Lucene search
K

132 matches found

CVE
CVE
added 4 days ago10 views

CVE-2026-11359

The CVE-2026-11359 entry relates to the Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration plugin for WordPress. Affected versions up to 3.4 are vulnerable due to missing capability checks and nonce validation in the pg_install_profilegrid() AJAX handler (wp_ajax_...

4.3CVSS5.9AI score0.00246EPSS
Exploits0References5
EUVD
EUVD
added 4 days ago7 views

EUVD-2026-42541

The Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration plugin for WordPress is vulnerable to unauthorized plugin installation and activation in versions up to, and including, 3.4. This is due to a missing capability check and missing nonce validation on the...

4.3CVSS5.9AI score0.00246EPSS
Exploits0References5
Cvelist
Cvelist
added 4 days ago32 views

CVE-2026-11359 Memberships and User Profiles for WooCommerce <= 3.4 - Missing Authorization to Authenticated (Subscriber+) ProfileGrid Plugin Installation and Activation

The Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration plugin for WordPress is vulnerable to unauthorized plugin installation and activation in versions up to, and including, 3.4. This is due to a missing capability check and missing nonce validation on the...

4.3CVSS0.00246EPSS
Exploits0References5
NVD
NVD
added 5 days ago8 views

CVE-2026-14500

The Bulk Order Update for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 1.6. This is due to the bouwfetchcsvdata AJAX handler being registered on the wpajaxnopriv hook with no capability or nonce check, and passing the attacker-supplied...

5.3CVSS0.00333EPSS
Exploits0References4
NVD
NVD
added 2026/07/01 5:16 a.m.7 views

CVE-2026-12110

The Taskbuilder – Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to generic SQL Injection via the 'tasksearch' parameter in all versions up to, and including, 5.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient...

6.5CVSS0.00328EPSS
Exploits0References11
Cvelist
Cvelist
added 2026/07/01 3:43 a.m.36 views

CVE-2026-12923 Video Gallery <= 4.0.3 - Authenticated (Subscriber+) Arbitrary Function Call via 'path' Parameter

The Youtube Showcase plugin for WordPress is vulnerable to Arbitrary Function Call in versions up to and including 4.0.3. This is due to insufficient validation of the 'path' parameter in the emddeletefile AJAX handler in includes/common-functions.php. The user-supplied value is passed through...

7.5CVSS0.00319EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/07/01 3:43 a.m.46 views

CVE-2026-12110 Taskbuilder <= 5.0.8 - Authenticated (Subscriber+) SQL Injection via 'task_search' Parameter

The Taskbuilder – Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to generic SQL Injection via the 'tasksearch' parameter in all versions up to, and including, 5.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient...

6.5CVSS0.00328EPSS
Exploits0References11
EUVD
EUVD
added 2026/07/01 3:43 a.m.6 views

EUVD-2026-40894

The Taskbuilder – Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to generic SQL Injection via the 'tasksearch' parameter in all versions up to, and including, 5.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient...

6.5CVSS5.8AI score0.00328EPSS
Exploits0References11
CVE
CVE
added 2026/07/01 3:43 a.m.26 views

CVE-2026-12110

CVE-2026-12110 relates to the WordPress plugin Taskbuilder – Project Management & Task Management Tool With Kanban Board. All versions up to 5.0.8 are affected by a generic SQL Injection in the task_search parameter caused by insufficient escaping and lack of proper query preparation. This allows...

6.5CVSS5.8AI score0.00328EPSS
Exploits0References11
Cvelist
Cvelist
added 2026/06/29 2:34 p.m.37 views

CVE-2026-49049 Joomla Extension - joomshaper.com - Unauthenticated access to Helix3 template ajax handler

The Helix3 plugin for Joomla exposes an ajax handler task, that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files and update template parameters...

0.00228EPSS
Exploits4References1
CVE
CVE
added 2026/06/29 2:34 p.m.110 views

CVE-2026-49049

The CVE-2026-49049 entry concerns the Helix3 Joomla extension by joomshaper. The vulnerability arises from an exposed ajax handler task within Helix3 that allows unauthenticated attackers to delete arbitrary files, write arbitrary JSON files, and update template parameters. This indicates a remot...

7.5CVSS5.9AI score0.00228EPSS
Exploits4References1Affected Software1
CVE
CVE
added 2026/06/26 1:27 a.m.20 views

CVE-2026-13226

CVE-2026-13226 affects the Groundhogg WordPress plugin (CRM/Newsletters/Marketing Automation) up to version 4.5.4. It exposes a generic SQL Injection via the vulnerable 'after' parameter caused by insufficient escaping and lack of proper preparation in the existing SQL query. The issue allows aut...

6.5CVSS6AI score0.00281EPSS
Exploits0References8
CVE
CVE
added 2026/06/19 3:41 a.m.28 views

CVE-2026-10779

CVE-2026-10779 affects the WordPress Classified Listing plugin (versions

4.3CVSS6AI score0.00213EPSS
Exploits0References8
NVD
NVD
added 2026/06/18 6:16 a.m.14 views

CVE-2026-9860

The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter parameter. This is due to insufficient privilege enforcement on the cfimagesdosetup AJAX handler, which require...

8.8CVSS0.00577EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/06/18 4:31 a.m.26 views

CVE-2026-9860 Offload, AI & Optimize with Cloudflare Images <= 1.10.2 - Authenticated (Author+) Remote Code Execution via 'api-key' / 'account-id' Parameters in cf_images_do_setup AJAX Action

The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter parameter. This is due to insufficient privilege enforcement on the cfimagesdosetup AJAX handler, which require...

8.8CVSS0.00577EPSS
Exploits0References6
CVE
CVE
added 2026/06/18 4:31 a.m.50 views

CVE-2026-9860

The CVE-2026-9860 entry concerns the WordPress plugin “Offload, AI & Optimize with Cloudflare Images” (versions

8.8CVSS6AI score0.00577EPSS
Exploits0References6
EUVD
EUVD
added 2026/06/11 12:32 a.m.12 views

EUVD-2026-36139

Copy & Delete Posts through 1.5.4 lets any plugin-enabled non-admin role invoke every operation in the cdpactionhandling AJAX handler. Attackers with an enabled role can delete posts or overwrite plugin settings via the f parameter, bypassing per-function capability checks...

8.1CVSS5.4AI score0.00248EPSS
Exploits0References3
CVE
CVE
added 2026/06/10 8:39 p.m.24 views

CVE-2026-53738

CVE-2026-53738 affects the WordPress plugin Copy & Delete Posts, up to version 1.5.4. The vulnerability stems from the cdp_action_handling AJAX handler, where any plugin-enabled non-admin role can invoke every operation, bypassing per-function capability checks. This enables attackers with an ena...

8.1CVSS5.4AI score0.00248EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/06/09 12:0 a.m.21 views

PT-2026-47711

Name of the Vulnerable Software and Affected Versions The Events Calendar for GeoDirectory plugin for WordPress versions prior to 2.3.29 Description Authenticated attackers with Subscriber-level access or higher can elevate their privileges to Administrator. This occurs because the ajax ayi actio...

8.8CVSS5.5AI score0.00275EPSS
Exploits0References8
EUVD
EUVD
added 2026/06/06 4:28 a.m.24 views

EUVD-2026-34962

The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to time-based SQL Injection via 'compactalbumorderby' Shortcode Parameter in all versions up to, and including, 1.8.41 due to insufficient escaping on the user supplied parameter and lack of sufficient...

6.5CVSS5.8AI score0.00325EPSS
Exploits0References12
Rows per page
Query Builder