Lucene search
+L

5748 matches found

NVD
NVD
added 11 hours ago8 views

CVE-2026-13352

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 4.16.18 via the allowedmimetypes function. This is due to the unconditional...

8.8CVSS
Exploits0References8
Nuclei
Nuclei
added 12 hours ago20 views

WCAPF WooCommerce Ajax Product Filter - SQL Injection

WCAPF WooCommerce Ajax Product Filter = 4.2.3 contains a time-based SQL injection caused by insufficient escaping of the 'post-author' parameter, letting unauthenticated attackers extract sensitive database information remotely. id: CVE-2026-3396 info: name: WCAPF WooCommerce Ajax Product Filter ...

7.5CVSS5.6AI score0.01473EPSS
Exploits0References2
Nuclei
Nuclei
added 12 hours ago58 views

AeroCMS 0.1.1 - SQL Injection

AeroCMS 0.1.1 contains a SQL injection caused by unsanitized author parameter, letting attackers execute arbitrary SQL commands, exploit requires crafted author input. id: CVE-2022-38812 info: name: AeroCMS 0.1.1 - SQL Injection author: shivampand3y severity: medium description: | AeroCMS 0.1.1...

6.5CVSS7AI score0.02181EPSS
Exploits1References4
Cvelist
Cvelist
added 13 hours ago11 views

CVE-2026-13352 Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content <= 4.16.18 - Authenticated (Author+) Limited Unsafe File Upload via upload_mimes Filter Expansion

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 4.16.18 via the allowedmimetypes function. This is due to the unconditional...

8.8CVSS
Exploits0References8
EUVD
EUVD
added 13 hours ago7 views

EUVD-2026-45134

The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 4.16.18 via the allowedmimetypes function. This is due to the unconditional...

8.8CVSS6.5AI score
Exploits0References8
NVD
NVD
added 14 hours ago5 views

CVE-2026-2594

The Smart Custom Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.0.7. This is due to insufficient input sanitization and output escaping of uploaded image attachment titles. This makes it possible for authenticated attackers, with...

6.4CVSS
Exploits0References3
EUVD
EUVD
added 15 hours ago5 views

EUVD-2026-45122

The Smart Custom Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.0.7. This is due to insufficient input sanitization and output escaping of uploaded image attachment titles. This makes it possible for authenticated attackers, with...

6.4CVSS6.2AI score
Exploits0References3
EUVD
EUVD
added yesterday5 views

EUVD-2026-44986

Emlog is an open source website building system. In 2.6.13 and earlier, the article publishing interface stores a path-traversal template parameter from apicontroller.php without validation, and logcontroller.php later checks fileexists and calls include View::getView$template, allowing an...

7.7CVSS6.2AI score0.00177EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added yesterday5 views

CVE-2026-46687

Emlog is an open source website building system. In 2.6.13 and earlier, the article publishing interface stores a path-traversal template parameter from apicontroller.php without validation, and logcontroller.php later checks fileexists and calls include View::getView$template, allowing an...

7.7CVSS6.2AI score0.00177EPSS
Exploits0References2Affected Software1
CVE
CVE
added yesterday5 views

CVE-2026-46687

CVE-2026-46687 affects Emlog prior to or including 2.6.13. The flaw stems from an unvalidated path-traversal template parameter used by api_controller.php and a subsequent include in View::getView($template) after a file_exists check in log_controller.php. This enables an authenticated author to ...

7.7CVSS6.2AI score0.00177EPSS
Exploits0References1
NVD
NVD
added yesterday7 views

CVE-2026-13767

The Quiz Master Next plugin for WordPress is vulnerable to SQL Injection via stored quiz page data in versions up to, and including, 11.2.0. This is due to insufficient escaping on the user-supplied 'pages' parameter persisted by the qsmajaxsavepages AJAX handler sanitizetextfield only and lack o...

6.5CVSS0.00249EPSS
Exploits0References5
Cvelist
Cvelist
added yesterday30 views

CVE-2026-13767 Quiz and Survey Master (QSM) <= 11.2.0 - Authenticated (Custom+) SQL Injection via 'pages' Parameter

The Quiz Master Next plugin for WordPress is vulnerable to SQL Injection via stored quiz page data in versions up to, and including, 11.2.0. This is due to insufficient escaping on the user-supplied 'pages' parameter persisted by the qsmajaxsavepages AJAX handler sanitizetextfield only and lack o...

6.5CVSS0.00249EPSS
Exploits0References5
NVD
NVD
added yesterday10 views

CVE-2026-12907

The RTMKit WordPress plugin before 2.0.9 does not perform a proper capability check on one of its -builder AJAX actions, allowing users with at least the Author role to create and activate a site-wide template that overrides the header, footer or other global areas displayed to all visitors, whic...

2.7CVSS0.00132EPSS
Exploits0References1
CVE
CVE
added yesterday13 views

CVE-2026-12907

CVE-2026-12907 affects the RTMKit WordPress plugin prior to 2.0.9. The root cause is a missing capability check on a -builder AJAX action, allowing users with at least the Author role to create and activate a site-wide template that can override header, footer, or other global areas served to all...

2.7CVSS6.1AI score0.00132EPSS
Exploits0References1
EUVD
EUVD
added yesterday6 views

EUVD-2026-44880

The RTMKit WordPress plugin before 2.0.9 does not perform a proper capability check on one of its -builder AJAX actions, allowing users with at least the Author role to create and activate a site-wide template that overrides the header, footer or other global areas displayed to all visitors, whic...

2.7CVSS6.1AI score0.00132EPSS
Exploits0References1
Cvelist
Cvelist
added yesterday31 views

CVE-2026-12907 RTMKit Addons for Elementor < 2.0.9 - Author+ Site-Wide Theme Builder Template Creation and Activation

The RTMKit WordPress plugin before 2.0.9 does not perform a proper capability check on one of its -builder AJAX actions, allowing users with at least the Author role to create and activate a site-wide template that overrides the header, footer or other global areas displayed to all visitors, whic...

0.00132EPSS
Exploits0References1
Cvelist
Cvelist
added 2 days ago29 views

CVE-2026-41580 Stirling-PDF: Reflected XSS through crafted PDF metadata fields (Title and Author)

Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. Prior to 2.0.0, Stirling-PDF's /get-info-on-pdf endpoint rendered PDF Title and Author metadata fields without proper HTML encoding or sanitization, allowing a crafted PDF to execute...

6.1CVSS0.00188EPSS
Exploits0References2
CVE
CVE
added 2 days ago7 views

CVE-2026-41580

Stirling-PDF (local web app) exposes a Reflected XSS via crafted PDF metadata in the /get-info-on-pdf endpoint. Prior to version 2.0.0, Title and Author metadata were rendered without proper HTML encoding/sanitization, allowing attacker-controlled JavaScript to execute in a user’s browser when vi...

6.1CVSS6.2AI score0.00188EPSS
Exploits0References2
OSV
OSV
added 2 days ago3 views

CVE-2026-41580 Stirling-PDF: Reflected XSS through crafted PDF metadata fields (Title and Author)

Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. Prior to 2.0.0, Stirling-PDF's /get-info-on-pdf endpoint rendered PDF Title and Author metadata fields without proper HTML encoding or sanitization, allowing a crafted PDF to execute...

6.1CVSS6.2AI score0.00188EPSS
Exploits0References4
CVE
CVE
added 3 days ago8 views

CVE-2026-11390

Vulnerability summary (CVE-2026-11390): News Kit Addons For Elementor (WordPress) versions up to 1.4.6 are affected by a stored cross-site scripting (XSS) flaw in the Site Logo Title and Single Author Box widgets. The root cause is insufficient input sanitization and output escaping. Exploitation...

6.4CVSS6.2AI score0.00252EPSS
Exploits0References9
Rows per page
Query Builder