63 matches found
CVE-2026-7533
The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.6.7. This is due to missing nonce verification in the handleoauthredirect function, which is registered on the admin_init hook and processes Square OAuth tokens from ...
PT-2026-26852
The Multi Functional Flexi Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the arv lbmessage parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This is due to the arv lb options val sanitize callback...
CVE-2025-55044
The Trash Restore CSRF vulnerability in MuraCMS through 10.1.10 allows attackers to restore deleted content from the trash to unauthorized locations through CSRF. The vulnerable cTrash.restore function lacks CSRF token validation, enabling malicious websites to forge requests that restore content...
CVE-2026-27513
Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55multi contains a cross-site request forgery (CSRF) vulnerability in the web-based administrative interface. The interface does not implement anti-CSRF protections, allowing an attacker to induce an authenticated administrator to submit...
PT-2026-20505
Name of the Vulnerable Software and Affected Versions: InvoicePlane version 1.7.0. Description: InvoicePlane is a self-hosted open source application used for managing invoices, clients, and payments. A Stored Cross-Site Scripting (XSS) issue exists in the upload Invoice Logo function. The function...
CVE-2025-58471
An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains an administrator account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of...
CVE-2023-4209
The POEditor WordPress plugin before 0.9.8 does not have CSRF checks in various places, which could allow attackers to make logged-in admins perform unwanted actions, such as resetting the plugin's settings and updating its API key, via CSRF attacks...
CVE-2016-10947
The Post Indexer plugin before 3.0.6.2 for WordPress has SQL injection via the period parameter by a super admin...
CVE-2022-26482
An issue was discovered in Poly EagleEye Director II before 2.2.2.1. os.system command injection can be achieved by an admin...
CVE-2019-20842
An issue was discovered in Mattermost Server before 5.18.0, 5.17.2, 5.16.4, 5.15.4, and 5.9.7. There is SQL injection by admins via SearchAllChannels...
PT-2025-44961
The Visit Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the widgets.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged...
EUVD-2020-11779
Malware in sbrugna...
EUVD-2018-3656
Malware in sbrugna...
EUVD-2017-2827
Malware in sbrugna...
EUVD-2019-5708
Malware in sbrugna...
EUVD-2021-24752
Malware in sbrugna...
EUVD-2019-11379
Malware in sbrugna...
EUVD-2023-31755
Malicious code in bioql PyPI...
EUVD-2022-27877
Malicious code in bioql PyPI...
EUVD-2022-28158
Malicious code in bioql PyPI...