Lucene search
K

10000 matches found

CVE
CVE
added 14 hours ago11 views

CVE-2026-15010

The CVE-2026-15010 entry concerns the bbp Style Pack plugin for WordPress, vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 6.4.5 via the Topic Form Additional Fields feature. Root causes are insufficient input sanitization in bsp_topic_fields_form_save(), which wri...

6.4CVSS6.2AI score
Exploits0References4
CVE
CVE
added 15 hours ago8 views

CVE-2026-10041

The CVE-2026-10041 entry concerns the WCFM – Frontend Manager for WooCommerce WordPress plugin (versions

4.3CVSS6.2AI score
Exploits0References12
EUVD
EUVD
added 15 hours ago6 views

EUVD-2026-43162

The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfmproductarchive due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

4.3CVSS6.2AI score
Exploits0References12
CVE
CVE
added 15 hours ago10 views

CVE-2026-15155

The CVE-2026-15155 entry concerns the WordPress plugin Essential Addons for Elementor (

8.8CVSS6.1AI score
Exploits0References9
EUVD
EUVD
added 15 hours ago8 views

EUVD-2026-43160

The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all versions up to, and including, 6.6.10 This is due to insufficient server-side validation of a Login/Register widget...

8.8CVSS6.1AI score
Exploits0References9
CVE
CVE
added 15 hours ago12 views

CVE-2025-6784

CVE-2025-6784 affects the WordPress Code Engine plugin (versions up to 0.3.5). It allows Remote Code Execution via the 'code-engine' shortcode because access to the plugin’s code-injecting functionality is not restricted. Authenticated users with Contributor-level access and above can execute cod...

8.8CVSS6.3AI score
Exploits0References2
CVE
CVE
added 17 hours ago8 views

CVE-2026-12141

The CVE-2026-12141 entry describes a Stored Cross-Site Scripting vulnerability in the Premium Addons for Elementor – Powerful Elementor Templates & Widgets WordPress plugin. Affected component: the premium_tooltip_text parameter; impact arises from insufficient input sanitization and output escap...

4.9CVSS6.2AI score
Exploits0References5
CVE
CVE
added 17 hours ago6 views

CVE-2026-3552

SurfLink

4.3CVSS6.1AI score
Exploits0References8
EUVD
EUVD
added 17 hours ago3 views

EUVD-2026-43133

The Swiss Toolkit For WP plugin for WordPress is vulnerable to arbitrary file upload due to a flawed file type validation bypass in the uploadextensionfiles function in all versions up to, and including, 1.4.6. The uploadextensionfiles function hooks into WordPress's wpcheckfiletypeandext filter...

8.8CVSS6.5AI score
Exploits0References5
Nuclei
Nuclei
added 18 hours ago62 views

NocoBase - SQL Injection

NocoBase @nocobase/plugin-collection-sql versions prior to 2.0.39 are vulnerable to SQL injection via the sqlCollection:update endpoint. The checkSQL function, which blocks dangerous SQL keywords and ensures only SELECT statements are allowed, is not called during collection updates. id:...

7.2CVSS6.1AI score0.01833EPSS
Exploits1References2
Nuclei
Nuclei
added 18 hours ago13 views

Tandoor Recipes < 1.5.24 - Jinja2 SSTI RCE

Tandoor Recipes 1.5.24 has a Jinja2 SSTI vulnerability that allows command execution via recipe steps. id: CVE-2025-23211 info: name: Tandoor Recipes 1.5.24 - Jinja2 SSTI RCE author: sammiee5311 severity: critical description: | Tandoor Recipes 1.5.24 has a Jinja2 SSTI vulnerability that allows...

9.9CVSS6.2AI score0.03464EPSS
Exploits1References4
Nuclei
Nuclei
added 18 hours ago20 views

BEWARD N100 H.264 VGA IP Camera M2.1.6 - Arbitrary File Disclosure

Beward N100 H.264 VGA IP Camera M2.1.6 contains an authenticated file disclosure vulnerability caused by improper validation of the 'READ.filePath' parameter in fileread script and SendCGICMD API, letting authenticated attackers read arbitrary system files. id: CVE-2019-25246 info: name: BEWARD...

8.8CVSS6.2AI score0.17393EPSS
Exploits1References3
Nuclei
Nuclei
added 18 hours ago11 views

Tutor LMS <= 2.1.10 - SQL Injection

Tutor LMS – eLearning and online course solution plugin for WordPress all versions up to 2.6.1 contains a time-based SQL Injection caused by insufficient escaping on the questionid parameter in SQL queries, letting authenticated attackers with subscriber or higher access extract sensitive...

8.8CVSS7.1AI score0.03135EPSS
Exploits0References3
Nuclei
Nuclei
added 18 hours ago20 views

Responsive Pricing Table <= 5.1.12 - Cross-Site Scripting

The Responsive Pricing Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'planicons' parameter in all versions up to, and including, 5.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-lev...

6.4CVSS6.2AI score0.00598EPSS
Exploits0References3
Nuclei
Nuclei
added 18 hours ago29 views

phpMyAdmin < 5.0.3 - SQL Injection

phpMyAdmin before 4.9.6 and 5.x before 5.0.3 contains a SQL injection caused by improper processing of SQL statements in the search feature, letting attackers inject malicious SQL, exploit requires crafted search input. id: CVE-2020-26935 info: name: phpMyAdmin 5.0.3 - SQL Injection author: 0xAko...

9.8CVSS7AI score0.67081EPSS
Exploits1References3
Nuclei
Nuclei
added 18 hours ago15 views

AstrBot <= 4.22.1 - Command Injection

AstrBot versions up to and including 4.22.1 contain a command injection vulnerability in the MCP server configuration endpoint. The /api/tools/mcp/add endpoint accepts arbitrary command and args fields that are passed directly to subprocess execution during the connection test, without any...

6.5CVSS6.9AI score0.02304EPSS
Exploits0References2
Nuclei
Nuclei
added 18 hours ago14 views

Group-Office < 26.0.5 - Remote Code Execution

Group-Office before versions 6.8.150, 25.0.82, and 26.0.5 is vulnerable to remote code execution via OS command injection. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmpfile into an exec call. By injecting shell metacharacters into...

9.4CVSS6.7AI score0.18536EPSS
Exploits2References4
Nuclei
Nuclei
added 18 hours ago42 views

Frappe Framework < 16.15.0 - Arbitrary File Read via render_include Path Traversal

Frappe is a full-stack web application framework. Versions prior to 15.105.0 and 16.15.0 contain a possible Arbitrary File Read vulnerability via Path Traversal. The issue is resolved in versions 16.15.0, 15.105.0 and above. id: CVE-2026-39352 info: name: Frappe Framework 16.15.0 - Arbitrary File...

8.7CVSS6.1AI score0.01279EPSS
Exploits0References4
Nuclei
Nuclei
added 18 hours ago12 views

WP Projects Portfolio <= 3.0 - Cross-Site Scripting

WP Projects Portfolio with Client Testimonials WordPress plugin = 3.0 contains a reflected cross-site scripting caused by unsanitized parameter output, letting attackers execute scripts in the context of high privilege users, exploit requires attacker to craft a malicious URL. id: CVE-2024-13114...

6.1CVSS7AI score0.00567EPSS
Exploits1References2
Nuclei
Nuclei
added 18 hours ago17 views

Images to WebP < 1.9 - Authenticated Local File Inclusion

The Images to WebP WordPress plugin before version 1.9 did not validate or sanitize the tab parameter before using it in the include function. id: CVE-2021-24644 info: name: Images to WebP 1.9 - Authenticated Local File Inclusion author: Sourabh-Sahu severity: high description: | The Images to We...

7.5CVSS7AI score0.05028EPSS
Exploits2References2
Rows per page
Query Builder