Lucene search
+L

6627 matches found

cvelist
cvelist
added 6 hours ago8 views

CVE-2026-15727 WP Bulk Delete <= 1.4.2 - Authenticated (Administrator+) SQL Injection via 'delete_user_roles' Parameter

The WP Bulk Delete plugin for WordPress is vulnerable to generic SQL Injection via the 'deleteuserroles' parameter in all versions up to, and including, 1.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

4.9CVSS
Exploits0References10
cve
cve
added 6 hours ago6 views

CVE-2026-15651

The CVE concerns the WP TripAdvisor Review Slider plugin for WordPress. All versions up to 14.6 are vulnerable to a generic SQL Injection via the filtersource parameter due to insufficient escaping of user input and lack of proper SQL query preparation. Exploitation is described as feasible by au...

4.9CVSS6.1AI score
Exploits0References6
nvd
nvd
added 7 hours ago4 views

CVE-2026-12907

The RTMKit WordPress plugin before 2.0.9 does not perform a proper capability check on one of its -builder AJAX actions, allowing users with at least the Author role to create and activate a site-wide template that overrides the header, footer or other global areas displayed to all visitors, whic...

Exploits0References1
euvd
euvd
added 8 hours ago5 views

EUVD-2026-44882

The FunnelKit WordPress plugin before 3.15.0.6 does not validate a user-supplied path before deleting a file during a template-import operation, allowing users with administrator privileges to delete arbitrary .json files outside the intended directory through path traversal, which can disable...

5.5CVSS6.2AI score
Exploits0References1
cve
cve
added yesterday7 views

CVE-2026-53446

CVE-2026-53446 affects Wekan prior to 9.32, where webhook integration URLs stored in models/integrations.js are fetched by server/notifications/outgoing.js without applying the private-network checks in models/lib/attachmentUrlValidation.js. This enables a board administrator to configure webhook...

6.2CVSS6.1AI score0.00018EPSS
Exploits0References3
attackerkb
attackerkb
added yesterday2 views

CVE-2026-40953

CVE-2026-40953 is a heap overflow in the certificate parsing function of Secure Access clients prior to 14.55. Attackers with local access and administrator permissions can create a denial of service attack against the client over which they have control...

6.7CVSS6.1AI score
Exploits0References2
euvd
euvd
added yesterday3 views

EUVD-2026-44784

CVE-2026-40953 is a heap overflow in the certificate parsing function of Secure Access clients prior to 14.55. Attackers with local access and administrator permissions can create a denial of service attack against the client over which they have control...

6.7CVSS6.1AI score
Exploits0References1
cve
cve
added yesterday11 views

CVE-2026-40953

CVE-2026-40953: heap overflow in the certificate parsing function of Secure Access clients prior to 14.55. Local access with administrator permissions can cause a denial of service on the client. Affected software is Secure Access clients (versions before 14.55); root cause is a heap overflow in ...

6.7CVSS6.1AI score
Exploits0References1Affected Software1
nuclei
nuclei
added yesterday97 views

FlatnuX CMS - Directory Traversal

A path traversal vulnerability in controlcenter.php in FlatnuX CMS 2011 08.09.2 allows remote administrators to read arbitrary files via a full pathname in the dir parameter in a contents/Files action. id: CVE-2012-4878 info: name: FlatnuX CMS - Directory Traversal author: daffainfo severity:...

5CVSS6.2AI score0.08761EPSS
Exploits1References5
nuclei
nuclei
added yesterday13 views

Skitter Slideshow <= 2.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

The Skitter Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping. id: CVE-2025-28906 info: name: Skitter Slideshow = 2.5.2 - Authenticated Administrator+ Stored Cross-Site...

5.9CVSS7AI score0.00492EPSS
Exploits0References3
euvd
euvd
added yesterday7 views

EUVD-2026-44588

Out-of-bounds Read in ASUS System Control Interface v3, ASUS System Control Interface, and ASUS Business Manager allows a local administrator to read memory regions beyond the intended firmware boundary by supplying a crafted IOCTL request that bypasses the validation. Refer to the ' Security...

5.6CVSS6.1AI score0.00101EPSS
Exploits0References1
cvelist
cvelist
added 4 days ago34 views

CVE-2026-61875 luci-app-upnp Stored XSS via UPnP Port Mapping Description

luci-app-upnp contains a stored cross-site scripting vulnerability that allows unauthenticated LAN clients to inject JavaScript via UPnP IGD AddPortMapping SOAP requests. Attackers can send malicious HTML in the NewPortMappingDescription field, which miniupnpd stores and luci-app-upnp renders...

8.8CVSS0.00289EPSS
Exploits0References2
nvd
nvd
added 5 days ago9 views

CVE-2025-5017

The Catalyst Connect Zoho CRM Client Portal plugin for WordPress is vulnerable to time-based SQL Injection via the ‘uid’ parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query...

4.9CVSS0.00258EPSS
Exploits0References3
cve
cve
added 5 days ago17 views

CVE-2025-5017

Summary: The Catalyst Connect Zoho CRM Client Portal WordPress plugin (≤ 2.2.0) is vulnerable to time-based SQL Injection via the uid parameter. The root cause is insufficient escaping of user input and lack of proper query parameterization, enabling authenticated attackers with Administrator-lev...

4.9CVSS6.1AI score0.00258EPSS
Exploits0References3
cvelist
cvelist
added 5 days ago35 views

CVE-2026-11898 White Label CMS <= 2.7.12 - Authenticated (Administrator+) Stored Cross-Site Scripting via Import Settings

The White Label CMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.7.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permission...

4.4CVSS0.00246EPSS
Exploits0References10
cve
cve
added 5 days ago8 views

CVE-2026-9738

The WordPress plugin Print, PDF, Email by PrintFriendly (for WordPress) is vulnerable to Stored Cross-Site Scripting via the content_position_css parameter in all versions up to 5.5.10. Root cause: insufficient input sanitization and output escaping. Affected: Print, PDF, Email by PrintFriendly p...

4.4CVSS6.2AI score0.00208EPSS
Exploits0References8
cve
cve
added 6 days ago15 views

CVE-2026-15295

CVE-2026-15295 affects the WordPress Infinite Scroll – Ajax Load More plugin for WordPress, vulnerable in all versions up to 7.0.1 due to insufficient input sanitization and output escaping. Stored XSS can be triggered by authenticated attackers with administrator-level permissions (and above) vi...

4.4CVSS6.2AI score0.0019EPSS
Exploits0References2
nvd
nvd
added 6 days ago6 views

CVE-2026-22660

FlaskBB through 2.2.0, fixed in commit a5da9a5, contains a logic flaw vulnerability that allows authenticated administrators to delete all built-in authorization groups by exploiting a type mismatch in the bulk delete protection check. The bulk AJAX endpoint in the management views compares...

8.6CVSS0.00328EPSS
Exploits0References3
cvelist
cvelist
added 6 days ago37 views

CVE-2026-12918 Mail Mint <= 1.24.1 - Authenticated (Administrator+) SQL Injection via 'recipients' Parameter

The Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to generic SQL Injection via the 'recipients' parameter in all versions up to, and including, 1.24.1 due to insufficient escaping on the user supplied parameter and lack of...

4.9CVSS0.00319EPSS
Exploits0References6
nvd
nvd
added 6 days ago5 views

CVE-2025-11977

The Happyforms – Form Builder for WordPress: Drag & Drop Contact Forms, Surveys, Payments & Multipurpose Forms plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.26.12 via the happyformsgetformpartial function. This makes it possible for authenticat...

6.6CVSS0.00516EPSS
Exploits0References4
Rows per page
Query Builder