Lucene search
K

8947 matches found

CVE
CVE
added yesterday7 views

CVE-2026-12385

CVE-2026-12385 affects the Smart Slider 3 WordPress plugin up to version 3.5.1.37. The issue is a Sensitive Information Exposure via the keyword parameter, enabling authenticated attackers with contributor-level access and above to extract titles and full content excerpts from private, draft, pen...

4.3CVSS6.1AI score
Exploits0References7
Nuclei
Nuclei
added yesterday10 views

W3 Total Cache < 2.8.2 - Log File Exposure

The plugin is vulnerable to Information Exposure through the publicly exposed debug log file. This makes it possible for unauthenticated attackers to view potentially sensitive information in the exposed log file. For example, the log file may contain nonce values that can be used in further CSRF...

7.5CVSS7AI score0.02169EPSS
Exploits0References3
Nuclei
Nuclei
added yesterday6 views

WPBot <= 8.4.9 - Cross-Site Scripting

WPBot = 8.4.9 is vulnerable to stored cross-site scripting via the conversation parameter in the qcldwbchatbotconversationsave AJAX action. The AJAX nonce qcsecretbotnonceval123qc is publicly emitted on every frontend page via wplocalizescript under the ajaxnonce key, making it freely obtainable ...

7.2CVSS6.1AI score0.00524EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday32 views

Video Conferencing with Zoom API < 4.6.6 - Unauthenticated SDK Signature Generation

Zoom WordPress plugin 4.6.6 contains a broken authentication caused by disabled nonce verification in an AJAX handler, letting unauthenticated attackers generate valid Zoom SDK signatures and retrieve the Zoom SDK key. id: CVE-2026-1368 info: name: Video Conferencing with Zoom API 4.6.6 -...

7.5CVSS6.1AI score0.01211EPSS
Exploits0References3
Nuclei
Nuclei
added yesterday21 views

Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit - Broken Access Control

The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the installoractivateaddonplugins function and a weak nonce hash in all...

9.8CVSS6.1AI score0.02904EPSS
Exploits0References3
Nuclei
Nuclei
added yesterday14 views

HT Mega < 3.0.7 - Sensitive Information Disclosure

The HT Mega plugin for WordPress is vulnerable to Sensitive Information Exposure via AJAX actions. This template dynamically extracts the security nonce before exploitation. id: CVE-2026-4106 info: name: HT Mega 3.0.7 - Sensitive Information Disclosure author: EFETR severity: high description: |...

5.3CVSS6.1AI score0.00742EPSS
Exploits1References2
Nuclei
Nuclei
added yesterday73 views

ARMember < 3.4.8 - Unauthenticated Admin Account Takeover

The ARMember WordPress plugin before 3.4.8 is vulnerable to account takeover even the administrator due to missing nonce and authorization checks in an AJAX action available to unauthenticated users, allowing them to change the password of arbitrary users by knowing their username. id:...

8.1CVSS7.1AI score0.0852EPSS
Exploits1References5
Nuclei
Nuclei
added yesterday73 views

WordPress Contact Form 7 <2.3.4 - Arbitrary Nonce Generation

WordPress Contact Form 7 before version 2.3.4 allows unauthenticated users to use the wpcf7rgetnonce AJAX action to retrieve a valid nonce for any WordPress action/function. id: CVE-2021-24278 info: name: WordPress Contact Form 7 2.3.4 - Arbitrary Nonce Generation author: 2rs3c severity: high...

7.5CVSS7AI score0.07359EPSS
Exploits2References5
NVD
NVD
added 3 days ago7 views

CVE-2026-6803

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.12. This is due to missing capability checks and nonce verification on AJAX actions registered under both wpajax and wpajaxnopriv hooks, as the base...

5.3CVSS0.00297EPSS
Exploits0References12
NVD
NVD
added 3 days ago7 views

CVE-2026-3552

The SurfLink - Ultimate Link Manager plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the ajaximport410 function in all versions up to 2.6.0. This is due to a missing capability check currentusercan and missing nonce verification...

4.3CVSS0.00213EPSS
Exploits0References8
NVD
NVD
added 3 days ago6 views

CVE-2026-13250

The Solace Extra plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.5.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to permanently delete all...

5.3CVSS0.00273EPSS
Exploits0References8
NVD
NVD
added 3 days ago6 views

CVE-2026-13262

The Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'val' parameter in all versions up to, and including, 1.1.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparatio...

6.5CVSS0.00352EPSS
Exploits0References10
NVD
NVD
added 3 days ago7 views

CVE-2026-10628

The Points and Rewards for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.10.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

4.3CVSS0.00349EPSS
Exploits0References12
EUVD
EUVD
added 3 days ago5 views

EUVD-2026-43140

The Affilia – Affiliate Program & Referral Tracking for WordPress plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.3.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

4.3CVSS6.1AI score0.00304EPSS
Exploits0References12
CVE
CVE
added 3 days ago10 views

CVE-2026-7559

Technical details beyond what is in the Initial Description are not publicly provided in the connected documents. Monitor for updates to affected versions, remediation status, and exploit information.

4.3CVSS6.1AI score0.00304EPSS
Exploits0References12
EUVD
EUVD
added 3 days ago6 views

EUVD-2026-43135

The SurfLink - Ultimate Link Manager plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the ajaximport410 function in all versions up to 2.6.0. This is due to a missing capability check currentusercan and missing nonce verification...

4.3CVSS6.1AI score0.00213EPSS
Exploits0References8
CVE
CVE
added 3 days ago9 views

CVE-2026-3552

SurfLink

4.3CVSS6.1AI score0.00213EPSS
Exploits0References8
Cvelist
Cvelist
added 3 days ago31 views

CVE-2026-3552 SurfLink < 2.6.0 - Missing Authorization to Authenticated (Subscriber+) 410 Gone URL Import via 'surfl_import_410' AJAX Action

The SurfLink - Ultimate Link Manager plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the ajaximport410 function in all versions up to 2.6.0. This is due to a missing capability check currentusercan and missing nonce verification...

4.3CVSS0.00213EPSS
Exploits0References8
CVE
CVE
added 3 days ago9 views

CVE-2026-13353

CVE-2026-13353 affects the WP Ultimate CSV Importer (WordPress plugin) up to version 8.0.1. The root cause is missing capability checks on AJAX handlers (install_addon, saveMappedFields, StartImport) and exposure of the plugin nonce to any authenticated admin page, which enables a Subscriber+ to ...

8.8CVSS6.3AI score0.00606EPSS
Exploits0References6
EUVD
EUVD
added 3 days ago6 views

EUVD-2026-43123

The Points and Rewards for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.10.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

4.3CVSS6.2AI score0.00349EPSS
Exploits0References12
Rows per page
Query Builder