Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

264094 matches found

ATTACKERKB
ATTACKERKBadded 2026/05/29 8:28 a.m.9 views

CVE-2026-9189

The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Payment Bypass via Insufficient Verification of Data Authenticity in all versions up to, and including, 2.4.9. Although cf7pppaypalipnhandler correctly validates IPN authenticity by posting back to PayPal with...

5.3CVSS5.9AI score0.00204EPSS
Exploits0References9
CVE
CVEadded 2026/05/29 8:28 a.m.23 views

CVE-2026-9189

Product & component : WordPress, Contact Form 7 – PayPal & Stripe Add-on. Vulnerability : Payment Bypass via IPN handling flaw in cf7pp_paypal_ipn_handler where the IPN payload’s mc_gross, mc_currency, or receiver_email aren’t compared against stored order values before passing the attacker-contr...

5.3CVSS5.9AI score0.00204EPSS
Exploits0References8
Patchstack
Patchstackadded 2026/05/29 8:17 a.m.8 views

WordPress Disable Comments for Any Post Types (Remove comments) plugin <= 1.3.0 - Broken Authentication vulnerability

Broken Authentication vulnerability discovered by dodoh4t in WordPress Plugin Disable Comments for Any Post Types Remove comments versions = 1.3.0...

7.1CVSS5.8AI score0.00243EPSS
Exploits0Affected Software1
NVD
NVDadded 2026/05/29 8:16 a.m.15 views

CVE-2026-3655

The OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass in versions 1.8.50 through 1.8.60. This is due to the Firebase verification flow in the lwpajaxregister AJAX handler not binding the Firebase session to the phone number supplied in the...

9.8CVSS0.00492EPSS
Exploits0References6
NVD
NVDadded 2026/05/29 8:16 a.m.14 views

CVE-2025-11262

The Link Whisper Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the userid parameter in all versions up to, and including, 0.9.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

7.2CVSS0.00233EPSS
Exploits1References3
EUVD
EUVDadded 2026/05/29 7:46 a.m.12 views

EUVD-2026-33258

The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.35 This is due to missing nonce verification on the bulk action handlers in the settings tab handlers. This makes it possible for unauthenticated attackers to trick an...

8.1CVSS5.8AI score0.00203EPSS
Exploits0References11
ATTACKERKB
ATTACKERKBadded 2026/05/29 7:46 a.m.8 views

CVE-2026-6075

The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.35 This is due to missing nonce verification on the bulk action handlers in the settings tab handlers. This makes it possible for unauthenticated attackers to trick an...

8.1CVSS5.8AI score0.00203EPSS
Exploits0References12
Vulnrichment
Vulnrichmentadded 2026/05/29 7:46 a.m.7 views

CVE-2026-6075 Media Library Assistant <= 3.35 - Cross-Site Request Forgery via Bulk Action Form

The Media Library Assistant plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.35 This is due to missing nonce verification on the bulk action handlers in the settings tab handlers. This makes it possible for unauthenticated attackers to trick an...

8.1CVSS5.8AI score0.00203EPSS
Exploits0References11
Vulnrichment
Vulnrichmentadded 2026/05/29 7:46 a.m.8 views

CVE-2026-10039 Frontend Admin by DynamiApps <= 3.28.28 - Authenticated (Administrator+) SQL Injection via 'order' Parameter

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to generic SQL Injection via the 'order' parameter in all versions up to, and including, 3.28.28 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes...

4.9CVSS6AI score0.00288EPSS
Exploits0References6
ATTACKERKB
ATTACKERKBadded 2026/05/29 7:46 a.m.6 views

CVE-2026-10039

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to generic SQL Injection via the 'order' parameter in all versions up to, and including, 3.28.28 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes...

4.9CVSS6AI score0.00288EPSS
Exploits0References7
EUVD
EUVDadded 2026/05/29 7:46 a.m.10 views

EUVD-2026-33259

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to generic SQL Injection via the 'order' parameter in all versions up to, and including, 3.28.28 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes...

4.9CVSS6AI score0.00288EPSS
Exploits0References6
CVE
CVEadded 2026/05/29 7:46 a.m.23 views

CVE-2026-10039

The CVE-2026-10039 entry concerns the WordPress plugin Frontend Admin by DynamiApps. Affected versions up to and including 3.28.28 are vulnerable to a generic SQL Injection via the 'order' parameter due to insufficient escaping of user input and inadequate preparation of the existing SQL query. A...

4.9CVSS6AI score0.00288EPSS
Exploits0References6
CVE
CVEadded 2026/05/29 7:46 a.m.19 views

CVE-2026-6075

The Media Library Assistant WordPress plugin is affected by a Cross-Site Request Forgery (CSRF) vulnerability up to version 3.35 due to missing nonce verification on bulk action handlers in the settings tab. This could allow an unauthenticated attacker to trick an administrator into performing bu...

8.1CVSS5.8AI score0.00203EPSS
Exploits0References11
NVD
NVDadded 2026/05/29 7:16 a.m.18 views

CVE-2025-14042

The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Project Details' custom field in Portfolio Items in all versions up to, and including, 13.4.1. This is due to insufficient input sanitization and output escaping on...

6.4CVSS0.00159EPSS
Exploits0References2
NVD
NVDadded 2026/05/29 7:16 a.m.19 views

CVE-2026-6275

The StatCounter – Free Real Time Visitor Stats plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.1.1 This is due to insufficient output escaping on the post author's nickname in the statcounteraddToTags function. The function is hooked to wphead...

6.4CVSS0.00305EPSS
Exploits0References6
NVD
NVDadded 2026/05/29 7:16 a.m.16 views

CVE-2026-8732

The WP Maps Pro plugin for WordPress is vulnerable to Privilege Escalation via Administrator Account Creation in all versions up to, and including, 6.1.0. This is due to the wpgmptempaccessajax AJAX action being registered with wpajaxnopriv and protected only by a nonce check using the...

9.8CVSS0.09461EPSS
Exploits7References2
NVD
NVDadded 2026/05/29 7:16 a.m.17 views

CVE-2026-9714

The Simple Divi Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the showmodule shortcode in versions up to, and including, 1.2 This is due to insufficient input sanitization and output escaping in the showmoduleshortcode function, which...

6.4CVSS0.00197EPSS
Exploits0References4
Cvelist
Cvelistadded 2026/05/29 6:43 a.m.35 views

CVE-2025-11262 Link Whisper Free <= 0.9.0 - Unauthenticated Stored Cross-Site Scripting

The Link Whisper Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the userid parameter in all versions up to, and including, 0.9.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

7.2CVSS0.00233EPSS
Exploits1References3
ATTACKERKB
ATTACKERKBadded 2026/05/29 6:43 a.m.8 views

CVE-2025-11262

The Link Whisper Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the userid parameter in all versions up to, and including, 0.9.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

7.2CVSS6AI score0.00233EPSS
Exploits1References4
EUVD
EUVDadded 2026/05/29 6:43 a.m.11 views

EUVD-2025-209983

The Link Whisper Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the userid parameter in all versions up to, and including, 0.9.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...

7.2CVSS6AI score0.00233EPSS
Exploits1References3
Rows per page
Query Builder