Lucene search
K

705 matches found

NVD
NVD
added 4 days ago8 views

CVE-2026-15288

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 2.2.1. This is due to the plugin accepting the payment amount directly from user-controlled POST data in the 'createpaymentintent' and...

7.5CVSS0.00333EPSS
Exploits0References3
EUVD
EUVD
added 4 days ago7 views

EUVD-2026-42797

The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 2.2.1. This is due to the plugin accepting the payment amount directly from user-controlled POST data in the 'createpaymentintent' and...

7.5CVSS6.1AI score0.00333EPSS
Exploits0References3
NVD
NVD
added 2026/07/07 6:16 a.m.21 views

CVE-2026-14345

The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.12.7 via the 'postData' parameter parameter. This is due to unsanitized write of attacker-controlled postData values...

9.8CVSS0.00745EPSS
Exploits0References11
ATTACKERKB
ATTACKERKB
added 2026/07/07 5:34 a.m.5 views

CVE-2026-14345

The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.12.7 via the 'postData' parameter parameter. This is due to unsanitized write of attacker-controlled postData values...

9.8CVSS6.3AI score0.00745EPSS
Exploits0References12
EUVD
EUVD
added 2026/07/07 5:34 a.m.8 views

EUVD-2026-42009

The WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.12.7 via the 'postData' parameter parameter. This is due to unsanitized write of attacker-controlled postData values...

9.8CVSS6.3AI score0.00745EPSS
Exploits0References11
CVE
CVE
added 2026/07/07 5:34 a.m.32 views

CVE-2026-14345

The CVE-2026-14345 entry concerns the WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell (WordPress plugin). Affected versions up to and including 3.12.7 are vulnerable to Remote Code Execution via the postData parameter. The root cause is an unsanitized write of attacker...

9.8CVSS6.3AI score0.00745EPSS
Exploits0References11
Positive Technologies
Positive Technologies
added 2026/07/07 12:0 a.m.11 views

PT-2026-56149

Name of the Vulnerable Software and Affected Versions WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell versions prior to 3.12.8 Description Unauthenticated attackers can achieve Remote Code Execution by sending unsanitized values through the postData parameter. The plug...

9.8CVSS6.2AI score0.00745EPSS
Exploits0References17
Snyk
Snyk
added 2026/06/30 5:26 p.m.3 views

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the POST /api/n9e/datasource/list route, which lacks proper authorization checks. An attacker can obtain sensitive credentials, such as database passwords, HTTP bearer tokens, and mTLS client keys, by sending...

7.1CVSS6AI score0.00238EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/24 6:49 a.m.40 views

CVE-2026-7761 Ultimate Member <= 2.11.4 - Authenticated (Contributor+) Account Takeover via Password Reset Link Disclosure

The Ultimate Member plugin for WordPress is vulnerable to Account Takeover via Password Reset Link Disclosure in all versions up to and including 2.11.4. This is due to a chain of three logic bugs: 1 an MD5 hash fallback in getdirectorybyhash that allows any post to be used as a member directory ...

8.8CVSS0.00499EPSS
Exploits0References10
NVD
NVD
added 2026/06/19 6:17 a.m.13 views

CVE-2026-9013

The Bogo plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.1 via the bogorestcreateposttranslation. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract the raw title, content, excerpt,...

4.3CVSS0.00254EPSS
Exploits0References9
EUVD
EUVD
added 2026/06/19 4:31 a.m.11 views

EUVD-2026-37983

The Bogo plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.1 via the bogorestcreateposttranslation. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract the raw title, content, excerpt,...

4.3CVSS5.8AI score0.00254EPSS
Exploits0References9
ATTACKERKB
ATTACKERKB
added 2026/06/19 4:31 a.m.7 views

CVE-2026-9013

The Bogo plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.1 via the bogorestcreateposttranslation. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract the raw title, content, excerpt,...

4.3CVSS5.8AI score0.00254EPSS
Exploits0References10
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/11 5:0 a.m.14 views

Malicious code in @bestlzk/sectest (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0cfce552ac72417ec7db2c48e0e13b1d060007167e82bd0f9b10799efe85e7f4 On npm install, postinstall.js collects platform, Node version, current working directory, and OS username, then POSTs them as JSON to...

6.4AI score
Exploits0References1
EUVD
EUVD
added 2026/06/08 7:13 p.m.11 views

EUVD-2026-35194

WACRM prior to commit 73041bf contain an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contactid in the POST request body without tenant ownership...

7.1CVSS5.6AI score0.00216EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/06/08 12:0 a.m.14 views

TencentOS Server 4: python-django (TSSA-2026:0341)

The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2026:0341 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...

9.8CVSS5.5AI score0.00458EPSS
Exploits0References2
CVE
CVE
added 2026/06/06 2:28 a.m.50 views

CVE-2026-7665

CVE-2026-7665 affects the WordPress plugin Essential Addons for Elementor (up to version 6.6.4). The issue arises in the ajax_load_more handler, with insufficient restrictions on which posts can be returned, enabling unauthenticated attackers to extract data from password-protected, private, or d...

5.3CVSS5.5AI score0.0515EPSS
Exploits1References14
RedhatCVE
RedhatCVE
added 2026/06/05 7:37 p.m.11 views

CVE-2026-3454

The GenerateBlocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.0. This is due to missing object-level authorization checks in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint. The endpoint only verifies that...

6.5CVSS5.5AI score0.00539EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:24 p.m.10 views

CVE-2026-8327

Concrete CMS below 9.5.0 and below is vulnerable to password change without reauthorization and session-hardening bypass. The user-profile edit controller passes the entire raw POST array to UserInfo::update without field whitelisting resulting in password change without requiring the current...

5.3CVSS5.5AI score0.00182EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:21 p.m.11 views

CVE-2026-41143

YesWiki is a wiki system written in PHP. Prior to version 4.6.1, YesWiki bazar module contains a SQL injection vulnerability in tools/bazar/services/EntryManager.php at line 704. The $data'idfiche' value sourced from $POST'idfiche' is concatenated directly into a raw SQL query without any...

8.8CVSS5.5AI score0.00342EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:12 p.m.13 views

CVE-2026-39394

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Install::index controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings, which...

9.8CVSS5.7AI score0.00516EPSS
Exploits1References1
Rows per page
Query Builder