Lucene search
K

436 matches found

NVD
NVD
added yesterday10 views

CVE-2026-10089

The Insert Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post custom field keys meta key names in all versions up to, and including, 3.11.4. This is due to insufficient output escaping in the themeta function: while the custom field VALUE is sanitized with wpksespost...

6.4CVSS0.00217EPSS
Exploits0References8
EUVD
EUVD
added yesterday6 views

EUVD-2026-41252

The yootheme WordPress theme before 5.0.35 does not prevent its bundled front-end framework from treating certain HTML attributes, which are permitted by wpksespost, as markup, allowing users with the Author role to perform Stored Cross-Site Scripting attacks that execute in the browser of any us...

6.8CVSS5.8AI score0.00152EPSS
Exploits0References1
EUVD
EUVD
added yesterday7 views

EUVD-2026-41249

The Insert Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post custom field keys meta key names in all versions up to, and including, 3.11.4. This is due to insufficient output escaping in the themeta function: while the custom field VALUE is sanitized with wpksespost...

6.4CVSS5.9AI score0.00217EPSS
Exploits0References8
CVE
CVE
added yesterday15 views

CVE-2026-5821

The CVE-2026-5821 entry details a vulnerability in the WordPress Image Optimizer plugin (versions up to 1.7.4). The root cause is insufficient path validation in Image_Backup::remove(), where backup file paths stored in the image_optimizer_metadata post meta are used directly for deletion without...

8.1CVSS5.9AI score0.00354EPSS
Exploits0References8
EUVD
EUVD
added yesterday6 views

EUVD-2026-41247

The Image Optimizer plugin for WordPress is vulnerable to arbitrary file deletion in versions up to and including 1.7.4. This is due to insufficient path validation in the ImageBackup::remove function where backup file paths stored in post meta are used directly in file deletion operations withou...

8.1CVSS5.9AI score0.00354EPSS
Exploits0References8
NVD
NVD
added 2 days ago7 views

CVE-2026-10096

The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'pageid' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, t...

4.3CVSS0.00196EPSS
Exploits0References5
EUVD
EUVD
added 2 days ago6 views

EUVD-2026-40936

The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'pageid' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, t...

4.3CVSS5.9AI score0.00196EPSS
Exploits0References5
CVE
CVE
added 2 days ago8 views

CVE-2026-10096

The Qi Blocks WordPress plugin is vulnerable to Insecure Direct Object Reference in all versions up to and including 1.4.9 via the page_id parameter. Authenticated users with author-level access can modify stored Qi Blocks styles on arbitrary posts, templates, or widgets, including site-wide surf...

4.3CVSS5.9AI score0.00196EPSS
Exploits0References5
EUVD
EUVD
added 2 days ago3 views

EUVD-2026-40909

The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.0.21. This is due to insufficient output escaping and missing server-side validation of the Animated Box widget's animationeffect setting before it is rendered inside a...

6.4CVSS5.9AI score0.00156EPSS
Exploits0References2
EUVD
EUVD
added 2 days ago6 views

EUVD-2026-40888

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blockid' and other shortcode attributes of the 'givewpcampaigncomments' shortcode in versions up to, and including, 4.16.0. This is due to insufficient input sanitizati...

6.4CVSS5.9AI score0.00241EPSS
Exploits0References12
CVE
CVE
added 2026/06/26 6:0 a.m.23 views

CVE-2026-8380

The CVE-2026-8380 issue affects the Frontend File Manager (nmedia-user-file-uploader) WordPress plugin

6.5CVSS5.9AI score0.00342EPSS
Exploits1References1
NVD
NVD
added 2026/06/24 7:16 a.m.8 views

CVE-2026-9620

The WP Latest Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted image src attributes in post content in versions up to, and including, 5.0.11. This is due to insufficient output escaping in the field and loop functions, which extract the raw src attribute value...

6.4CVSS0.00207EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/24 5:33 a.m.6 views

EUVD-2026-38684

The WP Latest Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted image src attributes in post content in versions up to, and including, 5.0.11. This is due to insufficient output escaping in the field and loop functions, which extract the raw src attribute value...

6.4CVSS6AI score0.00207EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/24 12:0 a.m.14 views

PT-2026-51649

Name of the Vulnerable Software and Affected Versions Xpro Addons — 140+ Widgets for Elementor versions prior to 1.7.3 Description Stored Cross-Site Scripting occurs due to insufficient input sanitization and output escaping. Authenticated attackers with author-level access and above can inject...

6.4CVSS6AI score0.00256EPSS
Exploits0References23
NVD
NVD
added 2026/06/19 6:17 a.m.14 views

CVE-2026-1856

The Appointment Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom booking field labels in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS0.00193EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/19 4:31 a.m.27 views

CVE-2026-4328 Advanced Import: One-Click Demo Import for WordPress <= 1.4.6 - Authenticated (Author+) Server-Side Request Forgery via 'demo_file' Parameter

The Advanced Import plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.6. This is due to the plugin using wpremoteget to fetch a user-supplied URL without validating that the URL does not point to internal or private network resources in th...

6.4CVSS0.00208EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.12 views

PT-2026-50840

Name of the Vulnerable Software and Affected Versions Appointment Booking Calendar versions prior to 1.4.5 Description The Appointment Booking Calendar plugin for WordPress contains a Stored Cross-Site Scripting issue caused by insufficient input sanitization and output escaping in custom booking...

6.4CVSS6AI score0.00193EPSS
Exploits0References11
Cvelist
Cvelist
added 2026/06/18 6:50 a.m.23 views

CVE-2026-12098 PowerPress Podcasting plugin by Blubrry <= 11.16.8 - Authenticated (Author+) Stored Cross-Site Scripting via 'embed' Episode Meta Field

The PowerPress Podcasting plugin by Blubrry plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'embed' Episode Meta Field in all versions up to, and including, 11.16.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers...

6.4CVSS0.00202EPSS
Exploits0References8
Cvelist
Cvelist
added 2026/06/18 5:34 a.m.30 views

CVE-2026-11784 Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization <= 4.2.6 - Cross-Site Request Forgery via 'optml_replace_file' AJAX Action

The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.6. This is due to missing or incorrect nonce validation on the replacefile function. This makes it...

4.3CVSS0.00157EPSS
Exploits1References6
Cvelist
Cvelist
added 2026/06/18 4:31 a.m.24 views

CVE-2026-9860 Offload, AI & Optimize with Cloudflare Images <= 1.10.2 - Authenticated (Author+) Remote Code Execution via 'api-key' / 'account-id' Parameters in cf_images_do_setup AJAX Action

The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter parameter. This is due to insufficient privilege enforcement on the cfimagesdosetup AJAX handler, which require...

8.8CVSS0.00577EPSS
Exploits0References6
Rows per page
Query Builder