Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

312 matches found

EUVD
EUVDadded 2026/05/28 5:30 a.m.7 views

EUVD-2026-32722

The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user...

6.5CVSS5.9AI score0.00031EPSS
Exploits0References4
Vulnrichment
Vulnrichmentadded 2026/05/28 5:30 a.m.8 views

CVE-2026-3173 Meta Field Block <= 1.5.1 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary User Meta Exposure

The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user...

6.5CVSS5.9AI score0.00031EPSS
Exploits0References4
CVE
CVEadded 2026/05/28 5:30 a.m.10 views

CVE-2026-3173

The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 1.5.1. Authenticated attackers with Contributor-level access or higher can read arbitrary user meta, post meta, and term meta from any object, potentially exposing PII (...

6.5CVSS5.9AI score0.00031EPSS
Exploits0References4
Cvelist
Cvelistadded 2026/05/28 5:30 a.m.27 views

CVE-2026-3173 Meta Field Block <= 1.5.1 - Insecure Direct Object Reference to Authenticated (Contributor+) Arbitrary User Meta Exposure

The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user...

6.5CVSS0.00031EPSS
Exploits0References4
Positive Technologies
Positive Technologiesadded 2026/05/28 12:0 a.m.6 views

PT-2026-44188

The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user...

6.5CVSS5.9AI score0.00031EPSS
Exploits0References5
Patchstack
Patchstackadded 2026/05/20 1:15 p.m.5 views

WordPress Broadstreet plugin <= 1.52.2 - Authenticated (Subscriber+) Private Post Meta Disclosure vulnerability

Authenticated Subscriber+ Private Post Meta Disclosure vulnerability discovered by Tarcísio Luchesi De Almeida Silva Poystick in WordPress Plugin Broadstreet Ads versions = 1.52.2...

4.3CVSS5.8AI score0.00009EPSS
Exploits0References1Affected Software1
EUVD
EUVDadded 2026/05/05 9:31 a.m.4 views

EUVD-2026-27225

The GenerateBlocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.0. This is due to missing object-level authorization checks in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint. The endpoint only verifies that...

6.5CVSS5.9AI score0.00015EPSS
Exploits0References9
NVD
NVDadded 2026/05/05 7:16 a.m.7 views

CVE-2026-3454

The GenerateBlocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.0. This is due to missing object-level authorization checks in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint. The endpoint only verifies that...

6.5CVSS0.00015EPSS
Exploits0References8
Vulnrichment
Vulnrichmentadded 2026/05/05 6:43 a.m.1 views

CVE-2026-3454 GenerateBlocks <= 2.2.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via Dynamic Tag Replacements

The GenerateBlocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.0. This is due to missing object-level authorization checks in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint. The endpoint only verifies that...

6.5CVSS5.9AI score0.00015EPSS
Exploits0References8
CVE
CVEadded 2026/05/05 6:43 a.m.10 views

CVE-2026-3454

CVE-2026-3454 affects the WordPress plugin GenerateBlocks (versions &lt;= 2.2.0). The vulnerability is an Insecure Direct Object Reference in the REST endpoint /wp-json/generateblocks/v1/dynamic-tag-replacements . The endpoint only checks user capability (edit_posts) and does not verify that the ...

6.5CVSS5.9AI score0.00015EPSS
Exploits0References8
ATTACKERKB
ATTACKERKBadded 2026/05/05 6:43 a.m.0 views

CVE-2026-3454

The GenerateBlocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.0. This is due to missing object-level authorization checks in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint. The endpoint only verifies that...

6.5CVSS5.9AI score0.00015EPSS
Exploits0References9
CVE
CVEadded 2026/05/02 8:27 a.m.4 views

CVE-2026-4024

Technical details about CVE-2026-4024 are not provided in the connected documents. Public specifics (affected versions, impact, fixes) require additional sources; monitor for updates.

5.3CVSS5.8AI score0.00027EPSS
Exploits0References7
Cvelist
Cvelistadded 2026/05/02 8:27 a.m.25 views

CVE-2026-4024 Royal Addons for Elementor <= 1.7.1056 - Missing Authorization to Unauthenticated Form Action Meta Modification

The Royal Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wprupdateformactionmeta AJAX action in all versions up to, and including, 1.7.1056. The handler is registered on both wpajax and wpajaxnopriv hooks, maki...

5.3CVSS0.00027EPSS
Exploits0References7
RedhatCVE
RedhatCVEadded 2026/04/23 8:38 p.m.2 views

CVE-2026-4088

The Switch CTA Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wppwctabox' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user-supplied post meta values including 'ctaboxbuttonlink',...

6.4CVSS5.9AI score0.00027EPSS
Exploits0References1
Vulnrichment
Vulnrichmentadded 2026/04/23 3:26 a.m.0 views

CVE-2026-3361 WP Store Locator <= 2.2.261 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpsl_address' Post Meta

The WP Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpsladdress' post meta value in versions up to, and including, 2.2.261 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS5.9AI score0.00037EPSS
Exploits0References2
Patchstack
Patchstackadded 2026/04/23 3:25 a.m.1 views

WordPress WP Store Locator plugin <= 2.2.261 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpsl_address' Post Meta vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'wpsladdress' Post Meta vulnerability discovered by kai63001 in WordPress Plugin WP Store Locator versions = 2.2.261...

6.4CVSS5.8AI score0.00037EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologiesadded 2026/04/23 12:0 a.m.1 views

PT-2026-34631

The WP Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpsl address' post meta value in versions up to, and including, 2.2.261 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS5.9AI score0.00037EPSS
Exploits0References3
EUVD
EUVDadded 2026/04/22 9:31 a.m.1 views

EUVD-2026-24652

The Switch CTA Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wppwctabox' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user-supplied post meta values including 'ctaboxbuttonlink',...

6.4CVSS5.9AI score0.00027EPSS
Exploits0References10
NVD
NVDadded 2026/04/22 9:16 a.m.0 views

CVE-2026-4088

The Switch CTA Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wppwctabox' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user-supplied post meta values including 'ctaboxbuttonlink',...

6.4CVSS0.00027EPSS
Exploits0References9
ATTACKERKB
ATTACKERKBadded 2026/04/22 7:45 a.m.2 views

CVE-2026-4088

The Switch CTA Box plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wppwctabox' shortcode in all versions up to, and including, 1.1. This is due to insufficient input sanitization and output escaping on user-supplied post meta values including 'ctaboxbuttonlink',...

6.4CVSS5.9AI score0.00027EPSS
Exploits0References10
Rows per page
Query Builder