EUVD-2026-6144

eNet SMART HOME server 2.2.1 and 2.3.1 ships with default credentials user:user, admin:admin that remain active after installation and commissioning without enforcing a mandatory password change. Unauthenticated attackers can use these default credentials to gain administrative access to sensitiv...

CVE-2026-26366 JUNG eNet SMART HOME server 2.2.1/2.3.1 Use of Default Credentials

eNet SMART HOME server 2.2.1 and 2.3.1 ships with default credentials user:user, admin:admin that remain active after installation and commissioning without enforcing a mandatory password change. Unauthenticated attackers can use these default credentials to gain administrative access to sensitiv...

CVE-2026-1258

The Mail Mint plugin for WordPress is vulnerable to blind SQL Injection via the 'forms', 'automation', 'email/templates', and 'contacts/import/tutorlms/map' API endpoints in all versions up to, and including, 1.19.2 . This is due to insufficient escaping on the user supplied 'order-by',...

CVE-2025-13681

The BFG Tools – Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied firstfile parameter in the zip function. This makes it possible for authenticated attackers, with...

CVE-2026-0745

The User Language Switch plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.10 due to missing URL validation on the 'downloadlanguage' function. This makes it possible for authenticated attackers, with Administrator-level access and above, ...

eNet SMART HOME server 安全漏洞

The eNet SMART HOME server is a wireless smart home console developed by the German company eNet. Both the eNet SMART HOME server 2.2.1 version and 2.3.1 version have security vulnerabilities. These vulnerabilities stem from the use of default credentials, which may allow unauthenticated attacker...

PT-2026-8250

Name of the Vulnerable Software and Affected Versions eNet SMART HOME server versions 2.2.1 and 2.3.1 Description The eNet SMART HOME server is affected by a default credentials issue. The server ships with default credentials 'user:user', 'admin:admin' that remain active after installation and...

CVE-2026-1258

The Mail Mint plugin for WordPress is vulnerable to blind SQL Injection via the 'forms', 'automation', 'email/templates', and 'contacts/import/tutorlms/map' API endpoints in all versions up to, and including, 1.19.2 . This is due to insufficient escaping on the user supplied 'order-by',...

CVE-2026-0693

The Allow HTML in Category Descriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via category descriptions in all versions up to, and including, 1.2.4. This is due to the plugin unconditionally removing the wpksesdata output filter for termdescription, linkdescription,...

CVE-2026-0735

The User Language Switch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tabcolorpickerlanguageswitch' parameter in all versions up to, and including, 1.6.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

CVE-2025-15483

The Link Hopper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hopname’ parameter in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, ...

CVE-2026-0735 User Language Switch <= 1.6.10 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'tab_color_picker_language_switch' Parameter

The User Language Switch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tabcolorpickerlanguageswitch' parameter in all versions up to, and including, 1.6.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

CVE-2026-0693

The Allow HTML in Category Descriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via category descriptions in all versions up to, and including, 1.2.4. This is due to the plugin unconditionally removing the wpksesdata output filter for termdescription, linkdescription,...

PT-2026-8099

The Mail Mint plugin for WordPress is vulnerable to blind SQL Injection via the 'forms', 'automation', 'email/templates', and 'contacts/import/tutorlms/map' API endpoints in all versions up to, and including, 1.19.2 . This is due to insufficient escaping on the user supplied 'order-by',...

PT-2026-8060

The Link Hopper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hop name’ parameter in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access,...

WordPress plugin BFG Tools – Extension Zipper 路径遍历漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

PT-2026-8065

The User Language Switch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tab color picker language switch' parameter in all versions up to, and including, 1.6.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

PT-2026-8054

The AMP Enhancer – Compatibility Layer for Official AMP Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the AMP Custom CSS setting in all versions up to, and including, 1.0.49 due to insufficient input sanitization and output escaping on user supplied attributes. This makes ...

CVE-2025-14892

The Prime Listing Manager WordPress plugin through 1.1 allows an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions due to a hardcoded secret...

CVE-2019-25344

Wondershare MobileGo 8.5.0 is affected by an insecure file permissions vulnerability that allows local users to modify executable files in the application directory. Attackers can replace MobileGo.exe with a malicious executable to create a new user account and add it to the Administrators group,...