Lucene search
K

750 matches found

Nuclei
Nuclei
added yesterday35 views

WordPress Mapplic <= 6.1 / Mapplic Lite <= 1.0 - Authenticated Stored XSS via SVG File Upload

The Mapplic and Mapplic Lite plugins for WordPress are vulnerable to Stored Cross-Site Scripting via arbitrary URL injection in versions up to and including 6.1 and 1.0 respectively. Authenticated users with author-level permissions can inject arbitrary remote URLs for SVG map files. When a user...

8.3CVSS6.2AI score0.01133EPSS
Exploits1References4
CVE
CVE
added 3 days ago7 views

CVE-2026-2354

CVE-2026-2354 affects the Swiss Toolkit For WP WordPress plugin up to version 1.4.6. A flawed file type validation bypass in upload_extension_files() hooks into wp_check_filetype_and_ext and uses strpos() on the filename to validate extensions instead of checking the actual file type. This enable...

8.8CVSS6.5AI score0.00553EPSS
Exploits0References5
CVE
CVE
added 3 days ago9 views

CVE-2026-5743

The CVE concerns the SimpLy Gallery Block & Lightbox WordPress plugin. A stored XSS vulnerability exists through the sliderMaxHeight block attribute in all versions up to and including 3.3.3.2, caused by insufficient input sanitization and output escaping in pgc_sgb_render_callback(). The root ca...

6.4CVSS6.2AI score0.00259EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 3 days ago7 views

PT-2026-57395

Name of the Vulnerable Software and Affected Versions Swiss Toolkit For WP versions prior to 1.4.7 Description An arbitrary file upload issue exists due to flawed file type validation in the upload extension files function. The function uses strpos to check if a filename contains a configured...

8.8CVSS6.3AI score0.00553EPSS
Exploits0References9
CVE
CVE
added 4 days ago6 views

CVE-2026-11992

The CVE-2026-11992 entry concerns the WordPress plugin Easy Appointments (versions up to 3.12.27). The root cause is an authorization bypass: the plugin does not properly verify a user’s permission for actions, enabling authenticated users with author-level access or higher to cancel all upcoming...

4.3CVSS6.1AI score0.0028EPSS
Exploits0References9
Cvelist
Cvelist
added 6 days ago31 views

CVE-2026-6459 Essential Addons for Elementor <= 6.6.2 - Authenticated (Author+) Stored Cross-Site Scripting via Event Calendar Widget Popup

The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Event Calendar widget in all versions up to, and including, 6.6.2 due to insufficient input sanitization and output escaping on event titles sourced...

6.4CVSS0.00187EPSS
Exploits0References3
Cvelist
Cvelist
added 6 days ago34 views

CVE-2026-10570 Sympl Repeater for ACF and Elementor <= 2.3 - Authenticated (Author+) Stored Cross-Site Scripting via ACF Repeater Field Values

The Sympl Repeater for ACF and Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ACF repeater field values in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping in the symparfereplacecontent function, which uses...

6.4CVSS0.00187EPSS
Exploits0References3
EUVD
EUVD
added 2026/07/02 6:32 p.m.7 views

EUVD-2026-41418

The TinyPNG – JPEG, PNG & WebP image compression plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deleteconvertedimagesize function in all versions up to, and including, 3.6.13. This makes it possible for authenticated attackers, with...

8.1CVSS6.5AI score0.0067EPSS
Exploits0References6
CVE
CVE
added 2026/07/02 5:35 a.m.20 views

CVE-2026-5821

The CVE-2026-5821 entry details a vulnerability in the WordPress Image Optimizer plugin (versions up to 1.7.4). The root cause is insufficient path validation in Image_Backup::remove(), where backup file paths stored in the image_optimizer_metadata post meta are used directly for deletion without...

8.1CVSS5.9AI score0.00354EPSS
Exploits0References8
NVD
NVD
added 2026/07/02 12:16 a.m.7 views

CVE-2026-50279

Craft CMS is a content management system CMS. IN versions 5.0.0-RC1 and above prior to 5.9.21, theEntriesController::actionSaveEntry performs entry-edit permission checks before request-controlled author changes are applied to the model, allowing for authorship spoofing. The subsequent author...

7.6CVSS0.00245EPSS
Exploits0References2
OSV
OSV
added 2026/07/01 4:16 p.m.5 views

UBUNTU-CVE-2026-58033

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Actions/InfoAction.Php. This issue affects MediaWiki: from before 1.46.0, 1.45.4, 1.44.6, 1.43.9...

6.5CVSS6.1AI score0.00413EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/07/01 2:54 p.m.7 views

CVE-2026-58033 "Total number of distinct authors" statistic at action=info does not exclude revisions where the author name was deleted

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Actions/InfoAction.Php. This issue affects MediaWiki: from before 1.46.0, 1.45.4, 1.44.6, 1.43.9...

5.3CVSS5.8AI score0.00413EPSS
Exploits0References1
Debian CVE
Debian CVE
added 2026/07/01 2:54 p.m.5 views

CVE-2026-58033

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Actions/InfoAction.Php. This issue affects MediaWiki: from before 1.46.0, 1.45.4, 1.44.6, 1.43.9...

6.5CVSS5.8AI score0.00413EPSS
Exploits0
Cvelist
Cvelist
added 2026/07/01 7:53 a.m.41 views

CVE-2026-10096 Qi Blocks <= 1.4.9 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Style Modification via 'page_id' Parameter

The Qi Blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.4.9 via the 'pageid' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with author-level access and above, t...

4.3CVSS0.00196EPSS
Exploits0References5
NVD
NVD
added 2026/07/01 5:16 a.m.7 views

CVE-2026-13443

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Lesson Attachment Title in all versions up to, and including, 3.9.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS0.00206EPSS
Exploits0References8
NVD
NVD
added 2026/07/01 5:16 a.m.9 views

CVE-2026-11380

The JetWidgets For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.0.21. This is due to insufficient output escaping and missing server-side validation of the Animated Box widget's animationeffect setting before it is rendered inside a...

6.4CVSS0.00156EPSS
Exploits0References2
CVE
CVE
added 2026/07/01 3:43 a.m.13 views

CVE-2026-13443

The CVE-2026-13443 entry concerns the WordPress plugin Tutor LMS (eLearning and online course solution). Affected: all versions up to and including 3.9.13. Issue: Stored Cross-Site Scripting via the Lesson Attachment Title due to insufficient input sanitization and output escaping. Impact: authen...

6.4CVSS5.9AI score0.00206EPSS
Exploits0References8
EUVD
EUVD
added 2026/07/01 3:43 a.m.9 views

EUVD-2026-40893

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Lesson Attachment Title in all versions up to, and including, 3.9.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS5.9AI score0.00206EPSS
Exploits0References8
Patchstack
Patchstack
added 2026/06/30 7:7 p.m.6 views

WordPress Qi Blocks plugin <= 1.4.9 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Style Modification vulnerability

Insecure Direct Object Reference to Authenticated Author+ Arbitrary Style Modification vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Qi Blocks versions = 1.4.9...

4.3CVSS5.8AI score0.00196EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/06/30 6:16 a.m.15 views

CVE-2026-11367

The PixMagix – WordPress Image Editor plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.7.2 via the moveimageonserver function. This makes it possible for authenticated attackers, with author-level access and above, to write files with...

6.5CVSS0.00541EPSS
Exploits0References4
Rows per page
Query Builder