Lucene search
K

225333 matches found

NVD
NVD
added 2026/05/20 2:16 a.m.20 views

CVE-2026-6452

The Bigfishgames Syndicate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the bigfishgamessyndicatesubmenu function. This makes it possible for unauthenticated attackers to reset...

4.3CVSS0.00158EPSS
Exploits0References5
NVD
NVD
added 2026/05/20 2:16 a.m.14 views

CVE-2026-6549

The Logo Manager For Enamad plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute of the vcenamadnamad, vcenamadshamed, and vcenamadcustom shortcodes in all versions up to, and including, 0.7.4 due to insufficient input sanitization and output escaping on use...

6.4CVSS0.00245EPSS
Exploits0References4
NVD
NVD
added 2026/05/20 2:16 a.m.15 views

CVE-2026-6555

The ProSolution WP Client plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 2.0.0. This is due to an array validation mismatch where only the first file in the upload array undergoes extension and MIME type validation, while all files are processed and...

9.8CVSS0.00978EPSS
Exploits0References10
NVD
NVD
added 2026/05/20 2:16 a.m.20 views

CVE-2026-6456

The Account Switcher plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.2. This is due to the rememberLogin REST API endpoint using a loose comparison != instead of !== for secret validation at app/RestAPI.php:111, combined with no validation that...

8.8CVSS0.00385EPSS
Exploits0References4
NVD
NVD
added 2026/05/20 2:16 a.m.9 views

CVE-2026-6397

The Sticky plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the cvmh-sticky shortcode readmoretext attribute in versions up to and including 2.5.6. This is due to insufficient input sanitization and output escaping in the cvmhstickyfrontrender function — the readmoretext...

6.4CVSS0.00245EPSS
Exploits0References5
NVD
NVD
added 2026/05/20 2:16 a.m.18 views

CVE-2026-6072

The Oliver POS – A WooCommerce Point of Sale POS plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.4.2.6. The plugin protects its entire /wp-json/pos-bridge/ REST API namespace through the oliverposrestauthentication...

6.5CVSS0.00475EPSS
Exploits0References11
NVD
NVD
added 2026/05/20 2:16 a.m.17 views

CVE-2026-6394

The Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Server-Side Request Forgery SSRF in versions up to and including 1.1.1. This is due to the importdemo function accepting a user-supplied URL in the demojsonfile POST parameter and...

5.4CVSS0.00316EPSS
Exploits0References7
NVD
NVD
added 2026/05/20 2:16 a.m.15 views

CVE-2026-5293

The 診断ジェネレータ作成プラグイン Diagnosis Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'js' parameter in versions up to and including 1.4.16. This is due to missing authorization checks and insufficient input sanitization in the themeFunc function. The function is hooke...

6.4CVSS0.00308EPSS
Exploits0References9
NVD
NVD
added 2026/05/20 2:16 a.m.13 views

CVE-2026-3985

The Creative Mail – Easier WordPress & WooCommerce Email Marketing plugin for WordPress is vulnerable to SQL Injection via the 'checkoutuuid' parameter in all versions up to, and including, 1.6.9. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparati...

7.5CVSS0.00391EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/20 1:25 a.m.7 views

CVE-2026-8038

The Faces of Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in the 'facesofusers' shortcode in all versions up to, and including, 0.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...

6.4CVSS6AI score0.00246EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/20 1:25 a.m.7 views

CVE-2026-6395

The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2cadmin function, combined with missing inp...

6.1CVSS6AI score0.00153EPSS
Exploits0References8
CVE
CVE
added 2026/05/20 1:25 a.m.13 views

CVE-2026-8038

The CVE concerns the WordPress plugin Faces of Users, vulnerable to Stored Cross-Site Scripting via the default shortcode attribute in the facesofusers shortcode, affecting all versions up to 0.0.3. Root cause: insufficient input sanitization and output escaping. Exploitation requires authenticat...

6.4CVSS6AI score0.00246EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/20 1:25 a.m.8 views

CVE-2026-8038 Faces of Users <= 0.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'default' Shortcode Attribute

The Faces of Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in the 'facesofusers' shortcode in all versions up to, and including, 0.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...

6.4CVSS6AI score0.00246EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/20 1:25 a.m.9 views

CVE-2026-6549 Logo Manager For Enamad <= 0.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute

The Logo Manager For Enamad plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute of the vcenamadnamad, vcenamadshamed, and vcenamadcustom shortcodes in all versions up to, and including, 0.7.4 due to insufficient input sanitization and output escaping on use...

6.4CVSS6AI score0.00245EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/05/20 1:25 a.m.8 views

CVE-2026-6395 Word 2 Cash <= 0.9.2 - Cross-Site Request Forgeryto Stored Cross-Site Scripting via Settings Page

The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2cadmin function, combined with missing inp...

6.1CVSS6AI score0.00153EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/05/20 1:25 a.m.40 views

CVE-2026-6395 Word 2 Cash <= 0.9.2 - Cross-Site Request Forgeryto Stored Cross-Site Scripting via Settings Page

The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2cadmin function, combined with missing inp...

6.1CVSS0.00153EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/05/20 1:25 a.m.42 views

CVE-2026-6549 Logo Manager For Enamad <= 0.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'title' Shortcode Attribute

The Logo Manager For Enamad plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute of the vcenamadnamad, vcenamadshamed, and vcenamadcustom shortcodes in all versions up to, and including, 0.7.4 due to insufficient input sanitization and output escaping on use...

6.4CVSS0.00245EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/05/20 1:25 a.m.44 views

CVE-2026-8038 Faces of Users <= 0.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'default' Shortcode Attribute

The Faces of Users plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'default' shortcode attribute in the 'facesofusers' shortcode in all versions up to, and including, 0.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...

6.4CVSS0.00246EPSS
Exploits0References3
EUVD
EUVD
added 2026/05/20 1:25 a.m.12 views

EUVD-2026-31042

The Logo Manager For Enamad plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute of the vcenamadnamad, vcenamadshamed, and vcenamadcustom shortcodes in all versions up to, and including, 0.7.4 due to insufficient input sanitization and output escaping on use...

6.4CVSS6AI score0.00245EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/20 1:25 a.m.12 views

EUVD-2026-31041

The Word 2 Cash plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in versions up to and including 0.9.2. This is due to the complete absence of nonce verification on the settings save handler in the w2cadmin function, combined with missing inp...

6.1CVSS6AI score0.00153EPSS
Exploits0References7
Rows per page
Query Builder