933 matches found
CVE-2026-57815
CVE-2026-57815 documents a path traversal vulnerability in the WordPress plugin Forminator (WPMU DEV Your All-in-One WordPress Platform Forminator) affecting version range up to and including 1.55.0.2. The issue is described as Improper Limitation of a Pathname to a Restricted Directory, enabling...
CVE-2026-61968 WordPress myCred plugin <= 3.1.2 - Broken Access Control vulnerability
Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects myCred: from n/a through = 3.1.2...
CVE-2026-57365 WordPress reCAPTCHA (v2 & v3) for Asgaros Forum plugin <= 1.1.0 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Hitesh Chandwani reCAPTCHA v2 & v3 for Asgaros Forum recaptcha-for-asgaros-forum allows DOM-Based XSS.This issue affects reCAPTCHA v2 & v3 for Asgaros Forum: from n/a through = 1.1.0...
CVE-2026-2354 Swiss Toolkit For WP <= 1.4.6 - Authenticated (Author+) Arbitrary File Upload via upload_extension_files()
The Swiss Toolkit For WP plugin for WordPress is vulnerable to arbitrary file upload due to a flawed file type validation bypass in the uploadextensionfiles function in all versions up to, and including, 1.4.6. The uploadextensionfiles function hooks into WordPress's wpcheckfiletypeandext filter...
CVE-2026-12918 Mail Mint <= 1.24.1 - Authenticated (Administrator+) SQL Injection via 'recipients' Parameter
The Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to generic SQL Injection via the 'recipients' parameter in all versions up to, and including, 1.24.1 due to insufficient escaping on the user supplied parameter and lack of...
CVE-2026-6802
The CVE-2026-6802 entry concerns the WordPress plugin Easy Upload Files During Checkout, affected up to version 3.0.1. The vulnerability stems from missing authorization checks in the ufdc_custom_init() function, which processes the eufdc-delete parameter without nonce verification, capability ch...
WordPress AIWU plugin <= 1.5.4 - SQL Injection vulnerability
SQL Injection vulnerability discovered by VanTastic in WordPress Plugin AIWU versions = 1.5.4...
CVE-2026-14372
The Bit Form WordPress plugin (Bit Form – Contact Form, Payment Forms, Multi Step Forms, Calculator & Custom Form Builder) is affected up to version 3.1.1 due to insufficient file path validation in deleteFiles, enabling authenticated users with subscriber+ to delete arbitrary server files (poten...
CVE-2026-14482
The CVE-2026-14482 entry covers the WordPress plugin “多说社会化评论框” (
CVE-2026-14651 connorskees grass visitor denial of service
A vulnerability has been found in connorskees grass up to 0.13.4. The impacted element is the function grasscompiler::selector::extend/grasscompiler::evaluate::visitor. The manipulation leads to denial of service. The attack must be carried out locally. The exploit has been disclosed to the publi...
PT-2026-55731
Name of the Vulnerable Software and Affected Versions connorskees grass versions prior to 0.13.5 Description A local manipulation of the grass compiler::selector::extend/grass compiler::evaluate::visitor function can lead to a denial of service. This occurs because the @extend algorithm is...
CVE-2026-11778
The The CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.2.14. This is due to the software allowing users to execute an action that does not properly validate a value...
CVE-2026-8892
The CM Business Directory – Optimise and showcase local business plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Business Address Meta Fields in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2026-57747 WordPress Booked plugin <= 3.0.0 - Cross Site Request Forgery (CSRF) vulnerability
Unauthenticated Cross Site Request Forgery CSRF in Booked = 3.0.0 versions...
CVE-2026-57682
The CVE-2026-57682 entry affects the WordPress plugin “Simple Link Directory” version ≤ 15.0.5, with an unauthenticated Cross Site Scripting (XSS) vulnerability. The connected records confirm the vulnerability type (XSS) and affected version, but do not provide concrete root-cause details, exploi...
CVE-2026-42382 WordPress Audrey theme <= 1.5 - Local File Inclusion vulnerability
Unauthenticated Local File Inclusion in Audrey = 1.5 versions...
CVE-2026-10104 Product Video Gallery for Woocommerce <= 1.5.1.8 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via custom_thumbnail Parameter
The Product Video Gallery for Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via customthumbnail Parameter in all versions up to, and including, 1.5.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...
PT-2026-54975
Name of the Vulnerable Software and Affected Versions Pearl - Corporate Business versions prior to 3.4.11 Description An unauthenticated Local File Inclusion LFI issue exists, which allows an attacker to read files from the local file system without requiring authentication. Recommendations Updat...
CVE-2026-57332
The CVE affects the WordPress Wallet System for WooCommerce plugin, specifically versions
PT-2026-53292
Name of the Vulnerable Software and Affected Versions Paid Videochat Turnkey Site versions 7.4.8 and earlier Description An issue exists that allows a performer to perform arbitrary file deletion within the system. Recommendations At the moment, there is no information about a newer version that...