CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

261351 matches found

MStore API < 3.9.8 - SQL Injection

The MStore API WordPress plugin before 3.9.8 is vulnerable to Blind SQL injection via the productid parameter. id: CVE-2023-3077 info: name: MStore API 3.9.8 - SQL Injection author: DhiyaneshDK severity: critical description: | The MStore API WordPress plugin before 3.9.8 is vulnerable to Blind S...

9.8CVSS7.9AI score0.68111EPSS

Exploits2References2

Nuclei•added 13 hours ago•42 views

Registrations for the Events Calendar < 2.7.6 - SQL Injection

The Registrations for the Events Calendar WordPress plugin before 2.7.6 does not sanitise and escape the eventid in the rtecsendunregisterlink AJAX action available to both unauthenticated and authenticated users before using it in a SQL statement, leading to an unauthenticated SQL injection. id:...

9.8CVSS7.9AI score0.55452EPSS

Exploits2References3

Nuclei•added 13 hours ago•29 views

Newsletter < 7.6.9 - Cross-Site Scripting

The plugin does not escape generated URLs before outputting them in attributes, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as administrators id: CVE-2023-27922 info: name: Newsletter 7.6.9 - Cross-Site Scripting author: r3Y3r53 severity: medium...

6.1CVSS6.2AI score0.03868EPSS

Exploits1References4

Nuclei•added 13 hours ago•41 views

Quick Event Manager < 9.7.5 - Cross-Site Scripting

The Quick Event Manager WordPress Plugin, version 9.7.5, is affected by a reflected cross-site scripting vulnerability in the 'category' parameter of its 'qemajaxcalendar' action. id: CVE-2023-23491 info: name: Quick Event Manager 9.7.5 - Cross-Site Scripting author: ritikchaddha severity: medium...

6.1CVSS6AI score0.11089EPSS

Exploits2References4

Nuclei•added 13 hours ago•44 views

Directorist < 7.5.4 - Local File Inclusion

Directorist before 7.5.4 is susceptible to Local File Inclusion as it does not validate the file parameter when importing CSV files. id: CVE-2023-2252 info: name: Directorist 7.5.4 - Local File Inclusion author: r3Y3r53 severity: low description: | Directorist before 7.5.4 is susceptible to Local...

2.7CVSS6.3AI score0.09621EPSS

Exploits2References3

Nuclei•added 13 hours ago•27 views

Ninja Forms < 3.6.22 - Cross-Site Scripting

Ninja Forms before 3.6.22 is susceptible to cross-site scripting via the page parameter due to insufficient input sanitization and output escaping. An attacker can inject arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to...

6.1CVSS6.5AI score0.14001EPSS

Exploits2References3

Nuclei•added 13 hours ago•22 views

Companion Sitemap Generator < 4.5.3 - Cross-Site Scripting

The plugin does not sanitise and escape some parameters before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin. id: CVE-2023-1780 info: name: Companion Sitemap Generator 4.5.3 - Cross-Site Scripting author:...

6.1CVSS6.6AI score0.16021EPSS

Exploits2References2

Nuclei•added 13 hours ago•23 views

WordPress Panda Pods Repeater Field <1.5.4 - Cross-Site Scripting

WordPress Panda Pods Repeater Field before 1.5.4 contains a cross-site scripting vulnerability. The plugin does not sanitize and escape a parameter before outputting it back in the page. This can be leveraged against a user who has at least Contributor permission. An attacker can also steal...

5.4CVSS5.7AI score0.03325EPSS

Exploits2References5

Nuclei•added 13 hours ago•82 views

WordPress IWS Geo Form Fields <=1.0 - SQL Injection

WordPress IWS Geo Form Fields plugin through 1.0 contains a SQL injection vulnerability. The plugin does not properly escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users. An attacker can possibly obtain sensitive information, modify data,...

9.8CVSS8.1AI score0.60813EPSS

Exploits1References5

Nuclei•added 13 hours ago•23 views

Autoptimize < 3.1.0 - Information Disclosure

The Autoptimize WordPress plugin before 3.1.0 uses an easily guessable path to store plugin's exported settings and logs. id: CVE-2022-4057 info: name: Autoptimize 3.1.0 - Information Disclosure author: DhiyaneshDK severity: medium description: | The Autoptimize WordPress plugin before 3.1.0 uses...

5.3CVSS5.9AI score0.45389EPSS

Exploits1References3

Nuclei•added 13 hours ago•28 views

WordPress JoomSport <5.2.8 - SQL Injection

WordPress JoomSport plugin before 5.2.8 contains a SQL injection vulnerability. The plugin does not properly sanitize and escape a parameter before using it in a SQL statement. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operation...

9.8CVSS8.1AI score0.77249EPSS

Exploits2References5

Nuclei•added 13 hours ago•9 views

NewsTicker <= 1.0 - Reflected Cross-Site Scripting

NewsTicker WordPress plugin v1.0 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute arbitrary scripts in the context of high privilege users, exploit requires attacker to craft a maliciou...

6.1CVSS7.8AI score0.01725EPSS

Exploits1References2

Nuclei•added 13 hours ago•26 views

WordPress Related Posts <2.1.3 - Stored Cross-Site Scripting

WordPress Related Posts plugin prior to 2.1.3 contains a cross-site scripting vulnerability in the rp4wpheadingtext parameter. User input is not properly sanitized, allowing the insertion of arbitrary code that can allow an attacker to steal cookie-based authentication credentials and launch othe...

5.5CVSS5.9AI score0.01734EPSS

Exploits1References5

Nuclei•added 13 hours ago•21 views

Gravity SMTP WordPress Plugin - Sensitive Information Exposure

Gravity SMTP WordPress plugin = 2.1.4 contains a sensitive information exposure caused by an unrestricted REST API endpoint at /wp-json/gravitysmtp/v1/tests/mock-data, letting unauthenticated attackers retrieve detailed system configuration data, exploit requires no authentication. id:...

7.5CVSS5.4AI score0.13382EPSS

Exploits0References3

Nuclei•added 13 hours ago•14 views

WordPress Varnish/Nginx Proxy Caching <= 1.8.3 - Information Exposure

Razvan Stanga Varnish/Nginx Proxy Caching = 1.8.3 contains an insertion of sensitive information into sent data vulnerability caused by improper handling of embedded sensitive data, letting attackers retrieve sensitive information, exploit requires crafted requests. id: CVE-2025-62126 info: name:...

5.3CVSS5.4AI score0.0087EPSS

Exploits0References3

Nuclei•added 13 hours ago•9 views

WordPress Hummingbird <= 3.18.0 - Sensitive Information Exposure via Log File

Hummingbird Performance WordPress plugin = 3.18.0 contains a sensitive information exposure caused by improper handling in the 'request' function, letting unauthenticated attackers extract sensitive data including Cloudflare API credentials, exploit requires no authentication. id: CVE-2025-14437...

7.5CVSS5.4AI score0.30797EPSS

Exploits0References3

Nuclei•added 13 hours ago•14 views

WordPress Email Newsletter - Reflected XSS

WordPress Email Newsletter plugin through 1.1 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to cra...

5.4CVSS7.6AI score0.03097EPSS

Exploits1References1

Nuclei•added 13 hours ago•8 views

Advance Post Prefix WordPress plugin - Reflected XSS

Advance Post Prefix WordPress plugin through 1.1.1 contains a reflected cross-site scripting caused by unsanitized and unescaped parameter output, letting attackers execute scripts against high privilege users such as admin, exploit requires crafted request. id: CVE-2024-12734 info: name: Advance...

6.1CVSS5.3AI score0.00199EPSS

Exploits1References2

Nuclei•added 13 hours ago•9 views

WP DeskLite - Reflected XSS

WP DeskLite WordPress plugin through 1.0.0 contains a reflected XSS caused by unsanitized and unescaped parameter output, letting attackers execute scripts against high privilege users such as admin, exploit requires crafted request. id: CVE-2024-12724 info: name: WP DeskLite - Reflected XSS...

6.1CVSS5.5AI score0.00252EPSS

Exploits1References2

Nuclei•added 13 hours ago•16 views

WordPress Perfect Images (WP Retina 2x) < 6.4.6 - Sensitive Information Exposure

Jordy Meow Perfect Images Manage Image Sizes, Thumbnails, Replace, Retina versions up to 6.4.5 contain a vulnerability that exposes sensitive information to unauthorized actors, letting attackers access confidential data, exploit requires no specific conditions. id: CVE-2023-44982 info: name:...

7.5CVSS7.3AI score0.12906EPSS

Exploits0References1

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by