Lucene search
K

18 matches found

NVD
NVD
added 2026/07/01 7:16 a.m.12 views

CVE-2026-11794

The Advanced Form Integration — Connect Forms to 200+ Apps WordPress plugin before 2.1.1 does not restrict the WordPress role assigned when it creates a user from a public form submission, allowing unauthenticated visitors to create an administrator account when an active integration maps the use...

8.1CVSS0.00236EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/01 6:0 a.m.42 views

CVE-2026-11794 Advanced Form Integration < 2.1.1 - Unauthenticated Privilege Escalation via Breakdance Form Role Mapping

The Advanced Form Integration — Connect Forms to 200+ Apps WordPress plugin before 2.1.1 does not restrict the WordPress role assigned when it creates a user from a public form submission, allowing unauthenticated visitors to create an administrator account when an active integration maps the use...

0.00236EPSS
Exploits0References1
NVD
NVD
added 2026/06/18 8:16 a.m.11 views

CVE-2026-11395

The CF7 to Webhook plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.0 via the pullthetrigger. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be...

7.2CVSS0.00231EPSS
Exploits0References5
CVE
CVE
added 2026/06/18 6:50 a.m.26 views

CVE-2026-11395

CVE-2026-11395 : The CF7 to Webhook plugin for WordPress is vulnerable to unauthenticated Server-Side Request Forgery through the pull_the_trigger path, affecting all versions up to and including 5.0.0. Exploitation requires the admin-configured webhook URL to contain a Contact Form 7 field place...

7.2CVSS5.5AI score0.00231EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/18 6:50 a.m.27 views

CVE-2026-11395 CF7 to Webhook <= 5.0.0 - Unauthenticated Server-Side Request Forgery via CF7 Field Placeholder in Webhook URL Host

The CF7 to Webhook plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.0 via the pullthetrigger. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be...

7.2CVSS0.00231EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/05 12:0 a.m.16 views

PT-2026-47085

Name of the Vulnerable Software and Affected Versions NocoDB versions prior to 2026.05.1 Description The shared form-view submit handler in packages/nc-gui/composables/useSharedFormViewStore.ts fails to validate the URL scheme when writing the redirect url to window.location.href. While a same-ho...

8.4CVSS5.9AI score0.00234EPSS
Exploits0References9
EUVD
EUVD
added 2026/05/15 6:24 p.m.9 views

EUVD-2026-30587

Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, collaborators.list, tables.metadata.list, explorations.list, and forms.list accept a databaseid without verifying that the requesting user was a collaborator on that...

5.3CVSS5.8AI score0.00278EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/15 12:0 a.m.14 views

PT-2026-41352

Mathesar is a web application that makes working with PostgreSQL databases both simple and powerful. From 0.2.0 to before 0.10.0, collaborators.list, tables.metadata.list, explorations.list, and forms.list accept a database id without verifying that the requesting user was a collaborator on that...

5.3CVSS5.8AI score0.00278EPSS
Exploits0References2
EUVD
EUVD
added 2026/03/11 3:31 a.m.6 views

EUVD-2026-11032

The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.11.1. This is due to the plugin trusting the mc4wpaction POST parameter without validation, allowing unauthenticated attackers to force the form to process...

6.5CVSS5.8AI score0.00265EPSS
Exploits0References8
EUVD
EUVD
added 2026/03/11 1:22 a.m.4 views

EUVD-2026-11031

The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.11.1. This is due to the plugin trusting the mc4wpaction POST parameter without validation, allowing unauthenticated attackers to force the form to process...

6.5CVSS5.8AI score0.00265EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/03/11 1:22 a.m.32 views

CVE-2026-1781 MC4WP: Mailchimp for WordPress <= 4.11.1 - Missing Authorization to Unauthenticated Arbitrary Subscription Deletion

The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.11.1. This is due to the plugin trusting the mc4wpaction POST parameter without validation, allowing unauthenticated attackers to force the form to process...

6.5CVSS0.00265EPSS
Exploits0References7
OSV
OSV
added 2026/03/11 1:22 a.m.3 views

CVE-2026-1781 MC4WP: Mailchimp for WordPress <= 4.11.1 - Missing Authorization to Unauthenticated Arbitrary Subscription Deletion

The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.11.1. This is due to the plugin trusting the mc4wpaction POST parameter without validation, allowing unauthenticated attackers to force the form to process...

6.5CVSS6AI score0.00265EPSS
Exploits0References9
RedhatCVE
RedhatCVE
added 2026/03/06 7:52 a.m.5 views

CVE-2026-2365

The Fluent Forms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the fluentformstepformsavedata AJAX action in all versions up to, and including, 6.1.17. This is due to the draft form submission endpoint being publicly accessible without authentication or nonce...

7.2CVSS5.9AI score0.00263EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/02/28 6:27 a.m.7 views

CVE-2026-2471

The WP Mail Logging plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.15.0 via deserialization of untrusted input from the email log message field. This is due to the BaseModel class constructor calling maybeunserialize on all properties retrieved...

7.5CVSS6.2AI score0.00384EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/01/07 12:0 a.m.7 views

PT-2026-1634

Name of the Vulnerable Software and Affected Versions The Awesome Hotel Booking plugin for WordPress versions prior to 1.1 Description The plugin has a flaw allowing unauthorized data modification. This is due to insufficient authorization checks in the room-single.php shortcode handler,...

5.3CVSS6.6AI score0.00236EPSS
Exploits0References5
OSV
OSV
added 2025/03/08 10:15 a.m.3 views

CVE-2025-1324

The WP-Recall – Registration, Profile, Commerce & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'public-form' shortcode in all versions up to, and including, 16.26.10 due to insufficient input sanitization and output escaping on user supplied attributes...

5.4CVSS7.4AI score0.00235EPSS
Exploits0References2
OSV
OSV
added 2023/02/28 8:15 p.m.4 views

DEBIAN-CVE-2023-27372

SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1...

9.8CVSS8.7AI score0.99637EPSS
Exploits23References1
OSV
OSV
added 2023/02/28 8:15 p.m.3 views

UBUNTU-CVE-2023-27372

SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1...

9.8CVSS7.4AI score0.99637EPSS
Exploits23References10
Rows per page
Query Builder