Lucene search
K

3790 matches found

CVE
CVE
added 16 hours ago10 views

CVE-2026-8489

The CVE-2026-8489 case involves the WordPress plugin Ultimate Member (User Profile, Registration, Login, etc.). Affected: all versions up to 2.11.4. Vulnerability: Stored Cross-Site Scripting via the about_me field in user profiles, caused by insufficient input sanitization and output escaping. I...

6.4CVSS5.9AI score
Exploits0References11
ATTACKERKB
ATTACKERKB
added 16 hours ago6 views

CVE-2026-8489

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aboutme' parameter in all versions up to, and including, 2.11.4 due to insufficient input sanitization and...

6.4CVSS5.9AI score
Exploits0References12
EUVD
EUVD
added 16 hours ago4 views

EUVD-2026-41486

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aboutme' parameter in all versions up to, and including, 2.11.4 due to insufficient input sanitization and...

6.4CVSS5.9AI score
Exploits0References11
Nuclei
Nuclei
added 18 hours ago26 views

WordPress Supsystic Ultimate Maps <1.2.5 - Cross-Site Scripting

WordPress Supsystic Ultimate Maps plugin before 1.2.5 contains an unauthenticated reflected cross-site scripting vulnerability due to improper sanitization of the tab parameter on the options page before outputting it in an attribute. id: CVE-2021-24274 info: name: WordPress Supsystic Ultimate Ma...

6.1CVSS6.3AI score0.17638EPSS
Exploits5References5
Nuclei
Nuclei
added 18 hours ago28 views

WordPress Shortcodes Ultimate <= 5.0.0 - Authenticated Remote Code Execution

Shortcodes Ultimate plugin before 5.0.1 for WordPress contains a remote code execution caused by a filter in meta, post, or user shortcode, letting remote attackers execute arbitrary code, exploit requires sending crafted shortcode data. id: CVE-2017-18580 info: name: WordPress Shortcodes Ultimat...

9.8CVSS8AI score0.12092EPSS
Exploits1References4
Nuclei
Nuclei
added 18 hours ago10 views

WordPress Image Hover Ultimate - Unauthenticated Settings Update

Unauthenticated Arbitrary Options Update vulnerability leading to full website compromise discovered in Image Hover Effects Ultimate versions = 9.6.1 WordPress plugin. id: CVE-2021-36888 info: name: WordPress Image Hover Ultimate - Unauthenticated Settings Update author: riteshs4hu severity:...

9.8CVSS7.2AI score0.0674EPSS
Exploits1References2
Nuclei
Nuclei
added 18 hours ago12 views

Ultimate Member < 2.1.12 - Unauthenticated Privilege Escalation via User Meta

An issue was discovered in the Ultimate Member plugin before 2.1.12 for WordPress, aka Unauthenticated Privilege Escalation via User Meta. An attacker could supply an array parameter for sensitive metadata, such as the wpcapabilities user meta that defines a user's role. During the registration...

10CVSS7.2AI score0.08975EPSS
Exploits2References3
Nuclei
Nuclei
added 18 hours ago8 views

WordPress Ultimate FAQs <= 1.8.24 – Unauthenticated Options Import and Export

Functions/EWDUFAQImport.php in the ultimate-faqs plugin through 1.8.24 for WordPress allows unauthenticated options import. id: CVE-2019-17232 info: name: WordPress Ultimate FAQs = 1.8.24 – Unauthenticated Options Import and Export author: daffainfo severity: high description: |...

7.5CVSS7.3AI score0.03518EPSS
Exploits1References4
Nuclei
Nuclei
added 18 hours ago10 views

WordPress Ultimate FAQs <= 1.8.24 – Unauthenticated HTML Content Injection

Functions/EWDUFAQImport.php in the ultimate-faqs plugin through 1.8.24 for WordPress allows HTML content injection. id: CVE-2019-17233 info: name: WordPress Ultimate FAQs = 1.8.24 – Unauthenticated HTML Content Injection author: daffainfo severity: medium description: | Functions/EWDUFAQImport.ph...

6.1CVSS7AI score0.01843EPSS
Exploits1References2
Nuclei
Nuclei
added 18 hours ago24 views

WordPress Ultimate FAQ <1.8.30 - Cross-Site Scripting

WordPress Ultimate FAQ plugin before 1.8.30 is susceptible to cross-site scripting via DisplayFAQ to Shortcodes/DisplayFAQs.php. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based...

6.1CVSS6.4AI score0.02195EPSS
Exploits1References5
Nuclei
Nuclei
added 18 hours ago25 views

Ultimate Weather Plugin <= 1.0 - Cross-Site Scripting

The ultimate-weather plugin 1.0 for WordPress contains a cross-site scripting vulnerability. id: CVE-2014-4561 info: name: Ultimate Weather Plugin = 1.0 - Cross-Site Scripting author: daffainfo severity: medium description: The ultimate-weather plugin 1.0 for WordPress contains a cross-site...

6.1CVSS6.3AI score0.03686EPSS
Exploits2References4
Nuclei
Nuclei
added yesterday94 views

WordPress Ultimate Member 2.1.3 - 2.8.2 – SQL Injection

The Ultimate Member - User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘sorting’ parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of...

9.8CVSS7.6AI score0.89431EPSS
Exploits8References5
ATTACKERKB
ATTACKERKB
added 6 days ago6 views

CVE-2026-12404

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated...

5.3CVSS5.8AI score0.00281EPSS
Exploits0References9
NVD
NVD
added 2026/06/24 8:16 a.m.11 views

CVE-2026-7761

The Ultimate Member plugin for WordPress is vulnerable to Account Takeover via Password Reset Link Disclosure in all versions up to and including 2.11.4. This is due to a chain of three logic bugs: 1 an MD5 hash fallback in getdirectorybyhash that allows any post to be used as a member directory ...

8.8CVSS0.00499EPSS
Exploits0References10
ATTACKERKB
ATTACKERKB
added 2026/06/24 6:49 a.m.6 views

CVE-2026-7761

The Ultimate Member plugin for WordPress is vulnerable to Account Takeover via Password Reset Link Disclosure in all versions up to and including 2.11.4. This is due to a chain of three logic bugs: 1 an MD5 hash fallback in getdirectorybyhash that allows any post to be used as a member directory ...

8.8CVSS5.9AI score0.00499EPSS
Exploits0References11
Cvelist
Cvelist
added 2026/06/24 6:49 a.m.30 views

CVE-2026-7761 Ultimate Member <= 2.11.4 - Authenticated (Contributor+) Account Takeover via Password Reset Link Disclosure

The Ultimate Member plugin for WordPress is vulnerable to Account Takeover via Password Reset Link Disclosure in all versions up to and including 2.11.4. This is due to a chain of three logic bugs: 1 an MD5 hash fallback in getdirectorybyhash that allows any post to be used as a member directory ...

8.8CVSS0.00499EPSS
Exploits0References10
CVE
CVE
added 2026/06/24 6:49 a.m.8 views

CVE-2026-7761

CVE-2026-7761 affects the WordPress plugin Ultimate Member up to version 2.11.4. The description in connected sources details a chain of three logic flaws causing account takeover via password reset URL disclosure: (1) an MD5 hash fallback in get_directory_by_hash() allows routing to a crafted po...

8.8CVSS5.9AI score0.00499EPSS
Exploits0References10
EUVD
EUVD
added 2026/06/24 6:49 a.m.9 views

EUVD-2026-38714

The Ultimate Member plugin for WordPress is vulnerable to Account Takeover via Password Reset Link Disclosure in all versions up to and including 2.11.4. This is due to a chain of three logic bugs: 1 an MD5 hash fallback in getdirectorybyhash that allows any post to be used as a member directory ...

8.8CVSS5.9AI score0.00499EPSS
Exploits0References10
Patchstack
Patchstack
added 2026/06/23 12:0 a.m.5 views

WordPress Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin <= 2.11.4 - Authenticated (Contributor+) Account Takeover vulnerability

Authenticated Contributor+ Account Takeover vulnerability discovered by tiborisaak in WordPress Plugin Ultimate Member versions = 2.11.4...

8.8CVSS5.8AI score0.00499EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/06/22 6:0 a.m.8 views

EUVD-2026-38211

The ultimate-woocommerce-auction-pro WordPress plugin through 2.4.5 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

6.1CVSS5.8AI score0.00152EPSS
Exploits0References1
Rows per page
Query Builder