Lucene search
+L

3881 matches found

nuclei
nuclei
added yesterday18 views

WordPress CBX Bookmark & Favorite Plugin <= 2.0.4 - SQL Injection

CBX Bookmark & Favorite WordPress plugin = 2.0.4 contains a SQL injection caused by insufficient escaping of the 'orderby' parameter, letting authenticated attackers with Subscriber-level access extract sensitive database information id: CVE-2025-13652 info: name: WordPress CBX Bookmark & Favorit...

6.5CVSS6.1AI score0.01077EPSS
Exploits0References3
nvd
nvd
added yesterday6 views

CVE-2026-15350

The The Cache Purger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.3.20. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level...

4.3CVSS0.00222EPSS
Exploits0References6
nvd
nvd
added yesterday8 views

CVE-2026-15407

The Themify Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 7.7.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level...

4.3CVSS0.00288EPSS
Exploits0References10
nvd
nvd
added yesterday7 views

CVE-2026-15610

The WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 8.5.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

4.3CVSS0.00232EPSS
Exploits0References8
cvelist
cvelist
added yesterday20 views

CVE-2026-15021 wpForo Forum <= 3.1.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'location' Profile Field

The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'location' Profile Field in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access...

6.4CVSS0.00206EPSS
Exploits0References8
euvd
euvd
added yesterday7 views

EUVD-2026-44899

The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'location' Profile Field in all versions up to, and including, 3.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access...

6.4CVSS6.2AI score0.00206EPSS
Exploits0References8
cvelist
cvelist
added yesterday16 views

CVE-2026-15610 WPBot <= 8.5.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary RAG Document Re-Sync via ajax_rag_manual_sync() Function

The WPBot – AI ChatBot for Live Support, Lead Generation, AI Services plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 8.5.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

4.3CVSS0.00232EPSS
Exploits0References8
cve
cve
added yesterday8 views

CVE-2026-15610

The WPBot – AI ChatBot for WordPress plugin (WordPress WPBot) up to version 8.5.6 is affected by an authorization bypass via the ajax_rag_manual_sync() function. The root cause is improper verification of a user’s authorization, enabling authenticated attackers with subscriber-level access or hig...

4.3CVSS6.1AI score0.00232EPSS
Exploits0References8
euvd
euvd
added yesterday6 views

EUVD-2026-44891

The Themify Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 7.7.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level...

4.3CVSS6.2AI score0.00288EPSS
Exploits0References10
cve
cve
added yesterday8 views

CVE-2026-15407

The CVE-2026-15407 entry describes an authorization bypass in Themify Builder for WordPress up to version 7.7.7. The underlying issue is insufficient verification of a user’s authorization for actions performed via the tb_generate_on_fly AJAX action, enabling authenticated users with subscriber-l...

4.3CVSS6.2AI score0.00288EPSS
Exploits0References10
euvd
euvd
added yesterday6 views

EUVD-2026-44884

The The Cache Purger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.3.20. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level...

4.3CVSS6.1AI score0.00222EPSS
Exploits0References6
cve
cve
added yesterday8 views

CVE-2026-15350

CVE-2026-15350 affects the WordPress plugin The Cache Purger (up to version 2.3.20). The vulnerability is an authorization bypass that allows authenticated users with subscriber-level access or higher to permanently truncate the plugin’s cache-purge audit log (wp-content/purge.log), destroying th...

4.3CVSS6.1AI score0.00222EPSS
Exploits0References6
nvd
nvd
added yesterday6 views

CVE-2026-12510

The AI Engine WordPress plugin before 3.5.5 does not verify that a user owns the chatbot conversation referenced by a client-supplied identifier, allowing users with subscriber-level access to read other users' private conversations and take over their conversation records when the discussions...

5.9CVSS0.00132EPSS
Exploits0References1
cvelist
cvelist
added yesterday18 views

CVE-2026-12510 AI Engine < 3.5.5 - Subscriber+Chatbot Discussion Disclosure and Takeover via IDOR

The AI Engine WordPress plugin before 3.5.5 does not verify that a user owns the chatbot conversation referenced by a client-supplied identifier, allowing users with subscriber-level access to read other users' private conversations and take over their conversation records when the discussions...

0.00132EPSS
Exploits0References1
euvd
euvd
added yesterday6 views

EUVD-2026-44874

The AI Engine WordPress plugin before 3.5.5 does not verify that a user owns the chatbot conversation referenced by a client-supplied identifier, allowing users with subscriber-level access to read other users' private conversations and take over their conversation records when the discussions...

5.9CVSS6.1AI score0.00132EPSS
Exploits0References1
cve
cve
added yesterday7 views

CVE-2026-12510

The CVE concerns the AI Engine WordPress plugin prior to version 3.5.5. It does not verify ownership of a chatbot conversation when a client-supplied identifier is used, enabling users with subscriber-level access to read other users’ private conversations and take over their conversation records...

5.9CVSS6.1AI score0.00132EPSS
Exploits0References1
nvd
nvd
added yesterday8 views

CVE-2026-15336

The Catch Themes Demo Import plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 3.3. This is due to the catchthemesdemoimportactivateplugin function, hooked on admininit when the activateplugin GET parameter is present, calling PluginUpgrader::install to...

4.3CVSS0.0025EPSS
Exploits0References10
cve
cve
added yesterday8 views

CVE-2026-15336

The CVE describes a vulnerability in the Catch Themes Demo Import plugin for WordPress (versions up to and including 3.3). The root cause is in catch_themes_demo_import_activate_plugin(), which is hooked on admin_init when the activate_plugin parameter is present and calls Plugin_Upgrader::instal...

4.3CVSS6.1AI score0.0025EPSS
Exploits0References10
cve
cve
added 3 days ago8 views

CVE-2026-9341

CVE-2026-9341 affects The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution (WordPress) up to version 3.8.0. The root cause is an insecure direct object reference due to missing validation on a user-controlled key, exploitable via the AJAX handlers save_lesson_note , get_lesson_n...

4.3CVSS6.2AI score0.00255EPSS
Exploits0References6
euvd
euvd
added 4 days ago8 views

EUVD-2026-43288

The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments...

4.3CVSS6.2AI score0.0017EPSS
Exploits0References2
Rows per page
Query Builder