Lucene search
K

283 matches found

Nuclei
Nuclei
added yesterday31 views

WordPress Mapplic <= 6.1 / Mapplic Lite <= 1.0 - Authenticated Stored XSS via SVG File Upload

The Mapplic and Mapplic Lite plugins for WordPress are vulnerable to Stored Cross-Site Scripting via arbitrary URL injection in versions up to and including 6.1 and 1.0 respectively. Authenticated users with author-level permissions can inject arbitrary remote URLs for SVG map files. When a user...

8.3CVSS6.1AI score0.01133EPSS
Exploits1References4
EUVD
EUVD
added 6 days ago7 views

EUVD-2026-41418

The TinyPNG – JPEG, PNG & WebP image compression plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteconvertedimagesize function in all versions up to, and including, 3.6.13. This makes it possible for authenticated attackers, with...

8.1CVSS6.5AI score0.0067EPSS
Exploits0References6
CVE
CVE
added 6 days ago17 views

CVE-2026-5821

The CVE-2026-5821 entry details a vulnerability in the WordPress Image Optimizer plugin (versions up to 1.7.4). The root cause is insufficient path validation in Image_Backup::remove(), where backup file paths stored in the image_optimizer_metadata post meta are used directly for deletion without...

8.1CVSS5.9AI score0.00354EPSS
Exploits0References8
Cvelist
Cvelist
added last week36 views

CVE-2026-10096 Qi Blocks <= 1.4.9 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Style Modification via 'page_id' Parameter

The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'pageid' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, t...

4.3CVSS0.00196EPSS
Exploits0References5
NVD
NVD
added last week6 views

CVE-2026-13443

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Lesson Attachment Title in all versions up to, and including, 3.9.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS0.00206EPSS
Exploits0References8
NVD
NVD
added last week9 views

CVE-2026-11380

The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.0.21. This is due to insufficient output escaping and missing server-side validation of the Animated Box widget's animationeffect setting before it is rendered inside a...

6.4CVSS0.00156EPSS
Exploits0References2
EUVD
EUVD
added 2026/07/01 3:43 a.m.7 views

EUVD-2026-40893

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Lesson Attachment Title in all versions up to, and including, 3.9.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS5.9AI score0.00206EPSS
Exploits0References8
CVE
CVE
added 2026/07/01 3:43 a.m.11 views

CVE-2026-13443

The CVE-2026-13443 entry concerns the WordPress plugin Tutor LMS (eLearning and online course solution). Affected: all versions up to and including 3.9.13. Issue: Stored Cross-Site Scripting via the Lesson Attachment Title due to insufficient input sanitization and output escaping. Impact: authen...

6.4CVSS5.9AI score0.00206EPSS
Exploits0References8
Patchstack
Patchstack
added 2026/06/30 7:7 p.m.5 views

WordPress Qi Blocks plugin <= 1.4.9 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Style Modification vulnerability

Insecure Direct Object Reference to Authenticated Author+ Arbitrary Style Modification vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Qi Blocks versions = 1.4.9...

4.3CVSS5.8AI score0.00196EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/06/30 6:16 a.m.14 views

CVE-2026-11367

The PixMagix – WordPress Image Editor plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.7.2 via the moveimageonserver function. This makes it possible for authenticated attackers, with author-level access and above, to write files with...

6.5CVSS0.00541EPSS
Exploits0References4
NVD
NVD
added 2026/06/24 4:17 a.m.10 views

CVE-2026-11614

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'customattributes' parameter in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS0.00256EPSS
Exploits0References19
CVE
CVE
added 2026/06/24 2:29 a.m.21 views

CVE-2026-11614

Technical details (affected versions, root cause, exploit specifics) are not publicly available in the provided documents. Monitor for updates.

6.4CVSS6AI score0.00256EPSS
Exploits0References19
NVD
NVD
added 2026/06/19 6:17 a.m.13 views

CVE-2026-4328

The Advanced Import plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.6. This is due to the plugin using wpremoteget to fetch a user-supplied URL without validating that the URL does not point to internal or private network resources in th...

6.4CVSS0.00208EPSS
Exploits0References6
CVE
CVE
added 2026/06/19 4:31 a.m.19 views

CVE-2026-4328

The WordPress Advanced Import plugin (versions ≤ 1.4.6) is vulnerable to Server-Side Request Forgery (SSRF). In demo_download_and_unzip(), the plugin passes the user-supplied demo_file from $_POST through sanitize_text_field() and then invokes wp_remote_get() when demo_file_type is 'url', without...

6.4CVSS6AI score0.00208EPSS
Exploits0References6
CVE
CVE
added 2026/06/19 4:31 a.m.22 views

CVE-2026-1856

Summary: CVE-2026-1856 affects the WordPress plugin “Appointment Booking Calendar” (Creavi Booking Service)

6.4CVSS5.5AI score0.00193EPSS
Exploits0References4
NVD
NVD
added 2026/06/17 9:16 p.m.9 views

CVE-2026-49133

Typemill before 2.24.0 contains a path traversal vulnerability that allows authenticated attackers with Author-level privileges to read arbitrary files outside the content directory by supplying traversal sequences in the path query parameter passed to Storage::getFile with an empty folder...

7.1CVSS0.00343EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/17 8:39 p.m.8 views

EUVD-2026-37797

Typemill before 2.24.0 contains a path traversal vulnerability that allows authenticated attackers with Author-level privileges to read arbitrary files outside the content directory by supplying traversal sequences in the path query parameter passed to Storage::getFile with an empty folder...

7.1CVSS5.4AI score0.00343EPSS
Exploits0References3
CVE
CVE
added 2026/06/17 8:39 p.m.17 views

CVE-2026-49133

Typemill before 2.24.0 has a path traversal vulnerability in Storage::getFile() that lets authenticated users with Author privileges read files outside the content directory by passing traversal sequences in the path query parameter with an empty folder argument. This can bypass traversal-prevent...

7.1CVSS5.4AI score0.00343EPSS
Exploits0References3
CVE
CVE
added 2026/06/10 6:48 a.m.32 views

CVE-2026-9019

CVE-2026-9019 affects the WordPress plugin Easy Image Collage (versions up to and including 1.13.6). The issue is a Stored Cross-Site Scripting (Stored XSS) vulnerability arising from insufficient input sanitization and output escaping in the parameters grid[properties][borderColor] and grid[imag...

6.4CVSS5.6AI score0.00195EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/06/10 6:48 a.m.43 views

CVE-2026-9019 Easy Image Collage <= 1.13.6 - Authenticated (Author+) Stored Cross-Site Scripting via 'grid[properties][borderColor]' and 'grid[images][N][attachment_url]' Parameters

The Easy Image Collage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'gridpropertiesborderColor' and 'gridimagesNattachmenturl' Parameters in all versions up to, and including, 1.13.6 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS0.00195EPSS
Exploits0References6
Rows per page
Query Builder