7763 matches found
CVE-2026-57394 WordPress Newsletters plugin <= 4.14 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Tribulant Software Newsletters newsletters-lite allows Reflected XSS.This issue affects Newsletters: from n/a through = 4.14...
CVE-2026-57706 WordPress Dokan plugin <= 5.0.6 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Dokan, Inc. Dokan dokan-lite allows Reflected XSS.This issue affects Dokan: from n/a through = 5.0.6...
CVE-2026-57385 WordPress Vitepos plugin <= 3.4.2 - SQL Injection vulnerability
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in appsbd Vitepos vitepos-lite allows Blind SQL Injection.This issue affects Vitepos: from n/a through = 3.4.2...
WordPress Modern Events Calendar Lite <5.16.5 - Sensitive Information Disclosure
WordPress Modern Events Calendar Lite before 5.16.5 does not properly restrict access to the export files, allowing unauthenticated users to exports all events data in CSV or XML format. id: CVE-2021-24146 info: name: WordPress Modern Events Calendar Lite 5.16.5 - Sensitive Information Disclosure...
Duplicator < 1.5.7.1; Duplicator Pro < 4.5.14.2 - Unauthenticated Sensitive Data Exposure
The Duplicator WordPress plugin before 1.5.7.1, Duplicator Pro WordPress plugin before 4.5.14.2 does not disallow listing the backups-dup-lite/tmp directory or the backups-dup-pro/tmp directory in the Pro version, which temporarily stores files containing sensitive data. When directory listing is...
Documentor <= 1.5.3 - Unauthenticated SQL Injection
The Documentor WordPress plugin through 1.5.3 fails to sanitize and escape user input before it is being interpolated in an SQL statement and then executed, leading to an SQL Injection exploitable by unauthenticated users. id: CVE-2022-0773 info: name: Documentor = 1.5.3 - Unauthenticated SQL...
PT-2026-57706
Name of the Vulnerable Software and Affected Versions Tribulant Software Newsletters newsletters-lite versions prior to 4.15 Description Improper neutralization of input during web page generation leads to a Reflected Cross-site Scripting XSS issue. This occurs when an application includes...
CVE-2026-13347
The Hide My WP Lite plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 1.3 via the hewrapperjs and hewrappercss query parameters processed by the elementorassetsfilter function. This is due to the function concatenating user-supplied input directly onto...
CVE-2026-13347
The CVE-2026-13347 entry documents an unauthenticated Arbitrary File Read in WordPress Hide My WP Lite (versions ≤ 1.3) via the he_wrapper_js and he_wrapper_css parameters. The vulnerability stems from elementor_assets_filter() concatenating user input onto ABSPATH and passing it to file_get_cont...
EUVD-2026-42831
The Hide My WP Lite plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 1.3 via the hewrapperjs and hewrappercss query parameters processed by the elementorassetsfilter function. This is due to the function concatenating user-supplied input directly onto...
CVE-2026-13347 Hide My WP Lite <= 1.3 - Unauthenticated Path Traversal to Arbitrary File Read via 'he_wrapper_js' Parameter
The Hide My WP Lite plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 1.3 via the hewrapperjs and hewrappercss query parameters processed by the elementorassetsfilter function. This is due to the function concatenating user-supplied input directly onto...
CVE-2026-13347
The Hide My WP Lite plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 1.3 via the hewrapperjs and hewrappercss query parameters processed by the elementorassetsfilter function. This is due to the function concatenating user-supplied input directly onto...
WordPress Hide My WP Lite plugin <= 1.3 - Unauthenticated Path Traversal to Arbitrary File Read vulnerability
Unauthenticated Path Traversal to Arbitrary File Read vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin Hide My WP Lite versions = 1.3...
CVE-2026-15293
The WP Business Intelligence Lite WordPress plugin (versions up to and including 3.2.0) is affected by an authorization bypass vulnerability. The issue arises because the plugin does not properly verify user permissions before performing an action, enabling authenticated users with Subscriber-lev...
CVE-2026-15293
The WP Business Intelligence Lite plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.2.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...
CVE-2026-15293 WP Business Intelligence Lite <= 3.2.0 - Authenticated (Subscriber+) Missing Authorization to Privilege Escalation via Arbitrary SQL Modification
The WP Business Intelligence Lite plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.2.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...
CVE-2026-4275
The Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.3. This is due to the use of 'returntrue' as the permissioncallback for the /installplugin and /activateplugin REST API endpoint...
EUVD-2026-42563
The Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.3. This is due to the use of 'returntrue' as the permissioncallback for the /installplugin and /activateplugin REST API endpoint...
CVE-2026-4275 Divi Torque Lite <= 4.2.3 - Cross-Site Request Forgery to Arbitrary Plugin Installation via 'install_plugin' REST Endpoint
The Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.3. This is due to the use of 'returntrue' as the permissioncallback for the /installplugin and /activateplugin REST API endpoint...
CVE-2026-4275
CVE-2026-4275 affects the Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme plugin for WordPress up to version 4.2.3. The vulnerability is a Cross-Site Request Forgery (CSRF) flaw arising from using __return_true as the permission_callback for the /install_plugin and /activate_plugin REST...