CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Nuclei•added 2 days ago•42 views

WordPress Paid Memberships Pro <2.6.7 - Blind SQL Injection

WordPress Paid Memberships Pro plugin before 2.6.7 is susceptible to blind SQL injection. The plugin does not escape the discountcode in one of its REST routes before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized...

9.8CVSS7.4AI score0.7852EPSS

Exploits2References5

Nuclei•added 2 days ago•182 views

WordPress Paid Memberships Pro <2.9.8 - Blind SQL Injection

WordPress Paid Memberships Pro plugin before 2.9.8 contains a blind SQL injection vulnerability in the 'code' parameter of the /pmpro/v1/order REST route. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of th...

9.8CVSS7.4AI score0.83832EPSS

Exploits6References5

Cvelist•added 3 days ago•24 views

CVE-2026-45155 Nextcloud: Private circle can be added to another circle via API

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.7 and 33.0.0 to before 33.0.1, a missing access check on API level allowed to add unknown circles by their ID directly to other circles. Since circle IDs have 62^15 complexity by...

2.6CVSS0.00025EPSS

CVE•added 3 days ago•6 views

CVE-2026-45155

Nextcloud Server is affected by CVE-2026-45155 due to a missing API-level access check that allows adding unknown circle IDs to other circles. Affected versions are 32.0.0–32.0.6 and 33.0.0–33.0.0 (i.e., before 32.0.7 and before 33.0.1). The underlying issue could enable unauthorized membership t...

2.6CVSS5.7AI score0.00025EPSS

NCSC•added 2026/05/15 9:27 a.m.•10 views

Vulnerabilities are handled in GitLab through GitLab Inc.

GitLab Inc. has addressed several vulnerabilities in GitLab Community Edition CE and Enterprise Edition EE in various versions, particularly in releases from version 8.3 to 18.11.3. These vulnerabilities concern various components and functions within GitLab, including Jira integration, container...

8.7CVSS5.8AI score0.00064EPSS

Exploits0References1

Positive Technologies•added 2026/05/06 12:0 a.m.•8 views

PT-2026-38301

Name of the Vulnerable Software and Affected Versions Lemur versions prior to 1.9.0 Description When LDAP TLS is enabled via the LDAP USE TLS variable, the LDAP authentication module in the bind function unconditionally disables TLS certificate verification at the global ldap module level. This...

6.8CVSS5.9AI score0.0001EPSS

Exploits0References6

Patchstack•added 2026/05/05 4:22 p.m.•5 views

WordPress Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin <= 3.6.5 - Missing Authorization to Authenticated (Subscriber+) Stripe Webhook Deletion and Payment Processing Disruption vulnerability

Missing Authorization to Authenticated Subscriber+ Stripe Webhook Deletion and Payment Processing Disruption vulnerability discovered by Jared Reyes in WordPress Plugin Paid Memberships Pro versions = 3.6.5...

Exploits0References1Affected Software1

RedhatCVE•added 2026/05/04 8:21 p.m.•2 views

CVE-2026-4100

The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the wpajaxpmprostripecreatewebhook, wpajaxpmprostripedeletewebhook, and...

NVD•added 2026/05/02 12:16 p.m.•2 views

Exploits0References1

CVE-2026-4100

7.1CVSS0.00047EPSS

EUVD•added 2026/05/02 11:16 a.m.•3 views

EUVD-2026-26782

CVE•added 2026/05/02 11:16 a.m.•11 views

CVE-2026-4100

The CVE concerns the Paid Memberships Pro plugin for WordPress, affecting all versions up to 3.6.5. The root cause is missing capability checks on three AJAX handlers: wp_ajax_pmpro_stripe_create_webhook, wp_ajax_pmpro_stripe_delete_webhook, and wp_ajax_pmpro_stripe_rebuild_webhook. This allows a...

Cvelist•added 2026/05/02 11:16 a.m.•25 views

CVE-2026-4100 Paid Memberships Pro <= 3.6.5 - Missing Authorization to Authenticated (Subscriber+) Stripe Webhook Deletion and Payment Processing Disruption

7.1CVSS0.00047EPSS

ATTACKERKB•added 2026/05/02 11:16 a.m.•2 views

CVE-2026-4100

Vulnrichment•added 2026/05/02 11:16 a.m.•1 views

CVE-2026-4100 Paid Memberships Pro <= 3.6.5 - Missing Authorization to Authenticated (Subscriber+) Stripe Webhook Deletion and Payment Processing Disruption

CNNVD•added 2026/05/02 12:0 a.m.•7 views

WordPress plugin Paid Memberships Pro 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

Positive Technologies•added 2026/05/02 12:0 a.m.•2 views

Exploits0References1

PT-2026-36609

The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the wp ajax pmpro stripe create webhook, wp ajax pmpro stripe delete...

NVD•added 2026/04/22 12:16 a.m.•0 views

CVE-2026-41128

Craft CMS is a content management system CMS. In versions 5.6.0 through 5.9.14, the actionSavePermissions endpoint allows a user with only viewUsers permission to remove arbitrary users from all user groups. While saveUserGroups enforces per-group authorization for additions, it performs no...

5.3CVSS0.00041EPSS

ATTACKERKB•added 2026/04/21 11:32 p.m.•0 views

CVE-2026-41128

5.3CVSS5.9AI score0.00041EPSS

Exploits0References3Affected Software1

Vulnrichment•added 2026/04/21 11:32 p.m.•1 views

CVE-2026-41128 Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action

5.3CVSS5.9AI score0.00041EPSS