CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

EUVD•added 6 days ago•6 views

EUVD-2026-36270

Fediverse Embeds embeds fediverse posts on WordPress sites. Prior to version 1.5.9, Fediverse Embeds registered the unauthenticated AJAX action wpajaxnoprivftfgetsiteinfo includes/SiteInfo.php that verified a nonce ftf-fediverse-embeds-nonce and then called filegethtml$siteurl on the...

5.3CVSS5.4AI score0.00236EPSS

Exploits0References2

RedhatCVE•added 2026/06/10 8:59 a.m.•9 views

CVE-2026-8940

The WP Meta Sort Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9. This is due to missing or incorrect nonce validation on the top-level included script in msp-options.php. This makes it possible for unauthenticated attackers to chan...

4.3CVSS5.4AI score0.00128EPSS

RedhatCVE•added 2026/06/10 8:59 a.m.•8 views

CVE-2026-8907

The WP-Ultimate-Map plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1. This is due to missing nonce validation on the processinit function hooked to admininit, which saves plugin settings zoom-level, focus-lat, focus-lng, selplaces, selroutes v...

6.1CVSS5.5AI score0.00119EPSS

RedhatCVE•added 2026/06/10 8:59 a.m.•7 views

CVE-2026-8910

The WP Emoticon Rating plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web...

6.1CVSS5.4AI score0.0012EPSS

RedhatCVE•added 2026/06/10 8:59 a.m.•5 views

CVE-2026-9185

The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the userId parameter of the sixstoragegetuserinfo and sixstorageupdateprofile AJAX actions. This is due to the sixstoragegetUserInfo and...

7.5CVSS5.5AI score0.00403EPSS

NVD•added 2026/06/09 5:16 a.m.•11 views

CVE-2026-8902

The AJAX Report Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.4. This is due to missing or incorrect nonce validation on the rcoptionspage function. This makes it possible for unauthenticated attackers to modify plugin settings...

4.3CVSS0.00124EPSS

Exploits0References3

NVD•added 2026/06/09 5:16 a.m.•11 views

CVE-2026-8909

The WpMobi plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.3. This is due to missing or incorrect nonce validation on the handleSaveGeneralSettings function. This makes it possible for unauthenticated attackers to modify the plugin's...

4.3CVSS0.00128EPSS

EUVD•added 2026/06/09 3:41 a.m.•6 views

EUVD-2026-35314

The jQuery Hover Footnotes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the jqFootnotesoptionssubpanel function. This makes it possible for unauthenticated attackers to update th...

4.3CVSS5.5AI score0.00145EPSS

Cvelist•added 2026/06/09 3:41 a.m.•31 views

CVE-2026-8909 WpMobi <= 0.0.3 - Cross-Site Request Forgery via save_general_settings Action

4.3CVSS0.00128EPSS

EUVD•added 2026/06/09 3:41 a.m.•8 views

EUVD-2026-35306

4.3CVSS5.5AI score0.00128EPSS

EUVD•added 2026/06/09 3:41 a.m.•6 views

EUVD-2026-35307

7.5CVSS5.5AI score0.00403EPSS

Exploits0References11

CVE•added 2026/06/09 3:41 a.m.•15 views

CVE-2026-8907

CVE-2026-8907 affects the WordPress plugin WP-Ultimate-Map (versions ≤ 1.1). The root cause is missing nonce validation on the process_init() handler (hooked to admin_init), which saves settings (zoom-level, focus-lat, focus-lng, sel_places, sel_routes) based solely on a save-setting POST paramet...

6.1CVSS5.5AI score0.00119EPSS

Cvelist•added 2026/06/09 3:41 a.m.•31 views

CVE-2026-8907 WP-Ultimate-Map <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'zoom-level' Parameter

6.1CVSS0.00119EPSS

Cvelist•added 2026/06/09 3:41 a.m.•29 views

CVE-2026-8940 WP Meta Sort Posts <= 0.9 - Cross-Site Request Forgery to Plugin Settings Update

4.3CVSS0.00128EPSS

Vulnrichment•added 2026/06/09 3:41 a.m.•5 views

CVE-2026-8940 WP Meta Sort Posts <= 0.9 - Cross-Site Request Forgery to Plugin Settings Update

4.3CVSS5.4AI score0.00128EPSS

Positive Technologies•added 2026/06/09 12:0 a.m.•8 views

PT-2026-47637

The jQuery Hover Footnotes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the jqFootnotes options subpanel function. This makes it possible for unauthenticated attackers to update...

4.3CVSS5.4AI score0.00145EPSS

Positive Technologies•added 2026/06/09 12:0 a.m.•8 views

PT-2026-47682

Name of the Vulnerable Software and Affected Versions WP Emoticon Rating versions prior to 1.0.2 Description The WP Emoticon Rating plugin for WordPress is subject to Cross-Site Request Forgery CSRF, a type of attack where an unauthorized user tricks a victim into performing actions they did not...

6.1CVSS5.3AI score0.0012EPSS

Exploits0References11

CNNVD•added 2026/06/09 12:0 a.m.•5 views

WordPress plugin FastPicker 跨站请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

4.3CVSS5.3AI score0.00124EPSS

Exploits0References2

CNNVD•added 2026/06/09 12:0 a.m.•6 views

WordPress plugin jQuery Hover Footnotes 跨站请求伪造漏洞

4.3CVSS5.2AI score0.00145EPSS