Lucene search
K

225322 matches found

NVD
NVD
added 2026/05/20 2:16 a.m.15 views

CVE-2026-8624

The LJ comments import: reloaded plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHPSELF Parameter in all versions up to, and including, 0.97.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

6.1CVSS0.00266EPSS
Exploits0References3
NVD
NVD
added 2026/05/20 2:16 a.m.17 views

CVE-2026-8626

The SponsorMe plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHPSELF Parameter in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...

6.1CVSS0.00266EPSS
Exploits0References3
NVD
NVD
added 2026/05/20 2:16 a.m.15 views

CVE-2026-7284

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.4.4. This is due to the 'easyelhandleregister' function not restricting what user roles a user can register with...

9.8CVSS0.00494EPSS
Exploits0References3
NVD
NVD
added 2026/05/20 2:16 a.m.26 views

CVE-2026-8038

The Faces of Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in the 'facesofusers' shortcode in all versions up to, and including, 0.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...

6.4CVSS0.00246EPSS
Exploits0References3
NVD
NVD
added 2026/05/20 2:16 a.m.17 views

CVE-2026-8419

The Amazon Scraper plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scrip...

4.3CVSS0.00191EPSS
Exploits0References9
NVD
NVD
added 2026/05/20 2:16 a.m.15 views

CVE-2026-8418

The Games Catalog plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the gccrud function which handles the delete action action=delete via a GET request without any wpverifynonce /...

4.3CVSS0.00163EPSS
Exploits0References7
NVD
NVD
added 2026/05/20 2:16 a.m.16 views

CVE-2026-7462

The VatanSMS WP SMS plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the page parameter in all versions up to, and including, 1.01. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary...

6.1CVSS0.00275EPSS
Exploits0References4
NVD
NVD
added 2026/05/20 2:16 a.m.13 views

CVE-2026-6400

The Child Height Predictor by Ostheimer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.3. This is due to missing nonce verification in the options function, which handles plugin settings updates. The form template does not include a...

4.3CVSS0.00163EPSS
Exploits0References5
NVD
NVD
added 2026/05/20 2:16 a.m.17 views

CVE-2026-6401

The Bottom Bar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.1.7. This is due to missing nonce verification on the plugin's settings update forms handled in bottom-bar-admin.php. None of the three settings forms main settings, sharing...

4.3CVSS0.00187EPSS
Exploits0References5
NVD
NVD
added 2026/05/20 2:16 a.m.20 views

CVE-2026-6452

The Bigfishgames Syndicate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the bigfishgamessyndicatesubmenu function. This makes it possible for unauthenticated attackers to reset...

4.3CVSS0.00158EPSS
Exploits0References5
NVD
NVD
added 2026/05/20 2:16 a.m.14 views

CVE-2026-6549

The Logo Manager For Enamad plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute of the vcenamadnamad, vcenamadshamed, and vcenamadcustom shortcodes in all versions up to, and including, 0.7.4 due to insufficient input sanitization and output escaping on use...

6.4CVSS0.00245EPSS
Exploits0References4
NVD
NVD
added 2026/05/20 2:16 a.m.15 views

CVE-2026-6555

The ProSolution WP Client plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 2.0.0. This is due to an array validation mismatch where only the first file in the upload array undergoes extension and MIME type validation, while all files are processed and...

9.8CVSS0.00978EPSS
Exploits0References10
NVD
NVD
added 2026/05/20 2:16 a.m.20 views

CVE-2026-6456

The Account Switcher plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.2. This is due to the rememberLogin REST API endpoint using a loose comparison != instead of !== for secret validation at app/RestAPI.php:111, combined with no validation that...

8.8CVSS0.00385EPSS
Exploits0References4
NVD
NVD
added 2026/05/20 2:16 a.m.9 views

CVE-2026-6397

The Sticky plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the cvmh-sticky shortcode readmoretext attribute in versions up to and including 2.5.6. This is due to insufficient input sanitization and output escaping in the cvmhstickyfrontrender function — the readmoretext...

6.4CVSS0.00245EPSS
Exploits0References5
NVD
NVD
added 2026/05/20 2:16 a.m.18 views

CVE-2026-6072

The Oliver POS – A WooCommerce Point of Sale POS plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.4.2.6. The plugin protects its entire /wp-json/pos-bridge/ REST API namespace through the oliverposrestauthentication...

6.5CVSS0.00475EPSS
Exploits0References11
NVD
NVD
added 2026/05/20 2:16 a.m.17 views

CVE-2026-6394

The Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Server-Side Request Forgery SSRF in versions up to and including 1.1.1. This is due to the importdemo function accepting a user-supplied URL in the demojsonfile POST parameter and...

5.4CVSS0.00316EPSS
Exploits0References7
NVD
NVD
added 2026/05/20 2:16 a.m.15 views

CVE-2026-5293

The 診断ジェネレータ作成プラグイン Diagnosis Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'js' parameter in versions up to and including 1.4.16. This is due to missing authorization checks and insufficient input sanitization in the themeFunc function. The function is hooke...

6.4CVSS0.00308EPSS
Exploits0References9
NVD
NVD
added 2026/05/20 2:16 a.m.13 views

CVE-2026-3985

The Creative Mail – Easier WordPress & WooCommerce Email Marketing plugin for WordPress is vulnerable to SQL Injection via the 'checkoutuuid' parameter in all versions up to, and including, 1.6.9. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparati...

7.5CVSS0.00391EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/20 1:25 a.m.7 views

CVE-2026-8038

The Faces of Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in the 'facesofusers' shortcode in all versions up to, and including, 0.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...

6.4CVSS6AI score0.00246EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/20 1:25 a.m.7 views

CVE-2026-6395

The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2cadmin function, combined with missing inp...

6.1CVSS6AI score0.00153EPSS
Exploits0References8
Rows per page
Query Builder