Lucene search
+L

601 matches found

CVE
CVE
added 2026/07/11 5:35 a.m.24 views

CVE-2026-6939

The CVE-2026-6939 entry concerns the CorvusPay WooCommerce Payment Gateway for WordPress. It is vulnerable to Unauthenticated Stored Cross-Site Scripting via the approval_code parameter in all versions up to 2.7.4 due to insufficient input sanitization and output escaping. An unauthenticated REST...

7.2CVSS6.2AI score0.00324EPSS
Exploits0References11
Cvelist
Cvelist
added 2026/07/11 5:35 a.m.37 views

CVE-2026-6939 CorvusPay WooCommerce Payment Gateway <= 2.7.4 - Unauthenticated Stored Cross-Site Scripting via 'approval_code' Parameter

The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'approvalcode' parameter in all versions up to, and including, 2.7.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers...

7.2CVSS0.00324EPSS
Exploits0References11
NVD
NVD
added 2026/07/11 5:16 a.m.9 views

CVE-2026-15335

The Booking Package plugin for WordPress is vulnerable to generic SQL Injection via 'email' Form Parameter form in all versions up to, and including, 1.7.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

7.5CVSS0.00481EPSS
Exploits0References10
NVD
NVD
added 2026/07/11 4:17 a.m.8 views

CVE-2026-15073

The KiviCare – Clinic & Patient Management System EHR plugin for WordPress is vulnerable to generic SQL Injection via the 'orderby' parameter in all versions up to, and including, 4.5.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing...

6.5CVSS0.00249EPSS
Exploits0References5
CVE
CVE
added 2026/07/11 3:44 a.m.14 views

CVE-2026-15335

The Booking Package WordPress plugin is vulnerable up to version 1.7.20 due to insufficient escaping on the email parameter in the REST endpoint /wp-json/booking-package/v1/request, allowing unauthenticated SQL injection. Root cause: user-supplied email input reaches the SQL sink without proper e...

7.5CVSS6.1AI score0.00481EPSS
Exploits0References10
Cvelist
Cvelist
added 2026/07/11 3:44 a.m.36 views

CVE-2026-15335 Booking Package <= 1.7.20 - Unauthenticated SQL Injection via 'email' Form Parameter

The Booking Package plugin for WordPress is vulnerable to generic SQL Injection via 'email' Form Parameter form in all versions up to, and including, 1.7.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

7.5CVSS0.00481EPSS
Exploits0References10
EUVD
EUVD
added 2026/07/11 3:44 a.m.7 views

EUVD-2026-43143

The Booking Package plugin for WordPress is vulnerable to generic SQL Injection via 'email' Form Parameter form in all versions up to, and including, 1.7.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

7.5CVSS6.1AI score0.00481EPSS
Exploits0References10
ATTACKERKB
ATTACKERKB
added 2026/07/11 1:29 a.m.2 views

CVE-2026-13756

The WP Grid Builder plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.3.3. This is due to missing authorization and meta key validation in the update handler for the /wp-json/wpgb/v2/metadata REST endpoint. This makes it possible for authenticated...

8.8CVSS6.1AI score0.00309EPSS
Exploits0References3
CVE
CVE
added 2026/07/11 1:29 a.m.17 views

CVE-2026-13756

Technical details are not publicly available in the provided documents for CVE-2026-13756. Monitor for updates.

8.8CVSS6.1AI score0.00309EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/11 1:29 a.m.33 views

CVE-2026-13756 WP Grid Builder <= 2.3.3 - Authenticated (Subscriber+) Privilege Escalation via 'key' Parameter

The WP Grid Builder plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.3.3. This is due to missing authorization and meta key validation in the update handler for the /wp-json/wpgb/v2/metadata REST endpoint. This makes it possible for authenticated...

8.8CVSS0.00309EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/11 12:0 a.m.9 views

PT-2026-57393

Name of the Vulnerable Software and Affected Versions Booking Package versions prior to 1.7.21 Description Insufficient escaping of user-supplied parameters and lack of preparation in SQL queries allow unauthenticated attackers to perform SQL Injection. This occurs via the email parameter in the...

7.5CVSS6.1AI score0.00481EPSS
Exploits0References14
EUVD
EUVD
added 2026/07/10 7:48 a.m.6 views

EUVD-2026-42847

The FlowForms – Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.1 via the updateform due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

4.3CVSS6.1AI score0.00226EPSS
Exploits1References8
Cvelist
Cvelist
added 2026/07/10 7:16 a.m.32 views

CVE-2026-40452 Apache IoTDB: Authorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users

Incorrect Authorization, Improper Access Control vulnerability in Apache IoTDB. Authorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users. This issue affects Apache IoTDB: from 1.3.5 before 1.3.8, from 2.0.5 before 2.0.10. Users are recommended to...

0.00256EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/10 7:16 a.m.6 views

CVE-2026-40452

Incorrect Authorization, Improper Access Control vulnerability in Apache IoTDB. Authorization bypass in /rest/v2/fastLastQuery exposes last-value data to unauthorized authenticated users. This issue affects Apache IoTDB: from 1.3.5 before 1.3.8, from 2.0.5 before 2.0.10. Users are recommended to...

7.5CVSS6.1AI score0.00256EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/07/10 4:31 a.m.7 views

CVE-2026-15286

The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to unauthorized post publication in all versions up to, and including, 3.5.32 due to a misconfigured capability check on the 'getitemspermissioncheck' function permission callback of the...

4.3CVSS5.9AI score0.00268EPSS
Exploits0References5
NVD
NVD
added 2026/07/09 11:16 a.m.10 views

CVE-2026-9027

The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Payment Bypass via Improper Verification of Cryptographic Signature in all versions up to, and including, 2.7.4. The corvuspaysuccesshandler function registers the REST endpoint POST /wp-json/corvuspay/success/ with...

5.3CVSS0.00222EPSS
Exploits0References8
NVD
NVD
added 2026/07/09 11:16 a.m.6 views

CVE-2026-9028

The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.7.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers t...

5.3CVSS0.00288EPSS
Exploits0References8
NVD
NVD
added 2026/07/09 11:16 a.m.9 views

CVE-2026-12428

The Blocks for ACF Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getallvalues function in the /wp-json/acf-field-blocks/v1/values REST endpoint in versions up to, and including, 1.6.2. The permissioncallback only verifies the...

6.5CVSS0.00285EPSS
Exploits0References8
EUVD
EUVD
added 2026/07/09 9:31 a.m.8 views

EUVD-2026-42568

The Blocks for ACF Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getallvalues function in the /wp-json/acf-field-blocks/v1/values REST endpoint in versions up to, and including, 1.6.2. The permissioncallback only verifies the...

6.5CVSS6.1AI score0.00285EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 2026/07/09 9:31 a.m.6 views

CVE-2026-12428

The Blocks for ACF Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getallvalues function in the /wp-json/acf-field-blocks/v1/values REST endpoint in versions up to, and including, 1.6.2. The permissioncallback only verifies the...

6.5CVSS6.1AI score0.00285EPSS
Exploits0References9
Rows per page
Query Builder