heading text via innerText and inserting it into the page using innerHTML...

NVD•added 2026/04/21 7:16 a.m.•1 views

Exploits0References4

CVE-2026-6703

The Responsive Blocks – Page Builder for Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticat...

4.3CVSS0.0004EPSS

Exploits0References8

EUVD•added 2026/04/21 2:25 a.m.•1 views

EUVD-2026-24058

The Responsive Blocks – Page Builder for Blocks & Patterns plugin for WordPress is vulnerable to Unauthenticated Open Email Relay in all versions up to, and including, 2.2.0. This is due to insufficient authorization checks and missing server-side validation of the recipient email address supplie...

5.3CVSS5.8AI score0.00032EPSS

CVE•added 2026/04/21 2:25 a.m.•5 views

CVE-2026-6675

The CVE entry maps to a concrete vulnerability in the WordPress Responsive Blocks plugin (versions ≤ 2.2.0). It describes an unauthenticated open email relay via the REST API 'email_to' parameter, enabling abuse of email delivery functions without login. The source does not provide exploit steps ...

5.3CVSS5.8AI score0.00032EPSS

RedhatCVE•added 2026/04/20 7:22 p.m.•0 views

CVE-2026-0894

The Content Blocks Custom Post Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's contentblock shortcode in all versions up to, and including, 3.3.9 due to insufficient input sanitization and output escaping on user supplied values consumed from user-created...

ATTACKERKB•added 2026/04/18 9:26 a.m.•2 views

Exploits0References1

CVE-2026-0894

5.9AI score0.00012EPSS

Exploits0References3

EUVD•added 2026/04/18 9:26 a.m.•0 views

EUVD-2026-23670

CVE•added 2026/04/18 9:26 a.m.•6 views

Exploits0References2

CVE-2026-0894

The CVE-2026-0894 entry concerns the Content Blocks (Custom Post Widget) WordPress plugin, affecting all versions up to 3.3.9. The vulnerability is a Stored Cross-Site Scripting via the content_block shortcode caused by insufficient input sanitization and output escaping on user-created content b...