5017 matches found
Combo Blocks < 2.2.76 - Improper Access Control
The Post Grid, Form Maker, Popup Maker, WooCommerce Blocks, Post Blocks, Post Carousel WordPress plugin before 2.2.76 does not prevent password protected posts from being displayed in the result of some unauthenticated AJAX actions, allowing unauthenticated users to read such posts id:...
WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation
Privilege escalation vulnerability exists in the Frontend Login and Registration Blocks plugin for WordPress versions = 1.0.7. An unauthenticated attacker can exploit the AJAX endpoint flrblocksusersettingshandleajaxcallback to change the administrator's email address. Subsequently, the attacker...
Post Grid <= 2.2.50 - Information Exposure via REST API
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in PickPlugins Post Grid Combo – 36+ Gutenberg Blocks.This issue affects Post Grid Combo – 36+ Gutenberg Blocks: from n/a through 2.2.50. id: CVE-2023-40211 info: name: Post Grid = 2.2.50 - Information Exposure via REST API...
WooCommerce Blocks 2.5 to 5.5 - Unauthenticated SQL Injection
woocommerce-gutenberg-products-block is a feature plugin for WooCommerce Gutenberg Blocks. An SQL injection vulnerability impacts all WooCommerce sites running the WooCommerce Blocks feature plugin between version 2.5.0 and prior to version 2.5.16. Via a carefully crafted URL, an exploit can be...
Essential Blocks < 4.4.3 - Local File Inclusion
Wordpress Essential Blocks plugin prior to 4.4.3 was discovered to be vulnerable to a significant Local File Inclusion vulnerability that may be exploited by any attacker, regardless of whether they have an account on the site. id: CVE-2023-6623 info: name: Essential Blocks 4.4.3 - Local File...
CVE-2026-15286
The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to unauthorized post publication in all versions up to, and including, 3.5.32 due to a misconfigured capability check on the 'getitemspermissioncheck' function permission callback of the...
CVE-2026-15286
The CVE-2026-15286 entry concerns the Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress. Affected component: a misconfigured capability check on the get_items_permission_check function within the process_pattern REST API endpoint, which affects all versions up to...
EUVD-2026-42795
The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to unauthorized post publication in all versions up to, and including, 3.5.32 due to a misconfigured capability check on the 'getitemspermissioncheck' function permission callback of the...
CVE-2026-15286
The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to unauthorized post publication in all versions up to, and including, 3.5.32 due to a misconfigured capability check on the 'getitemspermissioncheck' function permission callback of the...
CVE-2026-15286 Gutenberg Blocks with AI by Kadence WP – Page Builder Features <= 3.5.32 - Incorrect Authorization to Authenticated (Contributor+) Post Publication
The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to unauthorized post publication in all versions up to, and including, 3.5.32 due to a misconfigured capability check on the 'getitemspermissioncheck' function permission callback of the...
CVE-2026-12428
The Blocks for ACF Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getallvalues function in the /wp-json/acf-field-blocks/v1/values REST endpoint in versions up to, and including, 1.6.2. The permissioncallback only verifies the...
EUVD-2026-42568
The Blocks for ACF Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getallvalues function in the /wp-json/acf-field-blocks/v1/values REST endpoint in versions up to, and including, 1.6.2. The permissioncallback only verifies the...
CVE-2026-12428
The CVE concerns the WordPress plugin Blocks for ACF Fields (versions up to 1.6.2). A missing capability check on the REST endpoint /wp-json/acf-field-blocks/v1/values (get_all_values) allows unauthorized access to ACF field data. The permission_callback only verifies publish_posts, and the handl...
CVE-2026-6740
The Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'commentIcon' parameter in all versions up to, and including, 4.7.4 due to insufficient input sanitization and output escaping. This makes it possible...
CVE-2026-6740 Nexter Blocks <= 4.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'commentIcon' Block Attribute
The Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'commentIcon' parameter in all versions up to, and including, 4.7.4 due to insufficient input sanitization and output escaping. This makes it possible...
EUVD-2026-42232
The Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'commentIcon' parameter in all versions up to, and including, 4.7.4 due to insufficient input sanitization and output escaping. This makes it possible...
CVE-2026-6740
CVE-2026-6740 affects the Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder plugin for WordPress. The vulnerability is a Stored XSS via the ‘commentIcon’ block attribute, caused by insufficient input sanitization and output escaping. It affects all versions up to and including 4...
Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots
A critical flaw in Google's Dialogflow CX could have let an attacker with edit rights on one Code Block-enabled agent compromise other Code Block-enabled agents in the same Google Cloud project. From there, they could read live conversations, steal the data users shared, and make the bots send...
CVE-2026-58404
Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including...
CVE-2026-58402
Hugo (static site generator) from version 0.60.0 up to 0.163.3 is affected: its default code-block renderer writes the Markdown code-fence language/info-string into the code element wrapper (class="language-…", data-lang="…") without HTML escaping. A fence info-string containing a quote and a scr...