CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

849 matches found

RedhatCVE•added 2026/01/25 9:16 a.m.•12 views

CVE-2026-1191

The JavaScript Notifier plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 1.2.8. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the wpfooter action. This makes it possible...

4.4CVSS5.8AI score0.00199EPSS

Exploits0References1

Cvelist•added 2026/01/24 9:8 a.m.•30 views

CVE-2026-1191 JavaScript Notifier <= 1.2.8 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

4.4CVSS0.00199EPSS

Exploits0References4

Vulnrichment•added 2026/01/24 9:8 a.m.•3 views

CVE-2026-1191 JavaScript Notifier <= 1.2.8 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

4.4CVSS6AI score0.00199EPSS

Exploits0References3

Vulnrichment•added 2026/01/24 9:8 a.m.•3 views

CVE-2026-1300 Responsive Header Plugin <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Settings Parameters

The Responsive Header plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple plugin settings parameters in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

4.4CVSS5.9AI score0.00199EPSS

Exploits0References5

Cvelist•added 2026/01/24 8:26 a.m.•34 views

CVE-2026-1266 Postalicious <= 3.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

The Postalicious plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions an...

4.4CVSS0.00245EPSS

Exploits0References9

Vulnrichment•added 2026/01/24 8:26 a.m.•3 views

CVE-2025-14907 Moderate Selected Posts <= 1.4 - Cross-Site Request Forgery to Plugin Settings Update

The Moderate Selected Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing nonce verification on the mspadminpage function. This makes it possible for unauthenticated attackers to modify plugin settings via a forg...

4.3CVSS5.8AI score0.00107EPSS

Exploits0References2

CVE•added 2026/01/24 8:26 a.m.•8 views

CVE-2025-14907

CVE-2025-14907 – Moderate Selected Posts (WordPress) CSRF vulnerability : The WordPress plugin is vulnerable in versions up to 1.4 due to missing nonce verification in the msp_admin_page() function. This enables unauthenticated attackers to modify plugin settings through forged requests if a site...

4.3CVSS5.5AI score0.00107EPSS

Exploits0References2

Patchstack•added 2026/01/24 12:49 a.m.•7 views

WordPress WP Youtube Video Gallery plugin <= 1.0 - Cross-Site Request Forgery to Plugin Settings Update vulnerability

Cross-Site Request Forgery to Plugin Settings Update vulnerability discovered by afnaan - SMKN 1 Bantul in WordPress Plugin WP Youtube Video Gallery versions = 1.0...

4.3CVSS5.5AI score0.00132EPSS

Exploits0References1Affected Software1

Positive Technologies•added 2026/01/24 12:0 a.m.•5 views

PT-2026-4604

4.4CVSS5.8AI score0.00199EPSS

Exploits0References4

CNNVD•added 2026/01/21 12:0 a.m.•3 views

GetSimple Content Management System: Code Injection Vulnerability

GetSimple Content Management System is an open-source content management system developed by GetSimpleCMS. Version 1.1.2 of GetSimple Content Management System has a code injection vulnerability. This vulnerability stems from PHP code injection through plugin configuration parameters, which may...

8.6CVSS6.1AI score0.0109EPSS

Exploits1References6

CVE•added 2026/01/16 6:43 a.m.•10 views

CVE-2025-14853

CVE-2025-14853 affects the LEAV Last Email Address Validator WordPress plugin (versions

4.3CVSS5.2AI score0.00131EPSS

Exploits0References4

RedhatCVE•added 2026/01/15 7:23 a.m.•15 views

CVE-2026-0741

The Electric Studio Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

4.4CVSS5AI score0.00207EPSS

Exploits0References1

RedhatCVE•added 2026/01/15 7:23 a.m.•7 views

CVE-2025-14846

The SocialChamp with WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.5. This is due to missing nonce validation on the wpscsettingstabmenu function. This makes it possible for unauthenticated attackers to modify plugin settings...

4.3CVSS5.8AI score0.00124EPSS

Exploits0References1

RedhatCVE•added 2026/01/15 7:23 a.m.•11 views

CVE-2026-0739

The WMF Mobile Redirector plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level...

4.4CVSS5AI score0.00249EPSS

Exploits0References1

NVD•added 2026/01/14 6:15 a.m.•21 views

CVE-2025-14482

The Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 1.8.7. This makes it possible for authenticated attackers, with...

4.3CVSS0.00256EPSS

Exploits0References4

Vulnrichment•added 2026/01/14 5:28 a.m.•2 views

CVE-2025-15021 Gotham Block Extra Light <= 1.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

The Gotham Block Extra Light plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...

4.4CVSS4.7AI score0.00189EPSS

Exploits0References3

CVE•added 2026/01/14 5:28 a.m.•14 views

CVE-2025-15021

The CVE-2025-15021 entry concerns the WordPress Gotham Block Extra Light plugin. A stored XSS vulnerability exists in admin settings for all versions up to 1.5.0, caused by insufficient input sanitization and output escaping. Authenticated attackers with administrator-level permissions (and above...

4.4CVSS4.7AI score0.00189EPSS

Exploits0References3

Patchstack•added 2026/01/13 11:5 p.m.•5 views

WordPress Perfit WooCommerce plugin <= 1.0.1 - Missing Authorization to Unauthenticated Arbitrary Plugin Settings Deletion vulnerability

Missing Authorization to Unauthenticated Arbitrary Plugin Settings Deletion vulnerability discovered by Legion Hunter in WordPress Plugin Perfit WooCommerce versions = 1.0.1...

5.3CVSS7AI score0.00232EPSS

Exploits0References1Affected Software1

Patchstack•added 2026/01/13 10:47 p.m.•6 views

WordPress Gotham Block Extra Light plugin <= 1.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin Settings vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting via plugin Settings vulnerability discovered by 0x34rth in WordPress Plugin Gotham Block Extra Light versions = 1.5.0...

4.4CVSS5.7AI score0.00189EPSS

Exploits0References1Affected Software1

RedhatCVE•added 2026/01/09 10:11 a.m.•8 views

CVE-2019-11869

The Yuzo Related Posts plugin 5.12.94 for WordPress has XSS because it mistakenly expects that isadmin verifies that the request comes from an admin user it actually only verifies that the request is for an admin page. An unauthenticated attacker can inject a payload into the plugin settings, suc...

6.1CVSS6.2AI score0.05331EPSS

Exploits1References1

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by