3423 matches found
PT-2026-33717
The Email Encoder WordPress plugin before 2.3.4 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered html capability is disallowed for example in multisite setup...
CVE-2026-40308
My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mcajaxmcjsaction AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parsestr without validation, allowing injection of arbitrary parameters including a site...
Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog in My Calendar
Summary An unauthenticated Insecure Direct Object Reference IDOR and Denial of Service DoS vulnerability in the My Calendar plugin allows any unauthenticated user to extract calendar events including private or hidden ones from any sub-site on a WordPress Multisite network. On standard Single Sit...
Authorization Bypass Through User-Controlled Key
Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the mcajaxmcjsaction function. An attacker can access sensitive event data from other sub-sites or cause a denial of service by sending crafted requests to the unauthenticated endpoin...
GHSA-2MVX-F5QM-V2CH Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog in My Calendar
Summary An unauthenticated Insecure Direct Object Reference IDOR and Denial of Service DoS vulnerability in the My Calendar plugin allows any unauthenticated user to extract calendar events including private or hidden ones from any sub-site on a WordPress Multisite network. On standard Single Sit...
CVE-2026-40308
My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mcajaxmcjsaction AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parsestr without validation, allowing injection of arbitrary parameters including a site...
CVE-2026-40308 My Calendar: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog
My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mcajaxmcjsaction AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parsestr without validation, allowing injection of arbitrary parameters including a site...
CVE-2026-40308 My Calendar: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog
My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mcajaxmcjsaction AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parsestr without validation, allowing injection of arbitrary parameters including a site...
CVE-2026-40308
CVE-2026-40308 - My Calendar (WordPress) plugin : Affected versions are 3.7.6 and earlier. The mc_ajax_mcjs_action AJAX endpoint, exposed to unauthenticated users, passes user-supplied arguments through parse_str() without validation, enabling injection of arbitrary parameters including a site va...
EUVD-2026-23306
My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mcajaxmcjsaction AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parsestr without validation, allowing injection of arbitrary parameters including a site...
CVE-2026-2396
The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
PT-2026-33262
Name of the Vulnerable Software and Affected Versions Custom New User Notification plugin for WordPress versions prior to 1.2.1 Description Stored Cross-Site Scripting is possible via the admin settings due to insufficient input sanitization and output escaping on multiple settings fields. The...
PT-2026-33370
Name of the Vulnerable Software and Affected Versions My Calendar versions prior to 3.7.7 Description An unauthenticated issue exists in the 'mc ajax mcjs action' AJAX endpoint, which is registered for unauthenticated users. The endpoint passes user-supplied arguments through the parse str functi...
CVE-2026-2396
The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2026-2396 List View Google Calendar <= 7.4.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via Event Description
The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2026-2396 List View Google Calendar <= 7.4.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via Event Description
The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2026-2396
The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2026-4479
The WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
CVE-2026-4479
The WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...
CVE-2026-4479 WholeSale Products Dynamic Pricing Management WooCommerce <= 1.2 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings
The WholeSale Products Dynamic Pricing Management WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...