CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

PT-2026-49186

The Form Builder CP WordPress plugin before 1.2.47 does not properly sanitize a form configuration value before storing it and using it as part of a client-side script execution, allowing authenticated users with Editor-level access and above to perform Stored Cross-Site Scripting attacks against...

5.3AI score0.00159EPSS

6.5CVSS5.1AI score0.00279EPSS

PT-2026-49417

Subscriber Broken Access Control in rtMedia for WordPress, BuddyPress and bbPress = 4.7.9 versions...

Positive Technologies•added 5 days ago•9 views

PT-2026-49214

WordPress Simple-Backup 2.7.11 contains multiple vulnerabilities that allow unauthenticated attackers to delete arbitrary files and download sensitive files by manipulating the delete backup file and download backup file parameters in tools.php. Attackers can exploit insufficient input validation...

8.7CVSS5.5AI score0.00601EPSS

Exploits0References3

9.8CVSS5.2AI score0.00268EPSS

PT-2026-49185

Name of the Vulnerable Software and Affected Versions WP MAPS PRO versions prior to 6.1.1 Description The plugin registers an unauthenticated AJAX action that allows the creation of an administrator account. By providing a valid nonce, which is publicly available on any frontend page that enqueue...

Exploits0References7

8.8CVSS6.2AI score0.00302EPSS

PT-2026-49206

WordPress Booking Calendar Contact Form version 1.0.23 contains an unauthenticated blind SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send requests to the admin-ajax.php endpoint wit...

8.8CVSS6.1AI score0.0027EPSS

PT-2026-49210

BBS e-Franchise 1.1.1 plugin for WordPress contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the uid parameter. Attackers can craft requests to pages using the plugin's shortcode with UNION-based SQL...

Exploits0References5

Positive Technologies•added 5 days ago•9 views

PT-2026-49428

Subscriber Sensitive Data Exposure in WP SMS = 7.2.1 versions...

6.5CVSS5.2AI score0.00326EPSS

9.8CVSS5.3AI score0.00383EPSS

PT-2026-49507

Unauthenticated PHP Object Injection in WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms = 1.1.4 versions...

Exploits1References2

5.9CVSS5.2AI score0.00249EPSS

PT-2026-49446

Unauthenticated Bypass Vulnerability in Best Payments Plugin for WP = 4.6.19 versions...

9.9CVSS5.2AI score0.00465EPSS

PT-2026-49404

Subscriber Arbitrary File Upload in WP-BusinessDirectory = 4.0.0 versions...

8.8CVSS6.1AI score0.0024EPSS

PT-2026-49207

WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in database queries. Attackers can inject SQL commands through the calendar shortcode parameter to...

9.3CVSS5.7AI score0.00363EPSS

PT-2026-49384

Unauthenticated SQL Injection in WP Maps = 4.9.1 versions...

6.9CVSS5.6AI score0.0039EPSS

PT-2026-49218

WordPress Brandfolder plugin version 3.0 and earlier contains a local file inclusion vulnerability in callback.php that allows unauthenticated attackers to include arbitrary files by manipulating the wp abspath parameter. Attackers can supply path traversal sequences or remote URLs through the wp...

Exploits0References5

6.9CVSS5.8AI score0.00326EPSS

PT-2026-49220

WordPress Plugin Abtest contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the action parameter. Attackers can send GET requests to abtest admin.php with malicious action values to include files from the admin directory a...

6.4CVSS5.2AI score0.00231EPSS

PT-2026-49208

WordPress Booking Calendar Contact Form 1.0.23 contains privilege escalation and stored cross-site scripting vulnerabilities that allow authenticated users to modify plugin options and inject malicious scripts by failing to verify user privileges and sanitize input parameters. Attackers with...

7.5CVSS5.1AI score0.00414EPSS

PT-2026-49420

Unauthenticated Broken Access Control in WP Event SOlution = 4.1.8 versions...

Exploits2References2

6.9CVSS5.4AI score0.00374EPSS

PT-2026-49215

WordPress Plugin Photocart Link 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in decode.php. Attackers can supply base64-encoded file paths in the 'id' parameter to the decode.php endpoin...

8.1CVSS5.2AI score0.00405EPSS

PT-2026-49440

Unauthenticated Broken Authentication in CloudSecure WP Security = 1.4.7 versions...

8.5CVSS5.6AI score0.00371EPSS

PT-2026-49231

Name of the Vulnerable Software and Affected Versions Cornerstone versions prior to 7.8.8 Description A flaw allows a user with subscriber privileges to achieve arbitrary code execution, which is the ability to run unauthorized commands or code on the host system. Recommendations Update to versio...

Exploits0References3

Positive Technologies•added 5 days ago•11 views

PT-2026-49221

WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by disabling CSRF token validation. Attackers can craft malicious web pages that trick logged-in administrators into adding or deleting custom fields and boxe...

6.9CVSS5.2AI score0.00138EPSS