Lucene search
K

3855 matches found

ATTACKERKB
ATTACKERKB
added 4 days ago6 views

CVE-2026-8996

The Backup and Staging by WP Time Capsule plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.22.26 via the downloadrecentdecryptedfilewptc. This makes it possible for authenticated attackers, with subscriber-level access and above, to...

6.5CVSS5.8AI score0.0027EPSS
Exploits0References9
ATTACKERKB
ATTACKERKB
added 4 days ago9 views

CVE-2026-4653

The Block, Suspend, Report for BuddyPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter in versions up to and including 3.6.4. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with...

6.4CVSS6AI score0.00201EPSS
Exploits0References7
NVD
NVD
added 4 days ago15 views

CVE-2026-5523

The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.1.8. This is due to the updateuser function accepting a user ID parameter from form submissions without verifying that the authenticated user has permission to edit that specific...

8.8CVSS0.00309EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 4 days ago10 views

CVE-2026-5523

The Divi Form Builder plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.1.8. This is due to the updateuser function accepting a user ID parameter from form submissions without verifying that the authenticated user has permission to edit that specific...

8.8CVSS5.9AI score0.00309EPSS
Exploits0References3
NVD
NVD
added 6 days ago9 views

CVE-2026-10834

The WP Travel Engine WordPress plugin before 6.8.1 does not properly validate the source of a user-supplied profile image path before moving the file, allowing authenticated users with subscriber-level access and above to relocate arbitrary files within the WordPress uploads directory into their...

4.6CVSS0.00142EPSS
Exploits0References1
EUVD
EUVD
added 6 days ago7 views

EUVD-2026-42010

The WP Travel Engine WordPress plugin before 6.8.1 does not properly validate the source of a user-supplied profile image path before moving the file, allowing authenticated users with subscriber-level access and above to relocate arbitrary files within the WordPress uploads directory into their...

6AI score0.00142EPSS
Exploits0References1
Cvelist
Cvelist
added 6 days ago36 views

CVE-2026-10834 WP Travel Engine < 6.8.1 - Subscriber+ Arbitrary Media File Move via user_profile_image

The WP Travel Engine WordPress plugin before 6.8.1 does not properly validate the source of a user-supplied profile image path before moving the file, allowing authenticated users with subscriber-level access and above to relocate arbitrary files within the WordPress uploads directory into their...

0.00142EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 6 days ago8 views

PT-2026-56146

Name of the Vulnerable Software and Affected Versions WP Travel Engine versions prior to 6.8.1 Description Authenticated users with subscriber-level access and above can relocate arbitrary files within the WordPress uploads directory into their own profile-image path. This occurs because the plug...

4.6CVSS6.2AI score0.00142EPSS
Exploits0References5
NVD
NVD
added 2026/07/06 8:16 a.m.9 views

CVE-2024-6228

The Notifications for Forms & WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated users with subscriber-level access and above to include and execute arbitrary local PHP files on t...

7.5CVSS0.00318EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/06 6:0 a.m.37 views

CVE-2026-11766 Ultimate Member < 2.12.0 - Subscriber+ Stored XSS via Custom Textarea Profile Fields

The Ultimate Member WordPress plugin before 2.12.0 does not properly sanitise and escape the value of custom textarea profile fields before outputting it on user profiles, allowing authenticated users with Subscriber-level access and above to store JavaScript that executes when any user, includin...

0.00247EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/06 6:0 a.m.34 views

CVE-2024-6228 WANotifier < 2.6 - Subscriber+ LFI

The Notifications for Forms & WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated users with subscriber-level access and above to include and execute arbitrary local PHP files on t...

0.00318EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/06 6:0 a.m.4 views

EUVD-2024-55649

The Notifications for Forms & WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated users with subscriber-level access and above to include and execute arbitrary local PHP files on t...

7.5CVSS6.2AI score0.00318EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/06 6:0 a.m.5 views

CVE-2024-6228

The Notifications for Forms & WordPress Actions WordPress plugin before 2.6 does not validate a user-supplied value before using it to build a server-side file inclusion path, allowing authenticated users with subscriber-level access and above to include and execute arbitrary local PHP files on t...

7.5CVSS6.2AI score0.00318EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/06 6:0 a.m.6 views

CVE-2026-11766

The Ultimate Member WordPress plugin before 2.12.0 does not properly sanitise and escape the value of custom textarea profile fields before outputting it on user profiles, allowing authenticated users with Subscriber-level access and above to store JavaScript that executes when any user, includin...

8CVSS6AI score0.00247EPSS
Exploits0References1
CVE
CVE
added 2026/07/06 6:0 a.m.9 views

CVE-2024-6228

The CVE-2024-6228 vulnerability affects the Notifications for Forms & WordPress Actions WordPress plugin (before version 2.6). It occurs because the plugin does not validate a user-supplied value when building a server-side file inclusion path, enabling authenticated users with subscriber-level a...

7.5CVSS6.2AI score0.00318EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/07/06 12:0 a.m.8 views

PT-2026-55863

Name of the Vulnerable Software and Affected Versions Notifications for Forms & WordPress Actions versions prior to 2.6 Description Authenticated users with subscriber-level access and above can include and execute arbitrary local PHP files on the server. This occurs because the plugin fails to...

7.5CVSS6.2AI score0.00318EPSS
Exploits0References6
NVD
NVD
added 2026/07/03 6:16 a.m.7 views

CVE-2026-8489

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aboutme' parameter in all versions up to, and including, 2.11.4 due to insufficient input sanitization and...

6.4CVSS0.00241EPSS
Exploits0References11
Cvelist
Cvelist
added 2026/07/03 4:30 a.m.35 views

CVE-2026-9626 JSON API User <= 4.1.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'content' Parameter

The JSON API User plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'content' parameter of the postcomment API endpoint in versions up to, and including, 4.1.0 This is due to insufficient input sanitization in the postcomment function, which passes the attacker-controlled...

6.4CVSS0.00228EPSS
Exploits0References6
EUVD
EUVD
added 2026/07/03 4:30 a.m.7 views

EUVD-2026-41486

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aboutme' parameter in all versions up to, and including, 2.11.4 due to insufficient input sanitization and...

6.4CVSS5.9AI score0.00241EPSS
Exploits0References11
ATTACKERKB
ATTACKERKB
added 2026/07/03 4:30 a.m.11 views

CVE-2026-8489

The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aboutme' parameter in all versions up to, and including, 2.11.4 due to insufficient input sanitization and...

6.4CVSS5.9AI score0.00241EPSS
Exploits0References12
Rows per page
Query Builder