Lucene search
K

1104 matches found

NVD
NVD
added 2026/04/29 9:16 p.m.3 views

CVE-2026-7407

A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is the function savesettings of the file /pizzafy/admin/ajax.php?action=savesettings of the component Setting Handler. Such manipulation leads to sql injection. It is possible...

5.8CVSS0.00253EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/04/23 8:38 p.m.6 views

CVE-2026-4121

The Kcaptcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.0.1. This is due to missing nonce validation in the plugin's settings page handler admin/setting.php. The settings form does not include a wpnoncefield and the form processing code...

4.3CVSS5.7AI score0.00178EPSS
Exploits0References1
EUVD
EUVD
added 2026/04/22 9:31 a.m.5 views

EUVD-2026-24672

The WP Responsive Popup + Optin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.4. This is due to the settings form on the admin page wpoadminpage.php lacking nonce generation wpnoncefield and verification wpverifynonce/checkadminreferer. Thi...

6.1CVSS5.7AI score0.00181EPSS
Exploits0References12
EUVD
EUVD
added 2026/04/22 9:31 a.m.6 views

EUVD-2026-24635

The Real Estate Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions...

5.5CVSS5.8AI score0.00241EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/22 9:31 a.m.4 views

EUVD-2026-24634

The HTTP Headers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.19.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions a...

4.4CVSS5.8AI score0.0029EPSS
Exploits0References4
NVD
NVD
added 2026/04/22 9:16 a.m.7 views

CVE-2026-1379

The HTTP Headers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.19.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions a...

4.4CVSS0.0029EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/22 7:45 a.m.5 views

CVE-2026-1845 Real Estate Pro <= 1.0.9 - Authenticated (Admin+) Stored Cross-Site Scripting via Settings

The Real Estate Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions...

5.5CVSS5.8AI score0.00241EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/22 7:45 a.m.32 views

CVE-2026-1845 Real Estate Pro <= 1.0.9 - Authenticated (Admin+) Stored Cross-Site Scripting via Settings

The Real Estate Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions...

5.5CVSS0.00241EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/04/22 7:45 a.m.9 views

CVE-2026-1845

The Real Estate Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions...

5.5CVSS5.8AI score0.00241EPSS
Exploits0References3
CVE
CVE
added 2026/04/22 7:45 a.m.13 views

CVE-2026-4131

The CVE-2026-4131 entry concerns the WP Responsive Popup + Optin WordPress plugin (versions up to 1.4). Root cause: the admin settings form (wpo_admin_page.php) does not generate or verify a nonce (wp_nonce_field/wp_verify_nonce/check_admin_referer), enabling CSRF that can update plugin settings,...

6.1CVSS5.7AI score0.00181EPSS
Exploits0References11
Positive Technologies
Positive Technologies
added 2026/04/22 12:0 a.m.10 views

PT-2026-34294

Name of the Vulnerable Software and Affected Versions TextP2P Texting Widget versions prior to 1.8 Description The TextP2P Texting Widget plugin for WordPress is susceptible to Cross-Site Request Forgery. This occurs because the imTextP2POptionPage function, which handles settings updates, lacks...

4.3CVSS5.7AI score0.00156EPSS
Exploits0References8
Positive Technologies
Positive Technologies
added 2026/04/22 12:0 a.m.5 views

PT-2026-34269

Name of the Vulnerable Software and Affected Versions Real Estate Pro versions prior to 1.1.0 Description The Real Estate Pro plugin for WordPress contains a Stored Cross-Site Scripting issue within the admin settings. This occurs because of insufficient input sanitization and output escaping,...

5.5CVSS5.9AI score0.00241EPSS
Exploits0References5
NVD
NVD
added 2026/04/21 7:16 a.m.4 views

CVE-2026-6712

The Website LLMs.txt plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permission...

4.4CVSS0.00157EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/04/21 6:43 a.m.29 views

CVE-2026-6712 Website LLMs.txt <= 8.2.6 - Authenticated (Admin+) Stored Cross-Site Scripting

The Website LLMs.txt plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permission...

4.4CVSS0.00157EPSS
Exploits0References2
CVE
CVE
added 2026/04/21 6:43 a.m.25 views

CVE-2026-6712

CVE-2026-6712 describes a Stored Cross-Site Scripting vulnerability in the Website LLMs.txt WordPress plugin. The flaw affects versions up to 8.2.6 and arises from insufficient input sanitization and output escaping in admin settings, enabling authenticated attackers with administrator-level (or ...

4.4CVSS5.8AI score0.00157EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/04/21 12:0 a.m.8 views

PT-2026-33921

Name of the Vulnerable Software and Affected Versions LLMs.txt plugin for WordPress versions prior to 8.2.7 Description The plugin is subject to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping in admin settings. Authenticated attackers with administrator-lev...

4.4CVSS5.4AI score0.00157EPSS
Exploits0References5
EUVD
EUVD
added 2026/04/16 9:31 a.m.4 views

EUVD-2026-23203

The Livemesh Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 9.0. This is due to missing authorization checks on the AJAX handler laeadminajax and insufficient...

6.4CVSS5.9AI score0.00322EPSS
Exploits0References10
EUVD
EUVD
added 2026/04/16 6:31 a.m.11 views

EUVD-2026-23179

The Custom New User Notification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's admin settings in all versions up to, and including, 1.2.0. This is due to insufficient input sanitization and output escaping on multiple settings fields including 'User Mail...

4.4CVSS5.9AI score0.00361EPSS
Exploits0References18
NVD
NVD
added 2026/04/16 6:16 a.m.6 views

CVE-2026-3551

The Custom New User Notification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's admin settings in all versions up to, and including, 1.2.0. This is due to insufficient input sanitization and output escaping on multiple settings fields including 'User Mail...

4.4CVSS0.00361EPSS
Exploits0References17
Vulnrichment
Vulnrichment
added 2026/04/16 5:29 a.m.5 views

CVE-2026-3551 Custom New User Notification <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'User Mail Subject' Setting

The Custom New User Notification plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's admin settings in all versions up to, and including, 1.2.0. This is due to insufficient input sanitization and output escaping on multiple settings fields including 'User Mail...

4.4CVSS5.9AI score0.00361EPSS
Exploits0References17
Rows per page
Query Builder