3425 matches found
CVE-2026-6813
The Continually plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...
CVE-2026-6813
The CVE-2026-6813 entry concerns the WordPress Continually plugin (versions up to 4.3.1). It describes a Stored Cross-Site Scripting vulnerability in admin settings caused by insufficient input sanitization and output escaping, exploitable by authenticated attackers with administrator-level permi...
CVE-2026-6813 Continually <= 4.3.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'continually_embed_code' Parameter
The Continually plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...
CVE-2026-6800
The CVE-2026-6800 entry concerns the WordPress FastBots plugin (versions up to 1.0.12). The vulnerability is a Stored Cross-Site Scripting flaw in admin settings caused by insufficient input sanitization and output escaping. It affects multi-site installations and installs where unfiltered_html i...
CVE-2026-6800 FastBots <= 1.0.12 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings
The FastBots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...
CVE-2026-6800
The FastBots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...
PT-2026-40002
The Continually plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...
PT-2026-40001
The FastBots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...
PT-2026-39335
Name of the Vulnerable Software and Affected Versions Logtivity versions prior to 3.3.7 Description A logic flaw in the verifyAuthorization function allows unauthenticated attackers to bypass authentication checks. Requests that omit the Authorization header skip Bearer token validation and trigg...
WordPress Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity plugin <= 3.3.6 - Unauthenticated Information Disclosure vulnerability
Unauthenticated Information Disclosure vulnerability discovered by Ronnachai Chaipha rxnr - Reconix Co., Ltd. in WordPress Plugin Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity versions = 3.3.6...
GHSA-GH9P-Q46P-57G2 phpMyFAQ: Path Traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins
Summary Client::deleteClientFolder in phpmyfaq/src/phpMyFAQ/Instance/Client.php:583 takes a URL from the caller, strips the https:// prefix, and passes the remainder to Filesystem::deleteDirectory relative to the multisite clientFolder. No path-traversal validation runs. An admin with the...
Directory Traversal
Overview phpmyfaq/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Directory Traversal in the deleteClientFolder process. An attacker can delete arbitrary directories on the server by submitting a crafted URL containing...
phpMyFAQ: Path Traversal in Client::deleteClientFolder enables arbitrary directory deletion by non-super-admin admins
Summary Client::deleteClientFolder in phpmyfaq/src/phpMyFAQ/Instance/Client.php:583 takes a URL from the caller, strips the https:// prefix, and passes the remainder to Filesystem::deleteDirectory relative to the multisite clientFolder. No path-traversal validation runs. An admin with the...
Directory Traversal
Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Directory Traversal in the deleteClientFolder process. An attacker can delete arbitrary directories on the server by submitting a crafted URL containing...
CVE-2026-6447
The Call for Price for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2026-7641
The Import and export users and customers plugin for WordPress is vulnerable to Privilege Escalation in all versions up to and including 2.0.8 via the saveextrauserprofilefields function. This is due to an incomplete blocklist that correctly restricts capability meta keys for the primary site e.g...
CVE-2026-6447
The Call for Price for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2026-6447 Call for Price for WooCommerce <= 4.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Call for Price' Label Settings
The Call for Price for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2026-6447 Call for Price for WooCommerce <= 4.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Call for Price' Label Settings
The Call for Price for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2026-6447
The CVE-2026-6447 entry describes a Stored Cross-Site Scripting vulnerability in the Call for Price for WooCommerce plugin for WordPress, affecting all versions up to and including 4.2.0. The root cause is insufficient input sanitization and output escaping in admin settings, allowing authenticat...