CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

497 matches found

WordPress Automatic Plugin - Unauthenticated Options Change

WordPress Automatic Plugin versions 3.53.2 and below contains a critical vulnerability that allows unauthenticated users to change arbitrary WordPress options through the processform.php script. The vulnerable script uses updateoption on all POST parameters without authentication or capability...

9.8CVSS7.9AI score0.74987EPSS

Exploits3References2

The Hacker News•added 4 days ago•11 views

Critical WP Maps Pro Flaw Actively Exploited to Create Admin Accounts

Threat actors are attempting to actively exploit a critical security flaw impacting WP Maps Pro, a WordPress plugin that has had over 15,000 sales on the Envato Market, to create malicious administrator accounts on susceptible sites. WP Maps Pro allows site owners to embed customizable Google Map...

9.8CVSS5.7AI score0.00097EPSS

Exploits6

NVD•added 2026/05/29 4:16 p.m.•8 views

CVE-2018-25397

PHP-SHOP 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to add administrative users by crafting malicious HTML forms. Attackers can trick authenticated administrators into visiting a page containing a hidden form that automatically submits POST...

6.9CVSS0.00021EPSS

Exploits0References3

Vulnrichment•added 2026/05/29 2:46 p.m.•5 views

CVE-2018-25397 PHP-SHOP 1.0 Cross-Site Request Forgery via users.php

6.9CVSS5.7AI score0.00021EPSS

Exploits0References3

Cvelist•added 2026/05/29 2:46 p.m.•26 views

CVE-2018-25397 PHP-SHOP 1.0 Cross-Site Request Forgery via users.php

6.9CVSS0.00021EPSS

Exploits0References3

Positive Technologies•added 2026/05/29 12:0 a.m.•9 views

PT-2026-44875

6.9CVSS5.7AI score0.00021EPSS

Exploits0References4

CVE•added 2026/05/28 4:25 p.m.•12 views

CVE-2026-9095

Casdoor CVE-2026-9095 affects versions 2.362.0 and earlier. The ParseSamlResponse() in object/saml_sp.go maps retrieved SAML assertions directly to user sessions without replay protection, lacking an assertion ID cache, OneTimeUse enforcement, or replay detection in the SAML SP code path. This en...

8.1CVSS5.9AI score0.00054EPSS

Exploits0References1

CNNVD•added 2026/05/28 12:0 a.m.•8 views

WordPress plugin Advanced Custom Fields: Extended 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

9.8CVSS5.8AI score0.0023EPSS

Exploits0References6

EUVD•added 2026/05/23 4:27 a.m.•10 views

EUVD-2026-31523

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember3Hooks::generateapikey' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with...

8.8CVSS5.8AI score0.00044EPSS

Exploits0References2

CNNVD•added 2026/05/23 12:0 a.m.•5 views

WordPress plugin Wishlist Member 安全漏洞

8.8CVSS6AI score0.00044EPSS

Exploits0References3

CNNVD•added 2026/05/23 12:0 a.m.•5 views

WordPress plugin WishList Member 安全漏洞

8.8CVSS5.9AI score0.00044EPSS

Exploits0References3

CNNVD•added 2026/05/23 12:0 a.m.•4 views

WordPress plugin WishList Member 安全漏洞

8.8CVSS5.8AI score0.00044EPSS

Exploits0References3

Cvelist•added 2026/05/16 3:28 p.m.•32 views

CVE-2020-37241 bloofoxCMS 0.5.2.1 Cross-Site Request Forgery via user add

bloofoxCMS 0.5.2.1 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions by tricking logged-in users into visiting malicious pages. Attackers can craft hidden forms targeting the admin user creation endpoint to add new administrative accounts...

6.9CVSS0.00019EPSS

Exploits0References4

ATTACKERKB•added 2026/05/16 3:28 p.m.•4 views

CVE-2020-37241

6.9CVSS5.8AI score0.00019EPSS

Exploits0References4Affected Software1

EUVD•added 2026/05/16 3:28 p.m.•6 views

EUVD-2020-31233

6.9CVSS5.8AI score0.00019EPSS

Exploits0References4

Positive Technologies•added 2026/05/16 12:0 a.m.•8 views

PT-2026-41441

6.9CVSS5.8AI score0.00019EPSS

Exploits0References5

Cvelist•added 2026/05/15 7:12 p.m.•33 views

CVE-2026-45675 Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, he LDAP and OAuth authentication flows use a TOCTOU Time-of-Check-Time-of-Use pattern for first-user admin role assignment. The regular signup handler signuphandler in auths.py, line...

8.1CVSS0.00115EPSS

Exploits1References3

CVE•added 2026/05/15 7:12 p.m.•4 views

CVE-2026-45675

Open WebUI CVE-2026-45675 describes a TOCTOU race in first-user admin role assignment for LDAP and OAuth paths prior to version 0.9.0. The signup path was fixed to insert with a default role first and upgrade if only one user remains; LDAP and OAuth paths did not receive that fix. Attack scenario...

8.1CVSS5.9AI score0.00115EPSS

Exploits1References3Affected Software1

Vulnrichment•added 2026/05/15 7:12 p.m.•6 views

CVE-2026-45675 Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts

8.1CVSS5.9AI score0.00115EPSS

Exploits1References3

Github Security Blog•added 2026/05/14 8:28 p.m.•4 views

Open WebUI: LDAP and OAuth First-User Race Condition Allows Multiple Admin Accounts

Summary The LDAP and OAuth authentication flows use a TOCTOU Time-of-Check-Time-of-Use pattern for first-user admin role assignment. The regular signup handler signuphandler in auths.py, line 663 was explicitly patched to prevent this race with the comment "Insert with default role first to avoid...

8.1CVSS5.8AI score0.00115EPSS

Exploits1References6Affected Software1

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by