Lucene search
K

3123 matches found

Cvelist
Cvelist
added 2 days ago33 views

CVE-2025-6784 Code Engine <= 0.3.5 - Authenticated (Contributor+) Remote Code Execution

The Code Engine plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 0.3.5 via the 'code-engine' shortcode. This is due to the plugin not restricting access to the code injecting functionality of the plugin. This makes it possible for authenticated...

8.8CVSS0.00483EPSS
Exploits0References2
CVE
CVE
added 2 days ago15 views

CVE-2025-6784

CVE-2025-6784 affects the WordPress Code Engine plugin (versions up to 0.3.5). It allows Remote Code Execution via the 'code-engine' shortcode because access to the plugin’s code-injecting functionality is not restricted. Authenticated users with Contributor-level access and above can execute cod...

8.8CVSS6.3AI score0.00483EPSS
Exploits0References2
Nuclei
Nuclei
added 2 days ago95 views

WordPress Core <6.5.2 - Cross-Site Scripting

WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. id: CVE-2024-4439 info: name: WordPress Core 6.5.2 - Cross-Site Scripting author: nqdung2002 severity: hi...

7.2CVSS6.9AI score0.70822EPSS
Exploits4References2
ATTACKERKB
ATTACKERKB
added 3 days ago7 views

CVE-2026-13010

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to time-based SQL Injection via 'event' Shortcode Attribute in all versions up to, and including, 5.7.9 due to insufficient escaping on the user supplied parameter and lack of sufficient...

6.5CVSS6.1AI score0.00254EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 3 days ago6 views

CVE-2026-15292

The Sudoku Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'background' parameter in the 'sudoku-sc' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS6.1AI score0.00243EPSS
Exploits0References6
CVE
CVE
added 4 days ago9 views

CVE-2026-13771

The Customer Reviews for WooCommerce plugin for WordPress is affected by a Stored Cross-Site Scripting vulnerability via the color shortcode attribute in all versions up to 5.113.0, caused by insufficient input sanitization and output escaping. Exploitation requires authenticated access at contri...

6.4CVSS6.1AI score0.00241EPSS
Exploits0References10
CVE
CVE
added 4 days ago7 views

CVE-2026-12170

The CVE concerns the AcyMailing WordPress plugin (all versions up to 10.10.2) vulnerability to Stored Cross-Site Scripting via the alignment attribute, caused by insufficient input sanitization and output escaping. Exploitation requires authenticated access at contributor level or higher, enablin...

6.4CVSS6.1AI score0.00256EPSS
Exploits0References6
Cvelist
Cvelist
added 4 days ago31 views

CVE-2026-14343 Download Manager <= 3.3.61 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'note_before' and 'note_after' Shortcode Attributes

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'notebefore' and 'noteafter' Shortcode Attributes in all versions up to, and including, 3.3.61 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

6.4CVSS0.00201EPSS
Exploits0References6
Cvelist
Cvelist
added 4 days ago27 views

CVE-2026-13253 Post Grid Gutenberg Blocks for News, Magazines, Blog Websites <= 5.0.31 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'moreResultsText' Block Attribute

The Ultimate Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'moreResultsText' block attribute of the ultimate-post/advanced-search block in versions up to and including 5.0.31. This is due to insufficient input sanitization and output escaping in the...

6.4CVSS0.00206EPSS
Exploits0References8
Cvelist
Cvelist
added 5 days ago32 views

CVE-2026-6742 Advanced iFrame <= 2026.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gutenberg Block 'additional' Attribute

The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'additional' parameter in all versions up to, and including, 2026.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...

6.4CVSS0.00156EPSS
Exploits0References2
CVE
CVE
added 2026/07/03 7:53 a.m.16 views

CVE-2026-4804

The Zakra WordPress theme (

6.4CVSS6.1AI score0.00187EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/07/03 12:0 a.m.13 views

PT-2026-55522

Name of the Vulnerable Software and Affected Versions RTMKit versions prior to 2.0.8 Description The RTMKit rometheme-for-elementor plugin for WordPress contains a Local File Inclusion flaw. This occurs because the render templates AJAX endpoint does not properly validate the template parameter...

4.3CVSS6.2AI score0.00266EPSS
Exploits0References10
Positive Technologies
Positive Technologies
added 2026/07/03 12:0 a.m.15 views

PT-2026-55442

Name of the Vulnerable Software and Affected Versions weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot versions prior to 2.3.1 Description Insufficient input sanitization and output escaping allow authenticated attackers with contributor-level access and above to perform...

6.4CVSS6.1AI score0.00206EPSS
Exploits0References8
CVE
CVE
added 2026/07/01 7:53 a.m.18 views

CVE-2026-13733

The CVE-2026-13733 entry affects the WordPress Download Manager plugin (versions up to 3.3.60). A Stored Cross-Site Scripting flaw exists in the no_data_msg shortcode attribute due to insufficient input sanitization and output escaping. This allows authenticated attackers with contributor-level a...

6.4CVSS5.9AI score0.00206EPSS
Exploits0References8
Cvelist
Cvelist
added 2026/07/01 7:53 a.m.40 views

CVE-2026-12408 Slim SEO <= 4.9.8 - Authenticated (Contributor+) Insufficient Authorization to Private Content Disclosure via 'object.ID' Parameter

The Slim SEO – A Fast & Automated SEO Plugin For WordPress plugin for WordPress is vulnerable to Unauthorized Private Content Disclosure in all versions up to, and including, 4.9.8 via the /wp-json/slim-seo/meta-tags/ai REST API endpoint. This is due to the endpoint's permissioncallback performin...

4.3CVSS0.00257EPSS
Exploits0References8
CVE
CVE
added 2026/06/27 6:50 a.m.18 views

CVE-2026-13295

The CVE-2026-13295 entry concerns the Page Builder by SiteOrigin WordPress plugin. A stored XSS vulnerability affects all versions up to 2.34.3, caused by insufficient input sanitization and output escaping of the panels_data parameter. Authenticated users with Contributor-level access and above ...

6.4CVSS6AI score0.00241EPSS
Exploits0References10
CVE
CVE
added 2026/06/24 5:33 a.m.31 views

CVE-2026-11370

CVE-2026-11370 : In the WordPress WP Meta SEO plugin (versions up to 4.5.18), there is a Server-Side Request Forgery (SSRF) via the new_link parameter. Exploitation requires an authenticated user with at leastContributor+ access. The vulnerability allows outbound web requests originating from the...

6.4CVSS6AI score0.00242EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/19 4:31 a.m.14 views

EUVD-2026-37986

The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Arbitrary File Read in versions 1.7.1058 through 1.7.1059. This is due to the wprgetcsvhandle helper introduced in version 1.7.1058 as part of the patch for CVE-2026-6229 falling back to...

7.2CVSS5.9AI score0.00379EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/19 4:31 a.m.11 views

EUVD-2026-37983

The Bogo plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.1 via the bogorestcreateposttranslation. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract the raw title, content, excerpt,...

4.3CVSS5.8AI score0.00254EPSS
Exploits0References9
Cvelist
Cvelist
added 2026/06/18 6:50 a.m.24 views

CVE-2026-12136 SysBasics Customize My Account for WooCommerce <= 4.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Customize My Account For Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sysbasicsuseravatar' shortcode in versions up to, and including, 4.3.6. This is due to insufficient input sanitization and output escaping on user supplied attributes minheight,...

6.4CVSS0.00193EPSS
Exploits0References5
Rows per page
Query Builder