
63 matches found

EUVD
added yesterday | 7 views

EUVD-2026-37988

The WP DSGVO Tools GDPR plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.39. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to supply an...

CVSS 5.3 | AI score 6
Exploits 0 | References 12

Cvelist
added 5 days ago | 35 views

CVE-2026-8935 Advanced Google Maps < 6.1.1 - Unauthenticated Administrator Account Creation

The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin acces...

EPSS 0.00268
Exploits 0 | References 1

Vulnrichment
added 5 days ago | 6 views

CVE-2026-8935 Advanced Google Maps < 6.1.1 - Unauthenticated Administrator Account Creation

The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any frontend page enqueuing its map script, unconditionally creates an administrator account and returns a magic-login URL granting interactive admin acces...

AI score 5.2 | EPSS 0.00268
Exploits 0 | References 1

CVE
added 5 days ago | 14 views

CVE-2026-8935

The CVE concerns the WP MAPS PRO WordPress plugin prior to version 6.1.1. The vulnerability arises from an unauthenticated AJAX action that, when a valid nonce (publicly emitted on frontend pages enqueuing the map script) is supplied, unconditionally creates an administrator account and returns a...

CVSS 9.8 | AI score 5.3 | EPSS 0.00268
Exploits 0 | References 1

CVE
added 2026/06/11 5:15 p.m. | 11 views

CVE-2026-46698

Fediverse Embeds (WordPress plugin) prior to 1.5.9 registered an unauthenticated AJAX action, wp_ajax_nopriv_ftf_get_site_info, which validated a nonce ftf-fediverse-embeds-nonce and then performed file_get_html($site_url) on an attacker-supplied URL. The same nonce was enqueued on every public p...

CVSS 5.3 | AI score 5.4 | EPSS 0.00236
Exploits 0 | References 2

ATTACKERKB
added 2026/06/06 4:28 a.m. | 7 views

CVE-2026-9016

The Debug Log Manager – Conveniently Monitor and Inspect Errors plugin for WordPress is vulnerable to Improper Output Neutralization for Logs in all versions up to, and including, 2.5.0. This is due to the logjserrors AJAX handler being registered for unauthenticated users via...

CVSS 5.3 | AI score 5.6 | EPSS 0.00256
Exploits 0 | References 7

RedhatCVE
added 2026/06/05 7:32 p.m. | 7 views

CVE-2026-6937

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.11.8 due to the plugin not properly verifying that a user is authorized to perform an action via the bulk appointmen...

CVSS 5.3 | AI score 5.6 | EPSS 0.00377
Exploits 0 | References 1

RedhatCVE
added 2026/06/05 7:31 p.m. | 7 views

CVE-2026-6394

The Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to and including 1.1.1. This is due to the importdemo function accepting a user-supplied URL in the demojsonfile POST parameter and...

CVSS 5.4 | AI score 5.6 | EPSS 0.00316
Exploits 0 | References 1

RedhatCVE
added 2026/06/05 7:28 p.m. | 7 views

CVE-2026-4807

The Appointment Booking Calendar plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.6.10.6. This is due to a flawed authorization logic in the noncepermissionscheck method combined with the public exposure of a site-wide reusable nonce. The plugin expose...

CVSS 6.5 | AI score 5.5 | EPSS 0.0034
Exploits 0 | References 1

RedhatCVE
added 2026/06/05 7:24 p.m. | 8 views

CVE-2026-8684

The MotoPress Hotel Booking plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite or...

CVSS 5.3 | AI score 5.5 | EPSS 0.00278
Exploits 0 | References 1

RedhatCVE
added 2026/06/05 7:14 p.m. | 4 views

CVE-2026-4365

The LearnPress plugin for WordPress is vulnerable to unauthorized data deletion due to a missing capability check on the deletequestionanswer function in all versions up to, and including, 4.3.2.8. The plugin exposes a wprest nonce in public frontend HTML lpData to unauthenticated visitors, and...

CVSS 9.1 | AI score 5.5 | EPSS 0.00867
Exploits 0 | References 1

GithubExploit
added 2026/05/30 12:28 a.m. | 225 views

Exploit for CVE-2026-8732

CVE-2026-8732 — WP Maps Pro ≤ 6.1.0 - Unauthenticated Privil...

CVSS 9.8 | AI score 5.8 | EPSS 0.00358
Exploits 7

NVD
added 2026/05/29 7:16 a.m. | 16 views

CVE-2026-8732

The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmptempaccessajax AJAX action being registered with wp_ajax_nopriv and protected only by a nonce check using the...

CVSS 9.8 | EPSS 0.00358
Exploits 7 | References 2

NVD
added 2026/05/28 8:16 a.m. | 9 views

CVE-2026-7797

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'append_where_sql' parameter in all versions up to, and including, 1.6.11.8 due to insufficient escaping on the user supplied parameter and lac...

CVSS 7.5 | EPSS 0.00398
Exploits 0 | References 11

CVE
added 2026/05/28 7:43 a.m. | 12 views

CVE-2026-6937

The CVE covers the WordPress plugin Simply Schedule Appointments (Appointment Booking Calendar) with versions up to 1.6.11.8. Root cause: Missing authorization on the bulk appointments REST API endpoint, allowing unauthenticated attackers to modify arbitrary appointment records (including custome...

CVSS 5.3 | AI score 5.9 | EPSS 0.00377
Exploits 0 | References 11

EUVD
added 2026/05/28 6:45 a.m. | 8 views

EUVD-2026-32739

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'append_where_sql' parameter in all versions up to, and including, 1.6.11.8 due to insufficient escaping on the user supplied parameter and lac...

CVSS 7.5 | AI score 5.8 | EPSS 0.00398
Exploits 0 | References 11

Cvelist
added 2026/05/28 6:45 a.m. | 32 views

CVE-2026-7797 Appointment Booking Calendar <= 1.6.11.8 - Unauthenticated SQL Injection via 'append_where_sql' Parameter

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'append_where_sql' parameter in all versions up to, and including, 1.6.11.8 due to insufficient escaping on the user supplied parameter and lac...

CVSS 7.5 | EPSS 0.00398
Exploits 0 | References 11

ATTACKERKB
added 2026/05/28 6:45 a.m. | 6 views

CVE-2026-7797

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'append_where_sql' parameter in all versions up to, and including, 1.6.11.8 due to insufficient escaping on the user supplied parameter and lac...

CVSS 7.5 | AI score 5.8 | EPSS 0.00398
Exploits 0 | References 12

CVE
added 2026/05/28 6:45 a.m. | 16 views

CVE-2026-7797

The CVE covers the WordPress plugin Appointment Booking Calendar – Simply Schedule Appointments. The vulnerability exists in versions up to

CVSS 7.5 | AI score 5.8 | EPSS 0.00398
Exploits 0 | References 11

Positive Technologies
added 2026/05/28 12:00 a.m. | 10 views

PT-2026-44206

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'append_where_sql' parameter in all versions up to, and including, 1.6.11.8 due to insufficient escaping on the user supplied parameter and...

CVSS 7.5 | AI score 5.8 | EPSS 0.00398
Exploits 0 | References 12