Lucene search
K

241 matches found

CVE
CVE
added 4 days ago12 views

CVE-2026-12399

The Gutenverse WordPress plugin (Blocks, Page Builder & Site Editor) is affected by a Stored Cross-Site Scripting vulnerability up to version 3.8.0. The issue arises from insufficient input sanitization and output escaping in admin settings, allowing authenticated users with editor-level permissi...

4.4CVSS5.9AI score0.00246EPSS
Exploits0References12
NVD
NVD
added 2026/06/24 7:16 a.m.7 views

CVE-2026-10753

The Site Kit by Google WordPress plugin before 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users who have been granted dashboard sharing access such as Editors to modify a site-wide Site Kit by Google WordPress plugin before 1.176.0...

2.7CVSS0.00168EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/24 6:0 a.m.35 views

CVE-2026-10753 Site Kit by Google < 1.176.0 - Editor+ Email Reporting Settings Update

The Site Kit by Google WordPress plugin before 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users who have been granted dashboard sharing access such as Editors to modify a site-wide Site Kit by Google WordPress plugin before 1.176.0...

0.00168EPSS
Exploits0References1
NVD
NVD
added 2026/06/23 5:17 p.m.8 views

CVE-2026-54307

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, a member-level user with editor access to a shared workflow could reference credentials they do not own via specific public API endpoints. Credential ownership checks were only enforced partially leading to...

9.6CVSS0.00315EPSS
Exploits0References1
CVE
CVE
added 2026/06/23 3:47 p.m.19 views

CVE-2026-54307

Summary: CVE-2026-54307 affects n8n prior to versions 1.123.55, 2.25.7, and 2.26.2, where a member-level editor of a shared workflow could reference credentials they do not own due to partial credential ownership checks, enabling cross-user credential access via public API endpoints. The issue is...

9.6CVSS5.8AI score0.00315EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/06/23 3:47 p.m.34 views

CVE-2026-54307 n8n: Credential Exfiltration via Permission Bypass

n8n is an open source workflow automation platform. Prior to 1.123.55, 2.25.7, and 2.26.2, a member-level user with editor access to a shared workflow could reference credentials they do not own via specific public API endpoints. Credential ownership checks were only enforced partially leading to...

8.5CVSS0.00315EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/23 6:0 a.m.8 views

EUVD-2026-38416

The Infility Global Infility Global WordPress plugin before 2.15.20 for WordPress does not sanitize or validate the orderby and order parameters in the importlist, urldetail, and filedetail admin page callbacks before using them in SQL queries, allowing authenticated attackers with Editor-level...

6.8CVSS5.9AI score0.00231EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/23 6:0 a.m.7 views

CVE-2026-7842

The Infility Global Infility Global WordPress plugin before 2.15.20 for WordPress does not sanitize or validate the orderby and order parameters in the importlist, urldetail, and filedetail admin page callbacks before using them in SQL queries, allowing authenticated attackers with Editor-level...

6.8CVSS5.9AI score0.00231EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/18 6:50 a.m.6 views

CVE-2026-12102

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the 'userid' parameter due to missing validation on a user controlled key...

2.7CVSS5.4AI score0.0028EPSS
Exploits0References13
Cvelist
Cvelist
added 2026/06/18 6:50 a.m.23 views

CVE-2026-12102 UsersWP <= 1.2.63 - Insecure Direct Object Reference to Authenticated (Editor+) Arbitrary User Avatar/Banner Reset via 'user_id' Parameter

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the 'userid' parameter due to missing validation on a user controlled key...

2.7CVSS0.0028EPSS
Exploits0References12
CVE
CVE
added 2026/06/18 6:50 a.m.15 views

CVE-2026-12102

Affected software: WordPress plugin UsersWP (Front-end login, registration, profile, members directory) up to version 1.2.63. Vulnerability: Insecure Direct Object Reference via the user_id parameter due to missing validation on a user-controlled key in uwp_usermeta, enabling an authenticated att...

2.7CVSS5.5AI score0.0028EPSS
Exploits0References12
EUVD
EUVD
added 2026/06/18 6:50 a.m.9 views

EUVD-2026-37860

The UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.2.63 via the 'userid' parameter due to missing validation on a user controlled key...

2.7CVSS5.4AI score0.0028EPSS
Exploits0References12
Github Security Blog
Github Security Blog
added 2026/06/17 2:6 p.m.11 views

NocoDB: Server-Side Request Forgery via Spreadsheet Fetch URL

Summary The spreadsheet-fetch endpoint axiosRequestMake accepted URLs whose path contained a permitted extension anywhere in the string, and applied a hand-rolled regex blocklist that omitted 127.0.0.0/8 and 169.254.0.0/16, allowing the cloud-metadata endpoint to be reached with a crafted URL...

5.1CVSS5.3AI score0.00282EPSS
Exploits0References2Affected Software1
Github Security Blog
Github Security Blog
added 2026/06/16 11:2 p.m.10 views

n8n: Credential Exfiltration via Permission Bypass

Impact A member-level user with editor access to a shared workflow could reference credentials they do not own via specific public API endpoints. Credential ownership checks were only enforced partially leading to cross-user credential access. This issue affects instances where workflow sharing i...

9.6CVSS5.4AI score0.00315EPSS
Exploits0References2Affected Software1
NVD
NVD
added 2026/06/15 9:16 p.m.8 views

CVE-2026-27407

Editor Privilege Escalation in AI Engine = 3.4.9 versions...

7.2CVSS0.00393EPSS
Exploits0References1
NVD
NVD
added 2026/06/15 8:16 a.m.10 views

CVE-2026-9278

The Form Builder CP WordPress plugin before 1.2.47 does not properly sanitize a form configuration value before storing it and using it as part of a client-side script execution, allowing authenticated users with Editor-level access and above to perform Stored Cross-Site Scripting attacks against...

5.4CVSS0.00159EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/15 6:0 a.m.9 views

EUVD-2026-36700

The Form Builder CP WordPress plugin before 1.2.47 does not properly sanitize a form configuration value before storing it and using it as part of a client-side script execution, allowing authenticated users with Editor-level access and above to perform Stored Cross-Site Scripting attacks against...

5.4CVSS5.2AI score0.00159EPSS
Exploits0References1
CVE
CVE
added 2026/06/15 6:0 a.m.13 views

CVE-2026-9278

The CVE-2026-9278 entry concerns the Form Builder CP WordPress plugin prior to 1.2.47. Affected component: form_structure value handling in the plugin’s form configuration. Root cause: improper sanitization before storing and using the value in a client-side script, enabling Stored XSS. Impact: a...

5.4CVSS5.3AI score0.00159EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/15 6:0 a.m.8 views

CVE-2026-9278 Form Builder CP < 1.2.47 - Editor+ Stored XSS via form_structure

The Form Builder CP WordPress plugin before 1.2.47 does not properly sanitize a form configuration value before storing it and using it as part of a client-side script execution, allowing authenticated users with Editor-level access and above to perform Stored Cross-Site Scripting attacks against...

5.2AI score0.00159EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/15 6:0 a.m.37 views

CVE-2026-9278 Form Builder CP < 1.2.47 - Editor+ Stored XSS via form_structure

The Form Builder CP WordPress plugin before 1.2.47 does not properly sanitize a form configuration value before storing it and using it as part of a client-side script execution, allowing authenticated users with Editor-level access and above to perform Stored Cross-Site Scripting attacks against...

0.00159EPSS
Exploits0References1
Rows per page
Query Builder