107 matches found
WordPress WP EasyCart plugin <= 5.9.0 - SQL Injection vulnerability
SQL Injection vulnerability discovered by HaiND in WordPress Plugin WP EasyCart versions = 5.9.0...
CVE-2026-12133
The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Group Deletion in versions up to, and including, 5.7.8. This is due to a missing capability check in the joomsportseasongroupdel AJAX handler, which only...
WordPress Tourmaster plugin <= 5.4.5 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Plugin Tourmaster versions = 5.4.5...
CVE-2026-11987
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.4 via the 'id' parameter due to missing validation on a user controlled key. This...
CVE-2026-52701
Unauthenticated Broken Access Control in User Registration = 5.2.2 versions...
CVE-2026-56030
CVE-2026-56030 affects WordPress Paytium plugin (versions
CVE-2026-52701
CVE-2026-52701 is an unauthenticated broken access control vulnerability affecting WordPress User Registration plugin versions
EUVD-2026-36989
Subscriber Broken Authentication in AutomatorWP = 5.6.7 versions...
CVE-2026-52697
CVE-2026-52697 affects the WordPress Taskbuilder plugin (versions <= 5.0.7). The vulnerability is an SQL Injection in the Taskbuilder component, with CVSSv3.1 metrics indicating a high-severity issue (8.5) that is network-exploitable, requires low privileges, and does not require user interact...
CVE-2026-40785 WordPress AutomatorWP plugin <= 5.6.7 - Broken Authentication vulnerability
Subscriber Broken Authentication in AutomatorWP = 5.6.7 versions...
PT-2026-49516
Name of the Vulnerable Software and Affected Versions Dokan versions prior to 5.0.3 Description A privilege escalation issue exists that allows a user with customer privileges to gain higher access levels. Recommendations Update to a version later than 5.0.2...
CVE-2026-11769 Operator - Namespaced User Path Traversal
We have released version 5.24.0 of the Grafana Operator. This patch includes a CRITICAL severity security fix for a path traversal/privilege escalation vulnerability in the Grafana Operator. Summary The Grafana Operator supports loading dashboards & library panels using the jsonnet data templatin...
📄 Craft CMS 5.9.5 Missing Authorization / Authentication Bypass
This script is an assessment and exploitation framework targeting a missing authorization vulnerability in affected versions of Craft CMS that may permit unauthorized access to privileged migration functionality. Versions 5.9.5 and below are affected...
CVE-2026-8853
The CVE-2026-8853 entry concerns the WordPress plugin MW WP Form (versions up to and including 5.1.3) with a Stored Cross-Site Scripting vulnerability via the memo parameter. The root cause is insufficient input sanitization and output escaping, enabling authenticated attackers with editor-level ...
WordPress MW WP Form plugin <= 5.1.3 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting XSS vulnerability discovered by VanTastic in WordPress Plugin MW WP Form versions = 5.1.3...
CVE-2026-9673
CVE-2026-9673 affects json-2-csv versions 3.15.0 and earlier up to 5.5.11, vulnerable to CSV Injection via the preventCsvInjection option, which can be bypassed. An attacker can inject formulas into CSV files that execute when opened in spreadsheet apps. The SNYK entry describes a PoC and recomme...
CVE-2026-6960
The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpressvalidatesubmittedbookingformfunc' function in all versions up to, and including, 5.6. This makes it possible for unauthenticated attackers to upload arbitrary...
WordPress InfusedWoo Pro plugin <= 5.1.2 - Authenticated (Subscriber+) Missing Authorization to Privilege Escalation vulnerability
Authenticated Subscriber+ Missing Authorization to Privilege Escalation vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin InfusedWoo Pro versions = 5.1.2...
EUVD-2026-29954
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the pminviteuser function in all versions up to, and including, 5.9.8.4. This makes it possible for authenticated attackers, with Subscriber-level...
WordPress WP fail2ban – Advanced Security plugin <= 5.3.4 - Unauthenticated Reflected Cross-Site Scripting vulnerability
Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin WP fail2ban versions = 5.3.4...