CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

849 matches found

EUVD•added 2026/03/21 6:30 a.m.•2 views

EUVD-2026-14004

The Redirect countdown plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the countdownsettingscontent function. This makes it possible for unauthenticated attackers to update the plugin settings...

4.3CVSS5.7AI score0.0014EPSS

Exploits0References4

EUVD•added 2026/03/21 6:30 a.m.•3 views

EUVD-2026-14007

The Add Google Social Profiles to Knowledge Graph Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to...

4.3CVSS5.7AI score0.0014EPSS

Exploits0References4

Vulnrichment•added 2026/03/21 3:26 a.m.•1 views

CVE-2026-3332 Xhanch - My Advanced Settings <= 1.1.2 - Cross-Site Request Forgery to Settings Update

The Xhanch - My Advanced Settings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation in the xmssetting function on the settings update handler. This makes it possible for unauthenticated attackers t...

4.3CVSS5.7AI score0.0014EPSS

Exploits0References3

Vulnrichment•added 2026/03/21 3:26 a.m.•1 views

CVE-2026-2294 UiPress lite | Effortless custom dashboards, admin themes and pages <= 3.5.09 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update

The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'uipsaveglobalsettings' function in all versions up to, and including, 3.5.09. This makes it possible for...

4.3CVSS5.9AI score0.00192EPSS

Exploits0References2

CVE•added 2026/03/21 3:26 a.m.•6 views

CVE-2026-2294

CVE-2026-2294 affects the UiPress lite WordPress plugin. The vulnerability is caused by a missing capability check in the uip_save_global_settings function across all versions up to 3.5.09, allowing authenticated attackers with Subscriber-level access and above to modify arbitrary plugin settings...

4.3CVSS5.9AI score0.00192EPSS

Exploits0References2

Vulnrichment•added 2026/03/21 3:26 a.m.•3 views

CVE-2026-1247 Survey <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

The Survey plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above,...

4.4CVSS5.9AI score0.00245EPSS

Exploits0References5

Cvelist•added 2026/03/21 3:26 a.m.•26 views

CVE-2026-1247 Survey <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

4.4CVSS0.00245EPSS

Exploits0References5

Cvelist•added 2026/03/21 3:26 a.m.•25 views

CVE-2026-1378 WP Posts Re-order <= 1.0 - Cross-Site Request Forgery to Settings Update

The WP Posts Re-order plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the cptpluginoptions function. This makes it possible for unauthenticated attackers to update the plugin settings including...

4.3CVSS0.0014EPSS

Exploits0References3

ATTACKERKB•added 2026/03/21 3:26 a.m.•1 views

CVE-2026-1378

4.3CVSS5.7AI score0.0014EPSS

Exploits0References4

Vulnrichment•added 2026/03/21 3:26 a.m.•2 views

CVE-2026-3570 Smarter Analytics <= 2.0 - Missing Authorization to Unauthenticated Plugin Settings Reset via 'reset' Parameter

The Smarter Analytics plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.0. This is due to missing authentication and capability checks on the configuration reset functionality in the global scope of smarter-analytics.php. This makes it possible for...

5.3CVSS5.8AI score0.00302EPSS

Exploits0References3

Cvelist•added 2026/03/21 3:26 a.m.•27 views

CVE-2026-3570 Smarter Analytics <= 2.0 - Missing Authorization to Unauthenticated Plugin Settings Reset via 'reset' Parameter

5.3CVSS0.00302EPSS

Exploits0References3

CVE•added 2026/03/21 3:26 a.m.•7 views

CVE-2026-3570

The CVE-2026-3570 entry concerns the Smarter Analytics plugin for WordPress. Affected: all versions up to and including 2.0. Root cause: missing authentication and capability checks on the configuration reset function in smarter-analytics.php, in the global scope. Impact: unauthenticated attacker...

5.3CVSS5.8AI score0.00302EPSS

Exploits0References3

Vulnrichment•added 2026/03/07 7:22 a.m.•3 views

CVE-2026-2420 LotekMedia Popup Form <= 1.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings

The LotekMedia Popup Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level...

4.4CVSS5.7AI score0.00193EPSS

Exploits0References3

CVE•added 2026/03/07 7:22 a.m.•7 views

CVE-2026-2420

CVE-2026-2420 (LotekMedia Popup Form, WordPress) : Stored XSS in plugin settings affecting all versions up to 1.0.6. Exploitation requires Administrator+ privileges; payload executes on frontend pages displaying the popup. Connected docs confirm the issue and affected version range; no explicit f...

4.4CVSS5.7AI score0.00193EPSS

Exploits0References3

Patchstack•added 2026/03/07 2:32 a.m.•4 views

WordPress LotekMedia Popup Form plugin <= 1.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting via Plugin Settings vulnerability discovered by Hieus in WordPress Plugin LotekMedia Popup Form versions = 1.0.6...

4.4CVSS5.8AI score0.00193EPSS

Exploits0References1Affected Software1

Patchstack•added 2026/03/07 2:23 a.m.•5 views

WordPress Carta Online plugin <= 2.13.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting via Plugin Settings vulnerability discovered by 0x34rth in WordPress Plugin Carta Online versions = 2.13.0...

4.4CVSS5.8AI score0.00193EPSS

Exploits0References1Affected Software1

Patchstack•added 2026/03/07 12:10 a.m.•5 views

WordPress Winston AI plugin <= 0.0.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Deletion vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Plugin Settings Deletion vulnerability discovered by Legion Hunter in WordPress Plugin HUMN-1 AI Website Scanner & Human Certification by Winston AI versions = 0.0.3...

4.3CVSS5.8AI score0.00283EPSS

Exploits0References1Affected Software1

Patchstack•added 2026/02/24 11:18 p.m.•7 views

WordPress Disable Admin Notices - Hide Dashboard Notifications plugin <= 1.4.2 - Cross-Site Request Forgery to Plugin Settings Update vulnerability

WordPress Disable Admin Notices - Hide Dashboard Notifications plugin = 1.4.2 - Cross-Site Request Forgery to Plugin Settings Update vulnerability discovered by lucsob in WordPress Plugin Disable Admin Notices individually versions = 1.4.2...

4.3CVSS5.4AI score0.00131EPSS

Exploits0References1Affected Software1

RedhatCVE•added 2026/02/19 1:29 p.m.•5 views

CVE-2025-14799

The Brevo - Email, SMS, Web Push, Chat, and more. plugin for WordPress is vulnerable to authorization bypass due to type juggling in all versions up to, and including, 3.3.0. This is due to the use of loose comparison == instead of strict comparison === when validating the installation ID in the...

6.5CVSS5.5AI score0.00463EPSS

Exploits0References1

RedhatCVE•added 2026/02/19 7:28 a.m.•3 views

CVE-2026-1072

The Keybase.io Verification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.5. This is due to missing nonce validation when updating plugin settings. This makes it possible for unauthenticated attackers to update the Keybase verification...

4.3CVSS5.3AI score0.00156EPSS

Exploits0References1

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by