Lucene search
K

32 matches found

Nuclei
Nuclei
added 13 hours ago30 views

GiveWP Donation Plugin <= 3.16.1 - Unauthenticated PHP Object Injection

The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1. This is due to insufficient input validation on user-supplied data. An unauthenticated attacker can inject a serialized PHP object, which...

10CVSS7.3AI score0.28931EPSS
Exploits3References4
Cvelist
Cvelist
added 2026/06/24 6:0 a.m.37 views

CVE-2026-10735 ShapedPlugin Multiple Pro Plugins - Backdoor via Compromised Vendor Update Server

Multiple Shapedsmart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 Pro smart-post-show-pro WordPress plugin before 4.0.2, Real Testimonials Pro WordPress plugin before 3.2.5, Produ...

0.00387EPSS
Exploits1References1
GithubExploit
GithubExploit
added 2026/05/21 10:12 a.m.122 views

Exploit for CVE-2026-5118

🔥 CVE-2026-5118 Divi Form Builder --- 🎯 Ring...

5.8AI score0.00487EPSS
Exploits5
OSV
OSV
added 2026/05/13 3:29 p.m.6 views

GHSA-J274-39QW-32C9 Grav: Twig sandbox allows editor-role users to exfiltrate all plugin secrets via Config::toArray()

Summary The Twig sandbox allow-list permits any user with the admin.pages role to call config.toArray from within a page body, dumping the entire merged site configuration — including all plugin secrets SMTP passwords, AWS keys, OAuth client secrets, API tokens — into the rendered HTML. No...

7.7CVSS5.8AI score0.00276EPSS
Exploits1References4
NVD
NVD
added 2026/05/12 9:16 p.m.10 views

CVE-2026-44224

Wiki.js is an open source wiki app built on Node.js. Prior to 2.5.313, the users.update GraphQL mutation accepts an arbitrary groups array and applies it directly to the database with no validation of the group IDs supplied. The resolver passes the caller's arguments straight to the model without...

8.8CVSS0.00379EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/04/27 12:0 a.m.13 views

PT-2026-35519

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute method of the connect-customer-to-wp-user ability, which only requires...

8.8CVSS5.2AI score0.00293EPSS
Exploits1References9
GithubExploit
GithubExploit
added 2026/04/18 9:39 a.m.105 views

Exploit for CVE-2025-14364

CVE-2025-14364 Demo Importer Plus = 2.0.8 - Missing Author...

8.8CVSS5.9AI score0.00302EPSS
Exploits1
Positive Technologies
Positive Technologies
added 2026/02/19 12:0 a.m.6 views

PT-2026-20726

Missing Authorization vulnerability in sparklewpthemes Hello FSE hello-fse allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hello FSE: from n/a through = 1.0.6...

5.5AI score0.00185EPSS
Exploits0References1
NVD
NVD
added 2026/02/12 3:16 p.m.5 views

CVE-2026-1104

The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to unauthorized backup creation and download due to a missing capability check on REST API endpoints in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with...

8.8CVSS0.00266EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/02/12 2:25 p.m.2 views

CVE-2026-1104

The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to unauthorized backup creation and download due to a missing capability check on REST API endpoints in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with...

8.8CVSS5.5AI score0.00266EPSS
Exploits0References4
CVE
CVE
added 2026/02/12 2:25 p.m.17 views

CVE-2026-1104

CVE-2026-1104 affects the FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress. The vulnerability is due to a missing capability check on REST API endpoints across all versions up to and including 2.7.1, enabling authenticated attackers with Contributor-level access and above t...

8.8CVSS5.5AI score0.00266EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/02/12 2:25 p.m.31 views

CVE-2026-1104 FastDup – Fastest WordPress Migration & Duplicator <= 2.7.1 - Missing Authorization to Authenticated (Contributor+) Backup Creation and Download

The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to unauthorized backup creation and download due to a missing capability check on REST API endpoints in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with...

8.8CVSS0.00266EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/02/12 12:0 a.m.8 views

PT-2026-7851

The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to unauthorized backup creation and download due to a missing capability check on REST API endpoints in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with...

8.8CVSS5.5AI score0.00266EPSS
Exploits0References4
CVE
CVE
added 2025/12/18 4:50 p.m.11 views

CVE-2025-62961

CVE-2025-62961 describes a Missing Authorization / Broken Access Control vulnerability in the WordPress theme Sparkle FSE, affecting Sparkle FSE versions from n/a through 1.0.9. The connected sources consistently reference Sparkle FSE

5.4CVSS5.9AI score0.00173EPSS
Exploits0References1
NVD
NVD
added 2025/12/18 10:16 a.m.7 views

CVE-2025-14364

The Demo Importer Plus plugin for WordPress is vulnerable to unauthorized modification of data, loss of data, and privilege escalation due to a missing capability check on the Ajax::handlerequest function in all versions up to, and including, 2.0.8. This makes it possible for authenticated...

8.8CVSS0.00302EPSS
Exploits1References2
OSV
OSV
added 2025/11/07 5:16 a.m.5 views

CVE-2025-4519

The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonatedonorpassword function in versions 2.1.5 to 2.1.9. This makes it possible for authenticated attackers, with Subscriber-level...

8.8CVSS5.7AI score0.00332EPSS
Exploits0References4
NVD
NVD
added 2025/10/27 3:15 p.m.15 views

CVE-2025-34292

Rox, the software running BeWelcome, contains a PHP object injection vulnerability resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize: the POST parameter formkitmemoryrecovery in \RoxPostHandler::getCallbackAction and the 'memory cookie' read by...

9.4CVSS0.0053EPSS
Exploits0References4
Cvelist
Cvelist
added 2025/10/27 2:36 p.m.13 views

CVE-2025-34292 BeWelcome/Rox PHP Object Injection RCE

Rox, the software running BeWelcome, contains a PHP object injection vulnerability resulting from deserialization of untrusted data. User-controlled input is passed to PHP's unserialize: the POST parameter formkitmemoryrecovery in \RoxPostHandler::getCallbackAction and the 'memory cookie' read by...

9.4CVSS0.0053EPSS
Exploits0References4
CVE
CVE
added 2025/10/27 2:36 p.m.16 views

CVE-2025-34292

The CVE-2025-34292 issue affects Rox (BeWelcome) where unsafely deserializing untrusted data enables PHP object injection. User input flows into unserialize() via the POST parameter formkit_memory_recovery in RoxPostHandler::getCallbackAction and via the bwRemember memory cookie used by RoxModelB...

9.4CVSS8AI score0.0053EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2025/06/02 7:44 a.m.9 views

CVE-2025-4607

The PSW Front-end Login & Registration plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.12 via the customerregistration function. This is due to the use of a weak, low-entropy OTP mechanism in the forget function. This makes it possible for...

9.8CVSS7AI score0.00484EPSS
Exploits0References1
Rows per page
Query Builder