CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Cvelist•added 2 days ago•28 views

CVE-2026-8880 RomanCart Ecommerce <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The RomanCart Ecommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blclass' attribute and other attributes of the romancartbutton shortcode in versions up to, and including, 2.0.8. This is due to insufficient input sanitization and output escaping on user supplied...

6.4CVSS0.00029EPSS

Cvelist•added 2 days ago•27 views

CVE-2026-8907 WP-Ultimate-Map <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'zoom-level' Parameter

6.1CVSS0.00012EPSS

CVE•added 2 days ago•10 views

CVE-2026-10024

CVE-2026-10024 affects the TinyMCE shortcode Addon for WordPress (versions

CVE•added 2 days ago•8 views

CVE-2026-8499

The CVE concerns the WordPress Helpfulcrowd Product Reviews plugin (vulnerable up to 1.2.9). Root cause: a PHP type-juggling flaw in helpfulcrowd_validate_token() uses a loose != comparison, paired with a REST route (wp-json/helpfulcrowd/v1/update-settings) that has a permissive permission_callba...

5.3CVSS5.6AI score0.00048EPSS

Cvelist•added 2 days ago•28 views

CVE-2026-8499 Helpfulcrowd Product Reviews <= 1.2.9 - Inccorect Authorization via Type Juggling in 'token' Parameter to Arbitrary Settings Update

The Helpfulcrowd Product Reviews plugin for WordPress is vulnerable to Authorization Bypass via PHP Type Juggling in versions up to, and including, 1.2.9. This is due to the helpfulcrowdvalidatetoken function using a loose comparison operator != instead of a strict comparison !== when validating...

5.3CVSS0.00048EPSS

Vulnrichment•added 2 days ago•4 views

CVE-2026-8499 Helpfulcrowd Product Reviews <= 1.2.9 - Inccorect Authorization via Type Juggling in 'token' Parameter to Arbitrary Settings Update

5.3CVSS5.6AI score0.00048EPSS

Vulnrichment•added 2 days ago•5 views

CVE-2026-10024 TinyMCE shortcode Addon <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute

The TinyMCE shortcode Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

Cvelist•added 2 days ago•29 views

CVE-2026-10024 TinyMCE shortcode Addon <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'btnrel' Shortcode Attribute

6.4CVSS0.00029EPSS

CVE•added 2 days ago•6 views

CVE-2026-8883

The CVE-2026-8883 entry concerns the WordPress plugin Global Body Mass Index Calculator, affected in versions up to 1.2. The vulnerability is a Stored Cross-Site Scripting issue via the gbmicalc shortcode attributes, caused by insufficient input sanitization and output escaping in GBMI_Calc_Widge...

6.4CVSS5.7AI score0.00032EPSS

Vulnrichment•added 2 days ago•3 views

CVE-2026-8940 WP Meta Sort Posts <= 0.9 - Cross-Site Request Forgery to Plugin Settings Update

The WP Meta Sort Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9. This is due to missing or incorrect nonce validation on the top-level included script in msp-options.php. This makes it possible for unauthenticated attackers to chan...

4.3CVSS5.4AI score0.00013EPSS

Cvelist•added 2 days ago•27 views

CVE-2026-8940 WP Meta Sort Posts <= 0.9 - Cross-Site Request Forgery to Plugin Settings Update

4.3CVSS0.00013EPSS

EUVD•added 2 days ago•6 views

EUVD-2026-35299

The Global Body Mass Index Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gbmicalc' shortcode in versions up to, and including, 1.2. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes in the...

6.4CVSS5.7AI score0.00032EPSS

EUVD•added 2 days ago•4 views

EUVD-2026-35300

4.3CVSS5.4AI score0.00013EPSS

Cvelist•added 2 days ago•26 views

CVE-2026-8883 Global Body Mass Index Calculator <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4CVSS0.00032EPSS

Vulnrichment•added 2 days ago•4 views

CVE-2026-8883 Global Body Mass Index Calculator <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4CVSS5.7AI score0.00032EPSS

CVE•added 2 days ago•10 views

CVE-2026-8940

The CVE-2026-8940 entry concerns WordPress plugin WP Meta Sort Posts (versions

4.3CVSS5.4AI score0.00013EPSS

Cvelist•added 2 days ago•28 views

CVE-2026-8841 Extra Settings for RocketChat <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Extra Settings for RocketChat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rocketchat' shortcode's 'title' attribute in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping in the rxstgshortcode function, which...

6.4CVSS0.00029EPSS

EUVD•added 2 days ago•5 views

EUVD-2026-35298

CVE•added 2 days ago•8 views

CVE-2026-8841

CVE-2026-8841 affects the WordPress plugin Extra Settings for RocketChat (versions ≤ 0.1). The vulnerability is a Stored Cross-Site Scripting via the rocketchat shortcode’s title attribute caused by insufficient input sanitization/output escaping in the rxstg_shortcode() function, which directly ...