Lucene search
K

225358 matches found

ATTACKERKB
ATTACKERKB
added 2026/05/20 1:25 a.m.8 views

CVE-2026-8685

The Infility Global plugin for WordPress is vulnerable to SQL Injection via the 'orderby' and 'order' parameters in all versions up to, and including, 2.15.16. This is due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the existing SQL query within the...

6.5CVSS5.9AI score0.00359EPSS
Exploits0References6
EUVD
EUVD
added 2026/05/20 1:25 a.m.11 views

EUVD-2026-31020

The Infility Global plugin for WordPress is vulnerable to SQL Injection via the 'orderby' and 'order' parameters in all versions up to, and including, 2.15.16. This is due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the existing SQL query within the...

6.5CVSS5.9AI score0.00359EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/05/20 1:25 a.m.40 views

CVE-2026-8685 Infility Global <= 2.15.16 - Authenticated (Subscriber+) SQL Injection via 'orderby' Parameter

The Infility Global plugin for WordPress is vulnerable to SQL Injection via the 'orderby' and 'order' parameters in all versions up to, and including, 2.15.16. This is due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the existing SQL query within the...

6.5CVSS0.00359EPSS
Exploits0References5
CVE
CVE
added 2026/05/20 1:25 a.m.17 views

CVE-2026-6397

The WordPress Sticky plugin is affected up to version 2.5.6. In cvmh_sticky_front_render(), the readmoretext attribute from the cvmh-sticky shortcode is passed through apply_filters() and directly concatenated into HTML without escaping, enabling Stored Cross-Site Scripting. Exploitation requires...

6.4CVSS6AI score0.00245EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/05/20 1:25 a.m.5 views

CVE-2026-6397 Sticky <= 2.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'readmoretext' Shortcode Attribute

The Sticky plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the cvmh-sticky shortcode readmoretext attribute in versions up to and including 2.5.6. This is due to insufficient input sanitization and output escaping in the cvmhstickyfrontrender function — the readmoretext...

6.4CVSS6AI score0.00245EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/05/20 1:25 a.m.10 views

CVE-2026-8685 Infility Global <= 2.15.16 - Authenticated (Subscriber+) SQL Injection via 'orderby' Parameter

The Infility Global plugin for WordPress is vulnerable to SQL Injection via the 'orderby' and 'order' parameters in all versions up to, and including, 2.15.16. This is due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the existing SQL query within the...

6.5CVSS5.9AI score0.00359EPSS
Exploits0References5
CVE
CVE
added 2026/05/20 1:25 a.m.13 views

CVE-2026-8685

The CVE-2026-8685 entry concerns the Infility Global plugin for WordPress. It exposes an SQL Injection vulnerability via the 'orderby' and 'order' parameters in all versions up to 2.15.16. The root cause is insufficient escaping of user-supplied parameters and lack of proper preparation in the sh...

6.5CVSS5.9AI score0.00359EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/05/20 1:25 a.m.6 views

CVE-2026-6397

The Sticky plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the cvmh-sticky shortcode readmoretext attribute in versions up to and including 2.5.6. This is due to insufficient input sanitization and output escaping in the cvmhstickyfrontrender function — the readmoretext...

6.4CVSS6AI score0.00245EPSS
Exploits0References6
EUVD
EUVD
added 2026/05/20 1:25 a.m.10 views

EUVD-2026-31017

The Sticky plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the cvmh-sticky shortcode readmoretext attribute in versions up to and including 2.5.6. This is due to insufficient input sanitization and output escaping in the cvmhstickyfrontrender function — the readmoretext...

6.4CVSS6AI score0.00245EPSS
Exploits0References5
EUVD
EUVD
added 2026/05/20 1:25 a.m.11 views

EUVD-2026-31016

The ProSolution WP Client plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 2.0.0. This is due to an array validation mismatch where only the first file in the upload array undergoes extension and MIME type validation, while all files are processed and...

9.8CVSS6.4AI score0.00978EPSS
Exploits0References9
EUVD
EUVD
added 2026/05/20 1:25 a.m.11 views

EUVD-2026-31015

The LJ comments import: reloaded plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHPSELF Parameter in all versions up to, and including, 0.97.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

6.1CVSS6AI score0.00266EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/20 1:25 a.m.7 views

CVE-2026-8624

The LJ comments import: reloaded plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHPSELF Parameter in all versions up to, and including, 0.97.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

6.1CVSS6AI score0.00266EPSS
Exploits0References4
CVE
CVE
added 2026/05/20 1:25 a.m.19 views

CVE-2026-6555

The ProSolution WP Client plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to 2.0.0 due to an array validation mismatch: only the first file in the upload array is validated for extension/MIME type, while all files are saved to a web-accessible directory. This allows una...

9.8CVSS6.4AI score0.00978EPSS
Exploits0References10
ATTACKERKB
ATTACKERKB
added 2026/05/20 1:25 a.m.6 views

CVE-2026-6555

The ProSolution WP Client plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 2.0.0. This is due to an array validation mismatch where only the first file in the upload array undergoes extension and MIME type validation, while all files are processed and...

9.8CVSS6.4AI score0.00978EPSS
Exploits0References10
CVE
CVE
added 2026/05/20 1:25 a.m.17 views

CVE-2026-8624

The CVE-2026-8624 entry concerns the WordPress plugin “LJ comments import: reloaded” up to version 0.97.1. It is vulnerable to Reflected Cross-Site Scripting via the PHP_SELF parameter due to insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject arbitra...

6.1CVSS6AI score0.00266EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/20 1:25 a.m.40 views

CVE-2026-6555 ProSolution WP Client <= 2.0.0 - Unauthenticated Arbitrary File Upload via 'files'

The ProSolution WP Client plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 2.0.0. This is due to an array validation mismatch where only the first file in the upload array undergoes extension and MIME type validation, while all files are processed and...

9.8CVSS0.00978EPSS
Exploits0References10
Vulnrichment
Vulnrichment
added 2026/05/20 1:25 a.m.13 views

CVE-2026-6555 ProSolution WP Client <= 2.0.0 - Unauthenticated Arbitrary File Upload via 'files'

The ProSolution WP Client plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 2.0.0. This is due to an array validation mismatch where only the first file in the upload array undergoes extension and MIME type validation, while all files are processed and...

9.8CVSS6.4AI score0.00978EPSS
Exploits0References10
EUVD
EUVD
added 2026/05/20 1:25 a.m.12 views

EUVD-2026-31014

The Games Catalog plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the gccrud function which handles the delete action action=delete via a GET request without any wpverifynonce /...

4.3CVSS5.9AI score0.00163EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2026/05/20 1:25 a.m.8 views

CVE-2026-8418 Games Catalog <= 1.2.0 - Cross-Site Request Forgery to Arbitrary Game/Post Deletion

The Games Catalog plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the gccrud function which handles the delete action action=delete via a GET request without any wpverifynonce /...

4.3CVSS5.9AI score0.00163EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/05/20 1:25 a.m.6 views

CVE-2026-8418

The Games Catalog plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the gccrud function which handles the delete action action=delete via a GET request without any wpverifynonce /...

4.3CVSS5.9AI score0.00163EPSS
Exploits0References8
Rows per page
Query Builder