Lucene search
K

124115 matches found

NVD
NVD
added 2 hours ago4 views

CVE-2026-9028

The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.7.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers t...

5.3CVSS
Exploits0References8
CVE
CVE
added 3 hours ago8 views

CVE-2026-56291

Balbooa Forms (Joomla extension) is affected by CVE-2026-56291 due to an unauthenticated arbitrary file upload that can lead to full RCE. Affected product/version: Balbooa Forms extension for Joomla, versions

10CVSS6AI score
Exploits0References2
CVE
CVE
added 3 hours ago5 views

CVE-2026-9021

The CVE concerns the WordPress plugin Easy Invoice (WordPress plugin) with vulnerability in versions up to 2.1.19. The root cause is Missing Authorization via AJAX actions easy_invoice_accept_quote and easy_invoice_decline_quote , registered with wp_ajax_nopriv_ hooks and relying on a quote-scope...

5.3CVSS6AI score
Exploits0References10
CVE
CVE
added 3 hours ago4 views

CVE-2026-9027

Summary of the CVE-2026-9027 issue : The CorvusPay WooCommerce Gateway for WordPress (versions up to 2.7.4) is vulnerable to a payment bypass via improper verification of the cryptographic signature. The REST endpoint POST /wp-json/corvuspay/success/ is registered with a permissive permission cal...

5.3CVSS6.2AI score
Exploits0References8
CVE
CVE
added 3 hours ago4 views

CVE-2026-9028

Technical details are not publicly available in the provided documents. Monitor for updates.

5.3CVSS6AI score
Exploits0References8
Cvelist
Cvelist
added 3 hours ago3 views

CVE-2026-9028 CorvusPay WooCommerce Payment Gateway <= 2.7.4 - Missing Authorization to Unauthenticated Arbitrary Order Cancellation via 'order_number' Parameter

The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.7.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers t...

5.3CVSS
Exploits0References8
Cvelist
Cvelist
added 3 hours ago3 views

CVE-2026-13441 EventPrime <= 4.3.4.2 - Unauthenticated Stored Cross-Site Scripting via 'new_event_type_background_color' Parameter

The EventPrime – Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'neweventtypebackgroundcolor' parameter in all versions up to, and including, 4.3.4.2 due to insufficient input sanitization and output escaping. This makes it possible...

7.2CVSS
Exploits0References8
CVE
CVE
added 4 hours ago6 views

CVE-2026-15158

Blocksy Companion

9.8CVSS6.6AI score
Exploits0References3
EUVD
EUVD
added 5 hours ago4 views

EUVD-2026-42543

The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to Authentication Bypass leading to Administrator Account Takeover in all versions up to, and including, 5.5.1. This is due to the umresetpasswordprocesshook function performing no server-side...

9.8CVSS6AI score
Exploits0References10
EUVD
EUVD
added 5 hours ago4 views

EUVD-2026-42542

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.7 via the 'wpuffilesdata' parameter due to missing validation on a user controll...

5.3CVSS6AI score
Exploits0References8
CVE
CVE
added 5 hours ago6 views

CVE-2026-12418

CVE-2026-12418 describes a vulnerability in the WordPress plugin “User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration” (versions up to 4.3.7). An insecure direct object reference exists via the wpuf_files_data parameter due to missing validation on ...

5.3CVSS6AI score
Exploits0References8
CVE
CVE
added 5 hours ago8 views

CVE-2026-13450

The CVE describes a vulnerability in the GamiPress WordPress plugin (versions up to 7.9.4) where Insecure Direct Object Reference is triggered via the access parameter due to missing validation on a user-controlled key. This allows unauthenticated attackers to view private GamiPress activity log ...

5.3CVSS5.9AI score
Exploits0References14
EUVD
EUVD
added 5 hours ago5 views

EUVD-2026-42540

The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.9.4 via the 'access' parameter due to missing validation on a user controlled key. This...

5.3CVSS5.9AI score
Exploits0References14
EUVD
EUVD
added 5 hours ago5 views

EUVD-2026-42538

The Mang Board WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'stag' parameter in all versions up to, and including, 2.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

6.1CVSS6.1AI score
Exploits0References6
CVE
CVE
added 5 hours ago6 views

CVE-2026-12406

The CVE concerns the WordPress plugin “User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration” (WPUF). All versions up to 4.3.7 are affected by an authorization bypass that allows unauthenticated attackers to delete arbitrary media attachments with pos...

5.3CVSS5.9AI score
Exploits0References10
EUVD
EUVD
added 5 hours ago3 views

EUVD-2026-42537

The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.3.7. This is due to the plugin not properly verifying that a user is authorized to perform an...

5.3CVSS5.9AI score
Exploits0References10
EUVD
EUVD
added 6 hours ago4 views

EUVD-2026-42534

A denial-of-service vulnerability caused by unbounded resource allocation was discovered in the audit logging functionality, due to a missing size limit on input recorded into audit entries. An unauthenticated attacker can submit requests containing excessively large input that is recorded into...

8.7CVSS6AI score
Exploits0References1
CVE
CVE
added 6 hours ago4 views

CVE-2026-31984

CVE-2026-31984 affects Guardian/CMC prior to version 26.2.0, where unbounded resource allocation in the audit logging path allows an unauthenticated attacker to submit oversized input, potentially exhausting disk space and causing DoS. Root cause: missing input size limit in audit entries. Impact...

8.7CVSS6AI score
Exploits0References1
EUVD
EUVD
added 6 hours ago4 views

EUVD-2026-42533

A Missing Authentication vulnerability was discovered in the SSH keys synchronization endpoint. An unauthenticated attacker can send a request to the SSH keys synchronization endpoint and obtain the list of users that have uploaded their public SSH keys, their groups, and the uploaded public SSH...

6.9CVSS6AI score
Exploits0References1
CVE
CVE
added 6 hours ago8 views

CVE-2026-31983

CVE-2026-31983 describes a missing authentication vulnerability in the SSH keys synchronization endpoint. An unauthenticated attacker can query the SSH keys sync endpoint and obtain the list of users who uploaded public SSH keys, their groups, and the uploaded keys. Reported impacts include expos...

6.9CVSS6AI score
Exploits0References1
Rows per page
Query Builder