CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

263148 matches found

NVD•added 3 days ago•6 views

CVE-2026-39581

Subscriber SQL Injection in WP Sessions Time Monitoring Full Automatic = 1.1.4 versions...

8.5CVSS0.0027EPSS

Exploits0References1

NVD•added 3 days ago•4 views

CVE-2025-68045

Unauthenticated Broken Access Control in WP Event SOlution = 4.1.12 versions...

7.5CVSS0.00232EPSS

Exploits0References1

CVE•added 3 days ago•7 views

CVE-2026-8176

CVE-2026-8176 affects the LatePoint – Calendar Booking Plugin for WordPress. In versions up to 5.5.1, three independent flaws allow an authenticated Agent+ to overwrite a WordPress Administrator’s password without using an Administrator-only API, enabling privilege escalation to Administrator. Th...

7.5CVSS5.3AI score0.00349EPSS

Exploits0References22

EUVD•added 3 days ago•6 views

EUVD-2026-37060

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. The plugin chains three independent flaws that together allow an authenticated Agent Agent+ to overwrite a...

7.5CVSS5.3AI score0.00349EPSS

Exploits0References22

Cvelist•added 3 days ago•22 views

CVE-2026-8176 LatePoint <= 5.5.1 - Authenticated (Agent+) Privilege Escalation to Administrator via IDOR in OsOrdersController::create_or_update + Unauthenticated Customer-Cabinet Password Reset

7.5CVSS0.00349EPSS

Exploits0References22

CVE•added 3 days ago•8 views

CVE-2026-8442

The WP Review Slider Pro plugin for WordPress is affected up to version 12.6.8 by Arbitrary File Deletion due to missing authorization on the wpfb_hide_review and wprp_save_review_admin AJAX handlers and inadequate path validation in wpfb_hidereview_ajax(), which uses strpos() to verify the URL p...

8.1CVSS6.3AI score0.00516EPSS

Exploits0References2

EUVD•added 3 days ago•6 views

EUVD-2026-37061

The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8. This is due to missing authorization checks on the wpfbhidereview and wprpsavereviewadmin AJAX handlers combined with insufficient path validation in the wpfbhidereviewaj...

8.1CVSS6.4AI score0.00516EPSS

Exploits0References2

Cvelist•added 3 days ago•24 views

CVE-2026-8442 WP Review Slider Pro <= 12.6.8 - Authenticated (Subscriber+) Arbitrary File Deletion via 'myaction' Parameter

8.1CVSS0.00516EPSS

Exploits0References2

CVE•added 3 days ago•13 views

CVE-2026-2381

The CVE concerns the WooCommerce Stripe Payment Gateway plugin for WordPress, affected in all versions up to 10.7.0. Root cause: missing capability check and missing order ownership/order_key verification in the wc_stripe_pay_for_order WC‑AJAX endpoint, with only a nonce validation. Impact: unaut...

6.5CVSS5.3AI score0.00267EPSS

Exploits0References6

Cvelist•added 3 days ago•25 views

CVE-2026-40809 WordPress Metro Magazine theme <= 1.4.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in Rara Themes Metro Magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Metro Magazine: from n/a through 1.4.1...

6.5CVSS0.00196EPSS

Exploits0References1

Cvelist•added 3 days ago•24 views

CVE-2026-49772 WordPress The Events Calendar plugin 6.15.12-6.16.2 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Liquid Web / StellarWP The Events Calendar allows Blind SQL Injection. This issue affects The Events Calendar: from 6.15.12 through 6.16.2...

9.3CVSS0.00236EPSS

Exploits0References1

Cvelist•added 3 days ago•25 views

CVE-2026-49774 WordPress RD Station plugin <= 5.6.0 - Remote Code Execution (RCE) vulnerability

Improper Control of Generation of Code 'Code Injection' vulnerability in Filipe Nasc RD Station allows Remote Code Inclusion. This issue affects RD Station: from n/a through 5.6.0...

9.9CVSS0.00408EPSS

Exploits0References1

Patchstack•added 3 days ago•5 views

WordPress WooCommerce Stripe Payment Gateway plugin <= 10.7.0 - Missing Authorization to Unauthenticated Order Status Manipulation vulnerability

Missing Authorization to Unauthenticated Order Status Manipulation vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin WooCommerce Stripe Payment Gateway versions = 10.7.0...

6.5CVSS5.2AI score0.00267EPSS

Exploits0References1Affected Software1

Patchstack•added 3 days ago•4 views

WordPress Secure Client Portal and Private File Sharing Plugin – User Private Files plugin <= 2.1.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability

Authenticated Subscriber+ Stored Cross-Site Scripting vulnerability discovered by pham quang huy Zibanana in WordPress Plugin User Private Files versions = 2.1.6...

6.4CVSS5.2AI score0.00235EPSS

Exploits0References1Affected Software1

Cvelist•added 3 days ago•24 views

CVE-2026-54198 WordPress Media LIbrary Assistant plugin <= 3.35 - Reflected Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting XSS in Media LIbrary Assistant = 3.35 versions...

7.1CVSS0.00146EPSS

Exploits0References1

Cvelist•added 3 days ago•23 views

CVE-2026-54191 WordPress Pods plugin <= 3.3.8 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting XSS in Pods = 3.3.8 versions...

7.1CVSS0.00146EPSS

Exploits0References1