Lucene search
K

8712 matches found

Nuclei
Nuclei
added 13 hours ago18 views

WordPress CBX Bookmark & Favorite Plugin <= 2.0.4 - SQL Injection

CBX Bookmark & Favorite WordPress plugin = 2.0.4 contains a SQL injection caused by insufficient escaping of the 'orderby' parameter, letting authenticated attackers with Subscriber-level access extract sensitive database information id: CVE-2025-13652 info: name: WordPress CBX Bookmark & Favorit...

6.5CVSS6.1AI score0.01077EPSS
Exploits0References3
Cvelist
Cvelist
added 14 hours ago9 views

CVE-2026-12583 Newsletters < 4.15 - Unauthenticated PHP Object Injection via Subscriber Custom Field

The Newsletters WordPress plugin before 4.15 does not prevent deserialization of untrusted input that is stored through a public form, allowing unauthenticated attackers to inject a PHP object and, via a property-oriented gadget chain bundled with the Newsletters WordPress plugin before 4.15, wri...

Exploits0References1
CVE
CVE
added 14 hours ago14 views

CVE-2026-12583

The Newsletters WordPress plugin before 4.15 does not prevent deserialization of untrusted input that is stored through a public form, allowing unauthenticated attackers to inject a PHP object and, via a property-oriented gadget chain bundled with the Newsletters WordPress plugin before 4.15, wri...

8.1CVSS6.4AI score
Exploits0References1
EUVD
EUVD
added yesterday6 views

EUVD-2026-43287

The Tutor LMS WordPress plugin before 3.9.13 does not verify ownership of the targeted quiz attempt before writing to it, allowing authenticated users with subscriber-level access and above to modify and force-complete other students' quiz attempts, overwriting their recorded marks and pass/fail...

5.4CVSS6.1AI score0.00132EPSS
Exploits0References2
EUVD
EUVD
added yesterday6 views

EUVD-2026-43288

The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments...

4.3CVSS6.2AI score0.0014EPSS
Exploits0References2
EUVD
EUVD
added yesterday5 views

EUVD-2026-43292

The WP Job Portal WordPress plugin before 2.5.5 does not verify ownership when returning an employer's contact email for a given job, allowing authenticated users with a subscriber-level self-registerable account to read other employers' private account email addresses by enumerating job...

4.3CVSS6.1AI score0.00132EPSS
Exploits0References2
EUVD
EUVD
added yesterday7 views

EUVD-2026-43291

The WP Job Portal WordPress plugin before 2.5.5 does not perform capability or ownership checks before allowing job moderation actions, allowing authenticated users with a subscriber-level self-registerable account to approve, feature, or reject arbitrary jobs, including those owned by other user...

5.4CVSS6.2AI score0.00132EPSS
Exploits0References2
NVD
NVD
added yesterday4 views

CVE-2026-12396

The WP Job Portal WordPress plugin before 2.5.5 does not perform capability or ownership checks before allowing job moderation actions, allowing authenticated users with a subscriber-level self-registerable account to approve, feature, or reject arbitrary jobs, including those owned by other user...

5.4CVSS0.00132EPSS
Exploits0References1
NVD
NVD
added yesterday4 views

CVE-2026-12397

The WP Job Portal WordPress plugin before 2.5.5 does not verify ownership when returning an employer's contact email for a given job, allowing authenticated users with a subscriber-level self-registerable account to read other employers' private account email addresses by enumerating job...

4.3CVSS0.00132EPSS
Exploits0References1
Cvelist
Cvelist
added yesterday24 views

CVE-2026-12397 WP Job Portal < 2.5.5 - Subscriber+ Employer Email Disclosure via IDOR

The WP Job Portal WordPress plugin before 2.5.5 does not verify ownership when returning an employer's contact email for a given job, allowing authenticated users with a subscriber-level self-registerable account to read other employers' private account email addresses by enumerating job...

0.00132EPSS
Exploits0References1
Cvelist
Cvelist
added yesterday27 views

CVE-2026-12273 Tutor LMS < 3.9.13 - Subscriber+ Arbitrary Auto-Approved Comment Creation

The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments...

0.0014EPSS
Exploits0References1
Cvelist
Cvelist
added yesterday23 views

CVE-2026-12275 Tutor LMS < 3.9.13 - Subscriber+ Unauthorized Course Enrollment and Private Course Content Disclosure via Droip/Kirki Integration

The Tutor LMS WordPress plugin before 3.9.13 does not, in its Droip and Kirki page-builder integration, perform the enrollment, purchase, and private-course capability checks it enforces in its core course handler, allowing authenticated users with subscriber-level access to enroll in paid or...

0.00132EPSS
Exploits0References1
Cvelist
Cvelist
added yesterday25 views

CVE-2026-12396 WP Job Portal < 2.5.5 - Subscriber+ Arbitrary Job Approval, Featuring and Rejection

The WP Job Portal WordPress plugin before 2.5.5 does not perform capability or ownership checks before allowing job moderation actions, allowing authenticated users with a subscriber-level self-registerable account to approve, feature, or reject arbitrary jobs, including those owned by other user...

0.00132EPSS
Exploits0References1
CVE
CVE
added yesterday8 views

CVE-2026-12397

The CVE-2026-12397 issue affects the WP Job Portal WordPress plugin prior to 2.5.5. The vulnerability arises because the plugin does not verify ownership when returning an employer’s contact email for a given job, enabling authenticated users with a subscriber-level (self-registerable) account to...

4.3CVSS6.1AI score0.00132EPSS
Exploits0References1
CVE
CVE
added yesterday10 views

CVE-2026-12273

The CVE-2026-12273 entry concerns Tutor LMS for WordPress (MITRE CVE-2026-12273). Affected component: Tutor LMS WordPress plugin prior to version 3.9.13. Description details a lack of authorization checks and post-target validation in a comment-creation handler, resulting in pre-approved comments...

4.3CVSS6.2AI score0.0014EPSS
Exploits0References1
CVE
CVE
added yesterday11 views

CVE-2026-12396

The issue concerns the WP Job Portal WordPress plugin (pre-2.5.5). The root cause is missing capability/ownership checks when performing job moderation actions. As a result, authenticated users with a subscriber-level (self-registerable) account can approve, feature, or reject jobs, including tho...

5.4CVSS6.2AI score0.00132EPSS
Exploits0References1
Cvelist
Cvelist
added yesterday24 views

CVE-2026-12271 Tutor LMS < 3.9.13 - Subscriber+ Arbitrary Quiz Attempt Modification via IDOR

The Tutor LMS WordPress plugin before 3.9.13 does not verify ownership of the targeted quiz attempt before writing to it, allowing authenticated users with subscriber-level access and above to modify and force-complete other students' quiz attempts, overwriting their recorded marks and pass/fail...

0.00132EPSS
Exploits0References1
Patchstack
Patchstack
added yesterday4 views

WordPress Academy LMS plugin <= 3.8.0 - Authenticated (Subscriber+) Insecure Direct Object Reference vulnerability

Authenticated Subscriber+ Insecure Direct Object Reference vulnerability discovered by sorawautsukushiii in WordPress Plugin Academy LMS versions = 3.8.0...

4.3CVSS6.1AI score
Exploits0References1Affected Software1
NVD
NVD
added 3 days ago7 views

CVE-2026-15010

The bbp Style Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.4.5 via the Topic Form Additional Fields feature. This is due to insufficient input sanitization in bsptopicfieldsformsave which writes $POST'bsptopicfieldslabeln' directly to...

6.4CVSS0.00208EPSS
Exploits0References4
NVD
NVD
added 3 days ago7 views

CVE-2026-12103

The Wallet for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.6.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

4.3CVSS0.00286EPSS
Exploits0References10
Rows per page
Query Builder