CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Nuclei•added yesterday•11 views

WordPress CBX Bookmark & Favorite Plugin <= 2.0.4 - SQL Injection

CBX Bookmark & Favorite WordPress plugin = 2.0.4 contains a SQL injection caused by insufficient escaping of the 'orderby' parameter, letting authenticated attackers with Subscriber-level access extract sensitive database information id: CVE-2025-13652 info: name: WordPress CBX Bookmark & Favorit...

6.5CVSS5.6AI score0.03032EPSS

Exploits0References3

Amazon•added yesterday•1 views

Important: postgresql18

Issue Overview: Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use searchpath to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions...

8.8CVSS0.00076EPSS

Exploits0

Amazon•added yesterday•1 views

Important: postgresql17

8.8CVSS0.00076EPSS

Exploits0

RedhatCVE•added 2 days ago•8 views

CVE-2026-8611

The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the 'invoiceid' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

4.3CVSS5.6AI score0.00031EPSS

RedhatCVE•added 2 days ago•7 views

CVE-2026-7523

The Alba Board plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access...

RedhatCVE•added 2 days ago•6 views

CVE-2026-10038

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insecure Direct Object Reference / Authorization Bypass leading to Arbitrary Attachment Deletion in versions up to, and including, 1.8.11.1 via the profile avatar...

4.3CVSS5.6AI score0.0004EPSS

CVE•added 3 days ago•15 views

CVE-2026-8611

The Klamra Paycal for Aspaclaria WordPress plugin is vulnerable to Insecure Direct Object Reference through the invoice_id parameter in versions up to 1.1.4, caused by missing validation on a user-controlled key. Authenticated users with subscriber-level access and higher can enumerate post IDs t...

4.3CVSS5.6AI score0.00031EPSS

EUVD•added 3 days ago•7 views

EUVD-2026-34923

EUVD•added 3 days ago•6 views

Exploits0References9

EUVD-2026-34927

4.3CVSS5.6AI score0.0004EPSS

Exploits0References13

Positive Technologies•added 3 days ago•11 views

PT-2026-47141

The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the 'invoice id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

4.3CVSS5.6AI score0.00031EPSS

Exploits0References9

CVE•added 4 days ago•12 views

CVE-2026-10038

The Charitable – Donation Plugin for WordPress (Charitable) up to version 1.8.11.1 is affected by an Insecure Direct Object Reference/Authorization Bypass that enables Arbitrary Attachment Deletion via the profile avatar update flow. The issue stems from save_avatar() calling wp_delete_attachment...

4.3CVSS5.6AI score0.0004EPSS

Exploits0References12

ATTACKERKB•added 4 days ago•5 views

CVE-2026-7523

Cvelist•added 4 days ago•27 views

Exploits0References9

CVE-2026-7523 Alba Board <= 2.1.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'card_id' Parameter

4.3CVSS0.00039EPSS

Vulnrichment•added 4 days ago•5 views

CVE-2026-7523 Alba Board <= 2.1.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'card_id' Parameter

CVE•added 4 days ago•14 views

CVE-2026-7523

The CVE-2026-7523 entry concerns the Alba Board WordPress plugin (

RedhatCVE•added 4 days ago•4 views

CVE-2026-3155

The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

3.1CVSS5.6AI score0.00011EPSS

RedhatCVE•added 4 days ago•5 views

CVE-2025-15470

The Eleganzo theme for WordPress is vulnerable to arbitrary directory deletion due to insufficient path validation in the akdrequiredplugincallback function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...

6.5CVSS5.6AI score0.0006EPSS

RedhatCVE•added 4 days ago•7 views

CVE-2025-9988

The Broadstreet plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the createadvertiser AJAX action in all versions up to, and including, 1.53.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create...

4.3CVSS5.5AI score0.00035EPSS

RedhatCVE•added 4 days ago•6 views

CVE-2026-7651

The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.5. This is due to missing...

5.3CVSS5.6AI score0.0004EPSS