84136 matches found
CVE-2026-8848
Technical details are not publicly available in the provided documents. Monitor for updates.
CVE-2026-14245
The CVE-2026-14245 entry concerns the miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress (versions up to and including 5.5.1). The root cause is that um_reset_password_process_hook() performs no server-side verification of OTP completion and relies on a public form_nonc...
CVE-2026-12418
CVE-2026-12418 describes a vulnerability in the WordPress plugin “User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration” (versions up to 4.3.7). An insecure direct object reference exists via the wpuf_files_data parameter due to missing validation on ...
CVE-2026-12406
The CVE concerns the WordPress plugin “User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration” (WPUF). All versions up to 4.3.7 are affected by an authorization bypass that allows unauthenticated attackers to delete arbitrary media attachments with pos...
CVE-2026-6910
Overview : CVE-2026-6910 affects the Bookero.pl online booking plugin for WordPress. Issue : Stored Cross-Site Scripting via the bookero_products shortcode attributes hide_products and filter_products in versions up to 2.2. The root cause is insufficient input sanitization and output escaping in ...
CVE-2026-8996
The CVE-2026-8996 entry describes a Sensitive Information Exposure in the WordPress plugin “Backup and Staging by WP Time Capsule” up to version 1.22.26. The flaw is exposed via download_recent_decrypted_file_wptc, enabling authenticated users with subscriber-level access (or higher) to obtain th...
CVE-2026-13080
The CVE concerns the WordPress plugin WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell . It is vulnerable to Local File Inclusion (LFI) in all versions up to and including 3.12.7 via the logKey parameter. The issue can be exploited by an attacker with at least administr...
CVE-2026-7558
CVE-2026-7558 affects the WordPress plugin Age Verification & Identity Verification by Token of Trust (
CVE-2026-15000
The CVE-2026-15000 entry concerns the Connect Contact Form 7 and Mailchimp plugin for WordPress, showing a Stored Cross-Site Scripting vulnerability via Mailchimp Merge Field Values in all versions up to 0.9.78.06. The issue arises from insufficient input sanitization and output escaping, enablin...
CVE-2026-12170
The CVE concerns the AcyMailing WordPress plugin (all versions up to 10.10.2) vulnerability to Stored Cross-Site Scripting via the alignment attribute, caused by insufficient input sanitization and output escaping. Exploitation requires authenticated access at contributor level or higher, enablin...
CVE-2026-13253
Affected software. Ultimate Post plugin for WordPress (up to version 5.0.31). Vulnerability. Stored Cross-Site Scripting via the 'moreResultsText' attribute of the ultimate-post/advanced-search block. Root cause. Advanced_Search::content() concatenates the attribute value into an HTML attribute a...
CVE-2026-12516
The vulnerability CVE-2026-12516 affects the WordPress plugin Fediverse Embeds (pre-1.5.8). The defect is in a server-side media-proxying endpoint that does not validate the destination of outbound requests, allowing unauthenticated users to trigger the site to fetch arbitrary URLs, including int...
CVE-2026-11869
CVE-2026-11869 affects the WP DSGVO Tools (GDPR) WordPress plugin, prior to version 3.1.40. The root cause is a missing authorization check on the immediate-processing path of the data subject access request feature, enabling unauthenticated attackers to generate and download the full personal-da...
CVE-2026-11875
Summary of CVE-2026-11875 : The WP Support Plus Responsive Ticket System WordPress plugin (
CVE-2026-5523
The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.1.8. This is due to the updateuser function accepting a user ID parameter from form submissions without verifying that the authenticated user has permission to edit that specific...
CVE-2026-5523
The CVE describes a privilege-escalation flaw in the Divi Form Builder plugin for WordPress (versions up to and including 5.1.8). The root cause is missing authorization checks: update_user() accepts a user ID from form submissions without validating the editor’s permission for that target user, ...
EUVD-2026-42506
The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.1.8. This is due to the updateuser function accepting a user ID parameter from form submissions without verifying that the authenticated user has permission to edit that specific...
CVE-2026-58480
Blocksy Companion Pro plugin for WordPress before 2.1.47 contains an unauthenticated arbitrary file upload vulnerability that allows attackers to upload executable files by bypassing extension validation in the saveattachments function exposed through the Advanced Reviews feature. Attackers can...
CVE-2026-6740
The Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'commentIcon' parameter in all versions up to, and including, 4.7.4 due to insufficient input sanitization and output escaping. This makes it possible...
CVE-2026-5356
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 5.4.0. This is due to the plugin's Stripe Connect payment processor accepting a client-supplied PaymentIntent ID. This makes it...