Lucene search
K

265627 matches found

CVE
CVE
added 4 hours ago4 views

CVE-2026-15097

CVE-2026-15097 affects Themify Builder for WordPress (up to version 7.7.6). The issue is a Stored Cross-Site Scripting via the height_slider Slider Module Field caused by insufficient input sanitization and output escaping, exploitable by authenticated users with contributor-level access and high...

6.4CVSS6.2AI score
Exploits0References6
CVE
CVE
added 5 hours ago5 views

CVE-2026-13353

CVE-2026-13353 affects the WP Ultimate CSV Importer (WordPress plugin) up to version 8.0.1. The root cause is missing capability checks on AJAX handlers (install_addon, saveMappedFields, StartImport) and exposure of the plugin nonce to any authenticated admin page, which enables a Subscriber+ to ...

8.8CVSS6.3AI score
Exploits0References6
CVE
CVE
added 5 hours ago5 views

CVE-2026-12426

The CVE-2026-12426 affects the WordPress plugin Members – Membership & User Role Editor, up to version 3.2.22. The vulnerability enables unauthenticated attackers to perform sensitive information exposure via the REST API pagination side channel, using the members_filter_protected_posts_for_rest ...

5.3CVSS6.1AI score
Exploits0References6
CVE
CVE
added 5 hours ago8 views

CVE-2026-15338

CVE-2026-15338 concerns the LA-Studio Element Kit for Elementor plugin for WordPress. Affected: all versions up to 1.6.1. Issue: Local File Inclusion via the get_type_template function in the progress_type widget setting. Exploitation requires authenticated access at contributor level or higher, ...

7.5CVSS6.5AI score
Exploits0References7
CVE
CVE
added 5 hours ago5 views

CVE-2026-3367

The CVE-2026-3367 entry concerns the WordPress plugin Lockme Cal­endars Integration (

4.4CVSS6.2AI score
Exploits0References14
CVE
CVE
added 5 hours ago5 views

CVE-2026-8678

The CVE-2026-8678 entry concerns the WordPress MyParcel plugin and its versions up to 4.25.1. Affected component: the MyParcel plugin (WordPress). Root cause: missing authorization verification for certain AJAX actions (wcmp_get_shipment_options and wcmp_save_shipment_options). Impact: authentica...

4.3CVSS6.2AI score
Exploits0References8
EUVD
EUVD
added 6 hours ago6 views

EUVD-2026-43118

The WP Grid Builder plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.3.3. This is due to missing authorization and meta key validation in the update handler for the /wp-json/wpgb/v2/metadata REST endpoint. This makes it possible for authenticated...

8.8CVSS6.1AI score
Exploits0References2
EUVD
EUVD
added 6 hours ago6 views

EUVD-2026-43117

The UnderConstructionPage PRO plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.76. This is due to the plugin accepting arbitrary local file paths in the templatethumbnail parameter and copying their contents into a publicly accessible uploads file...

6.5CVSS6.2AI score
Exploits0References2
CVE
CVE
added yesterday5 views

CVE-2026-57807

The CVE-2026-57807 entry concerns miniOrange OAuth Single Sign On - SSO (OAuth Client) for WordPress, affected through version 38.5.8. The vulnerability is an Authentication Bypass via an alternate path or channel (broken authentication), enabling Password Recovery Exploitation. No exploitation d...

9.8CVSS6.1AI score
Exploits0References1
CVE
CVE
added yesterday4 views

CVE-2026-12761

Summary (CVE-2026-12761) The miniOrange Social Login and Register plugin for WordPress is vulnerable through the Profile Completion OTP flow in versions up to and including 7.7.0. The flow accepts an arbitrary email via the email_field POST parameter and does not verify that the email belongs to ...

9.8CVSS6.2AI score
Exploits0References6
EUVD
EUVD
added yesterday5 views

EUVD-2026-43026

The miniOrange Social Login and Register Discord, Google, Twitter, LinkedIn plugin for WordPress is vulnerable to authentication bypass leading to account takeover in versions up to and including 7.7.0. This is due to the Profile Completion flow accepting an arbitrary email address via the...

9.8CVSS6.2AI score
Exploits0References6
EUVD
EUVD
added yesterday5 views

EUVD-2026-43002

The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 7.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

4.4CVSS6.2AI score
Exploits0References2
CVE
CVE
added yesterday6 views

CVE-2026-15295

CVE-2026-15295 affects the WordPress Infinite Scroll – Ajax Load More plugin for WordPress, vulnerable in all versions up to 7.0.1 due to insufficient input sanitization and output escaping. Stored XSS can be triggered by authenticated attackers with administrator-level permissions (and above) vi...

4.4CVSS6.2AI score
Exploits0References2
NVD
NVD
added yesterday8 views

CVE-2026-1667

The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Arbitrary Post Creation and Stored Cross-Site Scripting in all versions up to, and including, 14.0.0 due to a leak of an API token and insufficient input sanitization and output escaping. This makes it possible for unauthenticat...

7.2CVSS
Exploits0References2
CVE
CVE
added yesterday7 views

CVE-2026-1667

The CVE concerns the SEO Plugin by Squirrly SEO for WordPress (up to version 14.0.0) with a vulnerability in savePost() that allows unauthenticated users to create arbitrary posts and, if Advanced Custom Fields is installed, to inject stored XSS scripts. Root cause is a leak of an API token and i...

7.2CVSS6.2AI score
Exploits0References2
EUVD
EUVD
added yesterday5 views

EUVD-2026-42949

The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Arbitrary Post Creation and Stored Cross-Site Scripting in all versions up to, and including, 14.0.0 due to a leak of an API token and insufficient input sanitization and output escaping. This makes it possible for unauthenticat...

7.2CVSS6.2AI score
Exploits0References2
Cvelist
Cvelist
added yesterday8 views

CVE-2026-1667 SEO Plugin by Squirrly SEO <= 14.0.0 - Unauthenticated Arbitrary Post Creation and Stored Cross-Site Scripting via savePost()

The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Arbitrary Post Creation and Stored Cross-Site Scripting in all versions up to, and including, 14.0.0 due to a leak of an API token and insufficient input sanitization and output escaping. This makes it possible for unauthenticat...

7.2CVSS
Exploits0References2
NVD
NVD
added yesterday7 views

CVE-2026-9857

The Invoice123 plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.7.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access...

4.3CVSS0.00473EPSS
Exploits0References12
NVD
NVD
added yesterday8 views

CVE-2026-13710

The Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Box widget's 'sgbodydescription' parameter in versions up to, and including, 3.2.6. This is due to insufficient input...

6.4CVSS0.00357EPSS
Exploits0References8
NVD
NVD
added yesterday8 views

CVE-2026-13247

The Logo Slider – Logo Carousel, Client Logo Slider & Brand Showcase for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'lgxtooltipposition' parameter in all versions up to, and including, 5.5 due to insufficient input sanitization and output escaping. This...

6.4CVSS0.00331EPSS
Exploits0References5
Rows per page
Query Builder