263294 matches found

EUVD
added 2 hours ago, 5 views

EUVD-2026-38416

The Infility Global WordPress plugin before 2.15.20 does not sanitize or validate the orderby and order parameters in the import_list, url_detail, and file_detail admin page callbacks before using them in SQL queries, allowing authenticated attackers with Editor-level...

5.9 AI score
Exploits: 0, References: 2

EUVD
added 2 hours ago, 4 views

EUVD-2026-38420

The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly enforce its nonce check on the file download handler, allowing unauthenticated attackers to download files uploaded by any user by iterating...

5.9 AI score
Exploits: 0, References: 2

EUVD
added 2 hours ago, 4 views

EUVD-2026-38418

The Simple Basic Contact Form WordPress plugin through 20250114 does not escape user-supplied input before reflecting it into the contact form output on validation errors, leading to a Reflected Cross-Site Scripting vulnerability that unauthenticated attackers can exploit against site visitors vi...

5.7 AI score
Exploits: 0, References: 2

EUVD
added 2 hours ago, 5 views

EUVD-2026-38417

The Infility Global WordPress plugin before 2.15.19 does not properly sanitize and escape some parameters before using them in SQL statements, leading to a SQL Injection vulnerability exploitable by authenticated users with Subscriber-level access and above...

6 AI score
Exploits: 0, References: 2

EUVD
added 2 hours ago, 6 views

EUVD-2026-38419

The Frontend File Manager Plugin WordPress plugin through 23.6 does not sanitise nor escape a filename submitted to the frontend file-rename endpoint before storing it as post meta and rendering it back on the admin File Manager listing, leading to a Stored Cross-Site Scripting vulnerability...

5.9 AI score
Exploits: 0, References: 2

CVE
added 5 hours ago, 8 views

CVE-2026-7842

The Infility Global WordPress plugin (before 2.15.20) is vulnerable to time-based blind SQL injection via the orderby and order parameters in admin callbacks (import_list, url_detail, file_detail) due to lack of sanitization/validation. Authenticated users with Editor+ access can exploit this whe...

5.9 AI score
Exploits: 0, References: 1

CVE
added 5 hours ago, 9 views

CVE-2026-8379

The CVE-2026-8379 entry relates to the Frontend File Manager Plugin for WordPress (up to version 23.6). The root cause is improper enforcement of the nonce check on the file download handler, enabling unauthenticated attackers to download files uploaded by any user by iterating identifiers. This ...

5.9 AI score
Exploits: 0, References: 1

Patchstack
added yesterday, 6 views

WordPress Transbank Webpay plugin < 1.14.0 - Unauthenticated Stored XSS vulnerability

Unauthenticated Stored XSS vulnerability discovered by Mateo Contenla & Matías Schiappacasse in WordPress Plugin Transbank Webpay REST versions < 1.14.0...

7.1 CVSS, 5.8 AI score
Exploits: 0, References: 1, Affected Software: 1

Patchstack
added yesterday, 6 views

WordPress Vitepos plugin < 3.4.2 - Outlet Manager+ Privilege Escalation vulnerability

Outlet Manager+ Privilege Escalation vulnerability discovered by RealKingEngine ISAL FRAMEWORK in WordPress Plugin Vitepos versions < 3.4.2...

8.8 CVSS, 5.8 AI score
Exploits: 0, References: 1, Affected Software: 1

Patchstack
added yesterday, 5 views

WordPress Simple File List plugin <= 6.3.7 - Missing Authorization to Unauthenticated File Modification via simplefilelist_edit_job AJAX Action vulnerability

Missing Authorization to Unauthenticated File Modification via simplefilelist_edit_job AJAX Action vulnerability discovered by WordFence in WordPress Plugin Simple File List versions <= 6.3.7...

7.5 CVSS, 5.9 AI score
Exploits: 0, References: 1, Affected Software: 1

Patchstack
added yesterday, 7 views

WordPress Simple File List plugin <= 6.3.7 - Unauthenticated Arbitrary File Deletion via Path Traversal in 'eeSubFolder' Parameter vulnerability

Unauthenticated Arbitrary File Deletion via Path Traversal in 'eeSubFolder' Parameter vulnerability discovered by WordFence in WordPress Plugin Simple File List versions <= 6.3.7...

7.5 CVSS, 5.8 AI score
Exploits: 0, References: 1, Affected Software: 1

Patchstack
added yesterday, 7 views

WordPress Database for Contact Form 7, WPforms, Elementor forms plugin <= 1.5.1 - Unauthenticated Arbitrary File Deletion via CF7 File Field POST Value vulnerability

Unauthenticated Arbitrary File Deletion via CF7 File Field POST Value vulnerability discovered by daroo in WordPress Plugin Contact Form Entries versions <= 1.5.1...

8.1 CVSS, 5.9 AI score
Exploits: 0, References: 1, Affected Software: 1

Patchstack
added yesterday, 7 views

WordPress Branda - White Label & Branding, Free Login Page Customizer plugin <= 3.4.29 - Unauthenticated Privilege Escalation via Account Takeover vulnerability

WordPress Branda - White Label & Branding, Free Login Page Customizer plugin <= 3.4.29 - Unauthenticated Privilege Escalation via Account Takeover vulnerability discovered by thevietronin - GalaxyOne in WordPress Plugin Branda versions <= 3.4.29...

9.8 CVSS, 5.8 AI score
Exploits: 1, References: 1, Affected Software: 1

Patchstack
added yesterday, 5 views

WordPress Pie Register plugin < 3.8.4.10 - Unauthenticated Email Verification Bypass via Predictable Token vulnerability

Unauthenticated Email Verification Bypass via Predictable Token vulnerability discovered by Haitam Lazaar in WordPress Plugin Pie Register versions < 3.8.4.10...

5.3 CVSS, 5.8 AI score
Exploits: 0, References: 1, Affected Software: 1

Patchstack
added yesterday, 7 views

WordPress Simple File List plugin <= 6.3.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Operations (Deletion / Move / Folder Creation / Download) via 'frontmanage' Shortcode Attribute vulnerability

Missing Authorization to Authenticated (Contributor+) Arbitrary File Operations (Deletion / Move / Folder Creation / Download) via 'frontmanage' Shortcode Attribute vulnerability discovered by WordFence in WordPress Plugin Simple File List versions <= 6.3.7...

6.5 CVSS, 5.9 AI score
Exploits: 0, References: 1, Affected Software: 1

NVD
added yesterday, 8 views

CVE-2026-8157

The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new users via one of its REST API endpoints, allowing authenticated users with a custom Vitepos WordPress plugin before 3.4.2 role to escalate privileges to administrator...

8.8 CVSS
Exploits: 0, References: 1

NVD
added yesterday, 8 views

CVE-2026-7859

The Motors WordPress plugin before 1.4.110 does not have proper authorisation and CSRF checks on one of its AJAX actions, allowing unauthenticated attackers to modify arbitrary post metadata, such as the gallery, featured image and, on WooCommerce sites, product prices...

5.3 CVSS
Exploits: 0, References: 1

NVD
added yesterday, 7 views

CVE-2026-6858

The Transbank Webpay WordPress plugin before 1.14.0 does not sanitize and escape logs to be displayed, allowing unauthenticated users to perform Stored XSS attacks against logged in administrator...

7.1 CVSS
Exploits: 0, References: 1

NVD
added yesterday, 7 views

CVE-2026-10530

The Pie Register WordPress plugin before 3.8.4.10 does not use sufficiently random values when generating its account verification tokens, allowing unauthenticated attackers to predict a valid token and activate an account without access to the associated email inbox...

5.3 CVSS
Exploits: 0, References: 1

Cvelist
added yesterday, 20 views

CVE-2026-8157 Vitepos < 3.4.2 - Outlet Manager+ Privilege Escalation

The Vitepos WordPress plugin before 3.4.2 does not properly restrict the roles that can be assigned when creating new users via one of its REST API endpoints, allowing authenticated users with a custom Vitepos WordPress plugin before 3.4.2 role to escalate privileges to administrator...

Exploits: 0, References: 1