371791 matches found
CVE-2026-27404
CVE-2026-27404 concerns WordPress LMS theme <= 9.7 with a reflected Cross Site Scripting (XSS) vulnerability. The issue is described as unauthenticated XSS in LMS <= 9.7 versions. CVSS v3.1 base score is 7.1 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L; attack vector: NET...
CVE-2026-27402
CVE-2026-27402 refers to an unauthenticated Cross Site Scripting (XSS) vulnerability in the WordPress theme set for Kids Life | Children School, affected in versions
CVE-2026-27060
CVE-2026-27060 details (connected documents) : A PHP Object Injection vulnerability affects the WordPress ARMember Premium plugin (<= 7.0). The root cause is PHP Object Injection in ARMember Premium
CVE-2025-69156
CVE-2025-69156 details unauthenticated Cross Site Scripting in the WordPress Kids Zone – Children WordPress Theme, affected Versions
CVE-2025-69155
CVE-2025-69155 affects the Fitness Zone WordPress Theme up to version 5.7. It is described as an unauthenticated Cross Site Scripting (XSS) vulnerability in the theme, with CVSS v3.1 base score 7.1 (HIGH). Attack vector: NETWORK; Attack complexity: LOW; Privileges required: NONE; User interaction...
CVE-2025-69154
CVE-2025-69154 affects the SpaLab | Beauty Salon WordPress Theme up to version 6.7. It is an unauthenticated Cross-Site Scripting (XSS) vulnerability in the theme. The CVSS v3.1 base score is 7.1 (HIGH) with network attack, no privileges required, user interaction required, and low impacts to con...
CVE-2025-69153
Mode C: CVE-2025-69153 affects the WordPress Trendy Travel theme (≤ 6.7). The issue is an unauthenticated reflected XSS in the Trendy Travel theme, enabling injection of script via user interaction. Impact is listed as low for confidentiality, integrity, and availability, with a CVSS ~7.1 (NETWOR...
CVE-2025-69152
CVE-2025-69152 affects the Artale | Wedding Photography WordPress theme (versions
CVE-2025-69134
CVE-2025-69134: WordPress OpenAI Chatbot for WordPress – Helper plugin
CVE-2025-69133
CVE-2025-69133 affects the WordPress Tourmaster plugin versions
CVE-2025-69132
Technical details about CVE-2025-69132 are not publicly available in the provided documents. Please monitor sources for updates regarding affected product versions, root cause, impact, and remediation.
CVE-2025-69094
CVE-2025-69094 affects the WordPress Unicamp theme (versions
CVE-2025-66076
The CVE concerns WordPress Woostify Sites Library plugin (versions ≤ 1.6.2) with an Unauthenticated Broken Access Control vulnerability. The connected documents confirm the affected product and issue type but do not provide a remediation version or explicit exploit details. No further technical s...
CVE-2025-58902
CVE-2025-58902 affects the WordPress Lighthouse theme (versions <= 1.2.12). It is an unauthenticated Local File Inclusion (LFI) vulnerability in Lighthouse
CVE-2026-11946
CVE-2026-11946 affects open62541 (1.4.0–1.4.16, 1.5.0–1.5.4, master). An unauthenticated remote attacker can exhaust server memory through GetEndpoints by sending an oversized endpointUrl in GetEndpointsRequest; length is not validated, allowing ~4.09 GB strings split across chunks, buffered in R...
CVE-2026-54431
CVE-2026-54431 affects the liboauth2 DPoP verifier. The bug allows a DPoP proof whose JWK header embeds private key material to be accepted, violating RFC 9449 section 4.3 step 7, because the function oauth2_token_verify() returns success for a malformed DPoP proof that embeds the private EC key ...
CVE-2026-54430
liboauth2 is affected by a Server-Side Request Forgery in the oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB verifier reads signer and kid from the unverified JWT header; if the signer matches the configured ARN, the kid is appended to alb_base_url without URL encoding or path sanitizat...
CVE-2026-13369
CVE-2026-13369 affects the WordPress plugin Ninja Forms - File Uploads (versions up to 3.3.29). The vulnerability stems from the function chain around attach_files() → get_files_for_attachment() where a client-controlled raw files array is accepted when the process() method exits early due to a u...
CVE-2026-8441
WP Review Slider Pro for WordPress is affected up to v12.7.2 by an unauthenticated SQL injection via the wprp_load_more_revs AJAX action. The notinstring parameter is read from $_POST, sanitized only with sanitize_text_field(), and concatenated into an unquoted numeric clause (AND id NOT IN (...)...
CVE-2026-13251
The CVE-2026-13251 entry concerns the WordPress Perfmatters plugin (