Lucene search
K

1109 matches found

Positive Technologies
Positive Technologies
added 2026/05/08 12:0 a.m.20 views

PT-2026-39284

Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.9.0 Description The AccountPending.svelte component renders admin-configured "Pending User Overlay Content" using marked.parse inside @html with an incorrect DOMPurify application order. DOMPurify is applied to t...

4.8CVSS5.9AI score0.0017EPSS
Exploits1References4
ATTACKERKB
ATTACKERKB
added 2026/05/05 2:26 a.m.3 views

CVE-2026-6700

The DX Sources plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the settingspagebuild function. This makes it possible for unauthenticated attackers to trick a logged-in...

4.3CVSS5.7AI score0.00128EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/05/04 10:7 p.m.8 views

pyload-ng: non-admin SETTINGS users can disable outbound TLS peer verification via unrestricted `ssl_verify` config (incomplete fix for CVE-2026-33509 / -35463 / -35464 / -35586)

Summary The setconfigvalue API method @permissionPerms.SETTINGS in src/pyload/core/api/init.py gates security-sensitive options behind a hand-maintained allowlist ADMINONLYCOREOPTIONS. The option "general", "sslverify" is not on that allowlist. Any authenticated user with the non-admin SETTINGS...

6.8CVSS5.8AI score0.00174EPSS
Exploits1References8Affected Software1
Cvelist
Cvelist
added 2026/05/02 5:29 a.m.36 views

CVE-2026-6447 Call for Price for WooCommerce <= 4.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Call for Price' Label Settings

The Call for Price for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

4.4CVSS0.00252EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/05/02 12:0 a.m.10 views

PT-2026-36578

The Call for Price for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

4.4CVSS6AI score0.00252EPSS
Exploits0References7
NVD
NVD
added 2026/04/29 9:16 p.m.3 views

CVE-2026-7407

A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is the function savesettings of the file /pizzafy/admin/ajax.php?action=savesettings of the component Setting Handler. Such manipulation leads to sql injection. It is possible...

5.8CVSS0.00253EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/04/23 8:38 p.m.6 views

CVE-2026-4121

The Kcaptcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.1. This is due to missing nonce validation in the plugin's settings page handler admin/setting.php. The settings form does not include a wpnoncefield and the form processing code...

4.3CVSS5.7AI score0.00178EPSS
Exploits0References1
EUVD
EUVD
added 2026/04/22 9:31 a.m.5 views

EUVD-2026-24672

The WP Responsive Popup + Optin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.4. This is due to the settings form on the admin page wpoadminpage.php lacking nonce generation wpnoncefield and verification wpverifynonce/checkadminreferer. Thi...

6.1CVSS5.7AI score0.00181EPSS
Exploits0References12
EUVD
EUVD
added 2026/04/22 9:31 a.m.4 views

EUVD-2026-24634

The HTTP Headers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.19.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions a...

4.4CVSS5.8AI score0.0029EPSS
Exploits0References4
EUVD
EUVD
added 2026/04/22 9:31 a.m.6 views

EUVD-2026-24635

The Real Estate Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions...

5.5CVSS5.8AI score0.00241EPSS
Exploits0References3
NVD
NVD
added 2026/04/22 9:16 a.m.7 views

CVE-2026-1379

The HTTP Headers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.19.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions a...

4.4CVSS0.0029EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/22 7:45 a.m.5 views

CVE-2026-1845 Real Estate Pro <= 1.0.9 - Authenticated (Admin+) Stored Cross-Site Scripting via Settings

The Real Estate Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions...

5.5CVSS5.8AI score0.00241EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/04/22 7:45 a.m.10 views

CVE-2026-1845

The Real Estate Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions...

5.5CVSS5.8AI score0.00241EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/22 7:45 a.m.32 views

CVE-2026-1845 Real Estate Pro <= 1.0.9 - Authenticated (Admin+) Stored Cross-Site Scripting via Settings

The Real Estate Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions...

5.5CVSS0.00241EPSS
Exploits0References2
CVE
CVE
added 2026/04/22 7:45 a.m.14 views

CVE-2026-4131

The CVE-2026-4131 entry concerns the WP Responsive Popup + Optin WordPress plugin (versions up to 1.4). Root cause: the admin settings form (wpo_admin_page.php) does not generate or verify a nonce (wp_nonce_field/wp_verify_nonce/check_admin_referer), enabling CSRF that can update plugin settings,...

6.1CVSS5.7AI score0.00181EPSS
Exploits0References11
Positive Technologies
Positive Technologies
added 2026/04/22 12:0 a.m.10 views

PT-2026-34294

Name of the Vulnerable Software and Affected Versions TextP2P Texting Widget versions prior to 1.8 Description The TextP2P Texting Widget plugin for WordPress is susceptible to Cross-Site Request Forgery. This occurs because the imTextP2POptionPage function, which handles settings updates, lacks...

4.3CVSS5.7AI score0.00156EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/04/22 12:0 a.m.5 views

PT-2026-34269

Name of the Vulnerable Software and Affected Versions Real Estate Pro versions prior to 1.1.0 Description The Real Estate Pro plugin for WordPress contains a Stored Cross-Site Scripting issue within the admin settings. This occurs because of insufficient input sanitization and output escaping,...

5.5CVSS5.9AI score0.00241EPSS
Exploits0References5
NVD
NVD
added 2026/04/21 7:16 a.m.4 views

CVE-2026-6712

The Website LLMs.txt plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permission...

4.4CVSS0.00157EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/21 6:43 a.m.29 views

CVE-2026-6712 Website LLMs.txt <= 8.2.6 - Authenticated (Admin+) Stored Cross-Site Scripting

The Website LLMs.txt plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permission...

4.4CVSS0.00157EPSS
Exploits0References2
CVE
CVE
added 2026/04/21 6:43 a.m.26 views

CVE-2026-6712

CVE-2026-6712 describes a Stored Cross-Site Scripting vulnerability in the Website LLMs.txt WordPress plugin. The flaw affects versions up to 8.2.6 and arises from insufficient input sanitization and output escaping in admin settings, enabling authenticated attackers with administrator-level (or ...

4.4CVSS5.8AI score0.00157EPSS
Exploits0References2
Rows per page
Query Builder