CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

3.1CVSS5.6AI score0.00011EPSS

CVE-2026-3155

The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

Circl•added 3 days ago•4 views

CVE-2026-45750

creationtimestamp| type| source ---|---|--- 2026-06-05 19:46:33+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mnkvpixkry26 2026-06-05 20:01:51+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mnkwktpurz2b 2026-06-07 02:09:27+00:00| seen|...

9CVSS5.3AI score0.00038EPSS

Exploits0References3

RedhatCVE•added 3 days ago•6 views

CVE-2026-4338

The ActivityPub WordPress plugin before 8.0.2 does not properly filter posts to be displayed, allowed unauthenticated users to access drafts/scheduled/pending posts...

7.5CVSS5.4AI score0.00023EPSS

4.3CVSS5.4AI score0.00032EPSS

CVE-2025-14481

The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object References in all versions up to, and including, 26.5. This is due to insufficient authorization checks in the Meta Search REST API endpoint that fail to verify post ownership. This makes it possible for authenticated...

6.9CVSS5.5AI score0.00062EPSS

CVE-2026-7059

A vulnerability was found in 666ghj MiroFish up to 0.1.2. This affects the function getsimulationposts of the file backend/app/api/simulation.py of the component Query Parameter Handler. Performing a manipulation of the argument Platform results in path traversal. The attack can be initiated...

5.4CVSS5.6AI score0.00056EPSS

CVE-2026-7051

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 8.9.0. This is due to a missing ownership verification in the B2SPostTools::deleteUserPublishPost and B2SPostTools::deleteUserSchedPost functions,...

4.3CVSS5.4AI score0.00014EPSS

CVE-2026-7614

The Old Posts Highlighter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the OPHoptions function. This makes it possible for unauthenticated attackers to update the plugin's...

6.4CVSS5.7AI score0.00037EPSS

CVE-2026-3005

The List category posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'catlist' shortcode in all versions up to, and including, 0.94.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.9CVSS5.4AI score0.00036EPSS

CVE-2026-41243

OpenLearn is open-source educational forum software. Prior to commit 844b2a40a69d0c4911580fe501923f0b391313ab, when safeMode is enabled, unapproved forum posts are hidden from the public list, but the direct post-read procedure still returns the full post to anyone with the post UUID. Commit...

Exploits1References1

6.4CVSS5.7AI score0.00042EPSS

CVE-2026-5711

The Post Blocks & Tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sliderStyle' block attribute in the Posts Slider block in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes ...

4.3CVSS5.5AI score0.00035EPSS

CVE-2026-9228

The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.16 via the actiongeteventdata due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

RedhatCVE•added 3 days ago•7 views

CVE-2026-6236

The Posts map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' shortcode attribute in all versions up to, and including, 0.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers...

6.4CVSS5.7AI score0.00013EPSS

RedhatCVE•added 3 days ago•6 views

CVE-2026-6246

The Simple Random Posts Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'containerrightwidth' attribute of the 'simplerandomposts' shortcode in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping on user supplied...

6.4CVSS5.7AI score0.00012EPSS

5.3CVSS5.5AI score0.00048EPSS

CVE-2026-6206

The MW WP Form plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 5.1.2 via the getpostpropertyfromquerystring function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract da...

5.3CVSS5.4AI score0.00025EPSS

CVE-2026-4812

The Advanced Custom Fields ACF plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions witho...

4.3CVSS5.5AI score0.00019EPSS

CVE-2026-4330

The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to authorization bypass through user-controlled key in all versions up to, and including, 8.8.3. This is due to the plugin's AJAX handlers failing to validate that the user-supplied 'b2sid' parameter belongs to...