43 matches found
CVE-2026-42382 WordPress Audrey theme <= 1.5 - Local File Inclusion vulnerability
Unauthenticated Local File Inclusion in Audrey = 1.5 versions...
CVE-2026-10104 Product Video Gallery for Woocommerce <= 1.5.1.8 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via custom_thumbnail Parameter
The Product Video Gallery for Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via customthumbnail Parameter in all versions up to, and including, 1.5.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
CVE-2026-57646 WordPress Majestic Support plugin <= 1.1.7 - Insecure Direct Object References (IDOR) vulnerability
Subscriber Insecure Direct Object References IDOR in Majestic Support = 1.1.7 versions...
CVE-2026-6696
The Zingaya Click-to-Call plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email', 'firstname', 'lastname', and 'phone' parameters on the plugin's sign-up admin page in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output...
CVE-2026-22495
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in AncoraThemes Greenville greenville allows PHP Local File Inclusion.This issue affects Greenville: from n/a through = 1.3.2...
WordPress myLinksDump plugin <= 1.6 - Authenticated (Administrator+) SQL Injection via 'sort_by' and 'sort_order' Parameters vulnerability
Authenticated Administrator+ SQL Injection via 'sortby' and 'sortorder' Parameters vulnerability discovered by san6051 - PWC in WordPress Plugin myLinksDump versions = 1.6...
CVE-2026-28104 WordPress Site Suggest plugin <= 1.3.9 - Broken Access Control vulnerability
Missing Authorization vulnerability in Aryan Shirani Bid Abadi Site Suggest site-suggest allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Site Suggest: from n/a through = 1.3.9...
CVE-2026-27326 WordPress AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme theme <= 1.2.5 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in axiomthemes AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme window-ac-services allows PHP Local File Inclusion.This issue affects AC Services | HVAC, Air...
CVE-2026-2956 qinming99 dst-admin restore revertBackup command injection
A security flaw has been discovered in qinming99 dst-admin up to 1.5.0. This affects the function revertBackup of the file /home/restore. The manipulation of the argument Name results in command injection. The attack can be launched remotely. The exploit has been released to the public and may be...
WordPress WP Quick Contact Us plugin <= 1.0 - Cross-Site Request Forgery to Settings Update vulnerability
Cross-Site Request Forgery to Settings Update vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin WP Quick Contact Us versions = 1.0...
CVE-2026-0743
CVE-2026-0743 (WP Content Permission plugin for WordPress) is a Stored Cross-Site Scripting vulnerability affecting versions up to 1.2. The flaw arises from insufficient input sanitization and output escaping in the ohmem-message parameter, enabling an authenticated attacker with Administrator-le...
CVE-2025-69052
Missing Authorization vulnerability in FmeAddons Registration & Login with Mobile Phone Number for WooCommerce registration-login-with-mobile-phone-number allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Registration & Login with Mobile Phone Number for...
CVE-2026-0813
The CVE-2026-0813 entry concerns the WordPress Short Link plugin. A Stored Cross-Site Scripting (XSS) vulnerability exists in all versions up to and including 1.0 due to insufficient input sanitization and output escaping of the short_link_post_title and short_link_page_title parameters. This all...
CVE-2025-12178
The CVE-2025-12178 entry covers a Stored Cross-Site Scripting vulnerability in the WordPress plugin SpiceForms Form Builder (versions
CVE-2025-13892
The MG AdvancedOptions plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2025-63004 WordPress All in One Accessibility plugin <= 1.14 - Broken Access Control vulnerability
Missing Authorization vulnerability in Skynet Technologies USA LLC All in One Accessibility allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects All in One Accessibility: from n/a through 1.14...
CVE-2025-68981 WordPress HomeFix Elementor Portfolio plugin <= 1.0.1 - Broken Access Control vulnerability
Missing Authorization vulnerability in designthemes HomeFix Elementor Portfolio homefix-ele-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HomeFix Elementor Portfolio: from n/a through = 1.0.1...
CVE-2025-68978
CVE-2025-68978 is a DOM-based XSS flaw in DesignThemes Core (DesignThemes Core) that can be triggered through improper input handling during web page generation. Affected up to version 1.6, the issue is classified as an authenticated (Contributor+) Stored Cross-Site Scripting vulnerability in the...
CVE-2025-68897 WordPress IF AS Shortcode plugin <= 1.2 - Remote Code Execution (RCE) vulnerability
Improper Control of Generation of Code 'Code Injection' vulnerability in Mohammad I. Okfie IF AS Shortcode if-as-shortcode allows Code Injection.This issue affects IF AS Shortcode: from n/a through = 1.2...
CVE-2025-59132
CVE-2025-59132 is a CSRF vulnerability in the WordPress plugin Duplicate Content Cure (versions