CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

EUVD•added 2026/01/07 9:21 a.m.•3 views

EUVD-2026-1327

The Smart App Banners plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'size' and 'verticalalign' parameters of the 'app-store-download' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied...

6.4CVSS4.7AI score0.00235EPSS

EUVD•added 2026/01/07 9:21 a.m.•6 views

EUVD-2026-1339

The Guest posting / Frontend Posting / Front Editor – WP Front User Submit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bfe/v1/revert' REST API endpoint in all versions up to, and including, 5.0.0. This makes it possibl...

5.3CVSS5AI score0.0023EPSS

EUVD•added 2026/01/07 9:20 a.m.•4 views

EUVD-2026-1303

The QR Code for WooCommerce order emails, PDF invoices, packing slips plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode in all versions up to, and including, 1.9.42 due to insufficient input sanitization and output escaping on user supplied attributes...

6.4CVSS4.7AI score0.00234EPSS

EUVD•added 2026/01/07 9:20 a.m.•3 views

EUVD-2026-1292

The Post Like Dislike plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $SERVER'PHPSELF' variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitra...

6.1CVSS5.1AI score0.00256EPSS

6.4CVSS4.7AI score0.00228EPSS

EUVD-2026-1313

The Cool YT Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'videoid' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access...

EUVD•added 2026/01/07 9:20 a.m.•4 views

EUVD-2026-1302

The Niche Hero | Beautifully-designed blocks in seconds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spacing' parameter of the nhrow shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. This makes it possib...

6.4CVSS4.7AI score0.00235EPSS

6.4CVSS4.7AI score0.00287EPSS

EUVD-2026-1320

The STM Gallery 1.9 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'composicion' parameter in all versions up to, and including, 0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level...

6.4CVSS4.6AI score0.00234EPSS

EUVD-2026-1287

The My Album Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image titles in all versions up to, and including, 1.0.4. This is due to insufficient input sanitization and output escaping on the 'attachment-title' attribute. This makes it possible for authenticated...

6.4CVSS4.6AI score0.00234EPSS

EUVD-2026-1348

The WP Recipe Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Skill Level' input field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated...

6.4CVSS4.6AI score0.00279EPSS

EUVD-2026-1307

The AH Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'column' shortcode attribute in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-lev...

6.4CVSS4.7AI score0.00234EPSS

EUVD-2026-1318

The Wish To Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with...

EUVD•added 2026/01/07 8:21 a.m.•2 views

EUVD-2026-1282

The Optional Email plugin for WordPress is vulnerable to Privilege Escalation via Account Takeover in all versions up to, and including, 1.3.11. This is due to the plugin not restricting its 'randompassword' filter to registration contexts, allowing the filter to affect password reset key...

9.8CVSS5.7AI score0.003EPSS

8.8CVSS6.9AI score0.00433EPSS

EUVD-2026-1268

The WP Enable WebP plugin for WordPress is vulnerable to arbitrary file uploads due to improper file type validation in the 'wpsefileandextwebp' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload...

7.5CVSS5.4AI score0.00283EPSS

EUVD-2026-1340

The Latest Registered Users plugin for WordPress is vulnerable to unauthorized user data export in all versions up to, and including, 1.4. This is due to missing authorization and nonce validation in the rndhandleformsubmit function hooked to both adminpostmysimpleform and...

Exploits0References5

EUVD•added 2026/01/07 8:21 a.m.•3 views

EUVD-2026-1273

The Latest Tabs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the settings update handler in admin-page.php. This makes it possible for unauthenticated attackers to modify plugin...

4.3CVSS4.9AI score0.00102EPSS

5.3CVSS4.9AI score0.00227EPSS

EUVD-2026-1334

The Unify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'init' action in all versions up to, and including, 3.4.9. This makes it possible for unauthenticated attackers to delete specific plugin options via the 'unifyplugindowngrad...