Search results: 83649 matches found

Source: CVE | added 5 days ago | 9 views

CVE-2026-9179

Summary: WP Forms Connector for WordPress (versions ≤ 1.8) is susceptible to unauthenticated SQL injection via the order parameter in the /wp-json/wp/v3/post/list endpoint. The root cause is insufficient escaping of $_GET['order'], with the value concatenated into the ORDER BY clause and executed...

CVSS 7.5 | AI score 5.9 | EPSS 0.00376 | Exploits 0 | References 4

Source: CVE | added 5 days ago | 9 views

CVE-2026-11370

CVE-2026-11370: In the WordPress WP Meta SEO plugin (versions up to 4.5.18), there is a Server-Side Request Forgery (SSRF) via the new_link parameter. Exploitation requires an authenticated user with at least Contributor-level access. The vulnerability allows outbound web requests originating from the...

CVSS 6.4 | AI score 6 | EPSS 0.00242 | Exploits 0 | References 4

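The SSRF shape in the WP Meta SEO entry above is a user-supplied URL reaching an outbound HTTP call. The following is an added example written for this page, not WP Meta SEO's code: it shows the unsafe handler next to a hardened one that uses WordPress's own `wp_http_validate_url()` / `wp_safe_remote_get()` checks. It assumes a WordPress runtime; the AJAX action name `example_fetch_link`, the nonce action and the `manage_options` capability are hypothetical choices for the illustration.

```php
<?php
// Added example for the SSRF shape described in the entry above; it is not
// WP Meta SEO's code. Assumes a WordPress runtime. The AJAX action name, the
// nonce action and the capability are hypothetical.

// Unsafe shape: a user-supplied URL goes straight into an outbound request, so an
// authenticated user can make the server fetch loopback, LAN or cloud-metadata
// addresses and read the response body back. Deliberately not hooked anywhere.
function example_fetch_link_unsafe() {
	$url      = isset( $_POST['new_link'] ) ? (string) wp_unslash( $_POST['new_link'] ) : '';
	$response = wp_remote_get( $url ); // any scheme, any host, redirects followed
	wp_send_json_success( is_wp_error( $response ) ? '' : wp_remote_retrieve_body( $response ) );
}

// Hardened shape: capability check, CSRF nonce, explicit URL validation, and
// wp_safe_remote_get(), which sets reject_unsafe_urls so that WP_Http runs
// wp_http_validate_url() before connecting. That validator rejects non-http(s)
// schemes, loopback and private hosts, and ports other than 80/443/8080.
function example_fetch_link_safe() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	check_ajax_referer( 'example_fetch_link' ); // hypothetical nonce action

	$url = isset( $_POST['new_link'] ) ? esc_url_raw( wp_unslash( $_POST['new_link'] ) ) : '';
	if ( '' === $url || false === wp_http_validate_url( $url ) ) {
		wp_send_json_error( 'invalid url', 400 );
	}

	// redirection => 0: do not follow redirects at all, so a permitted host cannot
	// bounce the request somewhere else.
	$response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
	if ( is_wp_error( $response ) ) {
		wp_send_json_error( 'fetch failed', 502 );
	}
	wp_send_json_success( wp_remote_retrieve_body( $response ) );
}
add_action( 'wp_ajax_example_fetch_link', 'example_fetch_link_safe' );
```

Caveat: `wp_http_validate_url()` resolves the hostname once with `gethostbyname()` and then the request resolves it again, so DNS rebinding between the check and the connect is not covered. Where a feature only ever needs a few known endpoints, compare the parsed host against a fixed allowlist instead of accepting arbitrary URLs.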
Source: Cvelist | added 5 days ago | 31 views

CVE-2026-10092 Cincopa video and media plug-in <= 1.163 - Unauthenticated Stored Cross-Site Scripting via cincopa Shortcode in Post Comments

The Cincopa video and media plug-in plugin for WordPress is vulnerable to Stored Cross-Site Scripting via cincopa Shortcode in Post Comments in all versions up to, and including, 1.163 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers...

CVSS 7.2 | EPSS 0.00297 | Exploits 0 | References 4

Source: EUVD | added 5 days ago | 6 views

EUVD-2026-38662

The Cincopa video and media plug-in plugin for WordPress is vulnerable to Stored Cross-Site Scripting via cincopa Shortcode in Post Comments in all versions up to, and including, 1.163 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers...

CVSS 7.2 | AI score 6 | EPSS 0.00297 | Exploits 0 | References 4

Source: CVE | added 5 days ago | 9 views

CVE-2026-10092

The Cincopa video and media plugin for WordPress (versions up to 1.163) is vulnerable to unauthenticated Stored Cross-Site Scripting via the cincopa shortcode in post comments. The root cause is insufficient input sanitization and output escaping, enabling unauthenticated visitors who can post co...

CVSS 7.2 | AI score 6 | EPSS 0.00297 | Exploits 0 | References 4

Source: EUVD | added 5 days ago | 7 views

EUVD-2026-38661

The WP Forms Connector plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/wp/v3/post/list REST endpoint in versions up to and including 1.8. This is due to insufficient escaping on the user-supplied 'order' parameter read directly from $_GET['order'] into...

CVSS 7.5 | AI score 5.9 | EPSS 0.00376 | Exploits 0 | References 4

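Both WP Forms Connector entries (CVE-2026-9179 and EUVD-2026-38661) describe the same root cause: a request parameter concatenated into an ORDER BY clause. The block below is an added example written for this page, not WP Forms Connector's code. It runs under the plain PHP CLI with no WordPress, shows the unsafe builder next to an allowlist-based one, and carries a self-check. The table and column names are assumed; the injected value is a constructed, generic extra ORDER BY term, not a reproduction of any specific exploit.

```php
<?php
// Added example for the ORDER BY injection shape described in the entries
// above; it is not WP Forms Connector's code. Runs with the PHP CLI, no WordPress.
declare( strict_types=1 );

// Vulnerable shape: the raw request value is concatenated into ORDER BY.
// $wpdb->prepare() and esc_sql() do not help here: ORDER BY takes identifiers
// and keywords, not quoted literals, so a %s placeholder would produce
// ORDER BY 'post_date' (a constant, sorts nothing) rather than a safe column.
function build_query_unsafe( string $order ): string {
	return 'SELECT ID, post_title FROM wp_posts ORDER BY post_date ' . $order;
}

// Hardened shape: direction and column are matched against fixed allowlists;
// anything else falls back to a default and never reaches the SQL string.
function build_query_safe( string $order, string $orderby = 'post_date' ): string {
	$allowed_columns = array( 'post_date', 'post_title', 'ID' );
	$direction       = ( 'ASC' === strtoupper( $order ) ) ? 'ASC' : 'DESC';
	$column          = in_array( $orderby, $allowed_columns, true ) ? $orderby : 'post_date';
	return "SELECT ID, post_title FROM wp_posts ORDER BY {$column} {$direction}";
}

// Constructed value standing in for $_GET['order']: a generic extra ORDER BY
// term that demonstrates arbitrary SQL reaching the query.
$injected = 'ASC, (SELECT 1)';

$unsafe = build_query_unsafe( $injected );
$safe   = build_query_safe( $injected );

// Self-check: the unsafe builder forwards the attacker's subquery; the safe one
// discards it and sorts by the default column and direction.
if ( false === strpos( $unsafe, '(SELECT 1)' ) || false !== strpos( $safe, '(SELECT' ) ) {
	throw new RuntimeException( 'unexpected query shape' );
}
if ( 'SELECT ID, post_title FROM wp_posts ORDER BY post_date DESC' !== $safe ) {
	throw new RuntimeException( 'safe query is not the default ordering' );
}
echo $unsafe, PHP_EOL, $safe, PHP_EOL, build_query_safe( 'asc', 'post_title' ), PHP_EOL;
```

WordPress also ships `sanitize_sql_orderby()`, which accepts only a "column ASC|DESC" shaped string and returns false otherwise; an explicit allowlist of the columns the endpoint actually supports is stricter and is the check to look for when reviewing a fix.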
Source: Cvelist | added 5 days ago | 31 views

CVE-2026-10091 Email JavaScript Cloak <= 1.03 - Unauthenticated Stored Cross-Site Scripting

The Email JavaScript Cloak plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'email' shortcode in all versions up to, and including, 1.03 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...

CVSS 7.2 | EPSS 0.00264 | Exploits 0 | References 3

Source: EUVD | added 5 days ago | 9 views

EUVD-2026-38657

The Email JavaScript Cloak plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'email' shortcode in all versions up to, and including, 1.03 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...

CVSS 7.2 | AI score 6 | EPSS 0.00264 | Exploits 0 | References 3

Source: EUVD | added 5 days ago | 8 views

EUVD-2026-38658

The Book a Room Event Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9. This is due to missing or incorrect nonce validation on the settings_form/update_settings functionality. The plugin's options page handler dispatches on the...

CVSS 4.3 | AI score 5.8 | EPSS 0.00103 | Exploits 0 | References 4

Source: CVE | added 5 days ago | 5 views

CVE-2026-9721

CVE-2026-9721 affects the Book a Room Event Calendar plugin for WordPress (versions up to 1.9). The vulnerability is a Cross-Site Request Forgery due to missing nonce validation on the settings_form()/update_settings() flow. The plugin's settings page accepts POST actions and persists configurati...

CVSS 4.3 | AI score 5.8 | EPSS 0.00103 | Exploits 0 | References 4

Source: Cvelist | added 5 days ago | 32 views

CVE-2026-9721 Book a Room Event Calendar <= 1.9 - Cross-Site Request Forgery to Settings Update

The Book a Room Event Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9. This is due to missing or incorrect nonce validation on the settings_form/update_settings functionality. The plugin's options page handler dispatches on the...

CVSS 4.3 | EPSS 0.00103 | Exploits 0 | References 4

Source: Cvelist | added 5 days ago | 31 views

CVE-2026-9175 Devs Accounting <= 1.2.0 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'id' Parameter

The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.0. This is due to the get_single_account REST API callback being registered with a permission_callback that unconditionally returns tru...

CVSS 5.3 | EPSS 0.00348 | Exploits 0 | References 3

Source: CVE | added 5 days ago | 6 views

CVE-2026-9175

The CVE concerns the WordPress plugin Devs Accounting – Simple Accounting and Invoicing Solution, affected versions up to 1.2.0. The root cause is a REST endpoint get-account in get_single_account() where the permission_callback unconditionally returns true, resulting in missing authorization for...

CVSS 5.3 | AI score 6 | EPSS 0.00348 | Exploits 0 | References 3

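The two Devs Accounting entries above pin the bug to a REST route whose `permission_callback` always returns true, which turns an 'id' parameter into a public record lookup. The block below is an added example written for this page, not Devs Accounting's code. It assumes a WordPress runtime; the `example/v1` namespace, the route, the in-memory account table and the owner-or-administrator policy are hypothetical stand-ins chosen for the illustration.

```php
<?php
// Added example for the missing-authorisation shape described in the entries
// above; it is not Devs Accounting's code. Assumes a WordPress runtime. The
// namespace, route, data store and access policy are hypothetical.

// Vulnerable shape, for comparison only:
//   'permission_callback' => '__return_true'
// makes the route public, so anyone who can guess or enumerate 'id' reads any
// account. The registration below replaces that with an object-level check.

// Constructed stand-in for the plugin's data store (id => record).
function example_load_account( int $id ) {
	$accounts = array(
		1 => (object) array( 'id' => 1, 'owner_id' => 7, 'name' => 'Acme Ltd', 'balance' => 1250 ),
	);
	return $accounts[ $id ] ?? null;
}

// Permission callback: authenticate, then authorise against the requested object.
// Returning WP_Error lets the REST server emit the status and message for us.
// Missing and not-owned records both answer 404 so the route is not an
// enumeration oracle for other users' account ids.
function example_can_read_account( WP_REST_Request $request ) {
	if ( ! is_user_logged_in() ) {
		return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => rest_authorization_required_code() ) );
	}
	$account = example_load_account( (int) $request['id'] );
	$is_owner = null !== $account && (int) $account->owner_id === get_current_user_id();
	if ( null === $account || ( ! $is_owner && ! current_user_can( 'manage_options' ) ) ) {
		return new WP_Error( 'rest_not_found', 'No such account.', array( 'status' => 404 ) );
	}
	return true;
}

function example_get_single_account( WP_REST_Request $request ) {
	$account = example_load_account( (int) $request['id'] );
	return rest_ensure_response( array( 'id' => $account->id, 'name' => $account->name, 'balance' => $account->balance ) );
}

add_action( 'rest_api_init', function () {
	register_rest_route( 'example/v1', '/get-account/(?P<id>\d+)', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => 'example_get_single_account',
		'permission_callback' => 'example_can_read_account',
		'args'                => array(
			'id' => array(
				'required'          => true,
				'validate_callback' => function ( $value ) { return is_numeric( $value ) && (int) $value > 0; },
				'sanitize_callback' => 'absint',
			),
		),
	) );
} );
```

When auditing a plugin for this class of bug, grep for `'permission_callback' => '__return_true'` and for permission callbacks that only test `is_user_logged_in()`: the first is the unauthenticated case reported here, the second is the same exposure limited to any registered user, since neither ties the check to the object being requested.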
Source: CVE | added 5 days ago | 5 views

CVE-2026-8905

The CVE concerns the Osiris Signature Banner WordPress plugin (versions up to and including 0.5). The root cause is missing or incorrect nonce validation on a function, enabling Cross-Site Request Forgery (CSRF). This could allow unauthenticated attackers to update plugin settings and inject mali...

CVSS 6.1 | AI score 5.8 | EPSS 0.00135 | Exploits 0 | References 5

Source: EUVD | added 5 days ago | 7 views

EUVD-2026-38655

The Osiris Signature Banner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious...

CVSS 6.1 | AI score 5.8 | EPSS 0.00135 | Exploits 0 | References 5

Source: Cvelist | added 5 days ago | 30 views

CVE-2026-8905 Osiris Signature Banner <= 0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'prepend_text' Parameter

The Osiris Signature Banner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious...

CVSS 6.1 | EPSS 0.00135 | Exploits 0 | References 5

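The Book a Room Event Calendar entries (CVE-2026-9721 / EUVD-2026-38658) and the Osiris Signature Banner entries (CVE-2026-8905 / EUVD-2026-38655) share one shape: a settings handler that dispatches on a POST action and saves options without nonce validation, which in the Osiris case escalates to stored XSS through the saved 'prepend_text'. The block below is an added example written for this page; it is neither plugin's code. It assumes a WordPress runtime, and the option name `example_prepend_text`, the nonce action and field name, and the `manage_options` capability are hypothetical.

```php
<?php
// Added example for the CSRF-to-settings-update shape described in the entries
// above; it is not Book a Room Event Calendar's or Osiris Signature Banner's
// code. Assumes a WordPress runtime. Option, nonce and field names are hypothetical.

// Vulnerable shape: the handler dispatches on a POST action and saves whatever
// arrived, with no nonce and no capability check. A page the administrator
// visits can auto-submit this form cross-site; if the stored value is later
// echoed unescaped, the CSRF becomes stored XSS. Deliberately not hooked.
function example_update_settings_unsafe() {
	if ( isset( $_POST['action'] ) && 'update_settings' === $_POST['action'] ) {
		update_option( 'example_prepend_text', $_POST['prepend_text'] );
	}
}

// Hardened shape, part 1: the form carries a nonce bound to this action, and the
// current value is escaped for the attribute context it is printed into.
function example_settings_form() {
	?>
	<form method="post">
		<?php wp_nonce_field( 'example_update_settings', 'example_nonce' ); ?>
		<input type="hidden" name="action" value="update_settings">
		<input type="text" name="prepend_text"
		       value="<?php echo esc_attr( get_option( 'example_prepend_text', '' ) ); ?>">
		<?php submit_button(); ?>
	</form>
	<?php
}

// Hardened shape, part 2: capability check, then nonce verification, then
// sanitisation on the way in. check_admin_referer() dies with a 403 when the
// nonce is missing, expired or was issued for a different action.
function example_update_settings_safe() {
	if ( ! isset( $_POST['action'] ) || 'update_settings' !== $_POST['action'] ) {
		return;
	}
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
	}
	check_admin_referer( 'example_update_settings', 'example_nonce' );

	$value = sanitize_text_field( wp_unslash( $_POST['prepend_text'] ?? '' ) );
	update_option( 'example_prepend_text', $value );
}
add_action( 'admin_init', 'example_update_settings_safe' );
```

The nonce is the CSRF fix; the capability check is still required because a nonce only proves the request came from a page WordPress rendered for that user, not that the user is allowed to change settings. Sanitising on save and escaping on output are what stop the second half of the Osiris finding, the stored XSS, even if the CSRF protection is somehow bypassed.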
Source: CVE | added 5 days ago | 20 views

CVE-2026-3652

CVE-2026-3652: The ARForms WordPress plugin is vulnerable to an Unauthenticated Stored Cross-Site Scripting (XSS) via the value parameter of the arf_save_incomplete_form_data AJAX action. Affected are all versions up to 7.1.3. The root cause is insufficient input sanitization and output escaping,...

CVSS 7.2 | AI score 6 | EPSS 0.0019 | Exploits 0 | References 2

Source: Cvelist | added 5 days ago | 32 views

CVE-2026-11614 Xpro Addons <= 1.7.2 - Authenticated (Author+) Stored Cross-Site Scripting via 'custom_attributes' Parameter of Multiple Widgets

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attributes' parameter in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVSS 6.4 | EPSS 0.00256 | Exploits 0 | References 19

Source: EUVD | added 5 days ago | 7 views

EUVD-2026-38643

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attributes' parameter in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVSS 6.4 | AI score 6 | EPSS 0.00256 | Exploits 0 | References 19

Source: CVE | added 5 days ago | 14 views

CVE-2026-11614

Technical details (affected versions, root cause, exploit specifics) are not publicly available in the provided documents. Monitor for updates.

CVSS 6.4 | AI score 6 | EPSS 0.00256 | Exploits 0 | References 19

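Several entries in this listing (Cincopa CVE-2026-10092, Email JavaScript Cloak CVE-2026-10091, ARForms CVE-2026-3652 and Xpro Addons CVE-2026-11614) have the same stated root cause: insufficient input sanitization and output escaping on attacker-controlled values that are stored and later rendered, with shortcode attributes and widget attributes as the carrier. The block below is an added example written for this page; it is not the code of any of those plugins. It assumes a WordPress runtime, and the `example_email` shortcode tag, its attribute names and the CSS class fallback are hypothetical.

```php
<?php
// Added example for the stored-XSS-via-shortcode-attribute shape described in
// the Cincopa, Email JavaScript Cloak, ARForms and Xpro Addons entries above; it
// is not any of those plugins' code. Assumes a WordPress runtime. The shortcode
// tag and attribute names are hypothetical.

// Vulnerable shape: attributes and enclosed content are interpolated into HTML
// unchanged. Shortcodes run wherever do_shortcode() is applied, so whoever can
// store the shortcode (an Author+ user in post content, or an anonymous commenter
// if anything applies do_shortcode() to comment_text) gets markup rendered for
// every visitor. Deliberately not registered.
function example_shortcode_unsafe( $atts, $content = '' ) {
	$atts = shortcode_atts( array( 'email' => '', 'class' => '' ), $atts );
	return '<a class="' . $atts['class'] . '" href="mailto:' . $atts['email'] . '">' . $content . '</a>';
}

// Hardened shape: validate what has a known format, escape for the exact output
// context (attribute, URL, HTML body), and never build event handlers or
// arbitrary attributes from raw input.
function example_shortcode_safe( $atts, $content = '' ) {
	$atts = shortcode_atts( array( 'email' => '', 'class' => '' ), $atts, 'example_email' );

	$email = sanitize_email( $atts['email'] ); // '' when not a valid address
	if ( '' === $email ) {
		return '';
	}
	$class = sanitize_html_class( $atts['class'], 'example-email' ); // single safe token
	$text  = '' !== $content ? wp_kses_post( $content ) : $email;    // allowlisted HTML only

	return sprintf(
		'<a class="%s" href="%s">%s</a>',
		esc_attr( $class ),
		esc_url( 'mailto:' . $email ),
		$text
	);
}
add_shortcode( 'example_email', 'example_shortcode_safe' );
```

The pattern to look for in a fix is escaping chosen per context at the point of output (`esc_attr()` inside attributes, `esc_url()` for href/src, `wp_kses_post()` or `esc_html()` for body text) rather than a single sanitiser applied on save; a value that is "sanitised" on the way in but echoed raw is still the finding these entries describe. Free-form attribute maps such as a `custom_attributes` parameter deserve extra suspicion, since an allowlist of attribute names is the only way to keep `on*` handlers and `style` out of the rendered element.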