Lucene search
K

371815 matches found

CVE
CVE
added 2026/07/02 11:14 a.m.10 views

CVE-2025-66076

The CVE concerns WordPress Woostify Sites Library plugin (versions ≤ 1.6.2) with an Unauthenticated Broken Access Control vulnerability. The connected documents confirm the affected product and issue type but do not provide a remediation version or explicit exploit details. No further technical s...

5.3CVSS5.8AI score0.00214EPSS
Exploits0References1
CVE
CVE
added 2026/07/02 11:14 a.m.19 views

CVE-2025-58902

CVE-2025-58902 affects the WordPress Lighthouse theme (versions <= 1.2.12). It is an unauthenticated Local File Inclusion (LFI) vulnerability in Lighthouse

8.1CVSS5.8AI score0.00282EPSS
Exploits0References1
CVE
CVE
added 2026/07/02 10:54 a.m.17 views

CVE-2026-11946

CVE-2026-11946 affects open62541 (1.4.0–1.4.16, 1.5.0–1.5.4, master). An unauthenticated remote attacker can exhaust server memory through GetEndpoints by sending an oversized endpointUrl in GetEndpointsRequest; length is not validated, allowing ~4.09 GB strings split across chunks, buffered in R...

7.5CVSS5.8AI score0.00386EPSS
Exploits0References3
CVE
CVE
added 2026/07/02 10:30 a.m.23 views

CVE-2026-54431

CVE-2026-54431 affects the liboauth2 DPoP verifier. The bug allows a DPoP proof whose JWK header embeds private key material to be accepted, violating RFC 9449 section 4.3 step 7, because the function oauth2_token_verify() returns success for a malformed DPoP proof that embeds the private EC key ...

5.1CVSS5.8AI score0.00128EPSS
Exploits0References3
CVE
CVE
added 2026/07/02 10:30 a.m.20 views

CVE-2026-54430

liboauth2 is affected by a Server-Side Request Forgery in the oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB verifier reads signer and kid from the unverified JWT header; if the signer matches the configured ARN, the kid is appended to alb_base_url without URL encoding or path sanitizat...

5.1CVSS5.8AI score0.00121EPSS
Exploits0References3
CVE
CVE
added 2026/07/02 9:32 a.m.18 views

CVE-2026-13369

CVE-2026-13369 affects the WordPress plugin Ninja Forms - File Uploads (versions up to 3.3.29). The vulnerability stems from the function chain around attach_files() → get_files_for_attachment() where a client-controlled raw files array is accepted when the process() method exits early due to a u...

7.5CVSS5.9AI score0.00522EPSS
Exploits0References4
CVE
CVE
added 2026/07/02 9:32 a.m.20 views

CVE-2026-8441

WP Review Slider Pro for WordPress is affected up to v12.7.2 by an unauthenticated SQL injection via the wprp_load_more_revs AJAX action. The notinstring parameter is read from $_POST, sanitized only with sanitize_text_field(), and concatenated into an unquoted numeric clause (AND id NOT IN (...)...

7.5CVSS6AI score0.00374EPSS
Exploits0References2
CVE
CVE
added 2026/07/02 9:32 a.m.17 views

CVE-2026-13251

The CVE-2026-13251 entry concerns the WordPress Perfmatters plugin (

7.5CVSS5.9AI score0.0082EPSS
Exploits0References3
CVE
CVE
added 2026/07/02 9:32 a.m.25 views

CVE-2026-9145

The CVE-2026-9145 entry describes an Arbitrary File Copy vulnerability in the Database for Contact Form 7, WPforms, and Elementor forms plugin for WordPress (≤ 1.5.1). The flaw is in the Contact Form Entries handler, which uses the raw_value from Elementor Pro’s Form_Record for upload-type fields...

6.5CVSS6AI score0.00372EPSS
Exploits0References5
CVE
CVE
added 2026/07/02 8:42 a.m.14 views

CVE-2026-8482

StormShield Network Security versions affected: 4.3.0–4.3.41, 4.8.0–4.8.15, and 5.0.0–5.0.5. A disclosed information-leak vulnerability arises when administration commands are executed via the CLI tool. If an attacker gains SSH access to the firewall (in SSH multiuser mode), they may obtain sensi...

4.3CVSS5.8AI score0.00212EPSS
Exploits0References1
CVE
CVE
added 2026/07/02 8:33 a.m.13 views

CVE-2026-10104

The Product Video Gallery for Woocommerce plugin (WordPress) is affected up to version 1.5.1.8 by a Stored Cross-Site Scripting flaw in the custom_thumbnail parameter, caused by insufficient input sanitization and output escaping. Exploitation requires shop manager-level access or higher (authent...

4.4CVSS5.9AI score0.00263EPSS
Exploits1References8
CVE
CVE
added 2026/07/02 8:33 a.m.17 views

CVE-2026-14029

The Groundhogg WordPress plugin (versions up to and including 4.5.8) is affected by a generic SQL Injection via the 'select' parameter. The root cause is insufficient escaping and inadequate preparation of the underlying SQL query, allowing an authenticated attacker with a custom Groundhogg role ...

6.5CVSS5.8AI score0.00441EPSS
Exploits0References10
CVE
CVE
added 2026/07/02 8:33 a.m.13 views

CVE-2026-13252

The CVE-2026-13252 entry concerns the WordPress plugin RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator. Affected: the plugin’s handling of the aspectRatio attribute allows Stored Cross-Site Scripting due to insufficient input sanitization and output es...

6.4CVSS5.9AI score0.00274EPSS
Exploits0References6
CVE
CVE
added 2026/07/02 8:33 a.m.16 views

CVE-2026-12472

The CVE-2026-12472 entry concerns the Kirki – Freeform Page Builder, Website Builder & Customizer WordPress plugin. It states an authorization bypass in all versions up to 6.0.11, enabling unauthenticated attackers to send arbitrary HTML-injected emails via the site’s mail server, potentially phi...

5.3CVSS5.9AI score0.00283EPSS
Exploits0References6
CVE
CVE
added 2026/07/02 8:33 a.m.15 views

CVE-2026-12134

The CVE concerns the WordPress plugin JoomSport – for Sports: Team & League, Football, Hockey & more (up to and including version 5.7.8). It describes an authorization bypass where authenticated users with subscriber-level access and above can create arbitrary season groups or modify group names,...

4.3CVSS5.9AI score0.00232EPSS
Exploits0References8
CVE
CVE
added 2026/07/02 8:33 a.m.15 views

CVE-2026-12122

The CVE-2026-12122 entry documents a vulnerability in the Kirki – Freeform Page Builder, Website Builder & Customizer WordPress plugin (versions up to and including 6.0.11). The issue is a Sensitive Information Exposure via get_single_symbol that allows unauthenticated attackers to extract full b...

5.3CVSS5.8AI score0.00285EPSS
Exploits0References8
CVE
CVE
added 2026/07/02 8:33 a.m.20 views

CVE-2026-11896

The CVE-2026-11896 entry describes a flaw in the WordPress plugin “My Calendar – Accessible Event Manager” (versions up to 3.7.14). The root cause is missing validation on a user-controlled key used by the vcal parameter, enabling Insecure Direct Object Reference. This allows unauthenticated atta...

5.3CVSS5.8AI score0.00313EPSS
Exploits0References14
CVE
CVE
added 2026/07/02 8:33 a.m.17 views

CVE-2026-13459

JetFormBuilder for WordPress (Dynamic Blocks Form Builder) is affected up to version 3.6.3 due to an authorization bypass in the get_from_db generator. Unauthenticated attackers can retrieve distinct values stored in wp_postmeta (including Woocommerce PII like _billing_email, _billing_phone, and ...

5.3CVSS5.8AI score0.00333EPSS
Exploits0References12
CVE
CVE
added 2026/07/02 8:33 a.m.19 views

CVE-2026-9834

The WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin (WordPress) is vulnerable to OS Command Injection in all versions up to 7.11 via the wp_db_exclude_table parameter. The root cause is direct concatenation of user-supplied $_POST['wp_db_exclude_table'] values into ...

7.2CVSS6.3AI score0.01588EPSS
Exploits0References8
CVE
CVE
added 2026/07/02 8:33 a.m.14 views

CVE-2026-9188

CVE-2026-9188 affects the WordPress plugin “Wappointment” (Appointment Bookings for Zoom GoogleMeet and more) up to version 2.7.6. The vulnerability is an Insecure Direct Object Reference via the appointmentkey/edit_key parameter, where the authorization token consumed by tryCancel() is a predict...

5.3CVSS5.8AI score0.00297EPSS
Exploits0References10
Rows per page
Query Builder