Lucene search
K

580 matches found

Nuclei
Nuclei
added 11 hours ago25 views

Easy Appointments <= 3.12.21 - Information Disclosure

Easy Appointments WordPress plugin = 3.12.21 contains a sensitive information exposure caused by an unauthenticated REST API endpoint /wp-json/wp/v2/eablocks/eaappointments/ registered with permissioncallback allowing unrestricted access, letting unauthenticated attackers extract sensitive custom...

7.5CVSS7AI score0.0239EPSS
Exploits1References2
Nuclei
Nuclei
added 11 hours ago27 views

Stop User Enumeration WordPress plugin - Authentication Bypass

Stop User Enumeration WordPress plugin 1.7.3 contains an authentication bypass caused by URL-encoding the REST API path /wp-json/wp/v2/users/, letting attackers bypass user enumeration restrictions, exploit requires crafted URL encoding. id: CVE-2025-4302 info: name: Stop User Enumeration WordPre...

5.3CVSS7AI score0.00847EPSS
Exploits3References3
Nuclei
Nuclei
added 11 hours ago14 views

NotificationX Dropshipping < 4.4 - SQL Injection

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement via a REST endpoint available to unauthenticated users, leading to a SQL injection id: CVE-2022-3481 info: name: NotificationX Dropshipping 4.4 - SQL Injection author: ritikchaddha severity: critical...

9.8CVSS7.1AI score0.03686EPSS
Exploits2References2
Nuclei
Nuclei
added 11 hours ago15 views

WordPress Bookit < 2.5.1 - Unauthenticated Stripe Settings Update

Bookit WordPress plugin 2.5.1 contains a broken access control vulnerability caused by a publicly accessible REST endpoint allowing unauthenticated update of Stripe payment options, letting remote attackers modify payment settings without authentication. id: CVE-2025-12841 info: name: WordPress...

5.3CVSS6.1AI score0.00654EPSS
Exploits0References3
Nuclei
Nuclei
added 11 hours ago14 views

LiteLLM - Command Injection

A critical unauthenticated remote code execution vulnerability exists in LiteLLM due to improper input handling in the MCP stdio test endpoint. An attacker can send a specially crafted request to the /mcp-rest/test/connection endpoint with controlled parameters, resulting in arbitrary command...

8.8CVSS7.2AI score0.80188EPSS
Exploits4References4
Nuclei
Nuclei
added 11 hours ago15 views

LearnPress < 4.3.0 - Arbitrary Callback Execution to Information Exposure

The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 4.2.9.4. This is due to missing capability checks in the REST endpoint /wp-json/lp/v1/loadcontentviaajax which allows arbitrary callback execution of...

5.3CVSS6.3AI score0.00934EPSS
Exploits0References1
NVD
NVD
added yesterday8 views

CVE-2026-56238

Capgo before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST globalstats endpoint that allows unauthenticated attackers to read sensitive financial and operational metrics using only the public apikey. Remote attackers can query the /rest/v1/globalstats endpoin...

8.7CVSS
Exploits0References2
CVE
CVE
added 2 days ago19 views

CVE-2026-6939

The CVE-2026-6939 entry concerns the CorvusPay WooCommerce Payment Gateway for WordPress. It is vulnerable to Unauthenticated Stored Cross-Site Scripting via the approval_code parameter in all versions up to 2.7.4 due to insufficient input sanitization and output escaping. An unauthenticated REST...

7.2CVSS6.2AI score0.00324EPSS
Exploits0References11
EUVD
EUVD
added 2 days ago4 views

EUVD-2026-43143

The Booking Package plugin for WordPress is vulnerable to generic SQL Injection via 'email' Form Parameter form in all versions up to, and including, 1.7.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

7.5CVSS6.1AI score0.00481EPSS
Exploits0References10
CVE
CVE
added 2 days ago11 views

CVE-2026-15335

The Booking Package WordPress plugin is vulnerable up to version 1.7.20 due to insufficient escaping on the email parameter in the REST endpoint /wp-json/booking-package/v1/request, allowing unauthenticated SQL injection. Root cause: user-supplied email input reaches the SQL sink without proper e...

7.5CVSS6.1AI score0.00481EPSS
Exploits0References10
CVE
CVE
added 2 days ago14 views

CVE-2026-13756

Technical details are not publicly available in the provided documents for CVE-2026-13756. Monitor for updates.

8.8CVSS6.1AI score0.00309EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2 days ago8 views

PT-2026-57393

Name of the Vulnerable Software and Affected Versions Booking Package versions prior to 1.7.21 Description Insufficient escaping of user-supplied parameters and lack of preparation in SQL queries allow unauthenticated attackers to perform SQL Injection. This occurs via the email parameter in the...

7.5CVSS6.1AI score0.00481EPSS
Exploits0References14
EUVD
EUVD
added 3 days ago6 views

EUVD-2026-42847

The FlowForms – Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.1 via the updateform due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

4.3CVSS6.1AI score0.00226EPSS
Exploits1References8
Cvelist
Cvelist
added 3 days ago31 views

CVE-2026-40452 Apache IoTDB: Authorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users

Incorrect Authorization, Improper Access Control vulnerability in Apache IoTDB. Authorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users. This issue affects Apache IoTDB: from 1.3.5 before 1.3.8, from 2.0.5 before 2.0.10. Users are recommended to...

0.00256EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 3 days ago6 views

CVE-2026-40452

Incorrect Authorization, Improper Access Control vulnerability in Apache IoTDB. Authorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users. This issue affects Apache IoTDB: from 1.3.5 before 1.3.8, from 2.0.5 before 2.0.10. Users are recommended to...

7.5CVSS6.1AI score0.00256EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 3 days ago7 views

CVE-2026-15286

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to unauthorized post publication in all versions up to, and including, 3.5.32 due to a misconfigured capability check on the 'getitemspermissioncheck' function permission callback of the...

4.3CVSS5.9AI score0.00268EPSS
Exploits0References5
NVD
NVD
added 4 days ago9 views

CVE-2026-9027

The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Payment Bypass via Improper Verification of Cryptographic Signature in all versions up to, and including, 2.7.4. The corvuspaysuccesshandler function registers the REST endpoint POST /wp-json/corvuspay/success/ with...

5.3CVSS0.00222EPSS
Exploits0References8
NVD
NVD
added 4 days ago6 views

CVE-2026-9028

The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.7.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers t...

5.3CVSS0.00288EPSS
Exploits0References8
NVD
NVD
added 4 days ago8 views

CVE-2026-12428

The Blocks for ACF Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getallvalues function in the /wp-json/acf-field-blocks/v1/values REST endpoint in versions up to, and including, 1.6.2. The permissioncallback only verifies the...

6.5CVSS0.00285EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 4 days ago5 views

CVE-2026-12428

The Blocks for ACF Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getallvalues function in the /wp-json/acf-field-blocks/v1/values REST endpoint in versions up to, and including, 1.6.2. The permissioncallback only verifies the...

6.5CVSS6.1AI score0.00285EPSS
Exploits0References9
Rows per page
Query Builder