Lucene search
K

5730 matches found

Nuclei
Nuclei
added 11 hours ago37 views

WordPress Title Experiments Free <9.0.1 - SQL Injection

WordPress Title Experiments Free plugin before 9.0.1 contains a SQL injection vulnerability. The plugin does not sanitize and escape the id parameter before using it in a SQL statement via the wpextitles AJAX action, available to unauthenticated users. An attacker can possibly obtain sensitive...

9.8CVSS7.1AI score0.10079EPSS
Exploits2References5
Nuclei
Nuclei
added 11 hours ago78 views

Spotweb <= 1.5.1 - Cross Site Scripting

Cross-site scripting XSS vulnerability in templates/installer/step-004.inc.php in spotweb 1.5.1 and below allow remote attackers to inject arbitrary web script or HTML via the lastname parameter. id: CVE-2021-40973 info: name: Spotweb = 1.5.1 - Cross Site Scripting author: theamanrawat severity:...

6.1CVSS6.5AI score0.02214EPSS
Exploits1References4
Cvelist
Cvelist
added 17 hours ago6 views

CVE-2026-11390 News Kit Addons For Elementor <= 1.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Site Logo Title and Single Author Box Widgets

The News Kit Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Site Logo Title and Single Author Box Widgets in all versions up to, and including, 1.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS
Exploits0References9
CVE
CVE
added 17 hours ago8 views

CVE-2026-11390

Vulnerability summary (CVE-2026-11390): News Kit Addons For Elementor (WordPress) versions up to 1.4.6 are affected by a stored cross-site scripting (XSS) flaw in the Site Logo Title and Single Author Box widgets. The root cause is insufficient input sanitization and output escaping. Exploitation...

6.4CVSS6.2AI score
Exploits0References9
EUVD
EUVD
added 17 hours ago5 views

EUVD-2026-43611

The News Kit Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Site Logo Title and Single Author Box Widgets in all versions up to, and including, 1.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

6.4CVSS6.2AI score
Exploits0References9
NVD
NVD
added yesterday5 views

CVE-2026-12536

The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Module Title’ parameter in all versions up to, and including, 3.15.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS
Exploits0References2
CVE
CVE
added yesterday5 views

CVE-2026-12536

CVE-2026-12536 : A Stored Cross-Site Scripting flaw in the Avada (Fusion) Builder plugin for WordPress affects all versions up to 3.15.5. It arises from insufficient input sanitization and output escaping in the Module Title parameter. An authenticated attacker with Contributor-level access or hi...

6.4CVSS6.2AI score
Exploits0References2
Cvelist
Cvelist
added yesterday22 views

CVE-2026-12536 Avada Builder <= 3.15.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Module Title

The Avada Fusion Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Module Title’ parameter in all versions up to, and including, 3.15.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS
Exploits0References2
NVD
NVD
added 3 days ago7 views

CVE-2026-12126

The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'posttitle' in all versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS0.0021EPSS
Exploits0References8
EUVD
EUVD
added 3 days ago8 views

EUVD-2026-43158

The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'posttitle' in all versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS6.2AI score0.0021EPSS
Exploits0References8
CVE
CVE
added 3 days ago16 views

CVE-2026-12126

CVE-2026-12126 affects the WCFM Marketplace plugin for WordPress (versions

6.4CVSS6.2AI score0.0021EPSS
Exploits0References8
Cvelist
Cvelist
added 3 days ago39 views

CVE-2026-12126 WCFM Marketplace <= 3.7.3 - Authenticated (Vendor+) Stored Cross-Site Scripting via Attachment 'post_title'

The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'posttitle' in all versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS0.0021EPSS
Exploits0References8
CVE
CVE
added 4 days ago8 views

CVE-2026-57214

This CVE affects RabbitMQ’s management UI prior to version 4.2.5. The vulnerability arises when the management UI renders the x-internal-purpose queue or exchange argument into an HTML title attribute without proper escaping on the Queues and Exchanges pages, enabling stored cross-site scripting ...

7.1CVSS6.2AI score0.00304EPSS
Exploits0References6Affected Software1
NVD
NVD
added 4 days ago7 views

CVE-2026-57994

phpMyFAQ before 4.1.5 applies inconsistent active=yes and publication-date filtering across its public FAQ API endpoints, allowing unauthenticated attackers to retrieve inactive draft or review-only FAQ content. Specifically, GET /api/v3.1/faq/categoryId/faqId returns the inactive FAQ title and...

6.9CVSS0.00214EPSS
Exploits0References2
Cvelist
Cvelist
added 5 days ago30 views

CVE-2026-49274 Kirby: `pages.access` permission is not checked in the pages picker for parent pages

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the pages field with roles that have the pages.access permission disabled allowed authenticated users to provide an inaccessible parent page or site to the page picker backend and confirm arbitrary page...

5.3CVSS0.00275EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 5 days ago7 views

CVE-2026-49274

Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites using the pages field with roles that have the pages.access permission disabled allowed authenticated users to provide an inaccessible parent page or site to the page picker backend and confirm arbitrary page...

5.3CVSS5.9AI score0.00275EPSS
Exploits0References8Affected Software1
CVE
CVE
added 5 days ago9 views

CVE-2026-58459

CVE-2026-58459 affects gpsd (through release-3.27.5) with a command injection in the gpsprof workflow. The subtype value of the GPS device (sourced from a DEVICES JSON log entry or NMEA PGRMT sentence) is written into a generated gnuplot program via a set title statement that escapes only double ...

9.6CVSS6.3AI score0.00726EPSS
Exploits1References5Affected Software1
NVD
NVD
added 5 days ago5 views

CVE-2026-12418

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.7 via the 'wpuffilesdata' parameter due to missing validation on a user controll...

5.3CVSS0.00243EPSS
Exploits0References8
Cvelist
Cvelist
added 5 days ago32 views

CVE-2026-12418 User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.7 - Insecure Direct Object Reference to Unauthenticated Arbitrary Post Modification via 'wpuf_files_data' Parameter

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.7 via the 'wpuffilesdata' parameter due to missing validation on a user controll...

5.3CVSS0.00243EPSS
Exploits0References8
RedhatCVE
RedhatCVE
added 6 days ago5 views

CVE-2026-59711

A flaw was found in showdown. This cross-site scripting XSS vulnerability occurs in the metadata title handling when the completeHTMLDocument option is enabled. An attacker can exploit this by injecting unescaped less-than and greater-than characters into markdown frontmatter metadata. This allow...

6.1CVSS6.5AI score0.00187EPSS
Exploits0References6
Rows per page
Query Builder