CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

EUVD•added 2026/05/27 5:31 a.m.•5 views

EUVD-2026-32089

The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on the 'id' shortcode attribute, which is interpolated directly into an HTML iframe 'src' attribute...

6.4CVSS6AI score0.00032EPSS

Exploits0References3

RedhatCVE•added 2026/05/26 8:14 p.m.•9 views

CVE-2026-6897

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember\Features\TeamAccounts::savesettings' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with...

8.8CVSS5.8AI score0.00044EPSS

Exploits0References1

EUVD•added 2026/05/26 7:31 p.m.•6 views

EUVD-2026-31966

Missing Authorization vulnerability in bPlugins Tiktok Feed allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tiktok Feed: from n/a through 1.0.24...

4.3CVSS5.8AI score0.00029EPSS

Exploits0References1

CVE•added 2026/05/19 9:54 p.m.•7 views

CVE-2026-34390

MantisBT before 2.28.2 is affected by a Privilege Escalation in ProjectUsersAddCommand (manage_proj_user_add.php). A user with manage_project_threshold (default manager) can forge a higher access_level value and grant project-level administrator rights to any user within a project they manage, by...

Vulnrichment•added 2026/05/19 9:54 p.m.•3 views

CVE-2026-34390 MantisBT: Privilege Escalation from Manager to Administrator

Mantis Bug Tracker MantisBT is an open source issue tracker. Versions 2.28.1 and prior have a Privilege Escalation vulnerability where insufficient access control checks in ProjectUsersAddCommand manageprojuseradd.php allow users having manageprojectthreshold access level manager by default to...

EUVD•added 2026/05/19 9:54 p.m.•3 views

EUVD-2026-30994

NVD•added 2026/05/13 5:16 a.m.•3 views

CVE-2026-6828

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'permissionmessage' parameter in all versions up to, and including, 6.2.1 due to insufficient input sanitization and output escaping...

6.4CVSS0.0004EPSS

Positive Technologies•added 2026/05/13 12:0 a.m.•7 views

PT-2026-40586

The Hostinger Reach – AI-Powered Email Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle ajax action' function in all versions up to, and including, 1.3.8. This makes it possible for authenticated...

5.3CVSS5.7AI score0.0003EPSS

Snyk•added 2026/05/11 7:32 p.m.•1 views

Access Control Bypass

Overview mantisbt/mantisbt is a mantis bug tracker. Affected versions of this package are vulnerable to Access Control Bypass via insufficient access control checks in the ProjectUsersAddCommand process. An attacker can escalate their project-level privileges by submitting a forged higher...

Positive Technologies•added 2026/05/11 12:0 a.m.•4 views

Exploits0References2

PT-2026-39899

Name of the Vulnerable Software and Affected Versions Mantis Bug Tracker MantisBT versions 1.3.0 through 2.28.1 Description An issue exists where an unescaped Project Name allows an attacker with manager or administrator access levels to inject HTML into the Move Attachments admin page. This lead...

8.6CVSS5.9AI score0.00057EPSS

Exploits0References7

NVD•added 2026/04/24 6:16 a.m.•1 views

CVE-2026-5428

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image captions in the Image Grid/Slider/Carousel widget in versions up to and including 1.7.1056. This is due to insufficient output escaping in the renderpostthumbnail function, where wpksespost is...

6.4CVSS0.00015EPSS

Positive Technologies•added 2026/04/24 12:0 a.m.•1 views

PT-2026-34851

The BetterDocs plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.3.11. This is due to a missing capability check in the generate openai content callback function, which relies solely on a nonce rather than verifying user permissions. This makes it...

4.3CVSS5.7AI score0.00031EPSS

Exploits0References8

EUVD•added 2026/04/10 1:24 a.m.•4 views

EUVD-2026-21248

The Webling plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.9.0 due to insufficient input sanitization, insufficient output escaping, and missing capabilities checks in the 'weblingadminsaveform' and 'weblingadminsavememberlist' functions...

6.4CVSS6.1AI score0.00015EPSS

CVE•added 2026/04/04 11:16 a.m.•7 views

CVE-2026-0626

CVE-2026-0626 affects the WordPress plugin WPFunnels – Easy Funnel Builder (all versions up to and including 3.7.9). The vulnerability is in the wpf_optin_form shortcode, where insufficient input sanitization and output escaping of the button_icon parameter allows an authenticated attacker with c...

6.4CVSS6.1AI score0.00012EPSS

Exploits0References2

Positive Technologies•added 2026/03/18 12:0 a.m.•2 views

PT-2026-26022

The WP Go Maps formerly WP Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpgmza custom js’ parameter in all versions up to, and including, 10.0.05 due to insufficient input sanitization and output escaping and missing capability check in the 'admin post...

6.4CVSS6AI score0.00043EPSS