Lucene search
K

264435 matches found

Cvelist
Cvelist
added 2026/05/27 6:46 a.m.30 views

CVE-2026-3896 Livemesh SiteOrigin Widgets <= 3.9.2 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting

The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the lsowadminajax AJAX action in all versions up to, and including, 3.9.2 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not...

6.4CVSS0.00223EPSS
Exploits0References4
CVE
CVE
added 2026/05/27 6:46 a.m.17 views

CVE-2026-7618

The CVE-2026-7618 vulnerability affects the WordPress plugin EnvíaloSimple: Email Marketing y Newsletters (

4.9CVSS5.9AI score0.00294EPSS
Exploits0References7
Cvelist
Cvelist
added 2026/05/27 6:46 a.m.31 views

CVE-2026-8832 WPCode <= 2.3.5 - Authenticated (Author+) Remote Code Execution via CPT Capability Bypass via XML-RPC wp.newPost

The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due to the 'wpcode' custom post type being registered without a custom capabilitytype or capability...

8.8CVSS0.01214EPSS
Exploits2References8
EUVD
EUVD
added 2026/05/27 6:46 a.m.11 views

EUVD-2026-32100

The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due to the 'wpcode' custom post type being registered without a custom capabilitytype or capability...

8.8CVSS5.8AI score0.01214EPSS
Exploits2References8
Vulnrichment
Vulnrichment
added 2026/05/27 6:46 a.m.10 views

CVE-2026-8832 WPCode <= 2.3.5 - Authenticated (Author+) Remote Code Execution via CPT Capability Bypass via XML-RPC wp.newPost

The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due to the 'wpcode' custom post type being registered without a custom capabilitytype or capability...

8.8CVSS5.8AI score0.01214EPSS
Exploits2References8
CVE
CVE
added 2026/05/27 6:46 a.m.28 views

CVE-2026-8832

The WPCode plugin for WordPress (Insert Headers and Footers + Custom Code Snippets) is vulnerable to Remote Code Execution in versions up to and including 2.3.5. The root cause is that the 'wpcode' custom post type is registered without a proper capability_type or capability restrictions in wpcod...

8.8CVSS5.8AI score0.01214EPSS
Exploits2References8
EUVD
EUVD
added 2026/05/27 6:46 a.m.10 views

EUVD-2026-32101

The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the labbadminajax AJAX action in all versions up to, and including, 3.9.2 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but doe...

6.4CVSS5.8AI score0.00223EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/27 6:46 a.m.8 views

CVE-2026-3279

The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the downgradejqueryversion function in all versions up to, and including, 1.4.1. This is due to the function only verifying a nonce without checking user...

6.5CVSS5.8AI score0.00277EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/05/27 6:46 a.m.56 views

CVE-2026-3279 Enable jQuery Migrate Helper <= 1.4.1 - Missing Authorization to Authenticated (Subscriber+) jQuery Version Downgrade

The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the downgradejqueryversion function in all versions up to, and including, 1.4.1. This is due to the function only verifying a nonce without checking user...

6.5CVSS0.00277EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/05/27 6:46 a.m.10 views

CVE-2026-3279 Enable jQuery Migrate Helper <= 1.4.1 - Missing Authorization to Authenticated (Subscriber+) jQuery Version Downgrade

The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the downgradejqueryversion function in all versions up to, and including, 1.4.1. This is due to the function only verifying a nonce without checking user...

6.5CVSS5.8AI score0.00277EPSS
Exploits0References5
EUVD
EUVD
added 2026/05/27 6:46 a.m.10 views

EUVD-2026-32099

The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the downgradejqueryversion function in all versions up to, and including, 1.4.1. This is due to the function only verifying a nonce without checking user...

6.5CVSS5.8AI score0.00277EPSS
Exploits0References5
CVE
CVE
added 2026/05/27 6:46 a.m.23 views

CVE-2026-3279

The CVE concerns the Enable jQuery Migrate Helper plugin for WordPress. A missing capability check in the downgrade_jquery_version() function (present in all versions up to 1.4.1) allows authenticated attackers with Subscriber-level access or higher to downgrade the site-wide jQuery from 3.7.1 to...

6.5CVSS5.8AI score0.00277EPSS
Exploits0References5
Patchstack
Patchstack
added 2026/05/27 6:20 a.m.8 views

WordPress VikBooking Hotel Booking Engine & PMS plugin <= 1.8.10 - Arbitrary File Deletion vulnerability

Arbitrary File Deletion vulnerability discovered by dodoh4t in WordPress Plugin VikBooking Hotel Booking Engine & PMS versions = 1.8.10...

8.6CVSS5.8AI score0.00345EPSS
Exploits0Affected Software1
EUVD
EUVD
added 2026/05/27 6:0 a.m.11 views

EUVD-2026-32097

The EventPress WordPress theme before 22.2 does not sanitize or escape the 'id' parameter in the eventpresscustomizernotifydismissaction AJAX handler before outputting it back in the response, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting attacks against logged-in...

7.1CVSS5.8AI score0.00164EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/27 6:0 a.m.8 views

CVE-2026-6268

The EventPress WordPress theme before 22.2 does not sanitize or escape the 'id' parameter in the eventpresscustomizernotifydismissaction AJAX handler before outputting it back in the response, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting attacks against logged-in...

5.8AI score0.00164EPSS
Exploits0References1
CVE
CVE
added 2026/05/27 6:0 a.m.23 views

CVE-2026-6268

The advisory concerns the EventPress WordPress theme before 22.2. The issue is that the id parameter in the eventpress_customizer_notify_dismiss_action AJAX handler is not sanitized or escaped before it is echoed in the response. This leads to Reflected Cross-Site Scripting (XSS) that can be exec...

7.1CVSS5.8AI score0.00164EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/27 5:31 a.m.13 views

EUVD-2026-32095

The Post Category Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'postcategorygallery' shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as...

6.4CVSS6AI score0.00198EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/27 5:31 a.m.8 views

CVE-2026-8884 Instant-Quote.co Quotation Page <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Instant-Quote.co Quotation Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS6.1AI score0.00217EPSS
Exploits0References3
EUVD
EUVD
added 2026/05/27 5:31 a.m.10 views

EUVD-2026-32096

The Instant-Quote.co Quotation Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS6.1AI score0.00217EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/27 5:31 a.m.34 views

CVE-2026-8884 Instant-Quote.co Quotation Page <= 1.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Instant-Quote.co Quotation Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4CVSS0.00217EPSS
Exploits0References3
Rows per page
Query Builder