176 matches found
CVE-2026-57756
Contributor SQL Injection in nicen-localize-image = 1.4.9 versions...
EUVD-2026-39667
Contributor SQL Injection in Contest Gallery = 30.0.0 versions...
EUVD-2026-39738
Contributor Broken Access Control in SEOPress PRO = 9.1.1 versions...
CVE-2026-27041 WordPress Unlimited Elements for Elementor (Premium) plugin <= 2.0.6 - Arbitrary File Upload vulnerability
Contributor Arbitrary File Upload in Unlimited Elements for Elementor Premium = 2.0.6 versions...
CVE-2025-69177 WordPress Roneous theme <= 2.1.5 - Local File Inclusion vulnerability
Unauthenticated Local File Inclusion in Roneous = 2.1.5 versions...
EUVD-2026-36967
Subscriber Broken Access Control in RepairBuddy = 4.1132 versions...
CVE-2026-4074
The Quran Live Multilanguage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cheikh' and 'lang' shortcode attributes in all versions up to, and including, 1.0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Th...
WordPress Happyforms plugin <= 1.26.13 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by longnv719 in WordPress Plugin Happyforms versions = 1.26.13...
WordPress ilGhera Support System for WooCommerce plugin <= 1.3.0 - Missing Authorization to Unauthenticated Sensitive Information Exposure vulnerability
Missing Authorization to Unauthenticated Sensitive Information Exposure vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Woocommerce Support System versions = 1.3.0...
CVE-2026-40576 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in excel-mcp-server
excel-mcp-server is a Model Context Protocol server for Excel file manipulation. A path traversal vulnerability exists in excel-mcp-server versions up to and including 0.1.7. When running in SSE or Streamable-HTTP transport mode the documented way to use this server remotely, an unauthenticated...
WordPress WPFunnels plugin <= 3.7.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'wpf_optin_form' Shortcode vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via 'wpfoptinform' Shortcode vulnerability discovered by Paolo Tresso - Wordfence in WordPress Plugin WPFunnels versions = 3.7.9...
@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (=0.8.3-beta.1) +12 more potentially affected by CVE-2026-35640 via openclaw (>=0.0.1 <=2026.3.24)
openclaw NPM version =0.0.1, =0.1.0, =2026.3.25, =2026.3.24-3, =0.14.39, =0.1.1, =2.0.1, =0.0.7, =0.14.6, =0.1.0, =3.3.2, =3.3.7 Source cves: CVE-2026-35640 Source advisory: OSV:GHSA-3H52-CX59-C456...
CVE-2025-69373 WordPress VidoRev theme <= 2.9.9.9.9.9.7 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in beeteam368 VidoRev vidorev allows PHP Local File Inclusion.This issue affects VidoRev: from n/a through = 2.9.9.9.9.9.7...
CVE-2026-2502 xmlrpc attacks blocker <= 1.0 - Unauthenticated Stored Cross-Site Scripting via 'X-Forwarded-For'
The xmlrpc attacks blocker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0, via the 'X-Forwarded-For' HTTP header. This is due to the plugin trusting and logging attacker-controlled IP header data and rendering debug log entries without outp...
WordPress Toret Manager plugin <= 1.2.7 - Authenticated (Subscriber+) Arbitrary Options Update via AJAX actions vulnerability
Authenticated Subscriber+ Arbitrary Options Update via AJAX actions vulnerability discovered by vgo0 in WordPress Plugin Toret Manager versions = 1.2.7...
CVE-2026-1320
The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'X-Forwarded-For' HTTP header in all versions up to, and including, 4.9.8 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2026-1232
A medium-severity vulnerability has been identified in BeyondTrust Privilege Management for Windows versions =25.7. Under certain conditions, a local authenticated user with elevated privileges may be able to bypass the product’s anti-tamper protections, which could allow access to protected...
CVE-2025-69097
Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in VibeThemes WPLMS wplmsplugin allows Path Traversal.This issue affects WPLMS: from n/a through = 1.9.9.5.4...
CVE-2025-68011
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in GLS GLS Shipping for WooCommerce gls-shipping-for-woocommerce allows Reflected XSS.This issue affects GLS Shipping for WooCommerce: from n/a through = 1.4.0...
CVE-2023-29440
Cross-Site Request Forgery CSRF vulnerability in PressTigers Simple Job Board plugin = 2.10.3 versions...