Lucene search
K

112 matches found

NVD
NVD
added 4 days ago5 views

CVE-2026-12761

The miniOrange Social Login and Register Discord, Google, Twitter, LinkedIn plugin for WordPress is vulnerable to authentication bypass leading to account takeover in versions up to and including 7.7.0. This is due to the Profile Completion flow accepting an arbitrary email address via the...

9.8CVSS0.00463EPSS
Exploits0References6
CVE
CVE
added 4 days ago7 views

CVE-2026-12761

Summary (CVE-2026-12761) The miniOrange Social Login and Register plugin for WordPress is vulnerable through the Profile Completion OTP flow in versions up to and including 7.7.0. The flow accepts an arbitrary email via the email_field POST parameter and does not verify that the email belongs to ...

9.8CVSS6.2AI score0.00463EPSS
Exploits0References6
CVE
CVE
added 2026/07/02 8:33 a.m.16 views

CVE-2026-12472

The CVE-2026-12472 entry concerns the Kirki – Freeform Page Builder, Website Builder & Customizer WordPress plugin. It states an authorization bypass in all versions up to 6.0.11, enabling unauthenticated attackers to send arbitrary HTML-injected emails via the site’s mail server, potentially phi...

5.3CVSS5.9AI score0.00283EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/07/01 7:53 a.m.39 views

CVE-2026-11387 SMS Alert <= 3.9.5 - Unauthenticated Privilege Escalation via Arbitrary Password Reset

The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. This is due to the plugin not properly validating a user's identity prior to updati...

9.8CVSS0.0038EPSS
Exploits1References8
NVD
NVD
added 2026/06/12 10:16 p.m.14 views

CVE-2026-53868

Capgo before 12.128.2 contains a denial of service vulnerability allowing attackers to register accounts using arbitrary email addresses without verification, then initiate deletion to lock emails in pending deletion state. Attackers can permanently lock legitimate users out of the platform for 3...

8.7CVSS0.00258EPSS
Exploits0References2
NVD
NVD
added 2026/06/02 4:17 a.m.20 views

CVE-2026-8206

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. Thi...

9.8CVSS0.0126EPSS
Exploits5References8
Vulnrichment
Vulnrichment
added 2026/06/02 3:28 a.m.33 views

CVE-2026-8206 Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password'

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. Thi...

9.8CVSS5.9AI score0.0126EPSS
Exploits5References8
NVD
NVD
added 2026/05/20 11:16 a.m.22 views

CVE-2026-25602

Insufficient Verification of Data Authenticity vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component makes it possible to send messages to any email address. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component:...

4.4CVSS0.00089EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/11 8:37 p.m.33 views

CVE-2026-43880 WWBN AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Allows Phishing from Site's Legitimate From Address

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/sendEmail.json.php exposes two branches depending on whether contactForm=1 is submitted. When the parameter is omitted, the endpoint sets $sendTo to an attacker-supplied email and, for unauthenticated...

5.3CVSS0.00229EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/05 12:0 a.m.12 views

PT-2026-37296

Name of the Vulnerable Software and Affected Versions AVideo versions prior to 29.0 Description An issue exists in the 'objects/sendEmail.json.php' endpoint where the absence of the contactForm parameter allows unauthenticated users to send emails to arbitrary recipients. When this parameter is...

5.3CVSS5.9AI score0.00229EPSS
Exploits0References6
CNNVD
CNNVD
added 2026/04/06 12:0 a.m.9 views

plunk 注入漏洞

Plunk is an open-source email sending and management platform developed by Plunk. Versions of Plunk prior to 0.8.0 had a vulnerability related to injection attacks. This vulnerability stemmed from the CRLF header injection in the SESService.ts file, which could allow authenticated API users to...

8.5CVSS5.9AI score0.00194EPSS
Exploits2References1
EUVD
EUVD
added 2026/03/30 7:29 p.m.4 views

EUVD-2026-16797

Fleet's user account creation via invite does not enforce invited email address...

7.1CVSS5.8AI score0.00184EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/03/30 7:29 p.m.7 views

Fleet's user account creation via invite does not enforce invited email address

Summary Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token could create an account under an arbitrary email address whi...

7.1CVSS6AI score0.00184EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/03/30 7:29 p.m.3 views

GHSA-4F9R-X588-PP2H Fleet's user account creation via invite does not enforce invited email address

Summary Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token could create an account under an arbitrary email address whi...

7.1CVSS6AI score0.00184EPSS
Exploits0References3
NVD
NVD
added 2026/03/27 8:16 p.m.8 views

CVE-2026-34389

Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token...

7.1CVSS0.00184EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/03/27 7:18 p.m.21 views

CVE-2026-34389 Fleet's user account creation via invite does not enforce invited email address

Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token...

7.1CVSS0.00184EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/27 7:18 p.m.1 views

CVE-2026-34389 Fleet's user account creation via invite does not enforce invited email address

Fleet is open source device management software. Prior to 4.81.0, Fleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token...

7.1CVSS6AI score0.00184EPSS
Exploits0References1
NVD
NVD
added 2026/01/13 2:15 a.m.9 views

CVE-2026-0495

SAP Fiori App Intercompany Balance Reconciliation allows an attacker with high privileges to send uploaded files to arbitrary emails which could enable effective phishing campaigns. This has low impact on confidentiality, integrity and availability of the application...

5.1CVSS0.0015EPSS
Exploits0References2
Patchstack
Patchstack
added 2025/11/18 11:28 p.m.6 views

WordPress Booking Plugin for WordPress Appointments – Time Slot plugin <= 1.4.7 - Unauthenticated Arbitrary Email Sending vulnerability

Unauthenticated Arbitrary Email Sending vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Time Slot versions = 1.4.7...

5.3CVSS7AI score0.00258EPSS
Exploits0References1Affected Software1
CVE
CVE
added 2025/11/05 9:27 a.m.10 views

CVE-2025-12469

CVE-2025-12469 affects FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce. A Missing Authorization flaw in the bwfan_test_email AJAX handler, with the nonce exposed via frontend localization, allows authenticated attackers with Subscriber+ rights to send arbitr...

4.3CVSS5.6AI score0.00235EPSS
Exploits0References5Affected Software1
Rows per page
Query Builder