Lucene search
+L

1266 matches found

NVD
NVD
added 3 days ago8 views

CVE-2026-12869

The Header Footer Builder for Elementor WordPress plugin before 1.2.1 does not require an administrative capability for its dashboard template-import action it allows any editposts user, so a Contributor can import a template containing an Elementor HTML widget configured to display site-wide,...

6.1CVSS0.00149EPSS
Exploits0References1
Cvelist
Cvelist
added 3 days ago41 views

CVE-2026-12906 RTMKit Addons for Elementor < 2.0.9 - Contributor+ Private Post Title Disclosure

The RTMKit WordPress plugin before 2.0.9 does not perform a capability check in one of its AJAX actions and resolves a request-supplied post identifier directly, allowing users with at least the Contributor role to read the titles of other users' private, draft, pending, scheduled and trashed pos...

0.00179EPSS
Exploits0References1
EUVD
EUVD
added 3 days ago9 views

EUVD-2026-44878

The Header Footer Builder for Elementor WordPress plugin before 1.2.1 does not require an administrative capability for its dashboard template-import action it allows any editposts user, so a Contributor can import a template containing an Elementor HTML widget configured to display site-wide,...

6.1CVSS6.1AI score0.00149EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/08 11:30 a.m.36 views

CVE-2025-14785 Website Builder by SeedProd - Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode <= 6.20.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'seedprodnestedmenuwidget' Shortcode

The Website Builder by SeedProd - Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's seedprodnestedmenuwidget shortcode in all versions up to, and including, 6.20.2 due to insufficient input...

6.4CVSS0.00156EPSS
Exploits0References2
NVD
NVD
added 2026/07/02 12:17 p.m.9 views

CVE-2026-57765

Contributor SQL Injection in WP EasyCart = 5.9.0 versions...

8.5CVSS0.0022EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/02 6:0 a.m.42 views

CVE-2026-11781 Adminify < 4.2.10 - Contributor+ Sensitive Information Disclosure via Global Search AJAX

The Adminify WordPress plugin before 4.2.10 does not perform per-user read-capability checks on the results returned by one of its administration search features, allowing users with a low-privilege role Contributor to disclose non-public content that WordPress would not otherwise expose to them,...

0.00189EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/24 6:0 a.m.8 views

EUVD-2026-38692

The AI Share & Summarize WordPress plugin before 2.0.4 does not sanitise and escape some of its shortcode attributes before outputting them in a page, allowing users with the Contributor role and above to perform Stored Cross-Site Scripting attacks...

5.4CVSS5.8AI score0.00133EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/24 6:0 a.m.9 views

CVE-2026-10531

The AI Share & Summarize WordPress plugin before 2.0.4 does not sanitise and escape some of its shortcode attributes before outputting them in a page, allowing users with the Contributor role and above to perform Stored Cross-Site Scripting attacks...

5.8AI score0.00133EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/24 6:0 a.m.38 views

CVE-2026-10531 AI Share & Summarize < 2.0.4 - Contributor+ Stored XSS via title_style Shortcode Attribute

The AI Share & Summarize WordPress plugin before 2.0.4 does not sanitise and escape some of its shortcode attributes before outputting them in a page, allowing users with the Contributor role and above to perform Stored Cross-Site Scripting attacks...

0.00133EPSS
Exploits0References1
CVE
CVE
added 2026/06/24 6:0 a.m.17 views

CVE-2026-10531

The CVE describes Stored XSS in the WordPress plugin “AI Share & Summarize” prior to version 2.0.4. The root cause is insufficient sanitisation/escaping of shortcode attributes (notably title_style) before output, enabling users with the Contributor role or higher to inject scripts on pages. Affe...

5.4CVSS5.8AI score0.00133EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/06 6:34 p.m.37 views

CVE-2026-41934 Vvveb < 1.0.8.2 Authenticated RCE via Code Editor

Vvveb before version 1.0.8.2 contains an authenticated remote code execution vulnerability in the admin code editor that allows low-privilege authenticated users to execute arbitrary code through insufficient file extension restrictions, with the uploaded payload then executable via subsequent...

8.8CVSS0.00545EPSS
Exploits0References4
GithubExploit
GithubExploit
added 2026/04/13 2:36 p.m.127 views

Exploit for CVE-2025-66849

CVE-2025-66849 Ghost CMS Privilege Escalation PoC Summar...

5.8AI score
Exploits1
RedhatCVE
RedhatCVE
added 2026/03/26 3:17 p.m.5 views

CVE-2026-1753

The Gutena Forms WordPress plugin before 1.6.1 does not validate option to be updated, which could allow contributors and above role to update arbitrary boolean and array options such as userscanregister...

6.8CVSS5.9AI score0.00197EPSS
Exploits0References1
EUVD
EUVD
added 2026/03/26 9:30 a.m.7 views

EUVD-2025-209042

The Shared Files WordPress plugin before 1.7.58 allows users with a role as low as Contributor to download any file on the web server such as wp-config.php via a path traversal vector...

6.8CVSS5.8AI score0.0043EPSS
Exploits0References2
NVD
NVD
added 2026/03/26 7:16 a.m.4 views

CVE-2025-15433

The Shared Files WordPress plugin before 1.7.58 allows users with a role as low as Contributor to download any file on the web server such as wp-config.php via a path traversal vector...

6.8CVSS0.0043EPSS
Exploits0References1
CVE
CVE
added 2026/03/26 6:0 a.m.16 views

CVE-2025-15433

The Shared Files WordPress plugin, versions before 1.7.58, is affected by a path traversal vulnerability that allows users with a role as low as Contributor to arbitrarily download any file on the web server (e.g., wp-config.php). Root cause: improper validation in file download logic. Affected p...

6.8CVSS5.8AI score0.0043EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/03/26 6:0 a.m.2 views

CVE-2025-15433

The Shared Files WordPress plugin before 1.7.58 allows users with a role as low as Contributor to download any file on the web server such as wp-config.php via a path traversal vector...

6.8CVSS5.8AI score0.0043EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/03/18 6:0 a.m.3 views

CVE-2025-15363 Get Use APIs < 2.0.10 - Contributor+ Stored XSS

The Get Use APIs WordPress plugin before 2.0.10 executes imported JSON, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks under certain server configurations...

5.8AI score0.0014EPSS
Exploits0References1
CVE
CVE
added 2026/02/07 6:0 a.m.18 views

CVE-2025-15491

The CVE refers to the Post Slides WordPress plugin (versions up to 1.0.1) where a flaw in shortcode attribute validation allows generation of include paths, enabling Local File Inclusion (LFI) for authenticated users (e.g., contributor or higher). Root cause: some shortcode attributes are not val...

5.5CVSS5.4AI score0.00259EPSS
Exploits0References1
Patchstack
Patchstack
added 2026/02/02 7:57 p.m.4 views

WordPress Brizy - Page Builder plugin <= 2.4.41 - Authenticated(Contributor+) Stored Cross-Site Scripting vulnerability

WordPress Brizy - Page Builder plugin = 2.4.41 - AuthenticatedContributor+ Stored Cross-Site Scripting vulnerability discovered by stealthcopter in WordPress Plugin Brizy versions = 2.4.41...

7.1CVSS5.2AI score0.00267EPSS
Exploits0References1Affected Software1
Rows per page
Query Builder