Lucene search
+L

15628 matches found

EUVD
EUVD
added yesterday7 views

EUVD-2026-45152

The HubSpot All-In-One Marketing – Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.62 via the wplocalizescript / window.leadinConfig JavaScript object. This makes it possible for authenticated attackers, with...

4.3CVSS5.3AI score0.00158EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added yesterday5 views

CVE-2026-9656

The HubSpot All-In-One Marketing – Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.62 via the wplocalizescript / window.leadinConfig JavaScript object. This makes it possible for authenticated attackers, with...

4.3CVSS5.3AI score0.00158EPSS
Exploits0References7
Cvelist
Cvelist
added yesterday24 views

CVE-2026-9656 HubSpot All-In-One Marketing <= 11.3.62 - Authenticated (Contributor+) Sensitive Information Exposure via Block Editor Localized Script

The HubSpot All-In-One Marketing – Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.62 via the wplocalizescript / window.leadinConfig JavaScript object. This makes it possible for authenticated attackers, with...

4.3CVSS0.00158EPSS
Exploits0References6
EUVD
EUVD
added yesterday8 views

EUVD-2026-45135

The ChatHelp – Click to Chat Button, WooCommerce Chat to Order & Floating Chat Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'number' and 'group' Shortcode Attributes in all versions up to, and including, 3.5.1 due to insufficient input sanitization and output escapin...

6.4CVSS6.2AI score0.00201EPSS
Exploits0References7
CVE
CVE
added yesterday13 views

CVE-2026-15759

Summary: CVE-2026-15759 affects the WordPress plugin “ChatHelp – Click to Chat Button, WooCommerce Chat to Order & Floating Chat Form.” The vulnerability is a Stored Cross-Site Scripting (XSS) via the 'number' and 'group' Shortcode Attributes in all versions up to and including 3.5.1 due to insuf...

6.4CVSS6.2AI score0.00201EPSS
Exploits0References7
Nuclei
Nuclei
added 2 days ago97 views

WordPress Core <6.5.2 - Cross-Site Scripting

WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. id: CVE-2024-4439 info: name: WordPress Core 6.5.2 - Cross-Site Scripting author: nqdung2002 severity: hi...

7.2CVSS6.9AI score0.70822EPSS
Exploits4References2
NVD
NVD
added 2 days ago10 views

CVE-2026-15099

The Delicious Recipes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'steps' block attribute in versions up to, and including, 1.10.2. This is due to insufficient input sanitization and output escaping in the wrapdirectiontext function, which interpolates the...

6.4CVSS0.00193EPSS
Exploits0References5
NVD
NVD
added 2 days ago8 views

CVE-2026-13755

The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'pricewrapper' Shortcode Attribute in all versions up to, and including, 3.6.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS0.00225EPSS
Exploits0References5
EUVD
EUVD
added 2 days ago8 views

EUVD-2026-44894

The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'pricewrapper' Shortcode Attribute in all versions up to, and including, 3.6.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS6.3AI score0.00225EPSS
Exploits0References5
EUVD
EUVD
added 2 days ago8 views

EUVD-2026-44883

The Delicious Recipes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'steps' block attribute in versions up to, and including, 1.10.2. This is due to insufficient input sanitization and output escaping in the wrapdirectiontext function, which interpolates the...

6.4CVSS6.2AI score0.00193EPSS
Exploits0References5
NVD
NVD
added 2 days ago7 views

CVE-2026-12906

The RTMKit WordPress plugin before 2.0.9 does not perform a capability check in one of its AJAX actions and resolves a request-supplied post identifier directly, allowing users with at least the Contributor role to read the titles of other users' private, draft, pending, scheduled and trashed pos...

2.7CVSS0.00179EPSS
Exploits0References1
NVD
NVD
added 2 days ago8 views

CVE-2026-12869

The Header Footer Builder for Elementor WordPress plugin before 1.2.1 does not require an administrative capability for its dashboard template-import action it allows any editposts user, so a Contributor can import a template containing an Elementor HTML widget configured to display site-wide,...

6.1CVSS0.00149EPSS
Exploits0References1
EUVD
EUVD
added 2 days ago8 views

EUVD-2026-44878

The Header Footer Builder for Elementor WordPress plugin before 1.2.1 does not require an administrative capability for its dashboard template-import action it allows any editposts user, so a Contributor can import a template containing an Elementor HTML widget configured to display site-wide,...

6.1CVSS6.1AI score0.00149EPSS
Exploits0References1
CVE
CVE
added 2 days ago9 views

CVE-2026-12906

The CVE-2026-12906 entry concerns RTMKit Addons for Elementor for WordPress. It affects the plugin prior to version 2.0.9, where an AJAX action does not perform a necessary capability check and returns a post identifier supplied in the request. This allows users with at least the Contributor role...

2.7CVSS6.1AI score0.00179EPSS
Exploits0References1
Cvelist
Cvelist
added 2 days ago39 views

CVE-2026-12906 RTMKit Addons for Elementor < 2.0.9 - Contributor+ Private Post Title Disclosure

The RTMKit WordPress plugin before 2.0.9 does not perform a capability check in one of its AJAX actions and resolves a request-supplied post identifier directly, allowing users with at least the Contributor role to read the titles of other users' private, draft, pending, scheduled and trashed pos...

0.00179EPSS
Exploits0References1
Cvelist
Cvelist
added 2 days ago34 views

CVE-2026-12869 Header Footer Builder for Elementor < 1.2.1 - Contributor+ Stored XSS via Template Import

The Header Footer Builder for Elementor WordPress plugin before 1.2.1 does not require an administrative capability for its dashboard template-import action it allows any editposts user, so a Contributor can import a template containing an Elementor HTML widget configured to display site-wide,...

0.00149EPSS
Exploits0References1
CVE
CVE
added 2 days ago14 views

CVE-2026-12869

The CVE-2026-12869 entry concerns the WordPress plugin Header Footer Builder for Elementor, fixed in version 1.2.1. The vulnerability arises because dashboard template-import does not require an administrative capability, allowing any user with edit_posts to import a template. An attacker with Co...

6.1CVSS6.1AI score0.00149EPSS
Exploits0References1
EUVD
EUVD
added 2 days ago7 views

EUVD-2026-44879

The RTMKit WordPress plugin before 2.0.9 does not perform a capability check in one of its AJAX actions and resolves a request-supplied post identifier directly, allowing users with at least the Contributor role to read the titles of other users' private, draft, pending, scheduled and trashed pos...

2.7CVSS6.1AI score0.00179EPSS
Exploits0References1
NVD
NVD
added 2 days ago10 views

CVE-2026-15652

The Easy Accordion – AI-Powered FAQ & Accordion Blocks, Product FAQ plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'align' Block Attribute in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS0.00197EPSS
Exploits0References5
NVD
NVD
added 2 days ago11 views

CVE-2026-12434

The List category posts plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 0.95.0 via the sanitizestatus. This makes it possible for authenticated attackers, with contributor-level access and above, to extract titles, full content, excerpts,...

4.3CVSS0.00239EPSS
Exploits0References6
Rows per page
Query Builder