
6894 matches found

NVD
added 11 hours ago, 5 views

CVE-2026-13252

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'aspectRatio' Attribute in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. Th...

CVSS 6.4
Exploits: 0, References: 6

CVE
added 13 hours ago, 7 views

CVE-2026-13252

The CVE-2026-13252 entry concerns the WordPress plugin RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator. Affected: the plugin’s handling of the aspectRatio attribute allows Stored Cross-Site Scripting due to insufficient input sanitization and output es...

CVSS 6.4, AI score 5.9
Exploits: 0, References: 6

NVD
added 15 hours ago, 7 views

CVE-2026-11781

The Adminify WordPress plugin before 4.2.10 does not perform per-user read-capability checks on the results returned by one of its administration search features, allowing users with a low-privilege role Contributor to disclose non-public content that WordPress would not otherwise expose to them,...

CVSS 2.7
Exploits: 0, References: 1

Cvelist
added 16 hours ago, 12 views

CVE-2026-11592 Email Subscribers & Newsletters <= 5.9.27 - Missing Authorization to Authenticated (Contributor+) Settings Modification via ig_es_handle_request AJAX Action

The Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.9.27. This is due to the plugin not properly verifying that a user is authorized to perfor...

CVSS 4.3
Exploits: 0, References: 12

NVD
added yesterday, 6 views

CVE-2026-10095

The WP Photo Album Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtext' parameter in all versions up to, and including, 9.1.13.005 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 6.4
Exploits: 0, References: 11

NVD
added yesterday, 5 views

CVE-2026-13733

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'nodatamsg' Shortcode Attribute in all versions up to, and including, 3.3.60 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 6.4, EPSS 0.00206
Exploits: 0, References: 8

NVD
added yesterday, 5 views

CVE-2026-12732

The LearnPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_wrapper_form' shortcode attribute in versions up to, and including, 4.4.0. This is due to insufficient input sanitization and output escaping in the FilterCourseTemplate::sections method at line 98, wher...

CVSS 6.4, EPSS 0.00193
Exploits: 0, References: 4

EUVD
added yesterday, 5 views

EUVD-2026-40923

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'nodatamsg' Shortcode Attribute in all versions up to, and including, 3.3.60 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 6.4, AI score 5.9, EPSS 0.00206
Exploits: 0, References: 8

EUVD
added yesterday, 5 views

EUVD-2026-40934

The LearnPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_wrapper_form' shortcode attribute in versions up to, and including, 4.4.0. This is due to insufficient input sanitization and output escaping in the FilterCourseTemplate::sections method at line 98, wher...

CVSS 6.4, AI score 5.9, EPSS 0.00193
Exploits: 0, References: 4

CVE
added yesterday, 7 views

CVE-2026-12732

CVE-2026-12732 concerns the LearnPress WordPress plugin (versions <= 4.4.0). The vulnerability is a Stored Cross-Site Scripting (XSS) via the shortcode attribute class_wrapper_form. Root cause: insufficient input sanitization and output escaping in FilterCourseTemplate::sections(), where att...

CVSS 6.4, AI score 5.9, EPSS 0.00193
Exploits: 0, References: 4

NVD
added yesterday, 7 views

CVE-2026-9107

The Kali Forms — Contact Form & Drag-and-Drop Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'metakaliformsfieldcomponents' parameter in all versions up to, and including, 2.4.13 due to insufficient input sanitization and output escaping. This makes it possible...

CVSS 6.4, EPSS 0.00241
Exploits: 0, References: 10

NVD
added yesterday, 7 views

CVE-2026-2387

The Event Organiser plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.12.9. This is due to the 'eoevents' shortcode accepting attacker-controlled 'noevents' content and rendering it in event list templates without output escaping. This makes...

CVSS 6.4, EPSS 0.00156
Exploits: 0, References: 2

NVD
added yesterday, 5 views

CVE-2026-12904

The Kadence Blocks – Gutenberg Blocks for Page Builder Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.7.7. This is due to a mismatch between the object used for authorization and the object actually accessed in the...

CVSS 4.3, EPSS 0.00293
Exploits: 0, References: 20

NVD
added yesterday, 8 views

CVE-2026-12135

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'video_player' shortcode 'align' attribute in all versions up to, and including, 7.5.51.7212 due to insufficient input sanitization and output escaping on user supplied attributes. This makes i...

CVSS 6.4, EPSS 0.00205
Exploits: 0, References: 6

NVD
added yesterday, 6 views

CVE-2026-12902

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

CVSS 4.3, EPSS 0.00272
Exploits: 0, References: 10

EUVD
added yesterday, 6 views

EUVD-2026-40899

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'video_player' shortcode 'align' attribute in all versions up to, and including, 7.5.51.7212 due to insufficient input sanitization and output escaping on user supplied attributes. This makes i...

CVSS 6.4, AI score 5.9, EPSS 0.00205
Exploits: 0, References: 6

Cvelist
added yesterday, 29 views

CVE-2026-12135 FV Flowplayer Video Player <= 7.5.51.7212 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'video_player' Shortcode

The FV Flowplayer Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'video_player' shortcode 'align' attribute in all versions up to, and including, 7.5.51.7212 due to insufficient input sanitization and output escaping on user supplied attributes. This makes i...

CVSS 6.4, EPSS 0.00205
Exploits: 0, References: 6

EUVD
added yesterday, 5 views

EUVD-2026-40895

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

CVSS 4.3, AI score 5.9, EPSS 0.00272
Exploits: 0, References: 10

CVE
added yesterday, 10 views

CVE-2026-12902

Kadence Blocks — Page Builder Toolkit for Gutenberg Editor (WordPress) contains an authorization bypass in all versions up to 3.7.7. Authenticated attackers with contributor-level access can create arbitrary Media Library attachments by downloading remote images into the uploads directory via wp_...

CVSS 4.3, AI score 5.9, EPSS 0.00272
Exploits: 0, References: 10

EUVD
added yesterday, 6 views

EUVD-2026-40891

The Kali Forms — Contact Form & Drag-and-Drop Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'metakaliformsfieldcomponents' parameter in all versions up to, and including, 2.4.13 due to insufficient input sanitization and output escaping. This makes it possible...

CVSS 6.4, AI score 5.9, EPSS 0.00241
Exploits: 0, References: 10