Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

264056 matches found

EUVD
EUVDadded 2026/05/28 5:30 a.m.14 views

EUVD-2026-32722

The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.5.1. This is due to the plugin allowing users to specify arbitrary object IDs and object types via block attributes without validating whether the authenticated user...

6.5CVSS5.9AI score0.00243EPSS
Exploits0References4
CVE
CVEadded 2026/05/28 5:30 a.m.17 views

CVE-2026-3173

The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 1.5.1. Authenticated attackers with Contributor-level access or higher can read arbitrary user meta, post meta, and term meta from any object, potentially exposing PII (...

6.5CVSS5.9AI score0.00243EPSS
Exploits0References4
NVD
NVDadded 2026/05/28 5:16 a.m.18 views

CVE-2026-9241

The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 1.4.6. This is due to the getvalue function in classes/fixed/fixeduserrole.php trusting the attacker-controlled...

4.3CVSS0.00213EPSS
Exploits0References5
NVD
NVDadded 2026/05/28 5:16 a.m.18 views

CVE-2026-5737

The Independent Analytics plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.14.9. This is due to a public tracking route at /wp-json/iawp/search that accepts attacker-controlled referrerurl values when the signature matches, combined with a...

6.5CVSS0.00366EPSS
Exploits0References10
NVD
NVDadded 2026/05/28 5:16 a.m.15 views

CVE-2026-7802

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.29.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

8.8CVSS0.00402EPSS
Exploits0References14
NVD
NVDadded 2026/05/28 5:16 a.m.14 views

CVE-2026-2374

The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the $SERVER'PHPSELF' superglobal in all versions up to, and including, 1.8.0. This is due to the authenticate function storing the unsanitized output of basename$SERVER'PHPSELF' in the...

7.2CVSS0.00346EPSS
Exploits0References7
Cvelist
Cvelistadded 2026/05/28 3:27 a.m.30 views

CVE-2026-7802 Frontend Admin by DynamiApps <= 3.29.2 - Missing Authorization to Authenticated (Subscriber+) Account Takeover via 'user_id' URL Query Parameter

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.29.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

8.8CVSS0.00402EPSS
Exploits0References14
EUVD
EUVDadded 2026/05/28 3:27 a.m.10 views

EUVD-2026-32706

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.29.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

8.8CVSS6AI score0.00402EPSS
Exploits0References14
ATTACKERKB
ATTACKERKBadded 2026/05/28 3:27 a.m.8 views

CVE-2026-7802

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.29.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

8.8CVSS6AI score0.00402EPSS
Exploits0References15
CVE
CVEadded 2026/05/28 3:27 a.m.19 views

CVE-2026-2374

The CVE-2026-2374 entry applies to the Login No Captcha reCAPTCHA WordPress plugin (v &lt;= 1.8.0). The vulnerability is a Stored Cross-Site Scripting (XSS) that occurs because authenticate() stores the unsanitized basename($_SERVER['PHP_SELF']) output in the login_nocaptcha_error WordPress optio...

7.2CVSS6AI score0.00346EPSS
Exploits0References7
Cvelist
Cvelistadded 2026/05/28 3:27 a.m.29 views

CVE-2026-2374 Login No Captcha reCAPTCHA <= 1.8.0 - Unauthenticated Stored Cross-Site Scripting via PHP_SELF

The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the $SERVER'PHPSELF' superglobal in all versions up to, and including, 1.8.0. This is due to the authenticate function storing the unsanitized output of basename$SERVER'PHPSELF' in the...

7.2CVSS0.00346EPSS
Exploits0References7
Cvelist
Cvelistadded 2026/05/28 3:27 a.m.31 views

CVE-2026-9241 FOX – Currency Switcher Professional for WooCommerce <= 1.4.6 - Authenticated (Subscriber+) Authorization Bypass via User-Controlled Key to 'wooc_order_user_roles' Parameter

The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 1.4.6. This is due to the getvalue function in classes/fixed/fixeduserrole.php trusting the attacker-controlled...

4.3CVSS0.00213EPSS
Exploits0References5
EUVD
EUVDadded 2026/05/28 3:27 a.m.9 views

EUVD-2026-32704

The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the $SERVER'PHPSELF' superglobal in all versions up to, and including, 1.8.0. This is due to the authenticate function storing the unsanitized output of basename$SERVER'PHPSELF' in the...

7.2CVSS6AI score0.00346EPSS
Exploits0References7
Vulnrichment
Vulnrichmentadded 2026/05/28 3:27 a.m.9 views

CVE-2026-2374 Login No Captcha reCAPTCHA <= 1.8.0 - Unauthenticated Stored Cross-Site Scripting via PHP_SELF

The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the $SERVER'PHPSELF' superglobal in all versions up to, and including, 1.8.0. This is due to the authenticate function storing the unsanitized output of basename$SERVER'PHPSELF' in the...

7.2CVSS6AI score0.00346EPSS
Exploits0References7
ATTACKERKB
ATTACKERKBadded 2026/05/28 3:27 a.m.9 views

CVE-2026-9228

The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.16 via the actiongeteventdata due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

4.3CVSS5.8AI score0.00218EPSS
Exploits0References7
Vulnrichment
Vulnrichmentadded 2026/05/28 3:27 a.m.11 views

CVE-2026-9228 Timetable and Event Schedule by MotoPress <= 2.4.16 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via action_get_event_data Function

The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.16 via the actiongeteventdata due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

4.3CVSS5.8AI score0.00218EPSS
Exploits0References6
ATTACKERKB
ATTACKERKBadded 2026/05/28 3:27 a.m.10 views

CVE-2026-2374

The Login No Captcha reCAPTCHA plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the $SERVER'PHPSELF' superglobal in all versions up to, and including, 1.8.0. This is due to the authenticate function storing the unsanitized output of basename$SERVER'PHPSELF' in the...

7.2CVSS6AI score0.00346EPSS
Exploits0References8
EUVD
EUVDadded 2026/05/28 3:27 a.m.11 views

EUVD-2026-32705

The Timetable and Event Schedule by MotoPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.16 via the actiongeteventdata due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

4.3CVSS5.8AI score0.00218EPSS
Exploits0References6
EUVD
EUVDadded 2026/05/28 3:27 a.m.10 views

EUVD-2026-32703

The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 1.4.6. This is due to the getvalue function in classes/fixed/fixeduserrole.php trusting the attacker-controlled...

4.3CVSS5.7AI score0.00213EPSS
Exploits0References5
Vulnrichment
Vulnrichmentadded 2026/05/28 3:27 a.m.8 views

CVE-2026-5737 Independent Analytics <= 2.14.9 - Unauthenticated Server-Side Request Forgery via Tracking Route

The Independent Analytics plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.14.9. This is due to a public tracking route at /wp-json/iawp/search that accepts attacker-controlled referrerurl values when the signature matches, combined with a...

6.5CVSS5.9AI score0.00366EPSS
Exploits0References10
Rows per page
Query Builder