Lucene search
K

264410 matches found

Cvelist
Cvelist
added 2026/05/27 5:31 a.m.30 views

CVE-2026-8877 Responsive Video Embedder <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Responsive Video Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'remvideo' shortcode in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes notably 'id' and 'list' in the...

6.4CVSS0.00235EPSS
Exploits0References3
CVE
CVE
added 2026/05/27 5:31 a.m.19 views

CVE-2026-8877

The CVE-2026-8877 entry concerns the WordPress plugin Responsive Video Embedder (

6.4CVSS6AI score0.00235EPSS
Exploits0References3
NVD
NVD
added 2026/05/27 5:16 a.m.14 views

CVE-2026-9236

The CM Ad Changer – A simple tool to control and optimize your site's banners plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.7. This is due to missing or incorrect nonce validation on the cmaccampaignsaction function. This makes it...

4.3CVSS0.00128EPSS
Exploits0References5
NVD
NVD
added 2026/05/27 5:16 a.m.12 views

CVE-2025-14481

The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object References in all versions up to, and including, 26.5. This is due to insufficient authorization checks in the Meta Search REST API endpoint that fail to verify post ownership. This makes it possible for authenticated...

4.3CVSS0.00288EPSS
Exploits0References5
EUVD
EUVD
added 2026/05/27 4:29 a.m.12 views

EUVD-2026-32052

The ShopLentor - WooCommerce Builder for Elementor & Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blockUniqId' block attribute in multiple Product Gride blocks in versions up to, and including, 3.3.8 due to insufficient input sanitization and output escapin...

5.4CVSS6AI score0.00197EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/27 4:28 a.m.9 views

EUVD-2026-32051

The CM Ad Changer – A simple tool to control and optimize your site's banners plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.7. This is due to missing or incorrect nonce validation on the cmaccampaignsaction function. This makes it...

4.3CVSS5.9AI score0.00128EPSS
Exploits0References5
EUVD
EUVD
added 2026/05/27 4:28 a.m.10 views

EUVD-2025-209950

The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object References in all versions up to, and including, 26.5. This is due to insufficient authorization checks in the Meta Search REST API endpoint that fail to verify post ownership. This makes it possible for authenticated...

4.3CVSS5.7AI score0.00288EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/05/27 4:28 a.m.33 views

CVE-2026-9236 CM Ad Changer <= 2.0.7 - Cross-Site Request Forgery to Campaign Deletion via Campaign Management

The CM Ad Changer – A simple tool to control and optimize your site's banners plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.7. This is due to missing or incorrect nonce validation on the cmaccampaignsaction function. This makes it...

4.3CVSS0.00128EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/05/27 4:28 a.m.7 views

CVE-2025-14481

The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object References in all versions up to, and including, 26.5. This is due to insufficient authorization checks in the Meta Search REST API endpoint that fail to verify post ownership. This makes it possible for authenticated...

4.3CVSS5.7AI score0.00288EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/05/27 4:28 a.m.31 views

CVE-2025-14481 Yoast SEO <= 26.5 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via 'post_id' Parameter

The Yoast SEO plugin for WordPress is vulnerable to Insecure Direct Object References in all versions up to, and including, 26.5. This is due to insufficient authorization checks in the Meta Search REST API endpoint that fail to verify post ownership. This makes it possible for authenticated...

4.3CVSS0.00288EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/05/27 4:28 a.m.8 views

CVE-2026-9236

The CM Ad Changer – A simple tool to control and optimize your site's banners plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.7. This is due to missing or incorrect nonce validation on the cmaccampaignsaction function. This makes it...

4.3CVSS5.9AI score0.00128EPSS
Exploits0References6
CVE
CVE
added 2026/05/27 4:28 a.m.22 views

CVE-2026-9236

CVE-2026-9236 concerns the WordPress plugin CM Ad Changer. The vulnerability is a Cross-Site Request Forgery flaw in all versions up to and including 2.0.7 caused by missing or incorrect nonce validation in the cmac_campaigns_action function. This enables unauthenticated attackers to permanently ...

4.3CVSS5.9AI score0.00128EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/05/27 4:28 a.m.11 views

CVE-2026-9236 CM Ad Changer <= 2.0.7 - Cross-Site Request Forgery to Campaign Deletion via Campaign Management

The CM Ad Changer – A simple tool to control and optimize your site's banners plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.7. This is due to missing or incorrect nonce validation on the cmaccampaignsaction function. This makes it...

4.3CVSS5.9AI score0.00128EPSS
Exploits0References5
NVD
NVD
added 2026/05/27 4:16 a.m.13 views

CVE-2026-9022

The Splide Carousel Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'url' Block Attribute in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...

6.4CVSS0.00197EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/27 2:27 a.m.10 views

EUVD-2026-32042

The Splide Carousel Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'url' Block Attribute in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...

6.4CVSS5.9AI score0.00197EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/05/27 2:27 a.m.31 views

CVE-2026-9022 Splide Carousel Block <= 1.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'url' Block Attribute

The Splide Carousel Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'url' Block Attribute in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...

6.4CVSS0.00197EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/27 2:27 a.m.6 views

CVE-2026-9022

The Splide Carousel Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'url' Block Attribute in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level...

6.4CVSS5.9AI score0.00197EPSS
Exploits0References5
NVD
NVD
added 2026/05/27 2:16 a.m.19 views

CVE-2026-6565

The Style Kits – Advanced Theme Styles for Elementor, Elementor Kits & Elementor Patterns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '/wp-json/agwp/v1/tokens/save' endpoint kit title parameter in versions up to, and including, 2.5.0 due to insufficient input...

6.4CVSS0.00156EPSS
Exploits0References2
NVD
NVD
added 2026/05/27 2:16 a.m.15 views

CVE-2026-7493

The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to denial of service in all versions up to, and including, 1.6.11.5. This is due to a publicly accessible REST API endpoint /wp-json/ssa/v1/async that calls PHP's sleep function on a...

5.3CVSS0.0035EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/05/27 2:12 a.m.11 views

CVE-2026-5718

The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.3.9.7. This is due to insufficient file type validation that occurs when custom blacklist types are configured, which replaces the default...

8.1CVSS6.2AI score0.04175EPSS
Exploits3References1
Rows per page
Query Builder