2279 matches found

CVE
added 2026/05/12 7:48 a.m., 16 views

CVE-2026-5028

The Eight Day Week Print Workflow WordPress plugin (vulnerable up to 1.2.6) is affected by a time-based blind SQL injection via the title parameter in the pp-get-articles AJAX action. Root cause: insufficient escaping and inadequate SQL query preparation. Impact: authenticated attackers with Subs...

6.5 CVSS, 5.9 AI score, 0.00241 EPSS
Exploits 0, References 3

CNNVD
added 2026/05/12 12:0 a.m., 6 views

WordPress plugin Eight Day Week Print Workflow SQL injection vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. Versions...

6.5 CVSS, 5.9 AI score, 0.00241 EPSS
Exploits 0, References 1

Patchstack
added 2026/05/12 12:0 a.m., 9 views

WordPress ProfileGrid – User Profiles, Groups and Communities plugin <= 5.9.8.4 - Missing Authorization to Authenticated (Subscriber+) Group Settings Modification vulnerability

Missing Authorization to Authenticated Subscriber+ Group Settings Modification vulnerability discovered by Chawabhon Netisingha JNX03 in WordPress Plugin ProfileGrid versions <= 5.9.8.4...

4.3 CVSS, 5.8 AI score, 0.00234 EPSS
Exploits 0, References 1, Affected Software 1

Cvelist
added 2026/05/11 8:33 p.m., 32 views

CVE-2026-43876 WWBN AVideo: HTML Injection in notifySubscribers.json.php Enables Platform-Branded Phishing Emails to Channel Subscribers

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/notifySubscribers.json.php takes the raw message POST parameter and passes it into sendSiteEmail, which substitutes it directly into an HTML email template via str_replace on the message placeholder and...

6.4 CVSS, 0.00156 EPSS
Exploits 0, References 2

Vulnrichment
added 2026/05/11 8:33 p.m., 9 views

CVE-2026-43876 WWBN AVideo: HTML Injection in notifySubscribers.json.php Enables Platform-Branded Phishing Emails to Channel Subscribers

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/notifySubscribers.json.php takes the raw message POST parameter and passes it into sendSiteEmail, which substitutes it directly into an HTML email template via str_replace on the message placeholder and...

6.4 CVSS, 5.9 AI score, 0.00156 EPSS
Exploits 0, References 2

CVE
added 2026/05/11 8:33 p.m., 7 views

CVE-2026-43876

CVE-2026-43876 describes an HTML injection vulnerability in WWBN AVideo: objects/notifySubscribers.json.php passes $_POST['message'] unsanitized into an HTML email template, then renders it with PHPMailer::msgHTML(). Attacker-controlled HTML is substituted into the email body and, due to a permi...

6.4 CVSS, 5.9 AI score, 0.00156 EPSS
Exploits 0, References 2

Patchstack
added 2026/05/11 7:56 p.m., 12 views

WordPress Motors – Car Dealership & Classified Listings Plugin plugin <= 1.4.103 - Missing Authorization to Authenticated (Subscriber+) Payment Bypass vulnerability

Missing Authorization to Authenticated Subscriber+ Payment Bypass vulnerability discovered by shrikant bhosale in WordPress Plugin Motors versions <= 1.4.103...

4.3 CVSS, 5.8 AI score, 0.00222 EPSS
Exploits 0, References 1, Affected Software 1

Patchstack
added 2026/05/11 7:7 p.m., 7 views

WordPress Rate Star Review Vote – AJAX Reviews, Votes, Star Ratings plugin <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Modification vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Post Modification vulnerability discovered by cpforensic in WordPress Plugin Rate Star Review versions <= 1.6.4...

4.3 CVSS, 5.8 AI score, 0.00271 EPSS
Exploits 0, References 1, Affected Software 1

CNNVD
added 2026/05/11 12:0 a.m., 6 views

WWBN AVideo cross-site scripting vulnerability

WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Versions of WWBN AVideo prior to version 29 contain cross-site scripting vulnerabilities. This vulnerability arises from the lack of HTML cleaning of user input in objects/notifySubscribers.json.php, which...

6.4 CVSS, 5.8 AI score, 0.00156 EPSS
Exploits 0, References 2

NVD
added 2026/05/08 9:16 a.m., 21 views

CVE-2026-5127

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in versions up to, and including, 4.3.1. This is due to insufficient input validation and type checking on the wpuffiles...

8.8 CVSS, 0.00951 EPSS
Exploits 0, References 19

Patchstack
added 2026/05/07 10:26 a.m., 15 views

WordPress Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin <= 1.53.0 - Missing Authorization to Authenticated (Subscriber+) Scheduled Form Submission Export vulnerability

Missing Authorization to Authenticated Subscriber+ Scheduled Form Submission Export vulnerability discovered by anhcd05 - VNPT Cyber Immunity in WordPress Plugin Forminator versions <= 1.53.0...

6.5 CVSS, 5.8 AI score, 0.00438 EPSS
Exploits 0, References 1, Affected Software 1

Vulnrichment
added 2026/05/07 4:27 a.m., 7 views

CVE-2026-6692 Slider Revolution 7.0.0 - 7.0.10 - Authenticated (Subscriber+) Arbitrary File Upload via _get_media_url

The Slider Revolution plugin for WordPress is vulnerable to Arbitrary File Upload in versions 7.0.0 to 7.0.10 via the '_get_media_url' and 'checkfilepath' function. This is due to insufficient file type validation. This makes it possible for authenticated attackers, with subscriber-level access and...

8.8 CVSS, 6.4 AI score, 0.00815 EPSS
Exploits 0, References 2

ATTACKERKB
added 2026/05/07 4:27 a.m., 9 views

CVE-2026-6692

The Slider Revolution plugin for WordPress is vulnerable to Arbitrary File Upload in versions 7.0.0 to 7.0.10 via the '_get_media_url' and 'checkfilepath' function. This is due to insufficient file type validation. This makes it possible for authenticated attackers, with subscriber-level access and...

8.8 CVSS, 6.4 AI score, 0.00815 EPSS
Exploits 0, References 3, Affected Software 1

Vulnrichment
added 2026/05/07 3:27 a.m., 8 views

CVE-2026-6214 Forminator Forms <= 1.53.0 - Missing Authorization to Authenticated (Subscriber+) Scheduled Form Submission Export via forminator_export_entries Action on wp_loaded Hook

The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.53.0. This is due to the listenforsavingexportschedule function in library/class-export.php failing to perform a capability check before saving the scheduled export configuration,...

6.5 CVSS, 5.7 AI score, 0.00438 EPSS
Exploits 0, References 6

CVE
added 2026/05/06 4:26 a.m., 20 views

CVE-2026-2306

The CVE concerns the WordPress plugin Ninja Tables – Easy Data Table Builder. All versions up to and including 5.2.6 are affected by missing authorization checks in the createFluentCartTable function, enabling authenticated users with Subscriber-level access and above to create arbitrary Ninja Ta...

4.3 CVSS, 5.9 AI score, 0.00248 EPSS
Exploits 0, References 6

Snyk
added 2026/05/05 7:11 p.m., 6 views

Cross-site Scripting (XSS)

Overview: wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the sendSiteEmail process. An attacker can inject arbitrary HTML content into emails sent to subscribers by supplying crafted input to...

6.4 CVSS, 5.6 AI score, 0.00156 EPSS
Exploits 0, References 2

Github Security Blog
added 2026/05/05 7:11 p.m., 9 views

AVideo: HTML Injection in notifySubscribers.json.php Allows Platform-Branded Phishing Emails to Channel Subscribers

Summary: objects/notifySubscribers.json.php takes the raw message POST parameter and passes it into sendSiteEmail, which substitutes it directly into an HTML email template via str_replace on the message placeholder and renders it with PHPMailer::msgHTML. There is no HTML sanitization, character...

6.4 CVSS, 5.9 AI score, 0.00156 EPSS
Exploits 0, References 4, Affected Software 1

Patchstack
added 2026/05/05 4:22 p.m., 8 views

WordPress Paid Memberships Pro – Content Restriction, User Registration, & Paid Subscriptions plugin <= 3.6.5 - Missing Authorization to Authenticated (Subscriber+) Stripe Webhook Deletion and Payment Processing Disruption vulnerability

Missing Authorization to Authenticated Subscriber+ Stripe Webhook Deletion and Payment Processing Disruption vulnerability discovered by Jared Reyes in WordPress Plugin Paid Memberships Pro versions <= 3.6.5...

7.1 CVSS, 5.8 AI score, 0.00247 EPSS
Exploits 0, References 1, Affected Software 1

Patchstack
added 2026/05/05 3:30 p.m., 5 views

WordPress Ninja Tables – Easy Data Table Builder plugin <= 5.2.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Table Creation vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Table Creation vulnerability discovered by nquangit - Techlab Corporation in WordPress Plugin Ninja Tables versions <= 5.2.6...

4.3 CVSS, 5.8 AI score, 0.00248 EPSS
Exploits 0, References 1, Affected Software 1

Positive Technologies
added 2026/05/05 12:0 a.m., 9 views

PT-2026-37292

Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions prior to 29.1. Description: An issue exists where the endpoint "/objects/notifySubscribers.json.php" accepts a raw message POST parameter and passes it to the sendSiteEmail function. This function substitutes the input...

6.4 CVSS, 5.9 AI score, 0.00156 EPSS
Exploits 0, References 6