CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

CVE•added 2026/04/08 8:30 a.m.•5 views

CVE-2026-39612

CVE-2026-39612 affects the WordPress theme KuteShop (KuteShop theme) ≤ 4.2.9. Root cause: missing authorization / incorrectly configured access control that enables unauthorized actions. Impact: arbitrary shortcode execution within the affected site. Exploitation details are not provided in the c...

5.3CVSS5.9AI score0.0019EPSS

Cvelist•added 2026/04/08 8:30 a.m.•24 views

CVE-2026-39612 WordPress KuteShop theme <= 4.2.9 - Arbitrary Shortcode Execution vulnerability

Missing Authorization vulnerability in kutethemes KuteShop kuteshop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects KuteShop: from n/a through = 4.2.9...

5.3CVSS0.0019EPSS

Vulnrichment•added 2026/04/08 8:30 a.m.•6 views

CVE-2026-39612 WordPress KuteShop theme <= 4.2.9 - Arbitrary Shortcode Execution vulnerability

Missing Authorization vulnerability in kutethemes KuteShop kuteshop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects KuteShop: from n/a through = 4.2.9...

5.3CVSS5.8AI score0.0019EPSS

CVE•added 2026/04/08 8:23 a.m.•4 views

CVE-2026-1396

The CVE-2026-1396 entry affects the WordPress plugin Magic Conversation For Gravity Forms. It reports a Stored Cross-Site Scripting vulnerability in the magic-conversation shortcode, caused by insufficient input sanitization and output escaping on user-supplied attributes. Affected versions are a...

6.4CVSS6.1AI score0.00236EPSS

Exploits0References4

ATTACKERKB•added 2026/04/08 8:23 a.m.•3 views

CVE-2026-1396

The Magic Conversation For Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'magic-conversation' shortcode in all versions up to, and including, 3.0.97 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

6.4CVSS6.1AI score0.00236EPSS

Vulnrichment•added 2026/04/08 8:23 a.m.•1 views

CVE-2026-1396 Magic Conversation For Gravity Forms <= 3.0.97 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4CVSS5.9AI score0.00236EPSS

Exploits0References4

Patchstack•added 2026/04/08 7:53 a.m.•4 views

WordPress WP Blockade plugin <= 0.9.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shortcode Execution via 'shortcode' Parameter vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Shortcode Execution via 'shortcode' Parameter vulnerability discovered by theviper17y in WordPress Plugin WP Blockade versions = 0.9.14...

6.5CVSS5.9AI score0.00342EPSS

Exploits0References1Affected Software1

NVD•added 2026/04/08 7:16 a.m.•2 views

CVE-2026-5506

The Wavr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wave shortcode in all versions up to, and including, 0.2.6. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attacker...

6.4CVSS0.00188EPSS

NVD•added 2026/04/08 7:16 a.m.•1 views

CVE-2026-5508

The WowPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wowpress shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.4CVSS0.00234EPSS

NVD•added 2026/04/08 7:16 a.m.•4 views

CVE-2026-4871

The Sports Club Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' attributes of the scmmemberdata shortcode in all versions up to, and including, 1.12.9 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS0.00181EPSS

NVD•added 2026/04/08 7:16 a.m.•4 views

CVE-2026-3618

The Columns by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the printclmns shortcode in all versions up to and including 1.0.3. This is due to insufficient input sanitization and output escaping on the 'id' attribute. The...

6.4CVSS0.00302EPSS

Cvelist•added 2026/04/08 6:43 a.m.•21 views

CVE-2026-5506 Wavr <= 0.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4CVSS0.00188EPSS

Vulnrichment•added 2026/04/08 6:43 a.m.•0 views

CVE-2026-5506 Wavr <= 0.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4CVSS6.1AI score0.00188EPSS

CVE•added 2026/04/08 6:43 a.m.•11 views

CVE-2026-5506

The CVE-2026-5506 entry concerns the WordPress Wavr plugin (versions up to 0.2.6). The vulnerability is a Stored Cross-Site Scripting flaw via the plugin’s wave shortcode attributes stemming from insufficient input sanitization and output escaping. The impact allows authenticated attackers with c...

6.4CVSS6.1AI score0.00188EPSS

CVE•added 2026/04/08 6:43 a.m.•8 views

CVE-2026-3618

The CVE concerns the WordPress plugin Columns by BestWebSoft (

6.4CVSS6AI score0.00302EPSS

Cvelist•added 2026/04/08 6:43 a.m.•20 views

CVE-2026-3618 Columns by BestWebSoft <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'columns' Shortcode 'id' Attribute

6.4CVSS0.00302EPSS

Vulnrichment•added 2026/04/08 6:43 a.m.•0 views

CVE-2026-3618 Columns by BestWebSoft <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'columns' Shortcode 'id' Attribute

6.4CVSS6AI score0.00302EPSS

CVE•added 2026/04/08 6:43 a.m.•5 views

CVE-2026-5508

The CVE-2026-5508 entry concerns the WowPress WordPress plugin (versions up to and including 1.0.0). The root cause is insufficient input sanitization and output escaping on attributes in the wowpress shortcode, enabling stored cross-site scripting. Impact: authenticated attackers with contributo...

6.4CVSS6.1AI score0.00234EPSS

Cvelist•added 2026/04/08 6:43 a.m.•19 views

CVE-2026-5508 WowPress <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4CVSS0.00234EPSS