CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

5012 matches found

CVE-2026-11775

The CVE-2026-11775 entry affects the WordPress plugin User Admin Simplifier (up to version 3.0.0). It suffers from a Cross-Site Request Forgery due to missing or incorrect nonce validation on the useradminsimplifier_options_page function. This allows unauthenticated attackers to reset and permane...

4.3CVSS5.3AI score

Exploits0References5

NVD•added 5 days ago•12 views

CVE-2026-11784

The Optimole – Optimize Images | Convert WebP & AVIF | CDN & Lazy Load | Image Optimization plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.6. This is due to missing or incorrect nonce validation on the replacefile function. This makes it...

4.3CVSS0.00129EPSS

Exploits1References6

CVE•added 5 days ago•20 views

CVE-2026-11784

The CVE describes a Cross‑Site Request Forgery in the WordPress plugin Optimole – Optimize Images (

4.3CVSS5.4AI score0.00129EPSS

Exploits1References6

EUVD•added 5 days ago•9 views

EUVD-2026-37848

4.3CVSS5.3AI score0.00129EPSS

Exploits1References6

Positive Technologies•added 2026/06/16 12:0 a.m.•9 views

PT-2026-49620

The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the action remove abandoned function, which is registered to both the wp ajax...

5.3CVSS5.5AI score0.00228EPSS

Exploits0References5

EUVD•added 2026/06/11 5:15 p.m.•7 views

EUVD-2026-36270

Fediverse Embeds embeds fediverse posts on WordPress sites. Prior to version 1.5.9, Fediverse Embeds registered the unauthenticated AJAX action wpajaxnoprivftfgetsiteinfo includes/SiteInfo.php that verified a nonce ftf-fediverse-embeds-nonce and then called filegethtml$siteurl on the...

5.3CVSS5.4AI score0.00236EPSS

Exploits0References2

RedhatCVE•added 2026/06/10 8:59 a.m.•9 views

CVE-2026-8940

The WP Meta Sort Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9. This is due to missing or incorrect nonce validation on the top-level included script in msp-options.php. This makes it possible for unauthenticated attackers to chan...

4.3CVSS5.4AI score0.00128EPSS

Exploits0References1

RedhatCVE•added 2026/06/10 8:59 a.m.•10 views

CVE-2026-8910

The WP Emoticon Rating plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web...

6.1CVSS5.4AI score0.0012EPSS

Exploits0References1

RedhatCVE•added 2026/06/10 8:59 a.m.•9 views

CVE-2026-8907

The WP-Ultimate-Map plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1. This is due to missing nonce validation on the processinit function hooked to admininit, which saves plugin settings zoom-level, focus-lat, focus-lng, selplaces, selroutes v...

6.1CVSS5.5AI score0.00119EPSS

Exploits0References1

RedhatCVE•added 2026/06/10 8:59 a.m.•7 views

CVE-2026-9185

The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the userId parameter of the sixstoragegetuserinfo and sixstorageupdateprofile AJAX actions. This is due to the sixstoragegetUserInfo and...

7.5CVSS5.5AI score0.00403EPSS

Exploits0References1

NVD•added 2026/06/09 5:16 a.m.•11 views

CVE-2026-8902

The AJAX Report Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.4. This is due to missing or incorrect nonce validation on the rcoptionspage function. This makes it possible for unauthenticated attackers to modify plugin settings...

4.3CVSS0.00124EPSS

Exploits0References3

NVD•added 2026/06/09 5:16 a.m.•12 views

CVE-2026-8909

The WpMobi plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.3. This is due to missing or incorrect nonce validation on the handleSaveGeneralSettings function. This makes it possible for unauthenticated attackers to modify the plugin's...

4.3CVSS0.00128EPSS

Exploits0References4

EUVD•added 2026/06/09 3:41 a.m.•8 views

EUVD-2026-35314

The jQuery Hover Footnotes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the jqFootnotesoptionssubpanel function. This makes it possible for unauthenticated attackers to update th...

4.3CVSS5.5AI score0.00145EPSS

Exploits0References4

EUVD•added 2026/06/09 3:41 a.m.•7 views

EUVD-2026-35307

7.5CVSS5.5AI score0.00403EPSS

Exploits0References11

EUVD•added 2026/06/09 3:41 a.m.•9 views

EUVD-2026-35306

4.3CVSS5.5AI score0.00128EPSS

Exploits0References4

Cvelist•added 2026/06/09 3:41 a.m.•32 views

CVE-2026-8909 WpMobi <= 0.0.3 - Cross-Site Request Forgery via save_general_settings Action

4.3CVSS0.00128EPSS

Exploits0References4

Cvelist•added 2026/06/09 3:41 a.m.•32 views

CVE-2026-8907 WP-Ultimate-Map <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'zoom-level' Parameter

6.1CVSS0.00119EPSS

Exploits0References4

CVE•added 2026/06/09 3:41 a.m.•19 views

CVE-2026-8907

CVE-2026-8907 affects the WordPress plugin WP-Ultimate-Map (versions ≤ 1.1). The root cause is missing nonce validation on the process_init() handler (hooked to admin_init), which saves settings (zoom-level, focus-lat, focus-lng, sel_places, sel_routes) based solely on a save-setting POST paramet...

6.1CVSS5.5AI score0.00119EPSS

Exploits0References4