CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedhatCVE•added 2026/06/09 2:59 p.m.•7 views

CVE-2026-3011

The Recipe Card Blocks Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the recipe block's 'summary' and 'notes' attributes in all versions up to, and including, 3.4.13. This is due to the 'WPZOOMHelpers::deserializeblockattributes' method converting unicode-encoded...

6.4CVSS5.7AI score0.00201EPSS

OSV•added 2026/06/09 10:16 a.m.•6 views

ALPINE-CVE-2025-10263

Arm C1-Ultra, C1-Premium, Neoverse V3 & V3AE, Neoverse V2, Neoverse V1, Neoverse-N2, Neoverse-N1, Cortex-X925, Cortex-X4, Cortex-X3, Cortex-X2, Cortex-X1 & X1C, Cortex-A710, Cortex-A78, A78AE & A78C, Cortex-A77, Cortex-A76 & A76A may allow writes to resources owned by a higher exception level...

9.1CVSS5.4AI score0.0039EPSS

NVD•added 2026/06/09 10:16 a.m.•9 views

CVE-2025-10263

9.1CVSS0.0039EPSS

CVE•added 2026/06/09 9:23 a.m.•32 views

CVE-2025-10263

CVE-2025-10263 affects Arm architectures (C1-Ultra, C1-Premium; Neoverse V3/V3AE/V2/V1/N2/N1; Cortex-X9/25/4/3/2/1/1C; Cortex-A710/A78/A78AE/A78C/A77/A76/A76A) where a write to a resource may occur under a lower EL than the owner. Impact described as potential privilege escalation to the hypervis...

9.1CVSS5.5AI score0.0039EPSS

Cvelist•added 2026/06/09 9:23 a.m.•37 views

CVE-2025-10263

0.0039EPSS

Vulnrichment•added 2026/06/09 9:23 a.m.•7 views

CVE-2025-10263

5.4AI score0.0039EPSS

EUVD•added 2026/06/09 9:23 a.m.•7 views

EUVD-2025-210084

9.1CVSS5.5AI score0.0039EPSS

Debian CVE•added 2026/06/09 9:23 a.m.•5 views

CVE-2025-10263

9.1CVSS5.4AI score0.0039EPSS

Exploits0

NVD•added 2026/06/09 9:16 a.m.•10 views

CVE-2026-11616

The Events Calendar for GeoDirectory plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 2.3.28. This is due to the ajaxayiaction handler only applying striptagsescsql — with no allow-list — to the attacker-controlled $POST'type' and $POST'postid' values...

8.8CVSS0.00304EPSS

EUVD•added 2026/06/09 7:49 a.m.•9 views

EUVD-2026-35377

The MailerPress – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Campaign HTML Content Field in all versions up to, and including, 2.0.4 due to insufficient input sanitization and output escaping. This makes...

6.4CVSS5.7AI score0.00252EPSS

Exploits0References11

Vulnrichment•added 2026/06/09 7:49 a.m.•6 views

CVE-2026-11616 Events Calendar for GeoDirectory <= 2.3.28 - Authenticated (Subscriber+) Privilege Escalation

8.8CVSS5.5AI score0.00304EPSS

NVD•added 2026/06/09 5:16 a.m.•12 views

CVE-2026-8977

The WP GDPR Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ninjagdprajaxactions' AJAX action in versions up to, and including, 1.0.0. This is due to missing capability and nonce checks on the handleAjaxCalls function, combined with insufficient input...

6.4CVSS0.00193EPSS

Exploits0References5

NVD•added 2026/06/09 5:16 a.m.•11 views

CVE-2026-7662

The ePaperFlip Publisher plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'publicationid' attribute of the epaperflipembed shortcode in all versions up to, and including, 1. This is due to insufficient input sanitization and output escaping on the shortcode attribute whic...

6.4CVSS0.00198EPSS

Cvelist•added 2026/06/09 3:41 a.m.•28 views

CVE-2026-8882 WP ApplicantStack Jobs Display <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The WP ApplicantStack Jobs Display plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS0.00187EPSS

CVE•added 2026/06/09 3:41 a.m.•14 views

CVE-2026-8907

CVE-2026-8907 affects the WordPress plugin WP-Ultimate-Map (versions ≤ 1.1). The root cause is missing nonce validation on the process_init() handler (hooked to admin_init), which saves settings (zoom-level, focus-lat, focus-lng, sel_places, sel_routes) based solely on a save-setting POST paramet...

6.1CVSS5.5AI score0.00119EPSS

CVE•added 2026/06/09 3:41 a.m.•11 views

CVE-2026-8880

The RomanCart Ecommerce WordPress plugin (

6.4CVSS5.7AI score0.00198EPSS

Cvelist•added 2026/06/09 3:41 a.m.•31 views

CVE-2026-8907 WP-Ultimate-Map <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'zoom-level' Parameter

The WP-Ultimate-Map plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1. This is due to missing nonce validation on the processinit function hooked to admininit, which saves plugin settings zoom-level, focus-lat, focus-lng, selplaces, selroutes v...

6.1CVSS0.00119EPSS

Vulnrichment•added 2026/06/09 3:41 a.m.•7 views

CVE-2026-8907 WP-Ultimate-Map <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'zoom-level' Parameter

6.1CVSS5.5AI score0.00119EPSS

Cvelist•added 2026/06/09 3:41 a.m.•29 views

CVE-2026-8841 Extra Settings for RocketChat <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Extra Settings for RocketChat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rocketchat' shortcode's 'title' attribute in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping in the rxstgshortcode function, which...

6.4CVSS0.00187EPSS