Lucene search
K

225134 matches found

CVE
CVE
added 2026/05/22 4:29 a.m.34 views

CVE-2026-9018

The Easy Elements for Elementor – Addons & Website Templates WordPress plugin (≤ 1.4.5) is vulnerable to Privilege Escalation via the easyel_handle_register() flow. The wp_ajax_nopriv_eel_register handler writes attacker-supplied custom_meta to new users via update_user_meta(), with no key whitel...

8.8CVSS5.8AI score0.00541EPSS
Exploits1References5
Vulnrichment
Vulnrichment
added 2026/05/22 4:29 a.m.10 views

CVE-2026-2518 FastX <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Installation and Activation

The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultpinstallcallback' and 'ultpactivatecallback' functions in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers...

4.3CVSS5.8AI score0.0023EPSS
Exploits0References3
EUVD
EUVD
added 2026/05/22 4:29 a.m.13 views

EUVD-2026-31412

The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultpinstallcallback' and 'ultpactivatecallback' functions in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers...

4.3CVSS5.8AI score0.0023EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/22 4:29 a.m.8 views

CVE-2026-2518

The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultpinstallcallback' and 'ultpactivatecallback' functions in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers...

4.3CVSS5.8AI score0.0023EPSS
Exploits0References4
CVE
CVE
added 2026/05/22 4:29 a.m.20 views

CVE-2026-2518

The CVE-2026-2518 entry concerns the WordPress FastX theme. The vulnerability is due to missing capability checks in two callbacks, ultp_install_callback and ultp_activate_callback, affecting all versions up to and including 1.0.2. This allows authenticated attackers with Subscriber-level access ...

4.3CVSS5.8AI score0.0023EPSS
Exploits0References3
CVE
CVE
added 2026/05/22 4:29 a.m.21 views

CVE-2026-3481

The CVE-2026-3481 entry concerns the WP Blockade WordPress plugin (versions

6.1CVSS6AI score0.00249EPSS
Exploits0References5
EUVD
EUVD
added 2026/05/22 4:29 a.m.11 views

EUVD-2026-31407

The WP Blockade plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to and including 0.9.14. This is due to insufficient input sanitization and output escaping in the rendershortcodepreview function. The function receives user inpu...

6.1CVSS6AI score0.00249EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/05/22 4:29 a.m.14 views

CVE-2026-3481 WP Blockade <= 0.9.14 - Reflected Cross-Site Scripting via 'shortcode' Parameter

The WP Blockade plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to and including 0.9.14. This is due to insufficient input sanitization and output escaping in the rendershortcodepreview function. The function receives user inpu...

6.1CVSS6AI score0.00249EPSS
Exploits0References5
NVD
NVD
added 2026/05/22 4:16 a.m.15 views

CVE-2026-4834

The WP ERP Pro plugin for WordPress is vulnerable to SQL Injection via the 'searchkey' parameter in all versions up to, and including, 1.5.1. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible fo...

7.5CVSS0.00273EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/22 3:39 a.m.8 views

CVE-2026-7249 Location Weather <= 3.0.2 - Missing Authorization to Authenticated (Contributor+) Block Settings Modification and Cache Purging

The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the splwupdateblockoptions and lwpcleanweathertransients functions in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with...

4.3CVSS5.8AI score0.00248EPSS
Exploits0References6
EUVD
EUVD
added 2026/05/22 3:39 a.m.15 views

EUVD-2026-31404

The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the splwupdateblockoptions and lwpcleanweathertransients functions in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with...

4.3CVSS5.8AI score0.00248EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/05/22 3:39 a.m.5 views

CVE-2026-7249

The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the splwupdateblockoptions and lwpcleanweathertransients functions in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with...

4.3CVSS5.8AI score0.00248EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/05/22 3:39 a.m.38 views

CVE-2026-7249 Location Weather <= 3.0.2 - Missing Authorization to Authenticated (Contributor+) Block Settings Modification and Cache Purging

The Location Weather plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the splwupdateblockoptions and lwpcleanweathertransients functions in all versions up to, and including, 3.0.2. This makes it possible for authenticated attackers, with...

4.3CVSS0.00248EPSS
Exploits0References6
CVE
CVE
added 2026/05/22 3:39 a.m.18 views

CVE-2026-7249

The CVE-2026-7249 entry pertains to the WordPress Location Weather plugin (versions up to 3.0.2). It lacks capability checks in splw_update_block_options() and lwp_clean_weather_transients(), allowing authenticated contributors+ to disable all weather blocks and purge weather cache transients. Th...

4.3CVSS5.8AI score0.00248EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/05/22 3:39 a.m.45 views

CVE-2026-7509 KIA Subtitle <= 4.0.1 - [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]

The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's the-subtitle shortcode before and after attributes in all versions up to, and including, 4.0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This...

6.4CVSS0.00249EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/05/22 3:39 a.m.9 views

CVE-2026-6864

The CBX 5 Star Rating & Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

6.1CVSS6AI score0.00264EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/05/22 3:39 a.m.9 views

CVE-2026-7509

The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's the-subtitle shortcode before and after attributes in all versions up to, and including, 4.0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This...

6.4CVSS6AI score0.00249EPSS
Exploits0References8
CVE
CVE
added 2026/05/22 3:39 a.m.20 views

CVE-2026-6864

The CVE-2026-6864 concern affects the CBX 5 Star Rating & Review plugin for WordPress. It is a Reflected Cross-Site Scripting flaw via the 'page' parameter in all versions up to 1.0.7, caused by insufficient input sanitization and output escaping. This enables unauthenticated attackers to inject ...

6.1CVSS6AI score0.00264EPSS
Exploits0References5
EUVD
EUVD
added 2026/05/22 3:39 a.m.11 views

EUVD-2026-31406

The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's the-subtitle shortcode before and after attributes in all versions up to, and including, 4.0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This...

6.4CVSS6AI score0.00249EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/05/22 3:39 a.m.36 views

CVE-2026-6864 CBX 5 Star Rating & Review <= 1.0.7 - Reflected Cross-Site Scripting via 'page' Parameter

The CBX 5 Star Rating & Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

6.1CVSS0.00264EPSS
Exploits0References5
Rows per page
Query Builder