Lucene search
K
VulnrichmentRecent

160341 matches found

Vulnrichment
Vulnrichment
added 4 days ago7 views

CVE-2026-57345 WordPress Internal Links Manager plugin <= 3.0.3 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting XSS in Internal Links Manager = 3.0.3 versions...

7.1CVSS5.8AI score0.00191EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago6 views

CVE-2026-57344 WordPress Classified Listing plugin <= 5.4.2 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting XSS in Classified Listing = 5.4.2 versions...

7.1CVSS5.8AI score0.00191EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago6 views

CVE-2026-57343 WordPress Real Estate 7 theme <= 3.5.9 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting XSS in Real Estate 7 = 3.5.9 versions...

7.1CVSS5.8AI score0.00191EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago7 views

CVE-2026-57342 WordPress ShortPixel Adaptive Images plugin <= 3.11.3 - Cross Site Scripting (XSS) vulnerability

Subscriber Cross Site Scripting XSS in ShortPixel Adaptive Images = 3.11.3 versions...

6.5CVSS5.8AI score0.00224EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago7 views

CVE-2026-49779 WordPress Tax Exempt for WooCommerce plugin <= 1.9.3 - Path Traversal vulnerability

Customer Path Traversal in Tax Exempt for WooCommerce = 1.9.3 versions...

6.5CVSS5.8AI score0.00343EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago6 views

CVE-2026-42382 WordPress Audrey theme <= 1.5 - Local File Inclusion vulnerability

Unauthenticated Local File Inclusion in Audrey = 1.5 versions...

8.1CVSS5.8AI score0.00303EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago7 views

CVE-2026-39448 WordPress NOWPayments for WooCommerce plugin <= 1.4.0 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in NOWPayments for WooCommerce = 1.4.0 versions...

7.5CVSS5.8AI score0.00263EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago6 views

CVE-2026-27436 WordPress Five Star Business Profile and Schema plugin <= 2.3.19 - Arbitrary Code Execution vulnerability

Editor Arbitrary Code Execution in Five Star Business Profile and Schema = 2.3.19 versions...

9.1CVSS5.9AI score0.00397EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago4 views

CVE-2026-27430 WordPress TheFox theme <= 3.9.76 - Reflected Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting XSS in TheFox = 3.9.76 versions...

7.1CVSS5.8AI score0.00191EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago7 views

CVE-2026-27433 WordPress Motors theme <= 5.6.80 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Motors = 5.6.80 versions...

6.5CVSS5.8AI score0.00253EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago4 views

CVE-2026-27426 WordPress Automotive Car Dealership Business theme <= 13.3.3 - Reflected Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting XSS in Automotive Car Dealership Business = 13.3.3 versions...

7.1CVSS5.8AI score0.00191EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago4 views

CVE-2026-27425 WordPress Automotive Listings plugin <= 18.6 - Reflected Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting XSS in Automotive Listings = 18.6 versions...

7.1CVSS5.8AI score0.0018EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago5 views

CVE-2026-27419 WordPress Zegen theme <= 1.1.9 - Arbitrary File Upload vulnerability

Subscriber Arbitrary File Upload in Zegen = 1.1.9 versions...

9.9CVSS5.8AI score0.00362EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago5 views

CVE-2026-27414 WordPress Werkstatt theme <= 4.8.3 - PHP Object Injection vulnerability

Contributor PHP Object Injection in Werkstatt = 4.8.3 versions...

8.8CVSS5.8AI score0.00288EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago6 views

CVE-2026-27412 WordPress Pearl - Corporate Business theme <= 3.4.10 - Local File Inclusion vulnerability

Unauthenticated Local File Inclusion in Pearl - Corporate Business = 3.4.10 versions...

8.1CVSS5.8AI score0.00282EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago5 views

CVE-2026-27408 WordPress NativeChurch theme <= 4.8.8.2 - Reflected Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting XSS in NativeChurch = 4.8.8.2 versions...

7.1CVSS5.8AI score0.0018EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago6 views

CVE-2026-27404 WordPress LMS theme <= 9.7 - Reflected Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting XSS in LMS = 9.7 versions...

7.1CVSS5.8AI score0.0018EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago6 views

CVE-2026-27060 WordPress ARMember Premium plugin <= 7.0 - PHP Object Injection vulnerability

Contributor PHP Object Injection in ARMember Premium = 7.0 versions...

8.8CVSS5.8AI score0.00288EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago7 views

CVE-2025-69156 WordPress Kids Zone - Children WordPress Theme theme <= 5.4 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting XSS in Kids Zone - Children WordPress Theme = 5.4 versions...

7.1CVSS5.8AI score0.0018EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago7 views

CVE-2025-69155 WordPress Fitness Zone WordPress Theme theme <= 5.7 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting XSS in Fitness Zone WordPress Theme = 5.7 versions...

7.1CVSS5.8AI score0.0018EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago5 views

CVE-2025-69154 WordPress SpaLab | Beauty Salon WordPress Theme theme <= 6.7 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting XSS in SpaLab | Beauty Salon WordPress Theme = 6.7 versions...

7.1CVSS5.8AI score0.0018EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago5 views

CVE-2025-69153 WordPress Trendy Travel theme <= 6.7 - Reflected Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting XSS in Trendy Travel = 6.7 versions...

7.1CVSS5.8AI score0.0018EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago6 views

CVE-2025-69152 WordPress Artale | Wedding Photography WordPress theme <= 2.2.2 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting XSS in Artale | Wedding Photography WordPress = 2.2.2 versions...

7.1CVSS5.8AI score0.0018EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago6 views

CVE-2025-69134 WordPress OpenAI Chatbot for WordPress – Helper plugin <= 1.1.4 - Arbitrary Content Deletion vulnerability

Unauthenticated Arbitrary Content Deletion in OpenAI Chatbot for WordPress – Helper = 1.1.4 versions...

7.5CVSS5.8AI score0.003EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago6 views

CVE-2025-69133 WordPress Tourmaster plugin <= 5.4.5 - Local File Inclusion vulnerability

Subscriber Local File Inclusion in Tourmaster = 5.4.5 versions...

7.5CVSS5.8AI score0.004EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago7 views

CVE-2025-69132 WordPress Corpkit theme <= 1.0.5 - Sensitive Data Exposure vulnerability

Subscriber Sensitive Data Exposure in Corpkit = 1.0.5 versions...

6.5CVSS5.8AI score0.00355EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago6 views

CVE-2025-69094 WordPress Unicamp theme <= 2.2.2 - SQL Injection vulnerability

Subscriber SQL Injection in Unicamp = 2.2.2 versions...

8.5CVSS5.8AI score0.00278EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago9 views

CVE-2025-66076 WordPress Woostify Sites Library plugin <= 1.6.2 - Broken Access Control vulnerability

Unauthenticated Broken Access Control in Woostify Sites Library = 1.6.2 versions...

5.3CVSS5.8AI score0.00214EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago7 views

CVE-2025-58902 WordPress Lighthouse theme <= 1.2.12 - Local File Inclusion vulnerability

Unauthenticated Local File Inclusion in Lighthouse = 1.2.12 versions...

8.1CVSS5.9AI score0.00282EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago6 views

CVE-2026-11946 GetEndpoints Memory Exhaustion in open62541

An unauthenticated remote attacker can exhaust server memory via the GetEndpoints Discovery Service in open62541. The endpointUrl field of GetEndpointsRequest is not validated for length. An attacker can declare an arbitrarily large string up to 4.09 GB via the UInt32 length field delivered acros...

7.5CVSS5.8AI score0.00386EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 4 days ago7 views

CVE-2026-54431 Improper Data Validation in liboauth2

In liboauth2 the Demonstrating Proof-of-Possession DPoP verifier accepts a proof whose JSON Web Key jwk header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof but oauth2tokenverify function returns success for a malformed DPoP proof that...

5.1CVSS5.8AI score0.00128EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 4 days ago6 views

CVE-2026-54430 Server-Site Request Forgery in liboauth2

liboauth2 is vulnerable to Server-Side Request Forgery in oauth2josejwksawsalbresolve function. The AWS ALB verifier reads both signer and kid from the unverified JWT header. If signer matches the configured ARN, kid is appended to albbaseurl without URL encoding or path sanitization, and the HTT...

5.1CVSS5.9AI score0.00121EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 4 days ago9 views

CVE-2026-8441 WP Review Slider Pro <= 12.7.2 - Unauthenticated SQL Injection via 'notinstring' Parameter

The WP Review Slider Pro plugin for WordPress is vulnerable to SQL Injection via the 'notinstring' parameter of the wprploadmorerevs AJAX action in versions up to, and including, 12.7.2. The parameter is read via $POST'notinstring' and passed through sanitizetextfield — which strips HTML and...

7.5CVSS6AI score0.00374EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 4 days ago8 views

CVE-2026-13369 Ninja Forms - File Uploads <= 3.3.29 - Unauthenticated Arbitrary File Read via File Upload Field 'files[].data.file_path' Parameter

The Ninja Forms - File Uploads plugin for WordPress is vulnerable to Arbitrary File Read via the attachfiles function in versions up to, and including, 3.3.29. This is due to the getfilesforattachment function accepting a raw attacker-controlled 'files' array when the process method returns early...

7.5CVSS6AI score0.00522EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 4 days ago8 views

CVE-2026-13251 Perfmatters <= 2.6.4 - Unauthenticated Arbitrary File Read via 's' Parameter

The Perfmatters plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.6.4 via the 's' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information...

7.5CVSS5.9AI score0.0082EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 4 days ago8 views

CVE-2026-9145 Database for Contact Form 7, WPforms, Elementor forms <= 1.5.1 - Unauthenticated Arbitrary File Copy/Upload via Elementor Pro Form Upload Field 'raw_value'

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Arbitrary File Copy via the createentryel function in versions up to, and including, 1.5.1. The function reads rawvalue from Elementor Pro's FormRecord object for upload-type fields and passes it...

6.5CVSS6AI score0.00372EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 4 days ago6 views

CVE-2026-8482 Information leak in NSRPC client history

A vulnerability was discovered on StormShield Network Security 4.3.0 to 4.3.41 included, 4.8.0 to 4.8.15 included , 5.0.0 to 5.0.5 included There is a possible leak of secret information if administration commands have been passed with the CLI command line tool. Someone with SSH access to the...

4.3CVSS5.9AI score0.00212EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago6 views

CVE-2026-14029 Groundhogg <= 4.5.8 - Authenticated (Custom+) SQL Injection via 'select' Parameter

The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'select' parameter in all versions up to, and including, 4.5.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

6.5CVSS5.8AI score0.00441EPSS
Exploits0References10
Vulnrichment
Vulnrichment
added 4 days ago8 views

CVE-2026-10104 Product Video Gallery for Woocommerce <= 1.5.1.8 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via custom_thumbnail Parameter

The Product Video Gallery for Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via customthumbnail Parameter in all versions up to, and including, 1.5.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

4.4CVSS5.9AI score0.00263EPSS
Exploits1References8
Vulnrichment
Vulnrichment
added 4 days ago7 views

CVE-2026-13252 RSS Aggregator by Feedzy <= 5.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'aspectRatio' Attribute

The RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'aspectRatio' Attribute in all versions up to, and including, 5.2.1 due to insufficient input sanitization and output escaping. Th...

6.4CVSS5.9AI score0.00274EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 4 days ago7 views

CVE-2026-12472 Kirki <= 6.0.11 - Missing Authorization to Unauthenticated Arbitrary Email Content Injection (Mail Relay / Phishing) via 'emailBody' and 'emailSubject' Parameters

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.11. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

5.3CVSS5.9AI score0.00283EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 4 days ago7 views

CVE-2026-11896 My Calendar <= 3.7.14 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'vcal' Parameter

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.7.14 via the 'vcal' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to...

5.3CVSS5.8AI score0.00313EPSS
Exploits0References14
Vulnrichment
Vulnrichment
added 4 days ago7 views

CVE-2026-12122 Kirki <= 6.0.11 - Missing Authorization to Unauthenticated Sensitive Information Exposure via kirki_post_apis_nopriv AJAX Action

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.11 via the getsinglesymbol. This makes it possible for unauthenticated attackers to extract the full builder metadata and...

5.3CVSS5.9AI score0.00285EPSS
Exploits0References8
Vulnrichment
Vulnrichment
added 4 days ago8 views

CVE-2026-12134 JoomSport <= 5.7.8 - Authenticated (Subscriber+) Missing Authorization to Arbitrary Group Creation/Modification via season_groupedit AJAX action

The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.7.8. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

4.3CVSS5.9AI score0.00232EPSS
Exploits0References8
Vulnrichment
Vulnrichment
added 4 days ago6 views

CVE-2026-9834 WP Database Backup <= 7.11 - Authenticated (Administrator+) OS Command Injection via 'wp_db_exclude_table' Parameter

The WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin for WordPress is vulnerable to OS Command Injection in all versions up to and including 7.11 via the wpdbexcludetable parameter. This is due to the direct concatenation of user-supplied $POST'wpdbexcludetable' valu...

7.2CVSS6.4AI score0.01588EPSS
Exploits0References8
Vulnrichment
Vulnrichment
added 4 days ago7 views

CVE-2026-13459 JetFormBuilder <= 3.6.3 - Missing Authorization to Unauthenticated Sensitive Information Disclosure via 'context' Parameter

The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated...

5.3CVSS5.8AI score0.00333EPSS
Exploits0References12
Vulnrichment
Vulnrichment
added 4 days ago7 views

CVE-2026-9188 Appointment Bookings for Zoom GoogleMeet and more – Wappointment <= 2.7.6 - Unauthenticated Insecure Direct Object Reference via Predictable 'edit_key' / 'appointmentkey' Parameter

The Appointment Bookings for Zoom GoogleMeet and more – Wappointment plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 2.7.6 via the appointmentkey parameter due to the appointment editkey — the sole authorization token consumed by tryCance...

5.3CVSS5.8AI score0.00297EPSS
Exploits0References10
Vulnrichment
Vulnrichment
added 4 days ago12 views

CVE-2026-12657 LatePoint <= 5.6.2 - Unauthenticated Insecure Direct Object Reference to Arbitrary Creation via 'service_id' Parameter

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.2 via the 'serviceid' parameter due to missing validation on a user controlled key. This makes it possible for...

5.3CVSS5.8AI score0.00381EPSS
Exploits0References12
Vulnrichment
Vulnrichment
added 4 days ago6 views

CVE-2026-14336

PIA's OIDC issuer allowlist for Jenkins tokens uses a bare string-prefix check issuer.startswith' https://ci.eclipse.org ' in isissuerknown, pia/models.py:139 instead of validating the issuer as a properly host-bounded URL. An attacker can craft an issuer such as https://[email protected]...

8.2CVSS6.1AI score0.00321EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 4 days ago7 views

CVE-2026-8147 Authorization Bypass in mlflow/mlflow

In MLflow versions prior to 3.14.0, when running with authentication enabled, the trace API endpoints lack proper authorization validators. This allows any authenticated user to bypass experiment-level authorization controls on all trace operations, including reading, deleting, and modifying trac...

8.1CVSS7.2AI score0.00337EPSS
Exploits0References2
Total number of security vulnerabilities160341