Lucene search
K

264432 matches found

CVE
CVE
added 2026/05/27 6:46 a.m.16 views

CVE-2026-3895

CVE-2026-3895 affects the WordPress plugin group: WPBakery Page Builder Addons by Livemesh. The vulnerability is a Stored Cross-Site Scripting via the lvca_admin_ajax AJAX action in all versions up to and including 3.9.4, caused by missing authorization checks and insufficient input sanitization....

6.4CVSS5.8AI score0.00223EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/27 6:46 a.m.7 views

CVE-2026-6169

The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 3.8.5. This is due to the plugin using the BladeOne templating engine's runString method which compiles user-supplied template content into PHP code and executes it via eval...

7.2CVSS6.7AI score0.00581EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/05/27 6:46 a.m.10 views

CVE-2026-8143 Booking Calendar – Event Calendar <= 2.1.6 - Unauthenticated Stored Cross-Site Scripting via Multiple Parameters

The HBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hbcountryiso', 'hbusastateiso', and 'hbcanadaprovinceiso' parameters in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for...

7.2CVSS6AI score0.0019EPSS
Exploits0References2
CVE
CVE
added 2026/05/27 6:46 a.m.15 views

CVE-2026-8143

Summary: The HBook WordPress plugin (up to version 2.1.6) is affected by a stored XSS due to insufficient input sanitization and output escaping in the parameters hb_country_iso, hb_usa_state_iso, and hb_canada_province_iso. This enables unauthenticated attackers to inject script code that execut...

7.2CVSS6AI score0.0019EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/27 6:46 a.m.6 views

CVE-2026-6169 affiliate-toolkit <= 3.8.5 - Authenticated (Editor+) Remote Code Execution

The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 3.8.5. This is due to the plugin using the BladeOne templating engine's runString method which compiles user-supplied template content into PHP code and executes it via eval...

7.2CVSS6.7AI score0.00581EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/27 6:46 a.m.13 views

EUVD-2026-32105

The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 3.8.5. This is due to the plugin using the BladeOne templating engine's runString method which compiles user-supplied template content into PHP code and executes it via eval...

7.2CVSS6.7AI score0.00581EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/27 6:46 a.m.10 views

EUVD-2026-32106

The HBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hbcountryiso', 'hbusastateiso', and 'hbcanadaprovinceiso' parameters in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for...

7.2CVSS6AI score0.0019EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/27 6:46 a.m.29 views

CVE-2026-8143 Booking Calendar – Event Calendar <= 2.1.6 - Unauthenticated Stored Cross-Site Scripting via Multiple Parameters

The HBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hbcountryiso', 'hbusastateiso', and 'hbcanadaprovinceiso' parameters in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for...

7.2CVSS0.0019EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/27 6:46 a.m.31 views

CVE-2026-6169 affiliate-toolkit <= 3.8.5 - Authenticated (Editor+) Remote Code Execution

The affiliate-toolkit plugin for WordPress is vulnerable to remote code execution in all versions up to, and including, 3.8.5. This is due to the plugin using the BladeOne templating engine's runString method which compiles user-supplied template content into PHP code and executes it via eval...

7.2CVSS0.00581EPSS
Exploits0References4
CVE
CVE
added 2026/05/27 6:46 a.m.19 views

CVE-2026-2030

CVE-2026-2030: The WPBakery Page Builder Addons by Livemesh plugin for WordPress (versions up to 3.9.4) is vulnerable to Stored Cross-Site Scripting via the lvca_carousel and lvca_posts_carousel shortcode attributes. Root cause: insufficient input sanitization and output escaping, with shortcode ...

6.4CVSS6AI score0.00235EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/27 6:46 a.m.9 views

CVE-2026-2030

The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lvcacarousel and lvcapostscarousel shortcode attributes in all versions up to, and including, 3.9.4 due to insufficient input sanitization and output escaping. Specifically,...

6.4CVSS6AI score0.00235EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/27 6:46 a.m.7 views

CVE-2026-7618

The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

4.9CVSS5.9AI score0.00294EPSS
Exploits0References8
ATTACKERKB
ATTACKERKB
added 2026/05/27 6:46 a.m.9 views

CVE-2026-3896

The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lsowadminajax AJAX action in all versions up to, and including, 3.9.2 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not...

6.4CVSS5.8AI score0.00223EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/05/27 6:46 a.m.9 views

CVE-2026-3896 Livemesh SiteOrigin Widgets <= 3.9.2 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lsowadminajax AJAX action in all versions up to, and including, 3.9.2 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not...

6.4CVSS5.8AI score0.00223EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/27 6:46 a.m.11 views

EUVD-2026-32103

The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

4.9CVSS5.9AI score0.00294EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2026/05/27 6:46 a.m.11 views

CVE-2026-7618 EnvíaloSimple: Email Marketing y Newsletters <= 2.4.5 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter

The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

4.9CVSS5.9AI score0.00294EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/05/27 6:46 a.m.32 views

CVE-2026-7618 EnvíaloSimple: Email Marketing y Newsletters <= 2.4.5 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter

The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

4.9CVSS0.00294EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/05/27 6:46 a.m.30 views

CVE-2026-3896 Livemesh SiteOrigin Widgets <= 3.9.2 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lsowadminajax AJAX action in all versions up to, and including, 3.9.2 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not...

6.4CVSS0.00223EPSS
Exploits0References4
CVE
CVE
added 2026/05/27 6:46 a.m.16 views

CVE-2026-7618

The CVE-2026-7618 vulnerability affects the WordPress plugin EnvíaloSimple: Email Marketing y Newsletters (

4.9CVSS5.9AI score0.00294EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/05/27 6:46 a.m.31 views

CVE-2026-8832 WPCode <= 2.3.5 - Authenticated (Author+) Remote Code Execution via CPT Capability Bypass via XML-RPC wp.newPost

The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due to the 'wpcode' custom post type being registered without a custom capabilitytype or capability...

8.8CVSS0.01214EPSS
Exploits2References8
Rows per page
Query Builder