49053 matches found

Nuclei | added 16 hours ago | 19 views

Ocean Extra <= 2.4.6 - Unauthenticated Shortcode Execution

The Ocean Extra plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.4.6. This is due to the software allowing users to supply arbitrary shortcodes in the contentrechdata parameter that is then executed. This makes it possible for...

CVSS 9.8 | AI score 8.2 | EPSS 0.11954 | Exploits 0 | References 4

Nuclei | added 16 hours ago | 7 views

MyStyle Custom Product Designer <= 3.21.1 - SQL Injection

The MyStyle Custom Product Designer plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.21.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated...

CVSS 9.3 | AI score 5.7 | EPSS 0.05014 | Exploits 0 | References 1

Nuclei | added 16 hours ago | 4 views

Social Auto Poster <= 5.3.14 - Stored Cross-Site Scripting

Social Auto Poster plugin for WordPress versions up to 5.3.14 contains a stored cross-site scripting caused by insufficient sanitization and escaping of 'mapTypes' parameter in the 'wpwautopostermapwordpressposttype' AJAX function, letting unauthenticated attackers inject and execute arbitrary...

CVSS 7.2 | AI score 5.5 | EPSS 0.03942 | Exploits 0 | References 3

Nuclei | added 16 hours ago | 11 views

Broadstreet WordPress plugin - Reflected XSS

Broadstreet WordPress plugin 1.51.8 contains a reflected XSS caused by unsanitised and unescaped parameter output, letting attackers execute scripts against high privilege users such as admin, exploit requires victim interaction. id: CVE-2025-4652 info: name: Broadstreet WordPress plugin -...

CVSS 6.1 | AI score 5.5 | EPSS 0.00342 | Exploits 1 | References 1

Nuclei | added 16 hours ago | 11 views

Bulk Me Now! Plugin <= 2.0 - Cross-Site Scripting

Bulk Me Now! WordPress plugin <= 2.0 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to craft a...

CVSS 7.1 | AI score 7.6 | EPSS 0.02218 | Exploits 1 | References 2

Nuclei | added 16 hours ago | 3 views

WordPress Google Map Professional - Cross-Site Scripting

WordPress Google Map Professional Map In Your Language plugin through 1.0 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users such ...

CVSS 6.1 | AI score 7.6 | EPSS 0.01546 | Exploits 1 | References 2

Nuclei | added yesterday | 5 views

LatePoint <= 5.0.12 - Authentication Bypass

LatePoint plugin for WordPress versions up to 5.0.12 contains an authentication bypass caused by insufficient verification of user during booking, letting unauthenticated attackers log in as any existing user if they have user ID access, exploit requires access to user ID, and the 'Use WordPress...

CVSS 9.8 | AI score 5.5 | EPSS 0.40056 | Exploits 0 | References 3

Nuclei | added 16 hours ago | 10 views

Post Sync Plugin <= 1.1 - Cross-Site Scripting

Post Sync WordPress plugin <= 1.1 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to craft a maliciou...

CVSS 6.1 | AI score 7.6 | EPSS 0.01533 | Exploits 1 | References 2

Nuclei | added 16 hours ago | 8 views

WP Projects Portfolio <= 3.0 - Cross-Site Scripting

WP Projects Portfolio with Client Testimonials WordPress plugin <= 3.0 contains a reflected cross-site scripting caused by unsanitized parameter output, letting attackers execute scripts in the context of high privilege users, exploit requires attacker to craft a malicious URL. id: CVE-2024-13114...

CVSS 6.1 | AI score 7.6 | EPSS 0.02069 | Exploits 1 | References 2

Nuclei | added 16 hours ago | 6 views

Privacy Policy Genius - Cross-Site Scripting

Privacy Policy Genius WordPress plugin v2.0.4 contains a reflected cross-site scripting caused by unsanitized parameter output in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to craft a malicious URL. id: CVE-2024-13219...

CVSS 6.1 | AI score 7.6 | EPSS 0.01143 | Exploits 1 | References 2

Nuclei | added 16 hours ago | 7 views

LifterLMS < 8.0.1 - Cross-Site Scripting

LifterLMS WordPress plugin before 8.0.1 contains a reflected XSS caused by unsanitized and unescaped parameter output, letting attackers execute scripts against high privilege users such as admin via a crafted request. id: CVE-2024-13619 info: name: LifterLMS < 8.0.1 - Cross-Site Scripting author:...

CVSS 6.1 | AI score 5.5 | EPSS 0.00168 | Exploits 1 | References 3

Nuclei | added 16 hours ago | 5 views

Dyn Business Panel Plugin <= 1.0.0 - Cross-Site Scripting

Dyn Business Panel WordPress plugin <= 1.0.0 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter in output, letting attackers execute scripts in the context of high privilege users, exploit requires victim to click a malicious link. id: CVE-2024-130...

CVSS 7.1 | AI score 7.6 | EPSS 0.02205 | Exploits 1 | References 2

Nuclei | added 16 hours ago | 7 views

Simple Certain Time to Show Content - Cross-Site Scripting

Simple Certain Time to Show Content WordPress plugin 1.3.1 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute arbitrary scripts in the context of high privilege users such as admin, explo...

CVSS 7.1 | AI score 7.8 | EPSS 0.02644 | Exploits 1 | References 2

Nuclei | added 16 hours ago | 9 views

WP BASE Booking - Reflected XSS

WP BASE Booking of Appointments, Services and Events WordPress plugin 5.0.0 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before output, letting attackers execute malicious scripts in high privilege users' browsers, exploit requires victim to...

CVSS 6.1 | AI score 7.6 | EPSS 0.01485 | Exploits 1 | References 1

Nuclei | added 16 hours ago | 12 views

WP Triggers Lite - Cross-Site Scripting

WP Triggers Lite WordPress plugin v2.5.3 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to craft a...

CVSS 7.1 | AI score 7.6 | EPSS 0.02641 | Exploits 1 | References 2

Nuclei | added 16 hours ago | 5 views

LogDash Activity Log <= 1.1.3 - SQL Injection

The LogDash Activity Log plugin for WordPress is vulnerable to SQL Injection via the username parameter in all versions up to, and including, 1.1.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...

CVSS 5.4 | AI score 5.7 | EPSS 0.00403 | Exploits 1 | References 2

Nuclei | added 16 hours ago | 9 views

JS Help Desk <= 2.8.1 - SQL Injection

The JS Help Desk – Best Help Desk & Support Plugin plugin for WordPress is vulnerable to SQL Injection via the 'email' and 'trackingid' parameters in all versions up to 2.8.2 exclusive due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing S...

CVSS 9.8 | AI score 8 | EPSS 0.16327 | Exploits 0 | References 2

Nuclei | added 16 hours ago | 8 views

JS Help Desk <= 2.8.2 - SQL Injection

JS Help Desk WordPress plugin 2.8.2 contains a SQL injection caused by insufficient escaping and preparation of user-supplied values in 'js-support-ticket-token-tkstatus' cookie, letting unauthenticated attackers extract sensitive database information, exploit requires no authentication. id:...

CVSS 7.5 | AI score 5.6 | EPSS 0.26435 | Exploits 0 | References 2

Nuclei | added 16 hours ago | 11 views

CRM Perks Forms <= 1.1.4 - SQL Injection

CRM Perks CRM Perks Forms affected versions 1.1.4 and earlier contains a SQL injection caused by improper neutralization of special elements used in an SQL command, letting attackers execute arbitrary SQL commands, exploit requires user interaction. id: CVE-2024-30498 info: name: CRM Perks Forms ...

CVSS 10 | AI score 8.2 | EPSS 0.14998 | Exploits 0 | References 3

Nuclei | added 16 hours ago | 17 views

WordPress User Registration & Membership <= 5.1.2 - Unauthenticated Privilege Escalation

User Registration & Membership WordPress plugin <= 5.1.2 contains an improper privilege management vulnerability caused by accepting user-supplied roles without server-side allowlist enforcement, letting unauthenticated attackers create administrator accounts id: CVE-2026-1492 info: name: WordPres...

CVSS 9.8 | AI score 8.1 | EPSS 0.24774 | Exploits 2 | References 3