120 matches found
EUVD-2026-42537
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.3.7. This is due to the plugin not properly verifying that a user is authorized to perform an...
CVE-2026-57667
Sales Representative SQL Injection in Groundhogg = 4.5 versions...
EUVD-2026-39763
Contributor Broken Access Control in Nelio Content = 4.3.4 versions...
PT-2026-52431
Name of the Vulnerable Software and Affected Versions Post Snippets versions prior to 4.0.20 Description Remote attackers with contributor-level permissions can execute arbitrary code on the server. Recommendations Update Post Snippets to version 4.0.20 or later...
CVE-2026-22330
Unauthenticated Local File Inclusion in Right Way = 4.0 versions...
CVE-2026-3018
The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpmlsubscriberid’ parameter in all versions up to, and including, 4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...
CVE-2026-11448
A weakness has been identified in GL.iNet GL-MT3000 up to 4.4.5. The affected element is the function realpath of the file /rpc of the component Minidlna Service. This manipulation of the argument kube. set causes command injection. The attack is possible to be carried out remotely. Upgrading to...
CVE-2026-42669
Missing Authorization vulnerability in EventPrime allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventPrime: from n/a through 4.3.2.0...
WordPress SeaFood Company theme <= 1.4 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme SeaFood Company versions = 1.4...
CVE-2026-6962 Cost of Goods: Product Cost & Profit Calculator for WooCommerce <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'algwccogproductcost' and 'algwccogproductprofit' shortcodes in all versions up to, and including, 4.1.0 due to insufficient input sanitization an...
CVE-2026-8262 Devs Palace ERP Online chart-save cross site scripting
A vulnerability was identified in Devs Palace ERP Online up to 4.0.0. This impacts an unknown function of the file /accounts/chart-save. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit is publicly available and might be used. The vendor was...
CVE-2026-8254 Devs Palace ERP Online sales_save cross site scripting
A security flaw has been discovered in Devs Palace ERP Online up to 4.0.0. Affected by this issue is some unknown functionality of the file /inventory/salessave. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the...
GHSA-MQ9Q-25HM-G4GP AstrBot Makes Use of Hard-coded Password
A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.16.0. This issue affects some unknown processing of the file astrbot/dashboard/routes/auth.py of the component Dashboard. The manipulation leads to hard-coded credentials. It is possible to initiate the attack remotely. The...
WordPress ProfilePress plugin <= 4.16.12 - Missing Authorization to Authenticated (Subscriber+) Inactive Membership Plan Subscription vulnerability
Missing Authorization to Authenticated Subscriber+ Inactive Membership Plan Subscription vulnerability discovered by Supakiad S. m3ez - E-CQURITY Thailand in WordPress Plugin ProfilePress versions = 4.16.12...
CVE-2026-39671 WordPress Extra Fees Plugin for WooCommerce plugin <= 4.3.3 - Cross Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery CSRF vulnerability in Dotstore Extra Fees Plugin for WooCommerce woo-conditional-product-fees-for-checkout allows Cross Site Request Forgery.This issue affects Extra Fees Plugin for WooCommerce: from n/a through = 4.3.3...
CVE-2026-25002
Authentication Bypass Using an Alternate Path or Channel vulnerability in ThimPress LearnPress – Sepay Payment learnpress-sepay-payment allows Authentication Abuse.This issue affects LearnPress – Sepay Payment: from n/a through = 4.0.0...
CVE-2026-24362
Missing Authorization vulnerability in bdthemes Ultimate Post Kit ultimate-post-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Post Kit: from n/a through = 4.0.21...
CVE-2026-32488
Incorrect Privilege Assignment vulnerability in wpeverest User Registration user-registration allows Privilege Escalation.This issue affects User Registration: from n/a through = 4.4.9...
PT-2026-27880
Name of the Vulnerable Software and Affected Versions LearnPress – Sepay Payment versions n/a through 4.0.0 Description An authentication bypass issue exists in ThimPress LearnPress – Sepay Payment learnpress-sepay-payment, allowing for authentication abuse through the use of an alternate path or...
CVE-2026-2579
The WowStore – Store Builder & Product Blocks for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the ‘search’ parameter in all versions up to, and including, 4.4.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing S...