368753 matches found
CVE-2025-69152
CVE-2025-69152 affects the Artale | Wedding Photography WordPress theme (versions
CVE-2025-69134
CVE-2025-69134: WordPress OpenAI Chatbot for WordPress – Helper plugin
CVE-2025-69133
CVE-2025-69133 affects the WordPress Tourmaster plugin versions
CVE-2025-69132
Technical details about CVE-2025-69132 are not publicly available in the provided documents. Please monitor sources for updates regarding affected product versions, root cause, impact, and remediation.
CVE-2025-69094
CVE-2025-69094 affects the WordPress Unicamp theme (versions
CVE-2025-66076
The CVE concerns WordPress Woostify Sites Library plugin (versions ≤ 1.6.2) with an Unauthenticated Broken Access Control vulnerability. The connected documents confirm the affected product and issue type but do not provide a remediation version or explicit exploit details. No further technical s...
CVE-2025-58902
CVE-2025-58902 affects the WordPress Lighthouse theme (versions <= 1.2.12). It is an unauthenticated Local File Inclusion (LFI) vulnerability in Lighthouse
CVE-2026-11946
CVE-2026-11946 affects open62541 (1.4.0–1.4.16, 1.5.0–1.5.4, master). An unauthenticated remote attacker can exhaust server memory through GetEndpoints by sending an oversized endpointUrl in GetEndpointsRequest; length is not validated, allowing ~4.09 GB strings split across chunks, buffered in R...
CVE-2026-54431
CVE-2026-54431 affects the liboauth2 DPoP verifier. The bug allows a DPoP proof whose JWK header embeds private key material to be accepted, violating RFC 9449 section 4.3 step 7, because the function oauth2_token_verify() returns success for a malformed DPoP proof that embeds the private EC key ...
CVE-2026-54430
liboauth2 is affected by a Server-Side Request Forgery in the oauth2_jose_jwks_aws_alb_resolve() function. The AWS ALB verifier reads signer and kid from the unverified JWT header; if the signer matches the configured ARN, the kid is appended to alb_base_url without URL encoding or path sanitizat...
CVE-2026-13369
CVE-2026-13369 affects the WordPress plugin Ninja Forms - File Uploads (versions up to 3.3.29). The vulnerability stems from the function chain around attach_files() → get_files_for_attachment() where a client-controlled raw files array is accepted when the process() method exits early due to a u...
CVE-2026-8441
WP Review Slider Pro for WordPress is affected up to v12.7.2 by an unauthenticated SQL injection via the wprp_load_more_revs AJAX action. The notinstring parameter is read from $_POST, sanitized only with sanitize_text_field(), and concatenated into an unquoted numeric clause (AND id NOT IN (...)...
CVE-2026-13251
The CVE-2026-13251 entry concerns the WordPress Perfmatters plugin (
CVE-2026-9145
The CVE-2026-9145 entry describes an Arbitrary File Copy vulnerability in the Database for Contact Form 7, WPforms, and Elementor forms plugin for WordPress (≤ 1.5.1). The flaw is in the Contact Form Entries handler, which uses the raw_value from Elementor Pro’s Form_Record for upload-type fields...
CVE-2026-8482
StormShield Network Security versions affected: 4.3.0–4.3.41, 4.8.0–4.8.15, and 5.0.0–5.0.5. A disclosed information-leak vulnerability arises when administration commands are executed via the CLI tool. If an attacker gains SSH access to the firewall (in SSH multiuser mode), they may obtain sensi...
CVE-2026-14029
The Groundhogg WordPress plugin (versions up to and including 4.5.8) is affected by a generic SQL Injection via the 'select' parameter. The root cause is insufficient escaping and inadequate preparation of the underlying SQL query, allowing an authenticated attacker with a custom Groundhogg role ...
CVE-2026-10104
The Product Video Gallery for Woocommerce plugin (WordPress) is affected up to version 1.5.1.8 by a Stored Cross-Site Scripting flaw in the custom_thumbnail parameter, caused by insufficient input sanitization and output escaping. Exploitation requires shop manager-level access or higher (authent...
CVE-2026-13252
The CVE-2026-13252 entry concerns the WordPress plugin RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator. Affected: the plugin’s handling of the aspectRatio attribute allows Stored Cross-Site Scripting due to insufficient input sanitization and output es...
CVE-2026-12472
The CVE-2026-12472 entry concerns the Kirki – Freeform Page Builder, Website Builder & Customizer WordPress plugin. It states an authorization bypass in all versions up to 6.0.11, enabling unauthenticated attackers to send arbitrary HTML-injected emails via the site’s mail server, potentially phi...
CVE-2026-11896
The CVE-2026-11896 entry describes a flaw in the WordPress plugin “My Calendar – Accessible Event Manager” (versions up to 3.7.14). The root cause is missing validation on a user-controlled key used by the vcal parameter, enabling Insecure Direct Object Reference. This allows unauthenticated atta...