370190 matches found
CVE-2026-12579
Technical details (affected products, root cause, remediation) are not publicly available in the provided documents. Monitor for updates from vendors and CVE/NVD entries.
CVE-2026-11380
The CVE-2026-11380 entry concerns the WordPress plugin JetWidgets For Elementor. Affected: JetWidgets For Elementor (WordPress) versions up to and including 1.0.21. Vulnerability: Stored Cross-Site Scripting due to insufficient output escaping and missing server-side validation of the Animated Bo...
CVE-2026-11988
CVE-2026-11988 affects LearnPress
CVE-2026-6070
The WP-BusinessDirectory WordPress plugin (versions up to and including 4.0.1) is vulnerable to unauthenticated arbitrary file deletion via path traversal. The issue stems from insufficient path validation in the remove() method of JBusinessDirectoryControllerUpload. The task=upload.remove endpoi...
CVE-2026-12127
WPForms – Easy Form Builder for WordPress (WordPress plugin WPForms Lite) versions up to 1.10.2 are vulnerable to CRLF header injection in outgoing notification emails. The root cause is improper neutralization of CRLF sequences: get_reply_to_address() expands the Reply-To display name with conte...
CVE-2026-12113
The WordPress plugin Appointment Booking Calendar (versions
CVE-2026-2387
The CVE-2026-2387 entry concerns the WordPress Event Organiser plugin (versions up to and including 3.12.9). The vulnerability is a Stored Cross-Site Scripting flaw in the eo_events shortcode: attacker-controlled no_events content is rendered in event list templates without output escaping, allow...
CVE-2026-11981
The CVE-2026-11981 entry concerns the WordPress GiveWP plugin (affected: versions up to 4.15.3) with a Cross-Site Request Forgery vulnerability due to missing nonce validation in give_set_notification_status_handler(). This allows unauthenticated attackers to disable donation email notifications ...
CVE-2026-7517
The CVE-2026-7517 entry concerns the Custom Payment Gateways for WooCommerce WordPress plugin. It is vulnerable to Stored Cross-Site Scripting via the alg_wc_cpg_input_fields parameter in all versions up to 2.1.0 due to insufficient input sanitization and output escaping. Exploitation is possible...
CVE-2026-55407
Technical details for CVE-2026-55407 are not publicly available in the provided documents. No affected products, impact, or remediation are disclosed. Monitor for updates and additional connected sources.
CVE-2026-58519
CVE-2026-58519 describes an Stored XSS in The Wikimedia Foundation MediaWiki Cargo Extension caused by improper neutralization of input during web page generation. Affected software is MediaWiki Cargo Extension prior to version 3.9.1. The connected sources confirm the vulnerability and its scope ...
CVE-2026-58518
The CVE-2026-58518 entry describes a CSRF vulnerability in the MediaWiki RedirectManager Extension prior to version 1.3.3. The affected component is the RedirectManager Extension for MediaWiki; the documented impact is Cross-Site Request Forgery, but no exploitation details, specific vulnerable f...
CVE-2026-12135
The CVE-2026-12135 entry concerns the FV Flowplayer Video Player plugin for WordPress. Affected versions are all releases up to 7.5.51.7212, where a Stored Cross-Site Scripting vulnerability exists in the video_player shortcode align attribute due to insufficient input sanitization and output esc...
CVE-2026-12090
The Taskbuilder WordPress plugin (Taskbuilder – Project Management & Task Management Tool With Kanban Board) is affected by a generic SQL Injection via the wppm_proj_filter parameter in all versions up to 5.0.8. The root cause is insufficient escaping of the user-supplied parameter and an inadequ...
CVE-2026-12923
The Youtube Showcase plugin for WordPress (up to version 4.0.3) is vulnerable to an Arbitrary Function Call via the 'path' parameter in the emd_delete_file() AJAX handler (includes/common-functions.php). A user-supplied value is sanitized, has its trailing '_PLUGIN_DIR' stripped, and is then invo...
CVE-2026-12902
Kadence Blocks — Page Builder Toolkit for Gutenberg Editor (WordPress) contains an authorization bypass in all versions up to 3.7.7. Authenticated attackers with contributor-level access can create arbitrary Media Library attachments by downloading remote images into the uploads directory via wp_...
CVE-2026-13015
The CVE-2026-13015 entry applies to the WordPress plugin “Wp Google Places Review Slider” (versions up to and including 18.1). The vulnerability is a Reflected Cross-Site Scripting (XSS) in admin/partials/googlecrawl_dfs.php via the 'place' GET parameter. The value from $_GET['place'] is URL-deco...
CVE-2026-12110
CVE-2026-12110 relates to the WordPress plugin Taskbuilder – Project Management & Task Management Tool With Kanban Board. All versions up to 5.0.8 are affected by a generic SQL Injection in the task_search parameter caused by insufficient escaping and lack of proper query preparation. This allows...
CVE-2026-9107
The CVE-2026-9107 entry concerns the Kali Forms — Contact Form & Drag-and-Drop Builder WordPress plugin. A Stored Cross-Site Scripting vulnerability exists via the meta[kaliforms_field_components] parameter in all versions up to 2.4.13, caused by insufficient input sanitization and output escapin...
CVE-2026-13443
The CVE-2026-13443 entry concerns the WordPress plugin Tutor LMS (eLearning and online course solution). Affected: all versions up to and including 3.9.13. Issue: Stored Cross-Site Scripting via the Lesson Attachment Title due to insufficient input sanitization and output escaping. Impact: authen...