Lucene search
+L

2380 matches found

CVE
CVE
added 2 days ago11 views

CVE-2026-12978

The CVE-2026-12978 entry affects the FunnelKit WordPress plugin prior to version 3.15.0.6. Affected component: page-builder AJAX action used when the Divi builder is active. Root cause: user-supplied parameter is not escaped before being reflected into the HTML response, enabling a Reflected XSS ...

7.1CVSS6.1AI score0.00164EPSS
Exploits0References1
EUVD
EUVD
added 4 days ago7 views

EUVD-2026-43625

The SureForms WordPress plugin before 2.11.1 does not properly validate the payment amount on forms that use a dynamically-sourced variable/hidden payment amount, allowing unauthenticated users to underpay for the configured product or subscription. Forms using a fixed configured price are not...

5.9CVSS6.1AI score0.00181EPSS
Exploits0References1
NVD
NVD
added 4 days ago6 views

CVE-2026-11802

The FoodBook Lite - Online Food Ordering System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.6. The registration function, accessible via the wpajaxnoprivregistrationaction AJAX action, lacks any nonce verification or capability check, and...

5.3CVSS0.00311EPSS
Exploits0References8
Cvelist
Cvelist
added 4 days ago33 views

CVE-2026-11802 FoodBook Lite <= 1.5.6 - Missing Authorization to Unauthenticated User Registration via 'registration_action' AJAX Action

The FoodBook Lite - Online Food Ordering System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5.6. The registration function, accessible via the wpajaxnoprivregistrationaction AJAX action, lacks any nonce verification or capability check, and...

5.3CVSS0.00311EPSS
Exploits0References8
RedhatCVE
RedhatCVE
added 2026/07/10 1:19 p.m.9 views

CVE-2026-7492

A flaw was found in GitLab. Under certain conditions, an unauthenticated user could determine the existence of a private project. This information disclosure is possible due to improper authorization controls on cross-project reference pages. This vulnerability allows an attacker to gain sensitiv...

5.3CVSS6AI score0.00254EPSS
Exploits0References6
NVD
NVD
added 2026/07/10 10:16 a.m.8 views

CVE-2026-11990

The KiviCare – Clinic & Patient Management System EHR plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated...

5.3CVSS0.00342EPSS
Exploits0References12
EUVD
EUVD
added 2026/07/10 3:31 a.m.8 views

EUVD-2026-42786

The WP Hotel Booking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'checkindate' and 'checkoutdate' parameters in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacker...

6.1CVSS6.1AI score0.00254EPSS
Exploits0References9
Cvelist
Cvelist
added 2026/07/10 3:31 a.m.38 views

CVE-2026-11392 WP Hotel Booking <= 2.3.1 - Reflected Cross-Site Scripting via 'check_in_date' and 'check_out_date' Parameters

The WP Hotel Booking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'checkindate' and 'checkoutdate' parameters in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacker...

6.1CVSS0.00254EPSS
Exploits0References9
CVE
CVE
added 2026/07/08 11:30 a.m.13 views

CVE-2026-14250

The CVE-2026-14250 issue affects the Themehunk Login Registration plugin for WordPress up to version 1.0.2. The root cause is in handle_frontend_register() at the unauthenticated /thlogin/v1/register REST endpoint, which accepts a user-controlled role parameter and validates it only against get_e...

6.3CVSS5.8AI score0.00209EPSS
Exploits0References6
NVD
NVD
added 2026/07/08 6:16 a.m.10 views

CVE-2026-12153

The WP Learn Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.1.8. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to install and activat...

9.8CVSS0.00364EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/07/07 6:0 a.m.38 views

CVE-2026-12277 Frontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary File Deletion via Saved File Metadata Path Traversal

The Frontend File Manager Plugin WordPress plugin through 23.6 does not validate a file path derived from user input before deleting the referenced file, allowing unauthenticated users to delete arbitrary files on the server such as wp-config.php when guest upload mode is enabled. Deleting...

0.00231EPSS
Exploits1References1
EUVD
EUVD
added 2026/07/02 6:0 a.m.8 views

EUVD-2026-41255

The User Registration & Membership WordPress plugin before 5.2.0 does not enforce payment completion before activating a paid membership subscription, allowing unauthenticated users after self-registering an account through the open registration flow to obtain an active subscription on any paid...

6.5CVSS5.8AI score0.00164EPSS
Exploits0References1
NVD
NVD
added 2026/07/01 7:16 a.m.15 views

CVE-2026-11794

The Advanced Form Integration — Connect Forms to 200+ Apps WordPress plugin before 2.1.1 does not restrict the WordPress role assigned when it creates a user from a public form submission, allowing unauthenticated visitors to create an administrator account when an active integration maps the use...

8.1CVSS0.00236EPSS
Exploits0References1
CVE
CVE
added 2026/07/01 6:0 a.m.22 views

CVE-2026-11794

The CVE-2026-11794 entry concerns the WordPress plugin “Advanced Form Integration — Connect Forms to 200+ Apps” up to version 2.1.1. Affected behavior: when creating a user from a public form submission, the plugin does not enforce the WordPress role, which can allow unauthenticated visitors to c...

8.1CVSS5.8AI score0.00236EPSS
Exploits0References1
EUVD
EUVD
added 2026/07/01 3:43 a.m.8 views

EUVD-2026-40892

The Visualizer – Tables & Charts Manager with Built-in AI Generator plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

7.5CVSS5.6AI score0.00367EPSS
Exploits0References8
EUVD
EUVD
added 2026/06/30 6:32 p.m.7 views

EUVD-2026-40376

The Webmention plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 5.8.0 via parser-derived 'avatar' and 'url' author metadata. This is due to insufficient input sanitization and output escaping on user-supplied MF2 author properties processed by the...

7.2CVSS5.9AI score0.00236EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/30 6:0 a.m.8 views

CVE-2026-11589

The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not properly validate uploaded files, allowing unauthenticated users to upload files containing malicious JavaScript such as HTML or SVG to a publicly accessible location, leading to Stored Cross-Site Scripting attac...

5.6AI score0.00276EPSS
Exploits0References1
OSV
OSV
added 2026/06/29 11:50 a.m.8 views

PYSEC-2026-317 Codechecker has an authentication bypass for certain API calls

Summary Authentication bypass occurs when the URL ends with Authentication with certain function calls. This bypass allows assigning arbitrary permissions to any existing user in CodeChecker. Details The following functions are affected under the Authentication endpoint: getAuthorisedNames,...

10CVSS6AI score0.00447EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/06/26 10:40 p.m.8 views

CVE-2026-28701

Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths...

9.8CVSS6AI score0.00702EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/26 8:44 p.m.9 views

CVE-2026-54350

Budibase is an open-source low-code platform. Prior to 3.39.12, an unauthenticated visitor of any published Budibase app reads every document of the backing MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collection and, where the builder has published a PUBLIC write...

10CVSS5.8AI score0.00538EPSS
Exploits2References2Affected Software1
Rows per page
Query Builder