37397 matches found
CVE-2026-10095
The WP Photo Album Plus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subtext' parameter in all versions up to, and including, 9.1.13.005 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2026-12435
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.111. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...
CVE-2026-10096 Qi Blocks <= 1.4.9 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Style Modification via 'page_id' Parameter
The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'pageid' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, t...
EUVD-2026-40937
The Slim SEO – A Fast & Automated SEO Plugin For WordPress plugin for WordPress is vulnerable to Unauthorized Private Content Disclosure in all versions up to, and including, 4.9.8 via the /wp-json/slim-seo/meta-tags/ai REST API endpoint. This is due to the endpoint's permissioncallback performin...
CVE-2026-12435
The Motors – Car Dealership & Classified Listings Plugin for WordPress is affected up to version 1.4.111 by an authorization bypass. An authenticated user with subscriber-level access can mark or unmark another user’s car listing as Sold by replaying a valid nonce from their own listing against a...
CVE-2026-12435 Motors <= 1.4.111 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Modification via 'stm_mark_as_sold_car' Parameter
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.111. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...
EUVD-2026-40935
The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.111. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...
CVE-2026-20462
creationtimestamp| type| source ---|---|--- 2026-07-01 05:09:18+00:00| seen| https://bsky.app/profile/kriptabiz.bsky.social/post/3mpkqssa4si2l...
EUVD-2026-40902
The Custom Payment Gateways for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'algwccpginputfields' parameter in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...
CVE-2026-48283
creationtimestamp| type| source ---|---|--- 2026-07-01 04:07:06+00:00| seen| https://bsky.app/profile/cyberhub.blog/post/3mpkndl637t2x 2026-07-01 09:45:05+00:00| seen| https://www.cert.dk/news/2026-07-01/Kritiske-ColdFusion-saarbarheder-aabner-for-fuld-serverovertagelse 2026-07-01 13:00:13+00:00|...
CVE-2026-12904
The Kadence Blocks – Gutenberg Blocks for Page Builder Features plugin for WordPress (versions ≤ 3.7.7) is affected by an Insecure Direct Object Reference. The root cause is a mismatch between the authorization object and the object actually accessed in Optimize_Rest_Controller endpoints (create_...
EUVD-2026-40890
The Kadence Blocks – Gutenberg Blocks for Page Builder Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.7.7. This is due to a mismatch between the object used for authorization and the object actually accessed in the...
mooSocial 3.1.8 - External Service Interaction
mooSocial 3.1.8 is vulnerable to external service interaction via multiple parameters in the post function. id: CVE-2023-43323 info: name: mooSocial 3.1.8 - External Service Interaction author: ritikchaddha severity: medium description: | mooSocial 3.1.8 is vulnerable to external service...
DomainMOD 4.13.0 - Cross-Site Scripting
DomainMOD 4.13.0 is vulnerable to cross-site scripting via reporting/domains/cost-by-owner.php in the "or Expiring Between" parameter. id: CVE-2020-20988 info: name: DomainMOD 4.13.0 - Cross-Site Scripting author: arafatansari severity: medium description: | DomainMOD 4.13.0 is vulnerable to...
QCube Cross-Site-Scripting
A reflected cross-site scripting vulnerability in qcubed all versions including 3.1.1 in profile.php via the stQuery-parameter allows unauthenticated attackers to steal sessions of authenticated users. id: CVE-2020-24912 info: name: QCube Cross-Site-Scripting author: pikpikcu severity: medium...
WordPress amtyThumb Posts 8.1.3 - Cross-Site Scripting
WordPress amty-thumb-recent-post plugin 8.1.3 contains a cross-site scripting vulnerability via the query string to amtyThumbPostsAdminPg.php. id: CVE-2017-17059 info: name: WordPress amtyThumb Posts 8.1.3 - Cross-Site Scripting author: daffainfo severity: medium description: WordPress...
Social Login by BestWebSoft < 0.2 - Cross-Site Scripting
The social-login-bws plugin before 0.2 for WordPress has multiple XSS issues. id: CVE-2017-18501 info: name: Social Login by BestWebSoft 0.2 - Cross-Site Scripting author: luisfelipe146 severity: medium description: | The social-login-bws plugin before 0.2 for WordPress has multiple XSS issues...
WordPress AJAX Random Post <=2.00 - Cross-Site Scripting
WordPress AJAX Random Post 2.00 is vulnerable to reflected cross-site scripting. id: CVE-2016-1000127 info: name: WordPress AJAX Random Post =2.00 - Cross-Site Scripting author: daffainfo severity: medium description: WordPress AJAX Random Post 2.00 is vulnerable to reflected cross-site scripting...
WordPress Post Status Notifier Lite <1.10.1 - Cross-Site Scripting
WordPress Post Status Notifier Lite plugin before 1.10.1 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the page. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the...
Flatpress < v1.2.1 - Cross Site Scripting
Flatpress v1.2.1 was discovered to contain a reflected cross-site scripting XSS vulnerability via the page parameter at /flatpress/admin.php. id: CVE-2022-40047 info: name: Flatpress v1.2.1 - Cross Site Scripting author: r3Y3r53 severity: medium description: | Flatpress v1.2.1 was discovered to...