Lucene search
K

3566 matches found

Nuclei
Nuclei
added 17 hours ago62 views

Show all comments < 7.0.1 - Cross-Site Scripting

The Show All Comments WordPress plugin before 7.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against a logged in high privilege users such as admin. id: CVE-2022-4295 info: name: Show all commen...

6.1CVSS6.4AI score0.00897EPSS
Exploits2References3
Nuclei
Nuclei
added yesterday95 views

WordPress Core <6.5.2 - Cross-Site Scripting

WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. id: CVE-2024-4439 info: name: WordPress Core 6.5.2 - Cross-Site Scripting author: nqdung2002 severity: hi...

7.2CVSS6.9AI score0.70822EPSS
Exploits4References2
EUVD
EUVD
added 2 days ago6 views

EUVD-2026-43288

The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments...

4.3CVSS6.2AI score0.0017EPSS
Exploits0References2
NVD
NVD
added 2 days ago4 views

CVE-2026-12273

The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments...

4.3CVSS0.0017EPSS
Exploits0References1
Cvelist
Cvelist
added 2 days ago33 views

CVE-2026-12273 Tutor LMS < 3.9.13 - Subscriber+ Arbitrary Auto-Approved Comment Creation

The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments...

0.0017EPSS
Exploits0References1
CVE
CVE
added 2 days ago10 views

CVE-2026-12273

The CVE-2026-12273 entry concerns Tutor LMS for WordPress (MITRE CVE-2026-12273). Affected component: Tutor LMS WordPress plugin prior to version 3.9.13. Description details a lack of authorization checks and post-target validation in a comment-creation handler, resulting in pre-approved comments...

4.3CVSS6.2AI score0.0017EPSS
Exploits0References1
EUVD
EUVD
added 4 days ago5 views

EUVD-2026-43130

The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Comment Content and User Biographical Info in all versions up to, and including, 1.4.112 due to insufficient input sanitization and output escaping. This makes it possibl...

7.2CVSS6.2AI score0.00247EPSS
Exploits0References8
Fedora
Fedora
added 6 days ago8 views

[SECURITY] Fedora 43 Update: perl-CSS-Minifier-XS-0.15-1.fc43

'CSS::Minifier::XS' is a CSS "minifier". It's designed to remove unnecessary white-space and comments from CSS files, while also not breaking the CSS. 'CSS::Minifier::XS' is similar in function to 'CSS::Minifier', but is substantially faster as it's written in XS and not just pure Perl...

6.5CVSS5.9AI score0.00238EPSS
Exploits0
Positive Technologies
Positive Technologies
added 6 days ago5 views

PT-2026-57027

Name of the Vulnerable Software and Affected Versions YesWiki versions prior to 4.6.6 Description An issue exists in the erasespamedcomments wiki action, located in actions/EraseSpamedCommentsAction.php, which allows unauthenticated users to permanently delete arbitrary wiki pages. The action...

9.1CVSS6.2AI score0.00052EPSS
Exploits0References5
CVE
CVE
added 2026/07/08 5:34 a.m.12 views

CVE-2026-11798

The CVE concerns the WordPress plugin Social Share, Social Login and Social Comments Plugin – Super Socializer . It is vulnerable to Reflected Cross-Site Scripting via the parameter heateor_mastodon_share in all versions up to and including 7.14.5 , caused by insufficient input sanitization and o...

6.1CVSS6.1AI score0.00204EPSS
Exploits0References3
Fedora
Fedora
added 2026/07/08 1:11 a.m.6 views

[SECURITY] Fedora 43 Update: perl-JavaScript-Minifier-XS-0.16-1.fc43

JavaScript::Minifier::XS is a JavaScript "minifier"; it's designed to remove unnecessary white space and comments from JavaScript files without breaking the JavaScript...

7.5CVSS6AI score0.00609EPSS
Exploits0
Fedora
Fedora
added 2026/07/08 12:58 a.m.6 views

[SECURITY] Fedora 44 Update: perl-JavaScript-Minifier-XS-0.16-1.fc44

JavaScript::Minifier::XS is a JavaScript "minifier"; it's designed to remove unnecessary white space and comments from JavaScript files without breaking the JavaScript...

7.5CVSS5.9AI score0.00609EPSS
Exploits0
OSV
OSV
added 2026/07/07 10:5 p.m.3 views

CVE-2026-14740 DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment

DBI versions before 1.650 for Perl read one byte out-of-bounds in preparse when deleting an initial SQL comment. The preparse method normalises SQL and removes comments. When the SQL starts with a comment line, the deletion of that line during normalisation led to an out-of-bounds read by one byt...

9.1CVSS6.1AI score0.00407EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.9 views

PT-2026-56062

Name of the Vulnerable Software and Affected Versions Langroid versions prior to 0.65.1 Description Langroid is a framework for building large-language-model-powered applications. The SQLChatAgent component implements a SQL-injection mitigation that uses a raw-text regex blocklist DANGEROUS SQL...

9.3CVSS6.2AI score0.00646EPSS
Exploits0References14
Cvelist
Cvelist
added 2026/07/03 6:50 a.m.38 views

CVE-2026-9148 Comments <= 7.6.56 - Unauthenticated Stored Cross-Site Scripting via 'Website' Field

The Comments – wpDiscuz plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the guest commenter 'Website' field in versions up to, and including, 7.6.56 This is due to insufficient output escaping in the getCommentAuthor function, which interpolates the stored commentauthorurl...

7.2CVSS0.00305EPSS
Exploits0References11
CVE
CVE
added 2026/07/03 6:50 a.m.18 views

CVE-2026-9148

The Comments – wpDiscuz plugin for WordPress (affected: versions up to 7.6.56) is vulnerable to Stored XSS via the guest commenter field Website. The root cause is insufficient output escaping in getCommentAuthor(), which interpolates the stored comment_author_url directly into single-quoted HTML...

7.2CVSS6.1AI score0.00305EPSS
Exploits0References11
Positive Technologies
Positive Technologies
added 2026/07/03 12:0 a.m.16 views

PT-2026-55500

Name of the Vulnerable Software and Affected Versions JSON API User versions prior to 4.1.1 Description The JSON API User plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs because the post comment function fails to properly sanitize input, allowing the comment content...

6.4CVSS6.1AI score0.00228EPSS
Exploits0References10
Cvelist
Cvelist
added 2026/07/02 6:0 a.m.40 views

CVE-2026-11781 Adminify < 4.2.10 - Contributor+ Sensitive Information Disclosure via Global Search AJAX

The Adminify WordPress plugin before 4.2.10 does not perform per-user read-capability checks on the results returned by one of its administration search features, allowing users with a low-privilege role Contributor to disclose non-public content that WordPress would not otherwise expose to them,...

0.00189EPSS
Exploits0References1
CVE
CVE
added 2026/07/02 6:0 a.m.16 views

CVE-2026-11781

The CVE-2026-11781 entry affects the Adminify WordPress plugin prior to version 4.2.10. The vulnerability arises because the plugin does not perform per-user read-capability checks on results returned by an administration search feature. As a result, users with a low-privilege role (Contributor) ...

2.7CVSS5.7AI score0.00189EPSS
Exploits0References1
NVD
NVD
added 2026/07/01 11:16 p.m.6 views

CVE-2026-14440

Description: To issue and renew TLS certificates on behalf of customers, Cloudflare's Universal SSL feature automatically manages the CAA RRset for the customer's zone. This auto-managed RRset is permissive by design e.g. 'issue "letsencrypt.org"' without parameters. On Universal SSL zones,...

7.6CVSS0.00135EPSS
Exploits0References8
Rows per page
Query Builder