Lucene search
K

2351 matches found

Cvelist
Cvelist
added 2026/05/07 1:25 a.m.58 views

CVE-2026-6222 Forminator Forms <= 1.51.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'forminator_action' Parameter

The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.51.1. This is due to the processRequest method in ForminatorAdminModuleEditPage admin/abstracts/class-admin-module-edit-page.php dispatching sensitive module-management actions —...

5.3CVSS0.00425EPSS
Exploits0References8
Snyk
Snyk
added 2026/05/06 8:11 p.m.9 views

Incorrect Authorization

Overview phpmyfaq/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Incorrect Authorization in the userHasPermission process. An attacker can gain unauthorized access to sensitive administrative data by sending requests ...

7.1CVSS5.8AI score0.00303EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/06 8:11 p.m.11 views

phpMyFAQ has an Authorization Bypass in All Admin Pages Due to Non-Terminating Permission Check

Summary AbstractAdministrationController::userHasPermission catches the ForbiddenException thrown when a user lacks a specific permission, sends a "forbidden" HTML page via $response-send, but does not terminate execution. The calling controller method continues to execute, fetches protected data...

7.1CVSS6AI score0.00303EPSS
Exploits0References4Affected Software2
Github Security Blog
Github Security Blog
added 2026/05/05 8:32 p.m.12 views

YAFNET: Pre-Handler Authorization Bypass on Admin Pages Enables Blind SQL Execution via `/Admin/RunSql`

Issue Details: YAFNET's only admin authorization gate is PageSecurityCheckAttribute, implemented as a ResultFilterAttribute that runs after the page handler completes rather than before it. No other gate exists. Any admin OnPost… handler therefore executes its side effects before the filter...

8.8CVSS6.2AI score0.00488EPSS
Exploits0References5Affected Software1
EUVD
EUVD
added 2026/05/05 3:31 a.m.8 views

EUVD-2026-27207

The Publish 2 Ping.fm plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the '/wp-admin/options-general.php?page=admin.php' page. This makes it possible for unauthenticated attackers t...

6.1CVSS5.7AI score0.0012EPSS
Exploits0References8
CVE
CVE
added 2026/05/05 2:26 a.m.21 views

CVE-2026-6702

The CVE-2026-6702 entry concerns the WordPress plugin Publish 2 Ping.fm (versions

6.1CVSS5.7AI score0.0012EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/05/05 2:26 a.m.6 views

CVE-2026-6696

The Zingaya Click-to-Call plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email', 'firstname', 'lastname', and 'phone' parameters on the plugin's sign-up admin page in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output...

6.1CVSS6AI score0.00219EPSS
Exploits0References7
CNNVD
CNNVD
added 2026/05/05 12:0 a.m.12 views

WordPress plugin Publish 2 Ping.fm 跨站请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

6.1CVSS5.7AI score0.0012EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/05 12:0 a.m.17 views

PT-2026-36960

Name of the Vulnerable Software and Affected Versions Publish 2 Ping.fm plugin for WordPress versions prior to 1.2 Description Cross-Site Request Forgery occurs due to missing or incorrect nonce validation on the '/wp-admin/options-general.php?page=admin.php' page. This allows unauthenticated...

6.1CVSS5.8AI score0.0012EPSS
Exploits0References13
Positive Technologies
Positive Technologies
added 2026/05/05 12:0 a.m.19 views

PT-2026-37309

Name of the Vulnerable Software and Affected Versions YetAnotherForum.NET YAF.NET versions prior to 4.0.5 YetAnotherForum.NET YAF.NET versions prior to 3.2.12 Description Stored Cross-Site Scripting XSS occurs when attacker-controlled input is persisted and later rendered without proper...

8.1CVSS5.8AI score0.00282EPSS
Exploits0References6
EUVD
EUVD
added 2026/04/28 6:0 p.m.9 views

EUVD-2026-26138

A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is the function savesettings of the file /admin/index.php?page=savesettings. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit h...

4.8CVSS3.4AI score0.00206EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/04/28 6:0 p.m.35 views

CVE-2026-7294 SourceCodester Pizzafy Ecommerce System index.php save_settings cross site scripting

A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is the function savesettings of the file /admin/index.php?page=savesettings. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit h...

4.8CVSS0.00206EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/04/28 12:0 a.m.11 views

SourceCodester Pizzafy Ecommerce System 跨站脚本漏洞

SourceCodester Pizzafy Ecommerce System is an open-source e-commerce system developed by SourceCodester. Version 1.0 of the SourceCodester Pizzafy Ecommerce System contains a cross-site scripting vulnerability. This vulnerability arises from the parameter Name in the savesettings function located...

4.8CVSS5.6AI score0.00206EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/04/26 12:0 a.m.9 views

CodeAstro Online Job Portal 注入漏洞

CodeAstro Online Job Portal is an online job portal operated by CodeAstro Corporation. Version 1.0 of CodeAstro Online Job Portal has a vulnerability due to improper handling of ID parameters in the admin/jobs-admins/delete-jobs.php file within the All Jobs Page component, which may lead to SQL...

5.8CVSS5.9AI score0.00311EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/22 7:45 a.m.3 views

CVE-2026-4131 WP Responsive Popup + Optin <= 1.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'wpo_image_url' Parameter

The WP Responsive Popup + Optin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.4. This is due to the settings form on the admin page wpoadminpage.php lacking nonce generation wpnoncefield and verification wpverifynonce/checkadminreferer. Thi...

6.1CVSS5.7AI score0.00181EPSS
Exploits0References11
Vulnrichment
Vulnrichment
added 2026/04/20 5:33 p.m.4 views

CVE-2026-23752 GFI HelpDesk < 4.99.9 Stored XSS via companyname Parameter

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the template group creation and editing functionality that allows authenticated administrators to inject arbitrary JavaScript by manipulating the companyname POST parameter without HTML sanitization. Attackers can...

4.8CVSS5.8AI score0.00151EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/04/17 1:24 a.m.8 views

CVE-2026-5231 WP Statistics <= 14.16.4 - Unauthenticated Stored Cross-Site Scripting via 'utm_source' Parameter

The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'utmsource' parameter in all versions up to, and including, 14.16.4. This is due to insufficient input sanitization and output escaping. The plugin's referral parser copies the raw utmsource value into the...

7.2CVSS5.9AI score0.00476EPSS
Exploits0References6
EUVD
EUVD
added 2026/04/17 1:24 a.m.7 views

EUVD-2026-23342

The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'utmsource' parameter in all versions up to, and including, 14.16.4. This is due to insufficient input sanitization and output escaping. The plugin's referral parser copies the raw utmsource value into the...

7.2CVSS5.9AI score0.00476EPSS
Exploits0References6
EUVD
EUVD
added 2026/04/14 6:30 p.m.5 views

EUVD-2025-209447

In manikandan580 School-management-system 1.0, a reflected XSS vulnerability exists in /studentms/admin/contact-us.php via the pagedes POST parameter...

6.1CVSS5.8AI score0.00181EPSS
Exploits1References2
Tenable Nessus
Tenable Nessus
added 2026/04/14 12:0 a.m.2 views

Linux Distros Unpatched Vulnerability : CVE-2019-25710

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary...

9.1CVSS6.2AI score0.00311EPSS
Exploits1References2
Rows per page
Query Builder