83679 matches found
CVE-2025-15546
The CVE-2025-15546 entry concerns the Iptanus File Upload WordPress plugin (pre-5.1.7). A TOCTOU race condition between the file existence check and the actual write operation, when the duplicatepolicy is set to “maintain both,” allows an authenticated attacker to overwrite files uploaded by othe...
PT-2026-49140
Name of the Vulnerable Software and Affected Versions Chatway Live Chat – AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons versions prior to 1.4.9 Description An issue exists that leads to the exposure of sensitive subscriber data. Recommendations Update to a version...
PT-2026-49115
Name of the Vulnerable Software and Affected Versions Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms versions prior to 1.2.2 Description An unauthenticated PHP Object Injection issue exists in the software. PHP Object Injection occurs when...
PT-2026-49142
Name of the Vulnerable Software and Affected Versions WP User Manager versions prior to 2.9.17 Description A flaw allows a user with Subscriber privileges to perform arbitrary file deletion. Recommendations Update to a version newer than 2.9.16...
PT-2026-49107
Name of the Vulnerable Software and Affected Versions WP Insightly for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms versions prior to 1.1.5 Description An unauthenticated PHP Object Injection issue exists in the plugin. PHP Object Injection occurs when user-supplied input is...
PT-2026-49116
Name of the Vulnerable Software and Affected Versions Shared Files versions prior to 1.7.65 Description An unauthenticated path traversal issue exists, allowing an attacker to access files and directories outside the intended folder on the server. Recommendations Update to a version newer than...
PT-2026-49106
The Iptanus File Upload WordPress plugin before 5.1.7 does not implement proper file handling when the duplicatepolicy setting is configured to "maintain both." Due to a Time-of-Check to Time-of-Use TOCTOU race condition between the file existence check and the actual file write operation, an...
PT-2026-49169
Name of the Vulnerable Software and Affected Versions WP Travel Engine versions prior to 6.7.11 Description An unauthenticated issue exists in the WP Travel Engine plugin that allows for an unspecified vulnerability type to be exploited without requiring user authentication. Recommendations Updat...
CVE-2026-5513
The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bookly-customer-full-name' cookie in versions up to, and including, 27.2 due to insufficient input sanitization and output escaping. This makes it possible for...
EUVD-2026-36651
The Online Scheduling and Appointment Booking System – Bookly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bookly-customer-full-name' cookie in versions up to, and including, 27.2 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2026-5513
The Bookly WordPress plugin (Online Scheduling and Appointment Booking System) is vulnerable to Stored XSS in versions up to 27.2 via the bookly-customer-full-name cookie due to insufficient input sanitization and output escaping. Unauthenticated attackers can inject arbitrary scripts that execut...
CVE-2026-1291
The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/saveshortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with...
EUVD-2026-36649
The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/saveshortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with...
CVE-2026-1291 Meow Gallery <= 5.4.4 - Missing Authorization to Authenticated (Author+) Shortcode creation
The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/saveshortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with...
CVE-2026-1291 Meow Gallery <= 5.4.4 - Missing Authorization to Authenticated (Author+) Shortcode creation
The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/saveshortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with...
CVE-2026-3297
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Anchor block in versions up to, and including, 2.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers...
CVE-2026-9629
The Canvas plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' parameter in all versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above,...
CVE-2026-2470
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.9. This is due to the pagelayersavecontent AJAX handler allowing users with basic post-edit capability to persist...
CVE-2026-9629 Canvas <= 2.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'tag' Block Attribute
The Canvas plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' parameter in all versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above,...
EUVD-2026-36648
The Canvas plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag' parameter in all versions up to, and including, 2.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above,...