Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

83594 matches found

Nuclei
Nucleiadded yesterday14 views

FlipperCode Custom CSS, JS & PHP <= 2.0.7 - Remote Code Execution

Custom css-js-php WordPress plugin through 2.0.7 contains a command injection caused by unsanitized user input used in SQL query and passed to eval, letting unauthenticated attackers execute arbitrary PHP code on the server. id: CVE-2026-6433 info: name: FlipperCode Custom CSS, JS & PHP = 2.0.7 -...

7.3CVSS6.2AI score0.00753EPSS
Exploits1References4
Nuclei
Nucleiadded yesterday20 views

JoomSport <= 5.7.7 - SQL Injection

The JoomSport WordPress plugin through 5.7.7 is vulnerable to unauthenticated time-based blind SQL injection via the 'sortf' GET parameter in the player list view. The parameter value is backtick-wrapped and directly concatenated into an ORDER BY clause. id: CVE-2026-42647 info: name: JoomSport =...

9.3CVSS5.8AI score0.01323EPSS
Exploits1References4
Nuclei
Nucleiadded yesterday25 views

Gravity SMTP WordPress Plugin - Sensitive Information Exposure

Gravity SMTP WordPress plugin = 2.1.4 contains a sensitive information exposure caused by an unrestricted REST API endpoint at /wp-json/gravitysmtp/v1/tests/mock-data, letting unauthenticated attackers retrieve detailed system configuration data, exploit requires no authentication. id:...

7.5CVSS6AI score0.39704EPSS
Exploits1References3
Nuclei
Nucleiadded yesterday17 views

Drag and Drop Multiple File Upload - CF7 <= 1.3.9.6 - Remote Code Execution

Drag and Drop Multiple File Upload for Contact Form 7 WordPress plugin = 1.3.9.6 contains an unrestricted file upload caused by insufficient file type validation and bypass of filename sanitization with non-ASCII characters, letting unauthenticated attackers upload arbitrary files and achieve...

8.1CVSS6.1AI score0.04175EPSS
Exploits3References2
Nuclei
Nucleiadded yesterday16 views

WP Responsive Images <= 1.0 - Arbitrary File Read

WP Responsive Images plugin for WordPress = 1.0 contains a path traversal caused by improper sanitization of the 'src' parameter, letting unauthenticated attackers read arbitrary files on the server. id: CVE-2026-1557 info: name: WP Responsive Images = 1.0 - Arbitrary File Read author: Shivam...

7.5CVSS5.9AI score0.01722EPSS
Exploits0References2
Nuclei
Nucleiadded yesterday12 views

Prodigy Commerce <= 3.3.0 - Local File Inclusion

Prodigy Commerce WordPress plugin = 3.2.9 contains a local file inclusion caused by improper sanitization of 'parameterstemplatename' parameter, letting unauthenticated attackers include and execute arbitrary files remotely. id: CVE-2026-0926 info: name: Prodigy Commerce = 3.3.0 - Local File...

9.8CVSS6AI score0.09396EPSS
Exploits5References2
Nuclei
Nucleiadded yesterday22 views

Frontend File Manager Plugin <= 23.5 - Unauthenticated Arbitrary Email Sending

Frontend File Manager Plugin WordPress plugin through 23.5 contains an open relay and unauthorized file access vulnerability caused by lack of authentication and security checks, letting unauthenticated attackers send emails and access files, exploit requires no authentication. id: CVE-2026-0829...

5.8CVSS5.8AI score0.00682EPSS
Exploits0References4
Nuclei
Nucleiadded yesterday13 views

WordPress Slider Future <= 1.0.5 - Unauthenticated Arbitrary File Upload

Slider Future WordPress plugin = 1.0.5 contains an unrestricted file upload vulnerability caused by missing file type validation in 'sliderfuturehandleimageupload', letting unauthenticated attackers upload arbitrary files, exploit requires no authentication. id: CVE-2026-1405 info: name: WordPres...

9.8CVSS5.9AI score0.03177EPSS
Exploits2
Nuclei
Nucleiadded yesterday13 views

Webnus Inc. Modern Events Calendar - Broken Access Control

Webnus Inc. Modern Events Calendar = 7.29.0 contains a broken access control vulnerability caused by incorrectly configured access control security levels, letting attackers bypass authorization, exploit requires no special privileges. id: CVE-2026-32583 info: name: Webnus Inc. Modern Events...

5.3CVSS5.8AI score0.007EPSS
Exploits0References1
Nuclei
Nucleiadded yesterday14 views

wpForo Forum <= 2.4.14 - SQL Injection

wpForo Forum WordPress plugin = 2.4.14 contains a time-based SQL injection caused by insufficient escaping of the 'wpfob' parameter, letting unauthenticated attackers extract sensitive database information. id: CVE-2026-1581 info: name: wpForo Forum = 2.4.14 - SQL Injection author: Shivam Kamboj...

7.5CVSS5.8AI score0.01727EPSS
Exploits1References2
Nuclei
Nucleiadded yesterday27 views

WordPress Tidio Gallery <=1.1 - Cross-Site Scripting

WordPress plugin tidio-gallery v1.1 contains a reflected cross-site scripting vulnerability which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication...

6.1CVSS6.5AI score0.04486EPSS
Exploits2References5
Nuclei
Nucleiadded yesterday26 views

Documentor <= 1.5.3 - Unauthenticated SQL Injection

The Documentor WordPress plugin through 1.5.3 fails to sanitize and escape user input before it is being interpolated in an SQL statement and then executed, leading to an SQL Injection exploitable by unauthenticated users. id: CVE-2022-0773 info: name: Documentor = 1.5.3 - Unauthenticated SQL...

9.8CVSS7.4AI score0.42764EPSS
Exploits2References3
Nuclei
Nucleiadded yesterday25 views

WordPress RobotCPA 5 - Directory Traversal

The RobotCPA plugin 5 for WordPress has directory traversal via the f.php l parameter. id: CVE-2015-9480 info: name: WordPress RobotCPA 5 - Directory Traversal author: daffainfo severity: high description: The RobotCPA plugin 5 for WordPress has directory traversal via the f.php l parameter...

7.5CVSS7.2AI score0.12574EPSS
Exploits2References3
Nuclei
Nucleiadded yesterday33 views

Podcast Channels < 0.28 - Cross-Site Scripting

The Podcast Channels WordPress plugin was affected by an unauthenticated reflected cross-site scripting security vulnerability. id: CVE-2014-4544 info: name: Podcast Channels 0.28 - Cross-Site Scripting author: daffainfo severity: medium description: The Podcast Channels WordPress plugin was...

6.1CVSS6.2AI score0.03779EPSS
Exploits1References4
Nuclei
Nucleiadded yesterday8 views

Geo Mashup <= 1.13.17 - SQL Injection

Geo Mashup WordPress plugin = 1.13.17 contains a SQL injection caused by insufficient escaping of the 'sort' parameter, letting unauthenticated attackers extract sensitive database information remotely. id: CVE-2026-2416 info: name: Geo Mashup = 1.13.17 - SQL Injection author: Shivam Kamboj...

7.5CVSS5.8AI score0.01392EPSS
Exploits0References2
Nuclei
Nucleiadded yesterday9 views

WordPress Kali Forms <= 2.4.9 - Remote Code Execution

Kali Forms WordPress plugin = 2.4.9 contains a remote code execution caused by unsafe user input handling in 'formprocess' and 'preparepostdata' functions, letting unauthenticated attackers execute code on the server, exploit requires no authentication. id: CVE-2026-3584 info: name: WordPress Kal...

9.8CVSS6.5AI score0.07239EPSS
Exploits2References2
Nuclei
Nucleiadded yesterday20 views

Easy Appointments <= 3.12.21 - Information Disclosure

Easy Appointments WordPress plugin = 3.12.21 contains a sensitive information exposure caused by an unauthenticated REST API endpoint /wp-json/wp/v2/eablocks/eaappointments/ registered with permissioncallback allowing unrestricted access, letting unauthenticated attackers extract sensitive custom...

7.5CVSS5.8AI score0.0239EPSS
Exploits0References2
Nuclei
Nucleiadded yesterday10 views

Hippoo Mobile App for WooCommerce <= 1.9.4 - Authentication Bypass to Admin Account Takeover

Hippoo Mobile App for WooCommerce WordPress plugin = 1.9.4 contains an authentication bypass caused by logic conflation in user permission checks, letting unauthenticated attackers take over administrator accounts via REST API password reset. id: CVE-2026-10580 info: name: Hippoo Mobile App for...

9.8CVSS5.8AI score0.02841EPSS
Exploits0References2
Nuclei
Nucleiadded yesterday16 views

Formidable Form Builder < 2.05.03 - Unauthenticated Information Disclosure

The Formidable Form Builder plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 2.05.03 via the frmformspreview AJAX action. This makes it possible for unauthenticated attackers to export all of the form entries for a given form. id: CVE-2017-20194 info...

5.3CVSS5.7AI score0.01098EPSS
Exploits1References3
Nuclei
Nucleiadded yesterday20 views

BJ Lazy Load (Timthumb) <= 0.7.5 - Remote File Inclusion

The BJ Lazy Load plugin v0.7.5 for WordPress has a Remote File Inclusion vulnerability via TimThumb. id: CVE-2015-9415 info: name: BJ Lazy Load Timthumb = 0.7.5 - Remote File Inclusion author: s4e-io severity: high description: | The BJ Lazy Load plugin v0.7.5 for WordPress has a Remote File...

7.5CVSS7.1AI score0.03399EPSS
Exploits1References3
Rows per page
Query Builder