CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

EUVD•added 2026/06/18 6:4 a.m.•8 views

EUVD-2026-37853

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to Cross-Site Request Forgery in the administration configuration handler. In system/admin/admin.config.php, the configuration update action 'a=update' processes POST data via cotconfigupdateoptions without calling cotcheckxg to validate...

8.8CVSS5.5AI score0.00176EPSS

Exploits0References2

RedhatCVE•added 2026/05/26 8:14 p.m.•12 views

CVE-2026-6897

The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'WishListMember\Features\TeamAccounts::savesettings' function in all versions up to, and including, 3.30.1. This makes it possible for authenticated attackers, with...

8.8CVSS5.8AI score0.00244EPSS

ATTACKERKB•added 2026/05/10 12:12 p.m.•10 views

CVE-2022-50945

WordPress 3dady Real-Time Web Stats plugin 1.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript by exploiting unsanitized input fields. Attackers can insert JavaScript payloads in the dadyinputtext or dady2inputtext fields via...

6.4CVSS6AI score0.00217EPSS

Exploits0References3Affected Software1

CVE•added 2026/05/09 12:29 p.m.•18 views

CVE-2026-8198

CVE-2026-8198 affects the WordPress Logtivity plugin (Activity Logs, User Activity Tracking, Multisite Activity Log). Up to and including version 3.3.6, a logic flaw in verifyAuthorization causes requests without an Authorization header to skip Bearer token validation and fall through to an uncon...

5.3CVSS5.7AI score0.00449EPSS

Exploits0References6

Cvelist•added 2026/04/17 6:44 a.m.•64 views

CVE-2026-6441 Canto <= 3.1.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Setting Modification

The Canto plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 3.1.1. This is due to the absence of any capability check or nonce verification in the updateOptions function, which is exposed via two AJAX hooks: wpajaxupdateOptions class-canto.php line 231 an...

4.3CVSS0.00282EPSS

Exploits0References7

NVD•added 2026/04/07 3:17 p.m.•4 views

CVE-2026-35463

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMINONLYOPTIONS protection mechanism restricts security-critical configuration values reconnect scripts, SSL certs, proxy credentials to admin-only access. However, this protection is only...

8.8CVSS0.00815EPSS

Exploits1References2

RedhatCVE•added 2026/03/26 3:10 p.m.•3 views

CVE-2026-1378

The WP Posts Re-order plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the cptpluginoptions function. This makes it possible for unauthenticated attackers to update the plugin settings including...

EUVD•added 2026/03/21 6:30 a.m.•3 views

EUVD-2026-14006

NVD•added 2026/03/21 4:16 a.m.•1 views

CVE-2026-1378

4.3CVSS0.0014EPSS

Cvelist•added 2026/03/21 3:26 a.m.•30 views

CVE-2026-1253 Group Chat & Video Chat by AtomChat <= 1.1.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Options Update

The Group Chat & Video Chat by AtomChat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'atomchatupdateauthajax' and 'atomchatupdatelayoutajax' functions in all versions up to, and including, 1.1.7. This makes it possible for...

4.3CVSS0.00285EPSS

ATTACKERKB•added 2026/03/21 3:26 a.m.•2 views

CVE-2026-1378

Vulnrichment•added 2026/03/21 3:26 a.m.•2 views

CVE-2026-1378 WP Posts Re-order <= 1.0 - Cross-Site Request Forgery to Settings Update

Positive Technologies•added 2026/03/21 12:0 a.m.•5 views

PT-2026-26806

The WP Posts Re-order plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the cpt plugin options function. This makes it possible for unauthenticated attackers to update the plugin settings includin...

ATTACKERKB•added 2026/03/20 11:25 p.m.•8 views

CVE-2026-3567

The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 4.1132. The plugin exposes two AJAX handlers that, when combined, allow any authenticated user to modify admin-level plugin settings. First, the...

5.3CVSS5.9AI score0.00236EPSS

Exploits0References7

EUVD•added 2026/03/13 9:31 p.m.•5 views

EUVD-2026-11748

wpDiscuz before 7.6.47 contains an information disclosure vulnerability that allows administrators to inadvertently expose OAuth secrets by exporting plugin options as JSON. Attackers can obtain exported files containing plaintext API secrets like fbAppSecret, googleClientSecret, twitterAppSecret...

6.9CVSS5.8AI score0.00274EPSS

NVD•added 2026/03/13 7:54 p.m.•4 views

CVE-2026-22203

6.9CVSS0.00274EPSS

ATTACKERKB•added 2026/03/13 1:18 a.m.•7 views

CVE-2026-22203

6.9CVSS5.8AI score0.00274EPSS

CNVD•added 2026/03/02 12:0 a.m.•3 views

WordPress Plugin Web Accessibility by accessiBe Information Disclosure Vulnerability

WordPress is a blogging platform developed using the PHP language. The platform has the ability to set up a personal blog site on a PHP and MySQL based server.WordPress plugin is an application plugin. An information disclosure vulnerability exists in the WordPress plugin Web Accessibility by...

5.3CVSS5.6AI score0.00282EPSS