
15 matches found

CVE
added 4 hours ago, 7 views

CVE-2026-10089

CVE-2026-10089 concerns the WordPress plugin Insert Pages (versions up to 3.11.4). It describes a Stored XSS where the meta field key (not the value) is interpolated into rendered HTML without escaping when rendering a page via the [insert page] shortcode. The underlying cause is insufficient esc...

CVSS 6.4, AI score 5.9
Exploits: 0, References: 8

RedhatCVE
added 2026/06/07 12:43 a.m., 14 views

CVE-2026-8976

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action...

CVSS 4.3, AI score 5.6, EPSS 0.0029
Exploits: 0, References: 1

CNNVD
added 2026/06/06 12:00 a.m., 7 views

WordPress plugin RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVSS 4.3, AI score 5.6, EPSS 0.0029
Exploits: 0, References: 23

ATTACKERKB
added 2026/06/05 11:28 p.m., 13 views

CVE-2026-8976

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.7. This is due to the plugin not properly verifying that a user is authorized to perform an action...

CVSS 4.3, AI score 5.6, EPSS 0.0029
Exploits: 0, References: 23

Vulnrichment
added 2026/04/09 2:25 a.m., 1 view

CVE-2026-3568 MStore API <= 4.18.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Meta Update

The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the updateuserprofile function in controllers/flutter-user.php processing the 'metadata' JSON parameter without any allowlist, blocklist, or validatio...

CVSS 4.3, AI score 6, EPSS 0.00226
Exploits: 0, References: 8

NVD
added 2026/01/24 9:15 a.m., 11 views

CVE-2025-15516

The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxcallbackstoreusermeta function in versions 4.1.0 to 4.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, ...

CVSS 4.3, EPSS 0.00161
Exploits: 0, References: 2

Vulnrichment
added 2026/01/24 8:26 a.m., 2 views

CVE-2025-15516 All-in-One Video Gallery 4.1.0 - 4.6.4 - Missing Authorization to Authenticated (Subscriber+) Limited User Meta Update

The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxcallbackstoreusermeta function in versions 4.1.0 to 4.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, ...

CVSS 4.3, AI score 6, EPSS 0.00161
Exploits: 0, References: 2

NVD
added 2025/12/13 4:16 p.m., 5 views

CVE-2025-12512

The GenerateBlocks plugin for WordPress is vulnerable to information exposure due to missing object-level authorization checks in versions up to, and including, 2.1.2. This is due to the plugin registering multiple REST API routes under generateblocks/v1/meta/ that gate access with...

CVSS 4.3, EPSS 0.00336
Exploits: 0, References: 5

EUVD
added 2025/10/03 8:07 p.m., 7 views

EUVD-2024-33434

Malicious code in bioql PyPI...

CVSS 4.3, AI score 8.6, EPSS 0.00366
Exploits: 0, References: 2

NVD
added 2024/11/23 4:15 a.m., 19 views

CVE-2024-10537

The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the validate_user_meta_key function in all versions up to, and including, 2.9.11. This makes it possible for authenticated attackers, with...

CVSS 4.3, EPSS 0.00366
Exploits: 0, References: 2

OSV
added 2024/11/23 4:15 a.m., 4 views

CVE-2024-10537

The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the validate_user_meta_key function in all versions up to, and including, 2.9.11. This makes it possible for authenticated attackers, with...

CVSS 4.3, AI score 5.8, EPSS 0.00366
Exploits: 0, References: 2

CVE
added 2024/11/23 3:25 a.m., 56 views

CVE-2024-10537

CVE-2024-10537: The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized data access due to a missing capability check in validate_user_meta_key() across versions up to and including 2.9.11. This allows authenticated attackers with Subscriber-leve...

CVSS 4.3, AI score 4.2, EPSS 0.00366
Exploits: 0, References: 2, Affected Software: 1

Cvelist
added 2024/11/23 3:25 a.m., 20 views

CVE-2024-10537 WP User Manager – User Profile Builder & Membership <= 2.9.11 - Missing Authorization to Authenticated (Subscriber+) User Meta Key Enumeration

The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the validate_user_meta_key function in all versions up to, and including, 2.9.11. This makes it possible for authenticated attackers, with...

CVSS 4.3, EPSS 0.00366
Exploits: 0, References: 2

Patchstack
added 2024/11/22 9:31 p.m., 4 views

WordPress WP User Manager plugin <= 2.9.11 - Missing Authorization to Authenticated (Subscriber+) User Meta Key Enumeration vulnerability

Missing Authorization to Authenticated Subscriber+ User Meta Key Enumeration vulnerability discovered by Tieu Pham Trong Nhan in WordPress Plugin WP User Manager versions <= 2.9.11...

CVSS 4.3, AI score 7, EPSS 0.00366
Exploits: 0, References: 1, Affected Software: 1

WPVulnDB
added 2022/08/30 12:00 a.m., 37 views

WP < 6.0.2 - Authenticated Stored Cross-Site Scripting

Description: There is a lack of escaping of the meta keys and values in the_meta function, which could lead to Cross-Site Scripting issue...

AI score 6.5
Exploits: 0, References: 1