225333 matches found
CVE-2026-6452
The Bigfishgames Syndicate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the bigfishgamessyndicatesubmenu function. This makes it possible for unauthenticated attackers to reset...
CVE-2026-6549
The Logo Manager For Enamad plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute of the vcenamadnamad, vcenamadshamed, and vcenamadcustom shortcodes in all versions up to, and including, 0.7.4 due to insufficient input sanitization and output escaping on use...
CVE-2026-6555
The ProSolution WP Client plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 2.0.0. This is due to an array validation mismatch where only the first file in the upload array undergoes extension and MIME type validation, while all files are processed and...
CVE-2026-6456
The Account Switcher plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.2. This is due to the rememberLogin REST API endpoint using a loose comparison != instead of !== for secret validation at app/RestAPI.php:111, combined with no validation that...
CVE-2026-6397
The Sticky plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the cvmh-sticky shortcode readmoretext attribute in versions up to and including 2.5.6. This is due to insufficient input sanitization and output escaping in the cvmhstickyfrontrender function — the readmoretext...
CVE-2026-6072
The Oliver POS – A WooCommerce Point of Sale POS plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.4.2.6. The plugin protects its entire /wp-json/pos-bridge/ REST API namespace through the oliverposrestauthentication...
CVE-2026-6394
The Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Server-Side Request Forgery SSRF in versions up to and including 1.1.1. This is due to the importdemo function accepting a user-supplied URL in the demojsonfile POST parameter and...
CVE-2026-5293
The 診断ジェネレータ作成プラグイン Diagnosis Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'js' parameter in versions up to and including 1.4.16. This is due to missing authorization checks and insufficient input sanitization in the themeFunc function. The function is hooke...
CVE-2026-3985
The Creative Mail – Easier WordPress & WooCommerce Email Marketing plugin for WordPress is vulnerable to SQL Injection via the 'checkoutuuid' parameter in all versions up to, and including, 1.6.9. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparati...
CVE-2026-8038
The Faces of Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in the 'facesofusers' shortcode in all versions up to, and including, 0.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...
CVE-2026-6395
The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2cadmin function, combined with missing inp...
CVE-2026-8038
The CVE concerns the WordPress plugin Faces of Users, vulnerable to Stored Cross-Site Scripting via the default shortcode attribute in the facesofusers shortcode, affecting all versions up to 0.0.3. Root cause: insufficient input sanitization and output escaping. Exploitation requires authenticat...
CVE-2026-8038 Faces of Users <= 0.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'default' Shortcode Attribute
The Faces of Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in the 'facesofusers' shortcode in all versions up to, and including, 0.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...
CVE-2026-6549 Logo Manager For Enamad <= 0.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute
The Logo Manager For Enamad plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute of the vcenamadnamad, vcenamadshamed, and vcenamadcustom shortcodes in all versions up to, and including, 0.7.4 due to insufficient input sanitization and output escaping on use...
CVE-2026-6395 Word 2 Cash <= 0.9.2 - Cross-Site Request Forgeryto Stored Cross-Site Scripting via Settings Page
The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2cadmin function, combined with missing inp...
CVE-2026-6395 Word 2 Cash <= 0.9.2 - Cross-Site Request Forgeryto Stored Cross-Site Scripting via Settings Page
The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2cadmin function, combined with missing inp...
CVE-2026-6549 Logo Manager For Enamad <= 0.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute
The Logo Manager For Enamad plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute of the vcenamadnamad, vcenamadshamed, and vcenamadcustom shortcodes in all versions up to, and including, 0.7.4 due to insufficient input sanitization and output escaping on use...
CVE-2026-8038 Faces of Users <= 0.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'default' Shortcode Attribute
The Faces of Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in the 'facesofusers' shortcode in all versions up to, and including, 0.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...
EUVD-2026-31042
The Logo Manager For Enamad plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute of the vcenamadnamad, vcenamadshamed, and vcenamadcustom shortcodes in all versions up to, and including, 0.7.4 due to insufficient input sanitization and output escaping on use...
EUVD-2026-31041
The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2cadmin function, combined with missing inp...