Lucene search
+L

1119350 matches found

cve
cve
added 4 hours ago7 views

CVE-2026-15324

The CVE-2026-15324 entry concerns the SysBasics Customize My Account for WooCommerce – Live My Account Customizer WordPress plugin. Affected component: the plugin’s handling of the row_type parameter (and variants noted as row type). Root cause: insufficient input sanitization and output escaping...

4.4CVSS6.2AI score
Exploits0References8
euvd
euvd
added 4 hours ago4 views

EUVD-2026-44902

The SysBasics Customize My Account for WooCommerce – Live My Account Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rowtype' parameter in all versions up to, and including, 4.4.14 due to insufficient input sanitization and output escaping. This makes it...

4.4CVSS6.2AI score
Exploits0References8
cve
cve
added 4 hours ago13 views

CVE-2026-15021

The wpForo Forum plugin for WordPress is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the 'location' Profile Field across all versions up to 3.1.1. The issue stems from insufficient input sanitization and output escaping; sanitize_text_field() at input does not encode double q...

6.4CVSS6.2AI score
Exploits0References8
euvd
euvd
added 4 hours ago5 views

EUVD-2026-44899

The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'location' Profile Field in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access...

6.4CVSS6.2AI score
Exploits0References8
cve
cve
added 5 hours ago6 views

CVE-2026-13755

The Tickera – Sell Tickets & Manage Events WordPress plugin (up to version 3.6.0.0) is affected by a Stored Cross‑Site Scripting vulnerability via the price_wrapper shortcode attribute. The root cause is insufficient input sanitization and output escaping, allowing authenticated attackers with co...

6.4CVSS6.3AI score
Exploits0References5
cvelist
cvelist
added 5 hours ago11 views

CVE-2026-13755 Tickera <= 3.6.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'price_wrapper' Shortcode Attribute

The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'pricewrapper' Shortcode Attribute in all versions up to, and including, 3.6.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS
Exploits0References5
euvd
euvd
added 5 hours ago3 views

EUVD-2026-44894

The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'pricewrapper' Shortcode Attribute in all versions up to, and including, 3.6.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS6.3AI score
Exploits0References5
euvd
euvd
added 5 hours ago3 views

EUVD-2026-44886

The Breakdance plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fields' parameter in versions up to, and including, 2.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...

7.2CVSS6.2AI score
Exploits0References2
cvelist
cvelist
added 5 hours ago7 views

CVE-2026-15099 WP Delicious <= 1.10.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'steps' Block Attribute

The Delicious Recipes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'steps' block attribute in versions up to, and including, 1.10.2. This is due to insufficient input sanitization and output escaping in the wrapdirectiontext function, which interpolates the...

6.4CVSS
Exploits0References5
cve
cve
added 7 hours ago7 views

CVE-2026-12869

CVE-2026-12869 affects the Header Footer Builder for Elementor WordPress plugin prior to 1.2.1. The dashboard template-import action does not require an administrative capability, allowing a Contributor to import a template containing an Elementor HTML widget configured to display site-wide. This...

6.1AI score
Exploits0References1
cvelist
cvelist
added 7 hours ago7 views

CVE-2026-12869 Header Footer Builder for Elementor < 1.2.1 - Contributor+ Stored XSS via Template Import

The Header Footer Builder for Elementor WordPress plugin before 1.2.1 does not require an administrative capability for its dashboard template-import action it allows any editposts user, so a Contributor can import a template containing an Elementor HTML widget configured to display site-wide,...

Exploits0References1
cve
cve
added 7 hours ago7 views

CVE-2026-12978

The FunnelKit WordPress plugin is vulnerable before version 3.15.0.6 to a Reflected XSS in a page-builder AJAX action when Divi builder is active. The issue arises from insufficient escaping of a user-supplied parameter reflected into the HTML response, enabling unauthenticated attackers to targe...

6.1AI score
Exploits0References1
euvd
euvd
added 7 hours ago5 views

EUVD-2026-44881

The FunnelKit WordPress plugin before 3.15.0.6 does not escape a user-supplied parameter before reflecting it into the HTML response of one of its page-builder AJAX actions, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting against logged-in users who open a crafted pag...

6.1AI score
Exploits0References1
cvelist
cvelist
added 7 hours ago7 views

CVE-2026-11371 BetterDocs < 4.5.5 - Unauthenticated Stored XSS via AI Doc Summarizer Prompt Injection

The BetterDocs WordPress plugin before 4.5.5 does not sanitise an AI-generated documentation summary before storing and outputting it, and the feature that generates it is exposed to unauthenticated users, allowing them to store a malicious payload via prompt injection that executes in the browse...

Exploits0References1
cve
cve
added 7 hours ago4 views

CVE-2026-11371

The BetterDocs WordPress plugin (versions before 4.5.5) is vulnerable to unauthenticated stored XSS via the AI Doc Summarizer prompt injection. An unauthenticated user can store a malicious payload during generation that is later output and executed in the browser of any visitor who views the aff...

6.1AI score
Exploits0References1
euvd
euvd
added 9 hours ago4 views

EUVD-2026-44865

The RPB Chessboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Comment Content in all versions up to, and including, 8.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...

7.2CVSS6.2AI score
Exploits0References8
cve
cve
added 9 hours ago8 views

CVE-2026-15306

CVE-2026-15306 affects the WordPress plugin Product Feed Manager For WooCommerce (

6.1CVSS6.2AI score
Exploits0References6
euvd
euvd
added 9 hours ago3 views

EUVD-2026-44863

The Product Feed Manager For WooCommerce – Sell on 200+ Online Marketplaces plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via 's' Search Parameter in all versions up to, and including, 7.6.1 due to insufficient input sanitization and output escaping. This makes it possible...

6.1CVSS6.2AI score
Exploits0References6
cve
cve
added 10 hours ago8 views

CVE-2026-15652

The CVE-2026-15652 affects the WordPress plugin Easy Accordion – AI-Powered FAQ & Accordion Blocks. It allows Stored Cross-Site Scripting via the 'align' Block Attribute in all versions up to 3.1.6 due to insufficient input sanitization and output escaping. Exploitation requires authenticated acc...

6.4CVSS6.2AI score
Exploits0References5
euvd
euvd
added 10 hours ago4 views

EUVD-2026-44861

The Easy Accordion – AI-Powered FAQ & Accordion Blocks, Product FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'align' Block Attribute in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS6.2AI score
Exploits0References5
Rows per page
Query Builder