74 matches found
CVE-2026-8622
The Image Sizes on Demand plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHPSELF Server Variable in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary...
EUVD-2026-36887
Unauthenticated PHP Object Injection in Integration for Contact Form 7 HubSpot = 1.3.7 versions...
CVE-2026-9014
The WP Promoter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the resetstats function in versions up to, and including, 1.3. The function is hooked to both the wpajaxwpp-resetstats and wpajaxnoprivwpp-resetstats actions and contains n...
WordPress Remove Yellow BGBOX plugin <= 1.0 - Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Remove Yellow BGBOX versions = 1.0...
PT-2026-39948
The Rate Star Review Vote - AJAX Reviews, Votes, Star Ratings plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. The vwrsr review AJAX handler lacks both capability checks and nonce verification. The only access control is an is user logged in...
WordPress Next Date plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zaim in WordPress Plugin Next Date versions = 1.0...
CVE-2026-6674
The CVE refers to the WordPress plugin “Plugin: CMS für Motorrad Werkstätten”, affected through all versions up to and including 1.0.0. The root cause is insufficient escaping of the user-supplied arthtype parameter and lack of proper SQL query preparation, resulting in SQL Injection. The impact ...
WordPress Ashtanga theme <= 1.2 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Denver Jackson in WordPress Theme Ashtanga versions = 1.2...
EUVD-2025-209493
The Career Section plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Path Traversal and Arbitrary File Deletion in all versions up to, and including, 1.6. This is due to missing nonce validation and insufficient file path validation on the delete action in the...
CVE-2026-5532 ScrapeGraphAI scrapegraph-ai GenerateCodeNode generate_code_node.py create_sandbox_and_execute os command injection
A vulnerability was found in ScrapeGraphAI scrapegraph-ai up to 1.74.0. The affected element is the function createsandboxandexecute of the file scrapegraphai/nodes/generatecodenode.py of the component GenerateCodeNode Component. The manipulation results in os command injection. The attack may be...
CVE-2026-32299
Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an improper authorization issue in the page content retrieval feature may allow retrieval of non-public information. Versions 1.41.1 and...
CVE-2026-25438
The CVE describes a Reflected XSS in the WordPress Gutenberg Blocks “Unlimited blocks for Gutenberg” plugin, affecting versions up to and including 1.2.8. The root cause is improper neutralization of input during web page generation. The affected component is the WordPress Gutenberg Blocks integr...
CVE-2026-27341 WordPress TopScorer - Sports WordPress Theme theme <= 1.2 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Mikado-Themes TopScorer - Sports WordPress Theme topscorer allows PHP Local File Inclusion.This issue affects TopScorer - Sports WordPress Theme: from n/a through = 1.2...
CVE-2026-25501
free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation 5G mobile core networks. In versions up to and including 1.4.1, SMF panics due to nil pointer dereference and the SMF process terminates. This is triggered by a malformed PFCP...
CVE-2025-53231
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in wpdevstudio Easy Taxonomy Images easy-taxonomy-images allows Stored XSS.This issue affects Easy Taxonomy Images: from n/a through = 1.0.1...
CVE-2025-67970 WordPress Schedula plugin <= 1.0 - Broken Access Control vulnerability
Missing Authorization vulnerability in vertim Schedula schedula-smart-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Schedula: from n/a through = 1.0...
PT-2026-21148
Name of the Vulnerable Software and Affected Versions TeconceTheme Emerce Core versions through 1.8 Description A flaw exists in TeconceTheme Emerce Core that allows for Blind SQL Injection due to improper neutralization of special elements used in SQL commands. This issue affects the emerce-core...
PT-2026-21147
Name of the Vulnerable Software and Affected Versions TeconceTheme Uroan Core versions through 1.4.4 Description A flaw exists in TeconceTheme Uroan Core that allows for Blind SQL Injection. This is due to improper neutralization of special elements used in an SQL command. Recommendations Update...
WordPress WP Server Log Viewer <= 1.0 - Stored Cross Site Scripting vulnerability
Stored Cross Site Scripting vulnerability discovered by strider in WordPress Plugin WP Server Log Viewer versions = 1.0...
CVE-2026-1748
The Invoct – PDF Invoices & Billing for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access...