Lucene search
K

84123 matches found

CVE
CVE
added 1 hour ago3 views

CVE-2026-12516

The Fediverse Embeds WordPress plugin before 1.5.8 does not validate the destination of the server-side request performed by an unauthenticated media-proxying endpoint, allowing anonymous users to make the site fetch arbitrary URLs, including internal and private-network addresses, and read back...

5.9AI score
Exploits0References1
CVE
CVE
added 1 hour ago3 views

CVE-2026-11869

The WP DSGVO Tools GDPR WordPress plugin before 3.1.40 does not perform an authorization check on the immediate-processing path of its data subject access request feature, allowing unauthenticated attackers to generate and download the full personal-data export including name, postal address, pho...

6AI score
Exploits0References1
CVE
CVE
added 1 hour ago2 views

CVE-2026-11875

The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not sign or verify its guest-session cookie, allowing unauthenticated attackers to forge it and impersonate any ticket owner identified by email address to read, reply to, and close that person's support tickets...

6AI score
Exploits0References1
CVE
CVE
added 2 hours ago8 views

CVE-2026-5523

The CVE describes a privilege-escalation flaw in the Divi Form Builder plugin for WordPress (versions up to and including 5.1.8). The root cause is missing authorization checks: update_user() accepts a user ID from form submissions without validating the editor’s permission for that target user, ...

8.8CVSS5.9AI score
Exploits0References2
NVD
NVD
added yesterday8 views

CVE-2026-58480

Blocksy Companion Pro plugin for WordPress before 2.1.47 contains an unauthenticated arbitrary file upload vulnerability that allows attackers to upload executable files by bypassing extension validation in the saveattachments function exposed through the Advanced Reviews feature. Attackers can...

9.8CVSS
Exploits0References4
NVD
NVD
added yesterday5 views

CVE-2026-6740

The Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'commentIcon' parameter in all versions up to, and including, 4.7.4 due to insufficient input sanitization and output escaping. This makes it possible...

6.4CVSS
Exploits0References2
NVD
NVD
added yesterday4 views

CVE-2026-5356

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 5.4.0. This is due to the plugin's Stripe Connect payment processor accepting a client-supplied PaymentIntent ID. This makes it...

7.5CVSS
Exploits0References2
NVD
NVD
added yesterday7 views

CVE-2026-5459

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.1 via the paymentpage function due to missing validation on the 'userid' user...

5.3CVSS
Exploits0References2
NVD
NVD
added yesterday5 views

CVE-2026-12002

The Smash Balloon Social Photo Feed – Easy Social Feeds Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.11.1. This is due to missing or incorrect nonce validation on the maybeconnectiondata function. This makes it possible for...

4.7CVSS
Exploits0References2
EUVD
EUVD
added yesterday4 views

EUVD-2026-42233

Blocksy Companion Pro plugin for WordPress before 2.1.47 contains an unauthenticated arbitrary file upload vulnerability that allows attackers to upload executable files by bypassing extension validation in the saveattachments function exposed through the Advanced Reviews feature. Attackers can...

9.8CVSS6.4AI score
Exploits0References4
CVE
CVE
added yesterday6 views

CVE-2026-58480

Blocksy Companion Pro

9.8CVSS6.4AI score
Exploits0References4
CVE
CVE
added yesterday10 views

CVE-2026-6740

CVE-2026-6740 affects the Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder plugin for WordPress. The vulnerability is a Stored XSS via the ‘commentIcon’ block attribute, caused by insufficient input sanitization and output escaping. It affects all versions up to and including 4...

6.4CVSS6.1AI score
Exploits0References2
Cvelist
Cvelist
added yesterday14 views

CVE-2026-6740 Nexter Blocks <= 4.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'commentIcon' Block Attribute

The Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'commentIcon' parameter in all versions up to, and including, 4.7.4 due to insufficient input sanitization and output escaping. This makes it possible...

6.4CVSS
Exploits0References2
EUVD
EUVD
added yesterday4 views

EUVD-2026-42228

The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Event Calendar widget in all versions up to, and including, 6.6.2 due to insufficient input sanitization and output escaping on event titles sourced...

6.4CVSS6.1AI score
Exploits0References3
CVE
CVE
added yesterday8 views

CVE-2026-5459

The CVE-2026-5459 entry concerns the WordPress plugin “User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration” up to version 4.3.1. The vulnerability is an Insecure Direct Object Reference in the payment_page() function caused by missing validation on ...

5.3CVSS5.9AI score
Exploits0References2
CVE
CVE
added yesterday8 views

CVE-2026-6459

The CVE concerns The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress. A Stored Cross-Site Scripting vulnerability exists in the Event Calendar widget for all versions up to 6.6.2, caused by insufficient input sanitization and output escaping on event ti...

6.4CVSS6.1AI score
Exploits0References3
CVE
CVE
added yesterday8 views

CVE-2026-12002

The CVE-2026-12002 entry concerns the Smash Balloon Social Photo Feed – Easy Social Feeds Plugin for WordPress. A CSRF vulnerability exists in all versions up to and including 6.11.1 due to missing/incorrect nonce validation in the maybe_connection_data function. This allows unauthenticated attac...

4.7CVSS5.8AI score
Exploits0References2
EUVD
EUVD
added yesterday3 views

EUVD-2026-42229

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.1 via the paymentpage function due to missing validation on the 'userid' user...

5.3CVSS5.9AI score
Exploits0References2
Cvelist
Cvelist
added yesterday11 views

CVE-2026-5459 User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.1 - Unauthenticated Insecure Direct Object Reference to Arbitrary User Subscription Overwrite

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.1 via the paymentpage function due to missing validation on the 'userid' user...

5.3CVSS
Exploits0References2
CVE
CVE
added yesterday11 views

CVE-2026-5356

The CVE-2026-5356 entry concerns the LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress, affected up to version 5.4.0. The root cause is improper input validation in the Stripe Connect payment processor, which accepts a client-supplied PaymentIntent ID. This misstep can...

7.5CVSS6AI score
Exploits0References2
Rows per page
Query Builder