CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

6829 matches found

CVE-2026-12119

The Simple File List plugin for WordPress is vulnerable to unauthorized file operations due to a missing authorization check on the 'frontmanage' shortcode attribute in all versions up to, and including, 6.3.7. This makes it possible for authenticated attackers, with contributor-level access and...

6.5CVSS

Exploits0References6

CVE•added 3 days ago•17 views

CVE-2026-12119

The CVE concerns the Simple File List WordPress plugin (≤6.3.7). A missing authorization check on the frontmanage shortcode attribute allows authenticated users with contributor-level access or higher to perform arbitrary file operations (delete, move, folder creation, download). The vulnerabilit...

6.5CVSS6AI score

Exploits0References6

Cvelist•added 3 days ago•30 views

CVE-2026-12119 Simple File List <= 6.3.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Operations (Deletion / Move / Folder Creation / Download) via 'frontmanage' Shortcode Attribute

6.5CVSS

Exploits0References6

NVD•added 5 days ago•8 views

CVE-2026-8039

The Fancy Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'author' shortcode attribute in the 'testimonial' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...

6.4CVSS0.00255EPSS

Exploits0References3

NVD•added 5 days ago•9 views

CVE-2026-2021

The Slideshow Gallery LITE plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alwaysauto' shortcode attribute in all versions up to, and including, 1.8.5. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible...

6.4CVSS0.00274EPSS

Exploits0References6

ATTACKERKB•added 5 days ago•6 views

CVE-2026-2021

6.4CVSS5.5AI score0.00274EPSS

Exploits0References7

NVD•added 5 days ago•8 views

CVE-2026-12136

The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sysbasicsuseravatar' shortcode in versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied attributes minheight,...

6.4CVSS0.00193EPSS

Exploits0References5

NVD•added 5 days ago•8 views

CVE-2026-12111

The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.4.01. This is due to insufficient authorization and missing per-calendar ownership checks in the cpabcappointmentscalendarload2 function, which is reachable vi...

4.3CVSS0.00285EPSS

Exploits0References10

EUVD•added 5 days ago•6 views

EUVD-2026-37867

6.4CVSS5.6AI score0.00255EPSS

Exploits0References3

Cvelist•added 5 days ago•31 views

CVE-2026-12111 Appointment Booking Calendar <= 1.4.01 - Authenticated (Contributor+) Sensitive Information Exposure via 'id' Parameter

4.3CVSS0.00285EPSS

Exploits0References10

EUVD•added 5 days ago•7 views

EUVD-2026-37864

4.3CVSS5.4AI score0.00285EPSS

Exploits0References10

EUVD•added 5 days ago•8 views

EUVD-2026-37859

6.4CVSS5.5AI score0.00193EPSS

Exploits0References5

NVD•added 5 days ago•9 views

CVE-2026-11402

The Services Section Block – Showcase Service Details in Grid or Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'link' Block Attribute in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS0.00212EPSS

Exploits0References4

NVD•added 5 days ago•9 views

CVE-2026-11357

The Kadence Blocks — Page Builder Toolkit for Gutenberg Editor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.7.5 via the editorassetsvariables. This makes it possible for authenticated attackers, with contributor-level access and abov...

4.3CVSS0.00243EPSS

Exploits0References8

EUVD•added 5 days ago•11 views

EUVD-2026-37849

6.4CVSS5.5AI score0.00212EPSS

Exploits0References4

EUVD•added 5 days ago•8 views

EUVD-2026-37843

4.3CVSS5.2AI score0.00243EPSS

Exploits0References8

NVD•added 6 days ago•6 views

CVE-2026-8607

The Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wrap' Shortcode Attribute in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping...

6.4CVSS0.00269EPSS

Exploits0References8

NVD•added 2026/06/16 6:16 a.m.•8 views

CVE-2026-10780

The Static Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2. This is due to the staticblockcontent shortcode handler retrieving a post via getpost using an attacker-supplied 'id' attribute and outputting its postcontent without...

4.3CVSS0.00211EPSS

Exploits0References4

NVD•added 2026/06/16 6:16 a.m.•10 views

CVE-2026-5149

The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the getsubmissioncontent AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it...

6.5CVSS0.00238EPSS

Exploits0References5

Cvelist•added 2026/06/16 5:33 a.m.•27 views

CVE-2026-5149 RTMKit <= 2.0.7 - Authenticated (Contributor+) Missing Authorization to Arbitrary Form Submission Access via 'entries_id' Parameter

6.5CVSS0.00238EPSS

Exploits0References5

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by