Lucene search
+L

193 matches found

Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.15 views

PT-2026-42506

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient w.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticket id GET parameters directly into an HTML form action URL. Attackers...

5.4CVSS5.8AI score0.00169EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.20 views

PT-2026-42505

Open ISES Tickets before 3.44.2 contains a reflected cross-site scripting vulnerability in patient.php that allows authenticated attackers to inject arbitrary JavaScript by passing an unsanitized value through the id and ticket id GET parameters directly into an HTML form action URL. Attackers ca...

5.4CVSS5.8AI score0.00169EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.22 views

PT-2026-44727

Name of the Vulnerable Software and Affected Versions symfony/html-sanitizer versions prior to 6.4 Description The UrlAttributeSanitizer visitor fails to validate the schemes of several URL-valued attributes because they are missing from the getSupportedAttributes list. Specifically, the action...

6.1CVSS5.2AI score0.00297EPSS
Exploits0References22
NVD
NVD
added 2026/05/20 2:16 a.m.20 views

CVE-2026-8626

The SponsorMe plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHPSELF Parameter in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...

6.1CVSS0.00266EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/20 1:25 a.m.19 views

CVE-2026-8626

The SponsorMe plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHPSELF Parameter in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...

6.1CVSS6AI score0.00266EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/20 1:25 a.m.13 views

EUVD-2026-31024

The SponsorMe plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHPSELF Parameter in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...

6.1CVSS6AI score0.00266EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/20 1:25 a.m.9 views

CVE-2026-8627 Correct Prices <= 1.0 - Reflected Cross-Site Scripting via PHP_SELF Parameter

The Correct Prices plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in versions up to and including 1.0. This is due to the correctpricespage function echoing $SERVER'PHPSELF' into a form's action attribute without any input sanitization or...

6.1CVSS6AI score0.00221EPSS
Exploits0References2
CVE
CVE
added 2026/05/20 1:25 a.m.21 views

CVE-2026-8627

The CVE-2026-8627 entry affects the WordPress plugin Correct Prices (

6.1CVSS6AI score0.00221EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/20 1:25 a.m.42 views

CVE-2026-8627 Correct Prices <= 1.0 - Reflected Cross-Site Scripting via PHP_SELF Parameter

The Correct Prices plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in versions up to and including 1.0. This is due to the correctpricespage function echoing $SERVER'PHPSELF' into a form's action attribute without any input sanitization or...

6.1CVSS0.00221EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/20 12:0 a.m.20 views

PT-2026-42083

Name of the Vulnerable Software and Affected Versions SponsorMe versions prior to 0.5.3 Description Insufficient input sanitization and output escaping allow unauthenticated attackers to inject arbitrary web scripts into pages. This occurs when a user is tricked into clicking a crafted link. The...

6.1CVSS5.9AI score0.00266EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/05/20 12:0 a.m.19 views

PT-2026-42084

Name of the Vulnerable Software and Affected Versions Correct Prices versions prior to 1.1 Description The Correct Prices plugin for WordPress is subject to Reflected Cross-Site Scripting, a flaw where an application includes untrusted data in a web page without proper validation, allowing an...

6.1CVSS6AI score0.00221EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/05/06 8:22 p.m.8 views

CVE-2026-3601

The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the embedformaction function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Contributor-level acce...

4.3CVSS5.9AI score0.003EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/05 9:31 a.m.9 views

EUVD-2026-27241

The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the embedformaction function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Contributor-level acce...

4.3CVSS5.9AI score0.003EPSS
Exploits0References7
NVD
NVD
added 2026/05/05 9:16 a.m.16 views

CVE-2026-3601

The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the embedformaction function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Contributor-level acce...

4.3CVSS0.003EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/05/05 8:27 a.m.65 views

CVE-2026-3601 User Registration & Membership <= 5.1.4 - Missing Authorization to Authenticated (Contributor+) Limited Page Content Modification

The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the embedformaction function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Contributor-level acce...

4.3CVSS0.003EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/05/05 8:27 a.m.7 views

CVE-2026-3601

The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the embedformaction function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Contributor-level acce...

4.3CVSS5.9AI score0.003EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2026/05/05 8:27 a.m.8 views

CVE-2026-3601 User Registration & Membership <= 5.1.4 - Missing Authorization to Authenticated (Contributor+) Limited Page Content Modification

The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the embedformaction function in all versions up to, and including, 5.1.4. This makes it possible for authenticated attackers, with Contributor-level acce...

4.3CVSS5.9AI score0.003EPSS
Exploits0References6
CVE
CVE
added 2026/05/05 8:27 a.m.23 views

CVE-2026-3601

Summary: CVE-2026-3601 affects the WordPress plugin “User Registration & Membership” (versions

4.3CVSS5.9AI score0.003EPSS
Exploits0References6
EUVD
EUVD
added 2026/05/05 6:31 a.m.44 views

EUVD-2026-27185

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'status' parameter in the wprupdateformactionmeta AJAX action in all versions up to, and including, 1.7.1056. This is due to insufficient input sanitization and output escaping, combined with a...

7.2CVSS6AI score0.00359EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2026/05/05 3:37 a.m.7 views

CVE-2026-4803 Royal Addons for Elementor <= 1.7.1056 - Unauthenticated Stored Cross-Site Scripting via 'status' Parameter in wpr_update_form_action_meta

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'status' parameter in the wprupdateformactionmeta AJAX action in all versions up to, and including, 1.7.1056. This is due to insufficient input sanitization and output escaping, combined with a...

7.2CVSS6AI score0.00359EPSS
Exploits0References6
Rows per page
Query Builder