CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

6.9CVSS5.4AI score0.00374EPSS

PT-2026-49215

WordPress Plugin Photocart Link 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in decode.php. Attackers can supply base64-encoded file paths in the 'id' parameter to the decode.php endpoin...

Positive Technologies•added 4 days ago•9 views

PT-2026-49456

Unauthenticated SQL Injection in WP Data Access = 5.5.70 versions...

9.3CVSS5.7AI score0.00283EPSS

Positive Technologies•added 4 days ago•11 views

PT-2026-49232

Name of the Vulnerable Software and Affected Versions GPTranslate – Multilingual AI Translation for WordPress versions prior to 2.32.7 Description An unauthenticated SQL Injection exists in the GPTranslate plugin for WordPress. This allows an attacker to execute arbitrary SQL queries on the...

9.3CVSS6.1AI score0.00289EPSS

Positive Technologies•added 4 days ago•6 views

PT-2026-49223

WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file extensions to the uplo...

9.8CVSS6AI score0.00661EPSS

Exploits0References5

Positive Technologies•added 4 days ago•7 views

PT-2026-49487

Subscriber SQL Injection in WP Time Slots Booking Form = 1.2.50 versions...

8.5CVSS5.7AI score0.00332EPSS

8.5CVSS5.7AI score0.00332EPSS

PT-2026-49493

Subscriber SQL Injection in ELEX WordPress HelpDesk & Customer Ticketing System = 3.3.6 versions...

Positive Technologies•added 4 days ago•8 views

PT-2026-49403

Unauthenticated Privilege Escalation in WP BASE Booking = 5.9.0 versions...

8.1CVSS5.2AI score0.00283EPSS

Positive Technologies•added 4 days ago•8 views

PT-2026-49222

WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and inject persistent cross-site scripting payloads through the admin.php page parameters. Attackers can inject malicious JavaScrip...

7.2CVSS5.3AI score0.00245EPSS

PT-2026-49184

The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address...

5.4AI score0.00206EPSS

PT-2026-49186

The Form Builder CP WordPress plugin before 1.2.47 does not properly sanitize a form configuration value before storing it and using it as part of a client-side script execution, allowing authenticated users with Editor-level access and above to perform Stored Cross-Site Scripting attacks against...

5.3AI score0.00159EPSS

Positive Technologies•added 4 days ago•10 views

PT-2026-49204

WordPress CP Polls 1.0.8 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through unsanitized file upload functionality. Attackers can upload files containing script payloads with event handlers like onerror attributes to execute arbitrary...

7.2CVSS5.3AI score0.00192EPSS

Exploits0References3

Positive Technologies•added 4 days ago•7 views

PT-2026-49417

Subscriber Broken Access Control in rtMedia for WordPress, BuddyPress and bbPress = 4.7.9 versions...

6.5CVSS5.1AI score0.00279EPSS

Positive Technologies•added 4 days ago•7 views

PT-2026-49185

Name of the Vulnerable Software and Affected Versions WP MAPS PRO versions prior to 6.1.1 Description The plugin registers an unauthenticated AJAX action that allows the creation of an administrator account. By providing a valid nonce, which is publicly available on any frontend page that enqueue...

9.8CVSS5.2AI score0.00268EPSS

Exploits0References7

Positive Technologies•added 4 days ago•10 views

PT-2026-49221

WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by disabling CSRF token validation. Attackers can craft malicious web pages that trick logged-in administrators into adding or deleting custom fields and boxe...

6.9CVSS5.2AI score0.00138EPSS

9.8CVSS5.3AI score0.00383EPSS

PT-2026-49507

Unauthenticated PHP Object Injection in WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms = 1.1.4 versions...

Exploits1References2

Positive Technologies•added 4 days ago•11 views

PT-2026-49209

The 404 Redirection Manager plugin version 1.0 for WordPress contains an unauthenticated SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through unsanitized user input. Attackers can craft GET requests with SQL injection payloa...

8.8CVSS6.1AI score0.00302EPSS

Positive Technologies•added 4 days ago•6 views

PT-2026-49239

Administrator Cross Site Scripting XSS in WP Emmet = 0.3.4 versions...

5.9CVSS5.2AI score0.0014EPSS

5.9CVSS5.2AI score0.00249EPSS

PT-2026-49446

Unauthenticated Bypass Vulnerability in Best Payments Plugin for WP = 4.6.19 versions...