Lucene search
K

225131 matches found

NVD
NVD
added 2026/05/22 5:16 a.m.12 views

CVE-2026-9104

The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Draft Post Title in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to...

6.4CVSS0.0022EPSS
Exploits0References7
NVD
NVD
added 2026/05/22 5:16 a.m.16 views

CVE-2026-9018

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.5 via the easyelhandleregister function. This is due to the wpajaxnopriveelregister AJAX handler iterating the attacker-controlled...

8.8CVSS0.00541EPSS
Exploits1References5
NVD
NVD
added 2026/05/22 5:16 a.m.19 views

CVE-2026-7509

The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's the-subtitle shortcode before and after attributes in all versions up to, and including, 4.0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This...

6.4CVSS0.00249EPSS
Exploits0References7
NVD
NVD
added 2026/05/22 5:16 a.m.16 views

CVE-2026-6864

The CBX 5 Star Rating & Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

6.1CVSS0.00264EPSS
Exploits0References5
NVD
NVD
added 2026/05/22 5:16 a.m.12 views

CVE-2026-4070

The Alfie – Feed Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the alfiemanage function which handles feed deletion via the 'delete' GET parameter. This makes it possible for...

4.3CVSS0.00164EPSS
Exploits0References5
NVD
NVD
added 2026/05/22 5:16 a.m.14 views

CVE-2026-7249

The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the splwupdateblockoptions and lwpcleanweathertransients functions in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with...

4.3CVSS0.00248EPSS
Exploits0References6
NVD
NVD
added 2026/05/22 5:16 a.m.15 views

CVE-2026-3481

The WP Blockade plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to and including 0.9.14. This is due to insufficient input sanitization and output escaping in the rendershortcodepreview function. The function receives user inpu...

6.1CVSS0.00249EPSS
Exploits0References5
NVD
NVD
added 2026/05/22 5:16 a.m.20 views

CVE-2026-2518

The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultpinstallcallback' and 'ultpactivatecallback' functions in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers...

4.3CVSS0.0023EPSS
Exploits0References3
CVE
CVE
added 2026/05/22 4:29 a.m.20 views

CVE-2026-4070

The CVE-2026-4070 entry concerns the Alfie – Feed Plugin for WordPress (versions up to 1.2.1). It is a Cross-Site Request Forgery (CSRF) vulnerability caused by missing nonce validation in the alfie_manage() function, which handles feed deletion via the GET parameter ‘delete’. This allows an unau...

4.3CVSS5.9AI score0.00164EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/05/22 4:29 a.m.46 views

CVE-2026-9018 Easy Elements for Elementor – Addons & Website Templates <= 1.4.5 - Unauthenticated Privilege Escalation via 'custom_meta' Parameter

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.5 via the easyelhandleregister function. This is due to the wpajaxnopriveelregister AJAX handler iterating the attacker-controlled...

8.8CVSS0.00541EPSS
Exploits1References5
ATTACKERKB
ATTACKERKB
added 2026/05/22 4:29 a.m.13 views

CVE-2026-4070

The Alfie – Feed Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the alfiemanage function which handles feed deletion via the 'delete' GET parameter. This makes it possible for...

4.3CVSS5.9AI score0.00164EPSS
Exploits0References6
EUVD
EUVD
added 2026/05/22 4:29 a.m.10 views

EUVD-2026-31411

The Alfie – Feed Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the alfiemanage function which handles feed deletion via the 'delete' GET parameter. This makes it possible for...

4.3CVSS5.9AI score0.00164EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/05/22 4:29 a.m.41 views

CVE-2026-4070 Alfie <= 1.2.1 - Cross-Site Request Forgery to Feed Deletion via 'delete' Parameter

The Alfie – Feed Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the alfiemanage function which handles feed deletion via the 'delete' GET parameter. This makes it possible for...

4.3CVSS0.00164EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/05/22 4:29 a.m.8 views

CVE-2026-9018

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.5 via the easyelhandleregister function. This is due to the wpajaxnopriveelregister AJAX handler iterating the attacker-controlled...

8.8CVSS5.8AI score0.00541EPSS
Exploits1References6
EUVD
EUVD
added 2026/05/22 4:29 a.m.13 views

EUVD-2026-31410

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.5 via the easyelhandleregister function. This is due to the wpajaxnopriveelregister AJAX handler iterating the attacker-controlled...

8.8CVSS5.8AI score0.00541EPSS
Exploits1References5
Vulnrichment
Vulnrichment
added 2026/05/22 4:29 a.m.8 views

CVE-2026-4070 Alfie <= 1.2.1 - Cross-Site Request Forgery to Feed Deletion via 'delete' Parameter

The Alfie – Feed Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the alfiemanage function which handles feed deletion via the 'delete' GET parameter. This makes it possible for...

4.3CVSS5.9AI score0.00164EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/05/22 4:29 a.m.9 views

CVE-2026-9018 Easy Elements for Elementor – Addons & Website Templates <= 1.4.5 - Unauthenticated Privilege Escalation via 'custom_meta' Parameter

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.5 via the easyelhandleregister function. This is due to the wpajaxnopriveelregister AJAX handler iterating the attacker-controlled...

8.8CVSS5.8AI score0.00541EPSS
Exploits1References5
CVE
CVE
added 2026/05/22 4:29 a.m.34 views

CVE-2026-9018

The Easy Elements for Elementor – Addons & Website Templates WordPress plugin (≤ 1.4.5) is vulnerable to Privilege Escalation via the easyel_handle_register() flow. The wp_ajax_nopriv_eel_register handler writes attacker-supplied custom_meta to new users via update_user_meta(), with no key whitel...

8.8CVSS5.8AI score0.00541EPSS
Exploits1References5
Vulnrichment
Vulnrichment
added 2026/05/22 4:29 a.m.10 views

CVE-2026-2518 FastX <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Installation and Activation

The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultpinstallcallback' and 'ultpactivatecallback' functions in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers...

4.3CVSS5.8AI score0.0023EPSS
Exploits0References3
EUVD
EUVD
added 2026/05/22 4:29 a.m.13 views

EUVD-2026-31412

The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultpinstallcallback' and 'ultpactivatecallback' functions in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers...

4.3CVSS5.8AI score0.0023EPSS
Exploits0References3
Rows per page
Query Builder