CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added 9 hours ago•9 views

CVE-2026-8379

7.5CVSS5.9AI score

NVD•added 5 days ago•9 views

CVE-2026-10023

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via the changeorderstatus, addordernote, deleteordernote,...

4.3CVSS0.0025EPSS

CVE•added 5 days ago•15 views

CVE-2026-12407

CVE-2026-12407 affects the E2Pdf – Export Pdf Tool for WordPress plugin versions up to 1.32.26. The screen_action() path bypasses nonce and capability checks, reading attacker-controlled options from $_POST['wp_screen_options'] and passing them to update_option() with no allowlist, enabling authe...

8.8CVSS5.4AI score0.00387EPSS

Cvelist•added 5 days ago•20 views

CVE-2026-12407 E2Pdf <= 1.32.26 - Missing Authorization to Authenticated (Custom+) Arbitrary Option Update / Privilege Escalation via 'screen_action' Parameter

The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.32.26. This is due to the screenaction function lacking a dedicated capability check and nonce verification — when invoked via the ?action=screen routing path...

8.8CVSS0.00387EPSS

EUVD•added 5 days ago•7 views

EUVD-2026-37836

8.8CVSS5.3AI score0.00387EPSS

RedhatCVE•added 2026/06/05 7:19 p.m.•7 views

CVE-2026-10737

The SP Project & Document Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the viewfile function in all versions up to, and including, 4.71. This makes it possible for unauthenticated attackers to read file metadata and obtain download links f...

7.5CVSS5.6AI score0.003EPSS

Cvelist•added 2026/05/27 5:31 a.m.•31 views

CVE-2026-8938 auto making JSON-LD <= 4.5.3 - Cross-Site Request Forgery to Plugin Certification Settings via Nonce Validation Bypass

The auto making JSON-LD plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on the amJLcertification function. This makes it possible for unauthenticated attackers to update the plugin's...

4.3CVSS0.0014EPSS

Vulnrichment•added 2026/05/27 5:31 a.m.•7 views

CVE-2026-8938 auto making JSON-LD <= 4.5.3 - Cross-Site Request Forgery to Plugin Certification Settings via Nonce Validation Bypass

4.3CVSS5.7AI score0.0014EPSS

CVE•added 2026/05/27 5:31 a.m.•16 views

CVE-2026-8938

The CVE-2026-8938 entry concerns the WordPress plugin “auto making JSON-LD” (versions

4.3CVSS5.7AI score0.0014EPSS

ATTACKERKB•added 2026/05/26 8:2 p.m.•6 views

CVE-2026-44443

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, consumeNonce only checks that the module-level variable is set and unexpired. It does not validate any value from the incoming HTTP request or bind the nonce to the admin's session. If the admin's auth.api.signUpEmail call fails...

4.8CVSS5.8AI score0.00118EPSS

Exploits0References2Affected Software1

Vulnrichment•added 2026/05/10 12:12 p.m.•5 views

CVE-2022-50955 WordPress Plugin Curtain 1.0.2 Cross-site Request Forgery

WordPress Plugin Curtain 1.0.2 contains a cross-site request forgery vulnerability that allows attackers to activate or deactivate site maintenance mode by crafting malicious requests. Attackers can trick authenticated administrators into submitting forged requests to the options-general.php page...

5.3CVSS5.7AI score0.0013EPSS

RedhatCVE•added 2026/05/04 8:21 p.m.•5 views

CVE-2026-5324

The Brizy – Page Builder plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to, and including, 2.8.11 This is due to a combination of missing nonce verification for unauthenticated form submissions, insufficient handling of FileUpload fields when ...

7.2CVSS6AI score0.00266EPSS

NVD•added 2026/05/02 9:16 a.m.•5 views

CVE-2026-5324

7.2CVSS0.00266EPSS

Exploits0References8

NVD•added 2026/04/17 5:16 a.m.•5 views

CVE-2026-3330

The Form Maker by 10Web plugin for WordPress is vulnerable to SQL Injection via the 'ipsearch', 'startdate', 'enddate', 'usernamesearch', and 'useremailsearch' parameters in all versions up to, and including, 1.15.40. This is due to the WDWFMLibrary::validatedata method calling stripslashes on us...

4.9CVSS0.00428EPSS

Exploits0References8

RedhatCVE•added 2026/04/02 5:4 a.m.•2 views

CVE-2026-4668

The Booking for Appointments and Events Calendar - Amelia plugin for WordPress is vulnerable to SQL Injection via the sort parameter in the payments listing endpoint in all versions up to, and including, 2.1.2. This is due to insufficient escaping on the user-supplied sort parameter and lack of...

6.5CVSS6AI score0.0036EPSS

EUVD•added 2026/04/01 12:31 a.m.•3 views

EUVD-2026-17727

6.5CVSS6AI score0.0036EPSS

ATTACKERKB•added 2026/03/31 11:25 p.m.•2 views

CVE-2026-4668

6.5CVSS6AI score0.0036EPSS

NVD•added 2026/03/21 12:16 a.m.•3 views

CVE-2026-3567

The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 4.1132. The plugin exposes two AJAX handlers that, when combined, allow any authenticated user to modify admin-level plugin settings. First, the...

5.3CVSS0.00236EPSS

Cvelist•added 2026/03/20 11:25 p.m.•29 views

CVE-2026-3567 RepairBuddy <= 4.1132 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification via wc_rep_shop_settings_submission AJAX Action

5.3CVSS0.00236EPSS