Lucene search
K

555 matches found

EUVD
EUVD
added yesterday7 views

EUVD-2026-43128

The Mux Video Uploader plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 via the muxvideoenqueuesettingsscript. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive data...

4.3CVSS6.1AI score0.00237EPSS
Exploits0References6
EUVD
EUVD
added yesterday7 views

EUVD-2026-43129

The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.0.1 via the 'MappedFields' parameter. This is due to missing capability checks on the AJAX handlers for installaddon,...

8.8CVSS6.3AI score0.00383EPSS
Exploits0References6
CVE
CVE
added yesterday11 views

CVE-2026-7544

Summary (CVE-2026-7544) : The Mux Video Uploader WordPress plugin (≤ v1.1.4) is vulnerable to Sensitive Information Exposure via muxvideo_enqueue_settings_script. Authenticated users with subscriber-level access or higher can extract sensitive data, including Mux API credentials. The CVE notes th...

4.3CVSS6.1AI score0.00237EPSS
Exploits0References6
EUVD
EUVD
added yesterday9 views

EUVD-2026-43117

The UnderConstructionPage PRO plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.76. This is due to the plugin accepting arbitrary local file paths in the templatethumbnail parameter and copying their contents into a publicly accessible uploads file...

6.5CVSS6.2AI score0.00308EPSS
Exploits0References2
EUVD
EUVD
added 2 days ago7 views

EUVD-2026-42828

The All-in-One Video Gallery plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.8.5 via the 'vdl' parameter. This makes it possible for authenticated attackers, with subscriber-level access and above, to make web requests to arbitrary locatio...

6.4CVSS6.2AI score0.00246EPSS
Exploits0References12
NVD
NVD
added 2 days ago6 views

CVE-2026-5069

The Fluent Forms plugin for WordPress is vulnerable to incorrect authorization via the 'subscriptionid' parameter in versions up to, and including, 6.2.1. This is due to insufficient ownership authorization checks in the payment cancellation AJAX flow. This makes it possible for authenticated...

5.4CVSS0.00176EPSS
Exploits0References2
Patchstack
Patchstack
added 3 days ago5 views

WordPress Invoice123 plugin <= 1.7.0 - Missing Authorization to Authenticated (Subscriber+) Setting Modification vulnerability

Missing Authorization to Authenticated Subscriber+ Setting Modification vulnerability discovered by Benedictus Jovan aillesiM in WordPress Plugin Invoice123 versions = 1.7.0...

4.3CVSS6.1AI score0.00288EPSS
Exploits0References1Affected Software1
NVD
NVD
added 3 days ago6 views

CVE-2026-13492

The UsersWP plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 1.2.65. This is due to insufficient validation of file-field values in the UsersWPValidation::validatefields function which falls through to sanitizetextfield for fields of type 'file',...

8.8CVSS0.00525EPSS
Exploits0References8
Cvelist
Cvelist
added 3 days ago32 views

CVE-2026-9237 Employee, Leave and Recruitment Management System <= 1.2.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Job Deletion via crewhrm_singleJobAction AJAX Action

The Employee, Leave and Recruitment Management System – Crew HRM plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

4.3CVSS0.00227EPSS
Exploits0References7
NVD
NVD
added 3 days ago9 views

CVE-2026-8996

The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.22.26 via the downloadrecentdecryptedfilewptc. This makes it possible for authenticated attackers, with subscriber-level access and above, to...

6.5CVSS0.0027EPSS
Exploits0References8
EUVD
EUVD
added 3 days ago7 views

EUVD-2026-42527

The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.22.26 via the downloadrecentdecryptedfilewptc. This makes it possible for authenticated attackers, with subscriber-level access and above, to...

6.5CVSS5.8AI score0.0027EPSS
Exploits0References8
Cvelist
Cvelist
added 3 days ago33 views

CVE-2026-8996 Backup and Staging by WP Time Capsule <= 1.22.26 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via download_recent_decrypted_file_wptc Function

The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.22.26 via the downloadrecentdecryptedfilewptc. This makes it possible for authenticated attackers, with subscriber-level access and above, to...

6.5CVSS0.0027EPSS
Exploits0References8
CVE
CVE
added 3 days ago8 views

CVE-2026-4653

The vulnerability CVE-2026-4653 affects the BuddyPress Block, Suspend, Report feature for WordPress. It is a Stored Cross-Site Scripting flaw via the 'link' parameter in BuddyPress versions up to 3.6.4 due to insufficient input sanitization and output escaping. Authenticated users with subscriber...

6.4CVSS6AI score0.00201EPSS
Exploits0References6
Cvelist
Cvelist
added 4 days ago35 views

CVE-2026-14158 Widget Logic Visual <= 1.52 - Authenticated (Subscriber+) Remote Code Execution via 'nwlv[cod-tag]' Parameter

The Widget Logic Visual plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.52 via the widgetlogicvisualcheckvisibility function. This is due to missing capability check and nonce verification on the widget-logic-update-conditional-tags AJAX action...

8.8CVSS0.00516EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/03 4:30 a.m.39 views

CVE-2026-8489 Ultimate Member <= 2.11.4 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Non-HTML Custom Textarea Profile Field

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aboutme' parameter in all versions up to, and including, 2.11.4 due to insufficient input sanitization and...

6.4CVSS0.00241EPSS
Exploits0References11
Cvelist
Cvelist
added 2026/07/03 1:28 a.m.38 views

CVE-2026-12729 weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot <= 2.3.0 - Missing Authorization to Authenticated (Subscriber+) Data Migration via wedocs_migrate_betterdocs_to_wedocs AJAX Action

The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 2.3.0. This is due to a missing capability check on the domigration function registered as the wedocsmigratebetterdocstowedocs...

4.3CVSS0.00213EPSS
Exploits0References6
NVD
NVD
added 2026/07/01 5:16 a.m.8 views

CVE-2026-12090

The Taskbuilder – Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to generic SQL Injection via the 'wppmprojfilter' parameter in all versions up to, and including, 5.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficie...

6.5CVSS0.00319EPSS
Exploits0References9
CVE
CVE
added 2026/07/01 3:43 a.m.25 views

CVE-2026-12110

CVE-2026-12110 relates to the WordPress plugin Taskbuilder – Project Management & Task Management Tool With Kanban Board. All versions up to 5.0.8 are affected by a generic SQL Injection in the task_search parameter caused by insufficient escaping and lack of proper query preparation. This allows...

6.5CVSS5.8AI score0.00328EPSS
Exploits0References11
Patchstack
Patchstack
added 2026/06/30 7:4 p.m.6 views

WordPress Motors – Car Dealership & Classified Listings Plugin plugin <= 1.4.111 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Meta Modification vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Post Meta Modification vulnerability discovered by Michael Perla vizen5 - clixhouse in WordPress Plugin Motors versions = 1.4.111...

4.3CVSS5.8AI score0.00232EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 2026/06/30 6:52 a.m.10 views

EUVD-2026-40260

The Export User Data plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the unserialize function in all versions up to, and including, 2.2.6. This makes it possible for authenticated attackers, with subscriber-level access and above, to delet...

8CVSS6.5AI score0.00341EPSS
Exploits0References2
Rows per page
Query Builder