Lucene search
K

84449 matches found

CVE
CVE
added 9 hours ago9 views

CVE-2026-1359

CVE-2026-1359 affects the Genolve WordPress plugin and describes a missing capability check in genolve_setOpt() across all versions up to 5.0.5. This allows authenticated attackers with Contributor-level access (or higher) to modify arbitrary WordPress options, including enabling user registratio...

8.8CVSS6.2AI score
Exploits0References2
CVE
CVE
added 10 hours ago5 views

CVE-2026-9282

The connected documents confirm a directory traversal vulnerability in the W3 Total Cache WordPress plugin, affecting all versions up to and including 2.9.4. The issue arises through the setupSources function, enabling unauthenticated attackers to read arbitrary server files that may contain sens...

7.5CVSS6.2AI score
Exploits0References6
CVE
CVE
added 10 hours ago10 views

CVE-2026-15010

The CVE-2026-15010 entry concerns the bbp Style Pack plugin for WordPress, vulnerable to Stored Cross-Site Scripting (XSS) in versions up to and including 6.4.5 via the Topic Form Additional Fields feature. Root causes are insufficient input sanitization in bsp_topic_fields_form_save(), which wri...

6.4CVSS6.2AI score
Exploits0References4
EUVD
EUVD
added 10 hours ago5 views

EUVD-2026-43165

The bbp Style Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.4.5 via the Topic Form Additional Fields feature. This is due to insufficient input sanitization in bsptopicfieldsformsave which writes $POST'bsptopicfieldslabeln' directly to...

6.4CVSS6.2AI score
Exploits0References4
EUVD
EUVD
added 10 hours ago7 views

EUVD-2026-43164

The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.4 via the setupSources function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive...

7.5CVSS6.2AI score
Exploits0References6
CVE
CVE
added 10 hours ago9 views

CVE-2026-9017

The CVE describes an authorization bypass in the NEX-Forms – Ultimate Forms Plugin for WordPress (vulnerable up to and including 9.2.2). The underlying issue is that the plugin does not properly verify that a user is authorized to perform an action, enabling unauthenticated attackers to overwrite...

5.3CVSS6.1AI score
Exploits0References8
EUVD
EUVD
added 10 hours ago7 views

EUVD-2026-43163

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 9.2.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated...

5.3CVSS6.1AI score
Exploits0References8
EUVD
EUVD
added 11 hours ago6 views

EUVD-2026-43161

The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'approvalcode' parameter in all versions up to, and including, 2.7.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers...

7.2CVSS6.2AI score
Exploits0References11
EUVD
EUVD
added 11 hours ago7 views

EUVD-2026-43160

The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Authenticated Account Takeover via Email Header Injection in all versions up to, and including, 6.6.10 This is due to insufficient server-side validation of a Login/Register widget...

8.8CVSS6.1AI score
Exploits0References9
CVE
CVE
added 11 hours ago7 views

CVE-2026-4661

The CVE-2026-4661 entry concerns the WordPress plugin WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales (versions up to 2.2.2). The flaw is a time-based blind SQL injection in the fildname parameter, caused by insufficient escaping of user-supplied column names in ajaxCheck() and an inco...

7.5CVSS6.1AI score
Exploits0References5
EUVD
EUVD
added 11 hours ago6 views

EUVD-2026-43158

The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'posttitle' in all versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for...

6.4CVSS6.2AI score
Exploits0References8
EUVD
EUVD
added 11 hours ago6 views

EUVD-2026-43157

The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'fildname' parameter in all versions up to, and including, 2.2.2. This is due to insufficient escaping of user-supplied column names in the ajaxCheck method...

7.5CVSS6.1AI score
Exploits0References5
CVE
CVE
added 11 hours ago10 views

CVE-2025-5017

Summary: The Catalyst Connect Zoho CRM Client Portal WordPress plugin (≤ 2.2.0) is vulnerable to time-based SQL Injection via the uid parameter. The root cause is insufficient escaping of user input and lack of proper query parameterization, enabling authenticated attackers with Administrator-lev...

4.9CVSS6.1AI score
Exploits0References3
CVE
CVE
added 11 hours ago10 views

CVE-2026-11591

CVE-2026-11591 affects the WordPress plugin Widgets for Google Reviews up to version 13.3. It is a Stored Cross‑Site Scripting (XSS) vulnerability triggered via admin settings, caused by insufficient input sanitization and output escaping in the parameters fomo-title and fomo-text . Exploitation ...

4.4CVSS6.2AI score
Exploits0References10
EUVD
EUVD
added 11 hours ago6 views

EUVD-2026-43155

The Widgets for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 13.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level...

4.4CVSS6.2AI score
Exploits0References10
EUVD
EUVD
added 11 hours ago7 views

EUVD-2026-43154

The fresh Podcaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'freshpodcaster' shortcode in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

6.4CVSS6.2AI score
Exploits0References4
EUVD
EUVD
added 11 hours ago6 views

EUVD-2025-210456

The Catalyst Connect Zoho CRM Client Portal plugin for WordPress is vulnerable to time-based SQL Injection via the ‘uid’ parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query...

4.9CVSS6.1AI score
Exploits0References3
CVE
CVE
added 11 hours ago10 views

CVE-2026-12738

CVE-2026-12738 affects WP Easy Pay

4.3CVSS6.1AI score
Exploits0References5
CVE
CVE
added 11 hours ago12 views

CVE-2026-10865

CVE-2026-10865 affects the Cost Calculator Builder plugin for WordPress. The vulnerability exists in all versions up to 4.0.11 and arises from exposure in the template body, allowing unauthenticated attackers to read plaintext payment gateway secrets (Stripe secret key, Razorpay secret key, and P...

5.3CVSS6.1AI score
Exploits0References10
EUVD
EUVD
added 11 hours ago8 views

EUVD-2026-43152

The Cost Calculator Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.11 via the template body. This makes it possible for unauthenticated attackers to extract the plaintext Stripe secret key, Razorpay secret key, and PayPal...

5.3CVSS6.1AI score
Exploits0References10
Rows per page
Query Builder