CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Nuclei•added 10 hours ago•11 views

WordPress CBX Bookmark & Favorite Plugin <= 2.0.4 - SQL Injection

CBX Bookmark & Favorite WordPress plugin = 2.0.4 contains a SQL injection caused by insufficient escaping of the 'orderby' parameter, letting authenticated attackers with Subscriber-level access extract sensitive database information id: CVE-2025-13652 info: name: WordPress CBX Bookmark & Favorit...

6.5CVSS5.6AI score0.03032EPSS

Exploits0References3

RedhatCVE•added 12 hours ago•6 views

CVE-2026-7523

The Alba Board plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access...

RedhatCVE•added 12 hours ago•5 views

CVE-2026-10038

The Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Insecure Direct Object Reference / Authorization Bypass leading to Arbitrary Attachment Deletion in versions up to, and including, 1.8.11.1 via the profile avatar...

4.3CVSS5.6AI score0.0004EPSS

CVE•added yesterday•13 views

CVE-2026-8611

The Klamra Paycal for Aspaclaria WordPress plugin is vulnerable to Insecure Direct Object Reference through the invoice_id parameter in versions up to 1.1.4, caused by missing validation on a user-controlled key. Authenticated users with subscriber-level access and higher can enumerate post IDs t...

4.3CVSS5.6AI score0.00031EPSS

EUVD•added yesterday•6 views

EUVD-2026-34923

EUVD•added yesterday•6 views

Exploits0References9

EUVD-2026-34927

4.3CVSS5.6AI score0.0004EPSS

Exploits0References13

Positive Technologies•added yesterday•10 views

PT-2026-47141

The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the 'invoice id' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

4.3CVSS5.6AI score0.00031EPSS

Exploits0References9

CVE•added 2 days ago•11 views

CVE-2026-10038

The Charitable – Donation Plugin for WordPress (Charitable) up to version 1.8.11.1 is affected by an Insecure Direct Object Reference/Authorization Bypass that enables Arbitrary Attachment Deletion via the profile avatar update flow. The issue stems from save_avatar() calling wp_delete_attachment...

4.3CVSS5.6AI score0.0004EPSS

Exploits0References12

Cvelist•added 2 days ago•25 views

CVE-2026-7523 Alba Board <= 2.1.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'card_id' Parameter

4.3CVSS0.00039EPSS

ATTACKERKB•added 2 days ago•5 views

CVE-2026-7523

Vulnrichment•added 2 days ago•5 views

Exploits0References9

CVE-2026-7523 Alba Board <= 2.1.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'card_id' Parameter

CVE•added 2 days ago•13 views

CVE-2026-7523

The CVE-2026-7523 entry concerns the Alba Board WordPress plugin (

RedhatCVE•added 2 days ago•4 views

CVE-2026-3155

The OneSignal – Web Push Notifications plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 3.8.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

3.1CVSS5.6AI score0.00011EPSS

RedhatCVE•added 2 days ago•5 views

CVE-2025-15470

The Eleganzo theme for WordPress is vulnerable to arbitrary directory deletion due to insufficient path validation in the akdrequiredplugincallback function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...

6.5CVSS5.6AI score0.0006EPSS

RedhatCVE•added 2 days ago•7 views

CVE-2025-9988

The Broadstreet plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the createadvertiser AJAX action in all versions up to, and including, 1.53.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create...

4.3CVSS5.5AI score0.00035EPSS

RedhatCVE•added 2 days ago•6 views

CVE-2026-7651

The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.5. This is due to missing...

5.3CVSS5.6AI score0.0004EPSS

RedhatCVE•added 2 days ago•4 views

CVE-2026-7621

The SMTP2GO for WordPress – Email Made Easy plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.16.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers,...

4.3CVSS5.5AI score0.00046EPSS

RedhatCVE•added 2 days ago•3 views

CVE-2026-7636

The Slider by Soliloquy – Responsive Image Slider for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.1 via the mapmetacap. This makes it possible for authenticated attackers, with subscriber-level access and above, to extra...

4.3CVSS5.4AI score0.00037EPSS

RedhatCVE•added 2 days ago•6 views

CVE-2026-3477

The PZ Frontend Manager plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.6. The pzfmuserrequestactioncallback function, registered via the wpajaxpzfmuserrequestaction action hook, lacks both capability checks and nonce verification. This function...

5.3CVSS5.6AI score0.00011EPSS