Lucene search
K

105362 matches found

Cvelist
Cvelist
added 2026/05/05 7:42 a.m.42 views

CVE-2026-3359 Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.42 - Unauthenticated SQL Injection via 'inputs'

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection via the 'inputs' parameter in versions up to, and including, 1.15.42 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

7.5CVSS0.00358EPSS
Exploits1References2
CVE
CVE
added 2026/05/05 7:42 a.m.20 views

CVE-2026-3359

The CVE-2026-3359 entry concerns the WordPress plugin Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder. Affected component: the inputs parameter used in SQL queries. Root cause: insufficient escaping and lack of adequate query preparation, allowing unauthenticated attackers ...

7.5CVSS5.9AI score0.00358EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/05/05 7:42 a.m.6 views

CVE-2026-3359 Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder <= 1.15.42 - Unauthenticated SQL Injection via 'inputs'

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection via the 'inputs' parameter in versions up to, and including, 1.15.42 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

7.5CVSS5.9AI score0.00358EPSS
Exploits1References2
EUVD
EUVD
added 2026/05/05 6:31 a.m.8 views

EUVD-2026-27175

The GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to SQL Injection via the 'attributekey' parameter in versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparatio...

7.5CVSS5.9AI score0.00278EPSS
Exploits0References3
EUVD
EUVD
added 2026/05/05 6:31 a.m.40 views

EUVD-2026-27185

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'status' parameter in the wprupdateformactionmeta AJAX action in all versions up to, and including, 1.7.1056. This is due to insufficient input sanitization and output escaping, combined with a...

7.2CVSS6AI score0.00359EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/05/05 4:30 a.m.9 views

CVE-2026-7822

A vulnerability was identified in itsourcecode Courier Management System 1.0. This impacts an unknown function of the file /printpdets.php. The manipulation of the argument ids leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used...

6.5CVSS6.5AI score0.00196EPSS
Exploits0References5Affected Software1
NVD
NVD
added 2026/05/05 4:16 a.m.45 views

CVE-2026-4803

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'status' parameter in the wprupdateformactionmeta AJAX action in all versions up to, and including, 1.7.1056. This is due to insufficient input sanitization and output escaping, combined with a...

7.2CVSS0.00359EPSS
Exploits0References6
NVD
NVD
added 2026/05/05 4:16 a.m.11 views

CVE-2026-3456

The GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to SQL Injection via the 'attributekey' parameter in versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparatio...

7.5CVSS0.00278EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/05 3:37 a.m.59 views

CVE-2026-4803 Royal Addons for Elementor <= 1.7.1056 - Unauthenticated Stored Cross-Site Scripting via 'status' Parameter in wpr_update_form_action_meta

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'status' parameter in the wprupdateformactionmeta AJAX action in all versions up to, and including, 1.7.1056. This is due to insufficient input sanitization and output escaping, combined with a...

7.2CVSS0.00359EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2026/05/05 3:37 a.m.6 views

CVE-2026-4803 Royal Addons for Elementor <= 1.7.1056 - Unauthenticated Stored Cross-Site Scripting via 'status' Parameter in wpr_update_form_action_meta

The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'status' parameter in the wprupdateformactionmeta AJAX action in all versions up to, and including, 1.7.1056. This is due to insufficient input sanitization and output escaping, combined with a...

7.2CVSS6AI score0.00359EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2026/05/05 3:37 a.m.8 views

CVE-2026-5957 EmailKit <= 1.6.5 - Authenticated (Author+) Arbitrary File Read via 'emailkit-editor-template' REST Parameter

The EmailKit plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to and including 1.6.5. This is due to a flawed path traversal validation in the createtemplate method of the CheckForm class, where realpath is called on the allowed base directory...

6.5CVSS5.9AI score0.0057EPSS
Exploits0References10
CVE
CVE
added 2026/05/05 3:37 a.m.16 views

CVE-2026-5957

The CVE concerns the WordPress EmailKit plugin (versions up to and including 1.6.5). A path traversal flaw in CheckForm.php::create_template() uses realpath() on the allowed base directory (wp-content/uploads/emailkit/templates/), which may not exist, causing realpath() to return false. In PHP 8....

6.5CVSS5.9AI score0.0057EPSS
Exploits0References10
CVE
CVE
added 2026/05/05 3:37 a.m.17 views

CVE-2026-3456

The CVE concerns the WordPress plugin GeekyBot – Generate AI Content Without Prompt, Chatbot and Lead Generation (versions up to 1.2.0). It is vulnerable to SQL Injection via the attributekey parameter due to insufficient escaping and lack of proper query parameterization, allowing unauthenticate...

7.5CVSS5.9AI score0.00278EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/05 3:37 a.m.8 views

CVE-2026-3456 GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation <= 1.2.0 - Unauthenticated SQL Injection via 'attributekey'

The GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to SQL Injection via the 'attributekey' parameter in versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparatio...

7.5CVSS5.9AI score0.00278EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/05 3:37 a.m.40 views

CVE-2026-3456 GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation <= 1.2.0 - Unauthenticated SQL Injection via 'attributekey'

The GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to SQL Injection via the 'attributekey' parameter in versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparatio...

7.5CVSS0.00278EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/05 3:31 a.m.11 views

EUVD-2026-27209

The Blog Settings plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary w...

6.1CVSS6AI score0.00211EPSS
Exploits0References5
EUVD
EUVD
added 2026/05/05 3:31 a.m.5 views

EUVD-2026-27188

The AWP Classifieds plugin for WordPress is vulnerable to SQL Injection via the 'regions' parameter array keys in versions up to, and including, 4.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible f...

7.5CVSS5.9AI score0.00413EPSS
Exploits0References20
EUVD
EUVD
added 2026/05/05 3:31 a.m.5 views

EUVD-2026-27201

The Zingaya Click-to-Call plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email', 'firstname', 'lastname', and 'phone' parameters on the plugin's sign-up admin page in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output...

6.1CVSS6AI score0.00219EPSS
Exploits0References7
NVD
NVD
added 2026/05/05 3:16 a.m.24 views

CVE-2026-6704

The Blog Settings plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary w...

6.1CVSS0.00211EPSS
Exploits0References4
NVD
NVD
added 2026/05/05 3:16 a.m.11 views

CVE-2026-6696

The Zingaya Click-to-Call plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email', 'firstname', 'lastname', and 'phone' parameters on the plugin's sign-up admin page in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output...

6.1CVSS0.00219EPSS
Exploits0References6
Rows per page
Query Builder