Lucene search
K
Vulncheck KevRecent

4985 matches found

VulnCheck KEV
VulnCheck KEV
added 2026/05/04 12:0 a.m.7 views

VulnCheck KEV: CVE-2024-13744

The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the validateproductinputfieldsonaddtocart function in versions 4.0.1 to 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the...

9.8CVSS8AI score0.00645EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/05/04 12:0 a.m.7 views

VulnCheck KEV: CVE-2024-4845

The Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘optionslistid’ parameter in all versions up to, and including, 5.7.22 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible f...

8.8CVSS5.9AI score0.00454EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/05/04 12:0 a.m.14 views

VulnCheck KEV: CVE-2024-13421

The Real Estate 7 WordPress theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.1. This is due to the plugin not properly restricting the roles allowed to be selected during registration. This makes it possible for unauthenticated attackers to...

9.8CVSS7.4AI score0.00716EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/05/04 12:0 a.m.16 views

VulnCheck KEV: CVE-2024-6028

The Quiz Maker plugin for WordPress is vulnerable to time-based SQL Injection via the 'aysquestions' parameter in all versions up to, and including, 6.5.8.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it...

9.8CVSS5.9AI score0.11755EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/05/04 12:0 a.m.8 views

VulnCheck KEV: CVE-2025-15403

The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. This is due to the 'addmenu' function is accessible via the 'rmuserexists' AJAX action and allows arbitrary updates to the 'adminorder' setting. This makes it possible f...

9.8CVSS5.9AI score0.00461EPSS
Exploits2References2
VulnCheck KEV
VulnCheck KEV
added 2026/05/04 12:0 a.m.7 views

VulnCheck KEV: CVE-2022-1281

The Photo Gallery WordPress plugin through 1.6.3 does not properly escape the $POST'filtertag' parameter, which is appended to an SQL query, making SQL Injection attacks possible...

9.8CVSS7.4AI score0.23459EPSS
Exploits2References2
VulnCheck KEV
VulnCheck KEV
added 2026/05/04 12:0 a.m.9 views

VulnCheck KEV: CVE-2024-2879

The LayerSlider plugin for WordPress is vulnerable to SQL Injection via the lsgetpopupmarkup action in versions 7.9.11 and 7.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated...

9.8CVSS7.4AI score0.18402EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2026/05/04 12:0 a.m.7 views

VulnCheck KEV: CVE-2026-2931

The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for...

8.8CVSS7.4AI score0.00382EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/05/04 12:0 a.m.13 views

VulnCheck KEV: CVE-2023-2745

WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wplang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such ...

6.1CVSS6.5AI score0.79527EPSS
Exploits7References2
VulnCheck KEV
VulnCheck KEV
added 2026/05/04 12:0 a.m.10 views

VulnCheck KEV: CVE-2024-13448

The ThemeREX Addons plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'trxaddonsuploadssavedata' function in all versions up to, and including, 2.32.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the...

9.8CVSS8.1AI score0.00881EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/05/04 12:0 a.m.8 views

VulnCheck KEV: CVE-2025-4606

The Sala - Startup & SaaS WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.4. This is due to the theme not properly validating a user's identity prior to updating their details like password. This makes it...

9.8CVSS5.9AI score0.00561EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2026/05/04 12:0 a.m.7 views

VulnCheck KEV: CVE-2022-0633

The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate a user has the required privileges to access a backup's nonce identifier, which may allow any users with an account on the site such as subscriber to download the most recent site & database...

6.5CVSS6.7AI score0.01979EPSS
Exploits3References2
VulnCheck KEV
VulnCheck KEV
added 2026/05/04 12:0 a.m.3 views

VulnCheck KEV: CVE-2025-7340

The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the tempfileupload function in all versions up to, and including, 2.2.1. This makes it possible for...

9.8CVSS6.7AI score0.0161EPSS
Exploits2References2
VulnCheck KEV
VulnCheck KEV
added 2026/05/04 12:0 a.m.5 views

VulnCheck KEV: CVE-2024-12281

The Homey theme for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.2. This is due to the plugin allowing users who are registering new accounts to set their own role. This makes it possible for unauthenticated attackers to gain elevated privileges by...

9.8CVSS7.3AI score0.00402EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/05/04 12:0 a.m.9 views

VulnCheck KEV: CVE-2024-4346

The Startklar Elementor Addons plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 1.7.13. This is due to the plugin not properly validating the path of an uploaded file prior to deleting it. This makes it possible for unauthenticated attackers to...

9.1CVSS6.4AI score0.01522EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/05/04 12:0 a.m.12 views

VulnCheck KEV: CVE-2024-8420

The DHVC Form plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.7. This is due to the plugin allowing a user to supply the 'role' field when registering. This makes it possible for unauthenticated attackers to register as an administrator on site...

9.8CVSS7.5AI score0.00505EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/05/04 12:0 a.m.8 views

VulnCheck KEV: CVE-2025-64377

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in CridioStudio ListingPro listingpro allows PHP Local File Inclusion.This issue affects ListingPro: from n/a through 2.9.10...

8.1CVSS5.8AI score0.00344EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/05/04 12:0 a.m.11 views

VulnCheck KEV: CVE-2024-31286

Unrestricted Upload of File with Dangerous Type vulnerability in J.N. Breetvelt a.K.A. OpaJaap WP Photo Album Plus.This issue affects WP Photo Album Plus: from n/a before 8.6.03.005...

9.9CVSS7.3AI score0.00862EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/05/01 12:0 a.m.11 views

VulnCheck KEV: CVE-2021-27358

The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow an unauthenticated remote attackers to trigger a Denial of Service via a remote API call if a commonly used configuration is set...

7.5CVSS7.2AI score0.83042EPSS
Exploits0References18
VulnCheck KEV
VulnCheck KEV
added 2026/05/01 12:0 a.m.20 views

VulnCheck KEV: CVE-2025-60021

Remote command injection vulnerability in heap profiler builtin service in Apache bRPC all versions 1.15.0 on all platforms allows attacker to inject remote command. Root Cause: The bRPC heap profiler built-in service /pprof/heap does not validate the user-provided extraoptions parameter and...

9.8CVSS7.6AI score0.26163EPSS
Exploits3References2
VulnCheck KEV
VulnCheck KEV
added 2026/05/01 12:0 a.m.74 views

VulnCheck KEV: CVE-2026-31431

In the Linux kernel, the following vulnerability has been resolved: crypto: algifaead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associated data. There is no benefit in operating in-place in algifaead since the source and destination...

7.8CVSS6AI score0.96267EPSS
Exploits228References5
VulnCheck KEV
VulnCheck KEV
added 2026/05/01 12:0 a.m.6 views

VulnCheck KEV: CVE-2025-40554

SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk...

9.8CVSS6AI score0.58447EPSS
Exploits2References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/30 12:0 a.m.11 views

VulnCheck KEV: CVE-2026-33478

WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The clones.json.php endpoint exposes clone secret keys without...

10CVSS6.3AI score0.13266EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/30 12:0 a.m.2 views

VulnCheck KEV: CVE-2022-50993

Weaver Fanwei E-office versions prior to 10.020221201 contain an unauthenticated arbitrary file upload vulnerability in the OfficeServer.php endpoint that allows remote attackers to upload malicious files by sending multipart POST requests with arbitrary filenames and disguised content types...

9.8CVSS6.8AI score0.00774EPSS
Exploits0References7
VulnCheck KEV
VulnCheck KEV
added 2026/04/30 12:0 a.m.25 views

VulnCheck KEV: CVE-2023-6909

Path Traversal: '..\filename' in GitHub repository mlflow/mlflow prior to 2.9.2...

7.5CVSS7.1AI score0.89716EPSS
Exploits1References16
VulnCheck KEV
VulnCheck KEV
added 2026/04/30 12:0 a.m.2 views

VulnCheck KEV: CVE-2025-4078

A vulnerability, which was classified as problematic, has been found in Wangshen SecGate 3600 2400. This issue affects some unknown processing of the file ?g=logexportfile. The manipulation of the argument filename leads to path traversal. The attack may be initiated remotely. The exploit has bee...

5.3CVSS4.2AI score0.00966EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/30 12:0 a.m.6 views

VulnCheck KEV: CVE-2022-4059

The Cryptocurrency Widgets Pack WordPress plugin before 2.0 does not sanitise and escape some parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection...

9.8CVSS7.3AI score0.04756EPSS
Exploits1References13
VulnCheck KEV
VulnCheck KEV
added 2026/04/30 12:0 a.m.7 views

VulnCheck KEV: CVE-2025-56132

LiquidFiles filetransfer server is vulnerable to a user enumeration issue in its password reset functionality. The application returns distinguishable responses for valid and invalid email addresses, allowing unauthenticated attackers to determine the existence of user accounts. Version 4.2...

7.3CVSS5.3AI score0.00648EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/30 12:0 a.m.9 views

VulnCheck KEV: CVE-2026-2025

The Mail Mint WordPress plugin before 1.19.5 does not have authorization in one of its REST API endpoint, allowing unauthenticated users to call it and retrieve the email addresses of users on the blog...

7.5CVSS5.3AI score0.01379EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/30 12:0 a.m.4 views

VulnCheck KEV: CVE-2022-50992

Weaver Fanwei E-cology 9.5 versions prior to 10.52 contain an arbitrary file read vulnerability in the XmlRpcServlet interface at the XML-RPC endpoint that allows unauthenticated remote attackers to read arbitrary files by supplying file paths to the WorkflowService.getAttachment and...

8.7CVSS5.8AI score0.00705EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/30 12:0 a.m.7 views

VulnCheck KEV: CVE-2026-1969

The trxaddons WordPress plugin before 2.38.5 does not correctly validate file types in one of its AJAX action, allowing unauthenticated users to upload arbitrary file. This is due to an incorrect fix of CVE-2024-13448...

5.3CVSS8.9AI score0.00198EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/30 12:0 a.m.6 views

VulnCheck KEV: CVE-2025-58179

Astro is a web framework for content-driven websites. Versions 11.0.3 through 12.6.5 are vulnerable to SSRF when using Astro's Cloudflare adapter. When configured with output: 'server' while using the default imageService: 'compile', the generated image optimization endpoint doesn't check the URL...

7.2CVSS5.2AI score0.00773EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/30 12:0 a.m.6 views

VulnCheck KEV: CVE-2025-53558

ZXHN-F660T and ZXHN-F660A provided by ZTE Japan K.K. use a common credential for all installations. With the knowledge of the credential, an attacker may log in to the affected devices...

8.8CVSS8AI score0.0135EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/30 12:0 a.m.11 views

VulnCheck KEV: CVE-2026-1890

The LeadConnector WordPress plugin before 3.0.22 does not have authorization in a REST route, allowing unauthenticated users to call it and overwrite existing data...

5.3CVSS5.3AI score0.00645EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/30 12:0 a.m.8 views

VulnCheck KEV: CVE-2025-24963

Vitest is a testing framework powered by Vite. The screenshot-error handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by browser.api.host: true, an attacker can send a request to that handler from remote to get th...

7.5CVSS5.7AI score0.02317EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/30 12:0 a.m.276 views

VulnCheck KEV: CVE-2025-71284

Synway SMG Gateway Management Software contains an OS command injection vulnerability in the RADIUS configuration endpoint at /en/9-2radius.php where the radiusaddress POST parameter is split and interpolated directly into a sed command without sanitization. An unauthenticated remote attacker can...

9.8CVSS6.3AI score0.05727EPSS
Exploits1References8
VulnCheck KEV
VulnCheck KEV
added 2026/04/30 12:0 a.m.5 views

VulnCheck KEV: CVE-2025-15488

The Responsive Plus WordPress plugin before 3.4.3 is vulnerable to arbitrary shortcode execution due to the software allowing unauthenticated users to execute the updateresponsivewoofreeshippingleftshortcode AJAX action that does not properly validate the contentrechdata parameter before processi...

6.5CVSS5.8AI score0.00323EPSS
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/29 12:0 a.m.17 views

VulnCheck KEV: CVE-2026-42647

A vulnerability is present in the JoomSport – for Sports: Team & League plugin due to improper sanitization of the sortf parameter, that could lead to SQL injection...

5.9AI score0.01323EPSS
Exploits1References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/28 12:0 a.m.51 views

VulnCheck KEV: CVE-2026-41940

cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel...

9.8CVSS5.5AI score0.981EPSS
Exploits64References51
VulnCheck KEV
VulnCheck KEV
added 2026/04/27 12:0 a.m.22 views

VulnCheck KEV: CVE-2026-42208

LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. From version 1.81.16 to before version 1.83.7, a database query used during proxy API key checks mixed the caller-supplied key value into the query text instead of passing it as a separate parameter. An...

9.8CVSS6AI score0.86607EPSS
Exploits7References3
VulnCheck KEV
VulnCheck KEV
added 2026/04/26 12:0 a.m.6 views

VulnCheck KEV: CVE-2026-4047

A vulnerability is present in Qinglong due to improperly matching case sensitive paths used by middleware authenticaion but the underlying Express.js framework treats paths case insensitively...

5.3AI score
Exploits0References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/26 12:0 a.m.5 views

VulnCheck KEV: CVE-2023-3793

A vulnerability was found in Weaver e-cology. It has been rated as critical. This issue affects some unknown processing of the file filelFileDownloadForOutDoc.class of the component HTTP POST Request Handler. The manipulation of the argument fileid with the input 1+WAITFOR+DELAY leads to sql...

9.8CVSS5.9AI score0.00421EPSS
Exploits0References6
VulnCheck KEV
VulnCheck KEV
added 2026/04/25 12:0 a.m.12 views

VulnCheck KEV: CVE-2026-29014

MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve...

9.8CVSS6.8AI score0.39688EPSS
Exploits4References36
VulnCheck KEV
VulnCheck KEV
added 2026/04/24 12:0 a.m.267 views

VulnCheck KEV: CVE-2025-69985

FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution RCE. The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can...

9.8CVSS6.3AI score0.05633EPSS
Exploits7References32
VulnCheck KEV
VulnCheck KEV
added 2026/04/23 12:0 a.m.7 views

VulnCheck KEV: CVE-2025-67945

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in MailerLite MailerLite – WooCommerce integration woo-mailerlite allows SQL Injection.This issue affects MailerLite – WooCommerce integration: from n/a through = 3.1.2...

9.3CVSS5.5AI score0.0038EPSS
Exploits0References3
VulnCheck KEV
VulnCheck KEV
added 2026/04/23 12:0 a.m.6 views

VulnCheck KEV: CVE-2025-31918

Incorrect Privilege Assignment vulnerability in quantumcloud Simple Business Directory Pro simple-business-directory-pro allows Privilege Escalation.This issue affects Simple Business Directory Pro: from n/a through 15.6.9...

9.8CVSS5.2AI score0.00425EPSS
Exploits0References3
VulnCheck KEV
VulnCheck KEV
added 2026/04/23 12:0 a.m.9 views

VulnCheck KEV: CVE-2025-64375

Missing Authorization vulnerability in Mahmudul Hasan Arif WP Social Ninja wp-social-reviews allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Social Ninja: from n/a through = 3.20.1...

6.5CVSS5.1AI score0.00195EPSS
Exploits0References3
VulnCheck KEV
VulnCheck KEV
added 2026/04/23 12:0 a.m.8 views

VulnCheck KEV: CVE-2025-49867

Incorrect Privilege Assignment vulnerability in InspiryThemes RealHomes realhomes allows Privilege Escalation.This issue affects RealHomes: from n/a through = 4.4.0...

9.8CVSS5.2AI score0.00325EPSS
Exploits0References3
VulnCheck KEV
VulnCheck KEV
added 2026/04/23 12:0 a.m.30 views

VulnCheck KEV: CVE-2026-3844

The Breeze Cache plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'fetchgravatarfromremote' function in all versions up to, and including, 2.4.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected...

9.8CVSS6.6AI score0.36512EPSS
Exploits8References2
VulnCheck KEV
VulnCheck KEV
added 2026/04/23 12:0 a.m.8 views

VulnCheck KEV: CVE-2024-52490

Unrestricted Upload of File with Dangerous Type vulnerability in pathomation Pathomation pathomation allows Upload a Web Shell to a Web Server.This issue affects Pathomation: from n/a through = 2.5.1...

10CVSS8.8AI score0.00562EPSS
Exploits0References3
Total number of security vulnerabilities4985