Lucene search
K

265 matches found

NVD
NVD
added 4 days ago8 views

CVE-2026-12122

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.11 via the getsinglesymbol. This makes it possible for unauthenticated attackers to extract the full builder metadata and...

5.3CVSS0.00285EPSS
Exploits0References8
CVE
CVE
added 4 days ago11 views

CVE-2026-12122

The CVE-2026-12122 entry documents a vulnerability in the Kirki – Freeform Page Builder, Website Builder & Customizer WordPress plugin (versions up to and including 6.0.11). The issue is a Sensitive Information Exposure via get_single_symbol that allows unauthenticated attackers to extract full b...

5.3CVSS5.8AI score0.00285EPSS
Exploits0References8
NVD
NVD
added 2026/06/27 8:16 a.m.15 views

CVE-2026-11987

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.4 via the 'id' parameter due to missing validation on a user controlled key. This...

4.3CVSS0.00271EPSS
Exploits0References14
CVE
CVE
added 2026/06/27 6:50 a.m.14 views

CVE-2026-11987

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution (WordPress) up to version 5.0.4 is vulnerable to Insecure Direct Object Reference via the id parameter due to missing validation on a user‑controlled key. Authenticated attackers with subscriber+ access can read other vendors’ pro...

4.3CVSS5.7AI score0.00271EPSS
Exploits0References14
EUVD
EUVD
added 2026/06/27 6:50 a.m.9 views

EUVD-2026-39948

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.4 via the 'id' parameter due to missing validation on a user controlled key. This...

4.3CVSS5.7AI score0.00271EPSS
Exploits0References14
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.3 views

Astra Linux – Vulnerability in Mutt

Null pointer dereferencing when composing from a specially crafted draft message in Mutt 1.5.2 2.2.12...

5.7CVSS6.2AI score0.00506EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/16 4:30 a.m.10 views

EUVD-2026-37034

The Static Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2. This is due to the staticblockcontent shortcode handler retrieving a post via getpost using an attacker-supplied 'id' attribute and outputting its postcontent without...

4.3CVSS5.4AI score0.00211EPSS
Exploits0References4
NVD
NVD
added 2026/06/12 7:16 p.m.12 views

CVE-2026-10715

Camaleon CMS 2.9.2 contains an improper authorization vulnerability in the administrator draft autosave endpoint. A low-privileged authenticated user can send an arbitrary postid to POST /admin/posttype//drafts and overwrite the draft associated with another user's post...

5.1CVSS0.00215EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/12 6:22 p.m.9 views

EUVD-2026-36536

Camaleon CMS 2.9.2 contains an improper authorization vulnerability in the administrator draft autosave endpoint. A low-privileged authenticated user can send an arbitrary postid to POST /admin/posttype//drafts and overwrite the draft associated with another user's post...

5.1CVSS5.4AI score0.00215EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.12 views

PT-2026-48984

Name of the Vulnerable Software and Affected Versions ApostropheCMS versions prior to 4.29.1 Description ApostropheCMS, an open-source Node.js content management system, contains a stored cross-site scripting issue. This occurs because the user display name is not properly sanitized when displaye...

5.3CVSS4.8AI score0.00286EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/12 12:0 a.m.13 views

PT-2026-48948

Name of the Vulnerable Software and Affected Versions Camaleon CMS version 2.9.2 Description Improper authorization in the administrator draft autosave endpoint allows a low-privileged authenticated user to overwrite a draft associated with another user's post. This is achieved by sending an...

5.1CVSS5.3AI score0.00215EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/06/06 12:0 a.m.6 views

WordPress plugin Page-list 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

4.3CVSS5.4AI score0.00224EPSS
Exploits0References7
CNNVD
CNNVD
added 2026/06/06 12:0 a.m.8 views

WordPress plugin LearnPress – WordPress LMS Plugin for Create and Sell Online Courses 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

5.3CVSS5.4AI score0.00353EPSS
Exploits0References15
RedhatCVE
RedhatCVE
added 2026/06/05 7:45 p.m.9 views

CVE-2026-4338

The ActivityPub WordPress plugin before 8.0.2 does not properly filter posts to be displayed, allowed unauthenticated users to access drafts/scheduled/pending posts...

7.5CVSS5.4AI score0.0035EPSS
Exploits0References1
Snyk
Snyk
added 2026/05/26 11:55 p.m.9 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the pages.access permission check during the rendering process of page drafts. An attacker can gain unauthorized access to sensitive page draft content by authenticating as a user without the required permission...

6CVSS5.8AI score0.00033EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/26 11:55 p.m.24 views

Kirby CMS's `pages.access` permission is not checked during rendering of page drafts

TL;DR This vulnerability affects all Kirby sites where users of a particular role have no permission to access pages pages.access permission is disabled. This can be due to configuration in the user blueprints, via options in the model blueprints or via a combination of both settings. Kirby sites...

5.7AI score0.00033EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/05/26 11:55 p.m.7 views

GHSA-2XW4-V2WX-HQQ9 Kirby CMS's `pages.access` permission is not checked during rendering of page drafts

TL;DR This vulnerability affects all Kirby sites where users of a particular role have no permission to access pages pages.access permission is disabled. This can be due to configuration in the user blueprints, via options in the model blueprints or via a combination of both settings. Kirby sites...

6CVSS5.7AI score0.00033EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/26 12:0 a.m.10 views

PT-2026-43451

TL;DR This vulnerability affects all Kirby sites where users of a particular role have no permission to access pages pages.access permission is disabled. This can be due to configuration in the user blueprints, via options in the model blueprints or via a combination of both settings. Kirby sites...

6CVSS5.7AI score0.00033EPSS
Exploits0References5
EUVD
EUVD
added 2026/05/22 7:50 a.m.12 views

EUVD-2026-31421

The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handleplaylistendpoint function hooked to templateredirect accepting a user-controlled playlist ID via the audioigniterplaylistid query var or the...

7.5CVSS5.8AI score0.01508EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/05/22 7:50 a.m.9 views

CVE-2026-9011 Ditty <= 3.1.65 - Missing Authorization to Unauthenticated Sensitive Information Disclosure via ditty_init AJAX Action

The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.65. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

7.5CVSS5.8AI score0.00447EPSS
Exploits0References8
Rows per page
Query Builder