Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

8008 matches found

Wordfence Blog
Wordfence Blogadded yesterday4 views

Attackers Actively Exploiting Critical Vulnerability in Everest Forms Pro Plugin

On March 30th, 2026, we publicly disclosed a critical Remote Code Execution vulnerability in Everest Forms Pro, a WordPress plugin with an estimated 4,000 active installations. This vulnerability can be leveraged by unauthenticated attackers to execute arbitrary PHP code on the server, leading to...

9.8CVSS6.7AI score0.00313EPSS
Exploits0
CVE
CVEadded yesterday5 views

CVE-2026-3276

The CVE concerns Python’s unicodedata.normalize() taking excessive CPU time when given specially crafted Unicode input with long runs of combining characters that have alternating Canonical Combining Class (CCC) values. Affected: the normalize() function across all normalization forms. Root cause...

6.3CVSS5.8AI score
Exploits0References4
EUVD
EUVDadded yesterday3 views

EUVD-2026-34103

unicodedata.normalize can take excessive CPU time when processing specially crafted Unicode input containing long runs of combining characters with alternating Canonical Combining Class values. This affects all normalization forms...

6.3CVSS5.8AI score
Exploits0References3
Nuclei
Nucleiadded yesterday15 views

Contact Form Plugin by Fluent Forms < 5.1.17 - Unauthenticated Limited Privilege Escalation

The plugin is vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint. This makes it possible for unauthenticated attackers to grant users with Fluent Form management permissions which gives them access to all of the plugin's...

9.8CVSS5.8AI score0.21837EPSS
Exploits1References3
Nuclei
Nucleiadded yesterday25 views

Infusionsoft Gravity Forms Add-on < 1.5.7 - Cross-Site Scripting

Multiple cross-site scripting vulnerabilities in tests/notAutotestContactServicepauseCampaign.php in the Infusionsoft Gravity Forms plugin before 1.5.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the 1 go, 2 contactId, or 3 campaignId parameter. id: CVE-2014-45...

6.1CVSS6.4AI score0.02649EPSS
Exploits2References5
Nuclei
Nucleiadded yesterday9 views

CRM Perks Forms <= 1.1.4 - SQL Injection

CRM Perks CRM Perks Forms affected versions 1.1.4 and earlier contains a SQL injection caused by improper neutralization of special elements used in an SQL command, letting attackers execute arbitrary SQL commands, exploit requires user interaction. id: CVE-2024-30498 info: name: CRM Perks Forms ...

10CVSS7.6AI score0.14998EPSS
Exploits0References3
Nuclei
Nucleiadded yesterday8 views

Caldera Forms < 1.9.7 - Reflected Cross-Site Scripting

Caldera Forms WordPress plugin 1.9.7 contains a reflected cross-site scripting caused by lack of validation and escaping of the cf-api parameter in responses, letting attackers execute arbitrary scripts in victim's browser, exploit requires attacker to craft a malicious request. id: CVE-2022-0879...

6.1CVSS6.5AI score0.00453EPSS
Exploits2References3
Nuclei
Nucleiadded yesterday11 views

Ninja Forms File Uploads <= 3.3.26 - Arbitrary File Upload

Ninja Forms File Uploads plugin for WordPress versions up to and including 3.3.26 is vulnerable to unauthenticated arbitrary file upload which could lead to remote code execution. id: CVE-2026-0740 info: name: Ninja Forms File Uploads = 3.3.26 - Arbitrary File Upload author: whattheslime severity...

9.8CVSS7.7AI score0.21968EPSS
Exploits6References2
Nuclei
Nucleiadded yesterday25 views

Ninja Forms < 3.6.22 - Cross-Site Scripting

Ninja Forms before 3.6.22 is susceptible to cross-site scripting via the page parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to...

6.1CVSS6.9AI score0.14001EPSS
Exploits2References3
Nuclei
Nucleiadded yesterday21 views

WordPress Ninja Forms <3.3.18 - Cross-Site Scripting

WordPress Ninja Forms plugin before 3.3.18 contains a cross-site scripting vulnerability. An attacker can inject arbitrary script in includes/Admin/Menus/Submissions.php via the begindate, enddate, or formid parameters. This can allow an attacker to steal cookie-based authentication credentials a...

6.1CVSS6.4AI score0.10724EPSS
Exploits5References5
Nuclei
Nucleiadded yesterday22 views

WordPress Ninja Forms <3.4.34 - Open Redirect

WordPress Ninja Forms plugin before 3.4.34 contains an open redirect vulnerability via the wpajaxnfoauthconnect AJAX action, due to the use of a user-supplied redirect parameter and no protection in place. An attacker can redirect a user to a malicious site and possibly obtain sensitive...

6.1CVSS6.3AI score0.01173EPSS
Exploits2References5
Nuclei
Nucleiadded yesterday19 views

Ninja Forms 3.8.6-3.8.10 - Cross-Site Scripting

The Ninja Forms WordPress plugin before 3.8.11 does not escape an URL before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin id: CVE-2024-7354 info: name: Ninja Forms 3.8.6-3.8.10 - Cross-Site Scripting...

6.1CVSS5.8AI score0.01473EPSS
Exploits1References2
Nuclei
Nucleiadded yesterday5 views

WordPress < 4.8.2 - Authenticated Open Redirect

WordPress versions before 4.8.2 contain an open redirect caused by improper validation in wp-admin/edit-tag-form.php and wp-admin/user-edit.php, letting attackers redirect users to malicious sites, exploit requires access to admin interface. id: CVE-2017-14725 info: name: WordPress 4.8.2 -...

5.4CVSS6.8AI score0.04176EPSS
Exploits0References5
Nuclei
Nucleiadded yesterday5 views

WordPress Kali Forms <= 2.4.9 - Remote Code Execution

Kali Forms WordPress plugin = 2.4.9 contains a remote code execution caused by unsafe user input handling in 'formprocess' and 'preparepostdata' functions, letting unauthenticated attackers execute code on the server, exploit requires no authentication. id: CVE-2026-3584 info: name: WordPress Kal...

9.8CVSS6.5AI score0.28725EPSS
Exploits2References2
Nuclei
Nucleiadded yesterday10 views

Formidable Forms < 2.05.02 - Cross-Site Scripting

Formidable Form Builder for WordPress versions before 2.05.03 contains a stored cross-site scripting caused by insufficient input sanitization and output escaping in form parameters like 'afterhtml', letting unauthenticated attackers inject and execute arbitrary scripts in victims' browsers id:...

8.3CVSS5.9AI score0.19546EPSS
Exploits2References3
Nuclei
Nucleiadded yesterday22 views

CRM Perks Forms < 1.1.1 - Cross Site Scripting

The plugin does not sanitise and escape some parameters from a sample file before outputting them back in the page, leading to Reflected Cross-Site Scripting id: CVE-2022-38467 info: name: CRM Perks Forms 1.1.1 - Cross Site Scripting author: r3Y3r53 severity: medium description: | The plugin does...

6.1CVSS6.4AI score0.12129EPSS
Exploits0References5
RedhatCVE
RedhatCVEadded 2 days ago6 views

CVE-2026-24754

Kiteworks is a private data network PDN. Prior to version 9.3.0, a stored XSS vulnerability in Kiteworks Secure Data Forms could allow an authenticated attacker to execute arbitrary JavaScript code in other users' sessions. Upgrade Kiteworks to version 9.3.0 or later to receive a patch...

5.4CVSS6.1AI score0.00029EPSS
Exploits0References1
NVD
NVDadded 2 days ago6 views

CVE-2026-9599

The Tectite Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the admininit function. This makes it possible for unauthenticated attackers to modify the plugin's settings,...

4.3CVSS0.00012EPSS
Exploits0References4
Vulnrichment
Vulnrichmentadded 2 days ago3 views

CVE-2026-9599 Tectite Forms <= 1.3 - Cross-Site Request Forgery to Settings Update

The Tectite Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the admininit function. This makes it possible for unauthenticated attackers to modify the plugin's settings,...

4.3CVSS5.7AI score0.00012EPSS
Exploits0References4
CVE
CVEadded 2 days ago6 views

CVE-2026-9599

The CVE-2026-9599 entry describes a CSRF vulnerability in the WordPress Tectite Forms plugin (versions up to and including 1.3) caused by missing or incorrect nonce validation in admin_init. This allows unauthenticated attackers to modify plugin settings (e.g., tectite_forms_button) through forge...

4.3CVSS5.7AI score0.00012EPSS
Exploits0References4
Rows per page
Query Builder