Search Results (13885 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-12923 2 Emarket-design, Wordpress 2 Video Gallery – Youtube Gallery, Playlist & Video Grid, Wordpress 2026-07-06 7.5 High
The Youtube Showcase plugin for WordPress is vulnerable to Arbitrary Function Call in versions up to and including 4.0.3. This is due to insufficient validation of the 'path' parameter in the emd_delete_file() AJAX handler in includes/common-functions.php. The user-supplied value is passed through sanitize_text_field(), has its trailing '_PLUGIN_DIR' substring stripped, and is then invoked as a PHP function name with no arguments via `$sess_name()`. The handler is gated only by a nonce — no current_user_can() check is present — and the nonce is emitted on any front-end page that renders a form shortcode containing file fields. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke arbitrary zero-argument PHP functions (such as phpinfo, phpversion, get_defined_vars, error_get_last), resulting in sensitive information disclosure and potential further compromise depending on the functions available in the environment.
CVE-2026-2387 2 Stephenharris, Wordpress 2 Event Organiser, Wordpress 2026-07-06 6.4 Medium
The Event Organiser plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.12.9. This is due to the 'eo_events' shortcode accepting attacker-controlled 'no_events' content and rendering it in event list templates without output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-6070 2 Cmsjunkie, Wordpress 2 Wp-businessdirectory – Business Directory Plugin For Wordpress, Wordpress 2026-07-06 9.1 Critical
The WP-BusinessDirectory plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Deletion in versions up to and including 4.0.1. This is due to insufficient path validation in the remove() method of the JBusinessDirectoryControllerUpload class. The task=upload.remove endpoint is accessible without authentication via the plugin's frontend routing system. The _filename parameter is accepted with RAW filter (no sanitization), and the helper function makePathFile() only normalizes directory separator characters without stripping path traversal sequences (../). When combined with the _path_type=2 parameter, which sets the base directory to the plugin's site folder, an attacker can supply a _filename value containing ../ sequences to traverse outside the plugin directory and call PHP's unlink() on arbitrary files — including wp-config.php, wp-config-backup.php, or other critical server files accessible to the web server process. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.
CVE-2026-12408 2 Rilwis, Wordpress 2 Slim Seo – A Fast & Automated Seo Plugin For Wordpress, Wordpress 2026-07-06 4.3 Medium
The Slim SEO – A Fast & Automated SEO Plugin For WordPress plugin for WordPress is vulnerable to Unauthorized Private Content Disclosure in all versions up to, and including, 4.9.8 via the `/wp-json/slim-seo/meta-tags/ai` REST API endpoint. This is due to the endpoint's `permission_callback` performing only a top-level `edit_posts` capability check without verifying that the requesting user has read access to the specific post supplied via the `object.ID` parameter, allowing the `generate` function to pass the attacker-controlled post ID to `Data::get_post_content()`, which calls `get_post()` regardless of post status or ownership. This makes it possible for authenticated attackers with Contributor-level access and above to retrieve AI-generated summaries of the raw `post_content` of arbitrary posts they are not authorized to view — including private posts, drafts, pending, future, and password-protected content authored by other users — with the substance of the protected content disclosed via the HTTP response.
CVE-2026-11387 2 Cozyvision1, Wordpress 2 Sms Alert – Sms & Otp For Woocommerce, Order Notifications & Abandoned Cart Recovery, Wordpress 2026-07-06 9.8 Critical
The SMS Alert – SMS & OTP for WooCommerce, Order Notifications & Abandoned Cart Recovery plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.9.5. This is due to the plugin not properly validating a user's identity prior to updating their details like reset the password of any user account, including administrators, and gain full access to those accounts. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. This is only vulnerable on sites with OTP verification for password resets enabled, and where the administrator (or other user) has set a phone number for OTP verification.
CVE-2026-57720 2 Codexpert, Wordpress 2 Thumbpress, Wordpress 2026-07-06 4.3 Medium
Missing Authorization vulnerability in Codexpert Inc ThumbPress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ThumbPress: from n/a through 6.3.2.
CVE-2026-57721 2 Wordpress, Wp Reloaded 2 Wordpress, Applyonline 2026-07-06 5.3 Medium
Missing Authorization vulnerability in WP Reloaded ApplyOnline allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ApplyOnline: from n/a through 2.6.7.6.
CVE-2026-14249 2 Emarket-design, Wordpress 2 Request A Quote – Quote Forms For Any Wordpress Site, Wordpress 2026-07-06 7.5 High
The Request a Quote plugin for WordPress is vulnerable to Code Injection in versions up to, and including, 2.5.5 via the emd_delete_file AJAX action. This is due to the emd_delete_file() handler deriving a PHP function name from the attacker-controlled $_POST['path'] parameter and invoking it dynamically via the variable-function call $sess_name(), and the handler being registered for wp_ajax_nopriv with its only protection being a nonce that the plugin prints into the public quote-form page via wp_localize_script. This makes it possible for unauthenticated attackers to invoke arbitrary zero-argument PHP functions on the server, such as phpinfo(), potentially exposing sensitive server configuration and credentials, or executing other destructive built-in PHP functions.
CVE-2026-5821 2 Elemntor, Wordpress 2 Image Optimizer – Optimize Images And Convert To Webp Or Avif, Wordpress 2026-07-06 8.1 High
The Image Optimizer plugin for WordPress is vulnerable to arbitrary file deletion in versions up to and including 1.7.4. This is due to insufficient path validation in the Image_Backup::remove() function where backup file paths stored in post meta are used directly in file deletion operations without verifying they are within the uploads directory. The plugin stores backup file paths in the image_optimizer_metadata post meta field and trusts these paths completely when deleting backups on the delete_attachment hook. An authenticated attacker with Author-level access can edit the image_optimizer_metadata post meta on their own attachments via WordPress's Custom Fields interface, injecting arbitrary absolute file paths into the backups array. When the attacker subsequently deletes the attachment, the plugin calls File_System::delete() on each path without validation. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server within the web server's filesystem permissions, potentially leading to denial of service, data loss, or security degradation.
CVE-2026-10089 2 Figureone, Wordpress 2 Insert Pages, Wordpress 2026-07-06 6.4 Medium
The Insert Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post custom field keys (meta key names) in all versions up to, and including, 3.11.4. This is due to insufficient output escaping in the the_meta() function: while the custom field VALUE is sanitized with wp_kses_post(), the custom field KEY ($key) is interpolated into the rendered HTML (lines 1786-1791) and echoed (line 1806) without any escaping when an inserted page is rendered with the [insert page='ID' display='all'] shortcode. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-5348 2 Kodezen, Wordpress 2 Academy Lms – Wordpress Lms Plugin For Complete Elearning Solution, Wordpress 2026-07-06 5.3 Medium
The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.8.1. This is due to the '/topics' REST API endpoint being registered with a permission callback set to '__return_true', allowing unauthenticated access to course curriculum data without verifying the course's post status or user enrollment. This makes it possible for unauthenticated attackers to access detailed curriculum information for private, draft, scheduled, or password-protected courses by enumerating course IDs.
CVE-2026-9188 2 Wappointment, Wordpress 2 Appointment Bookings For Zoom Googlemeet And More – Wappointment, Wordpress 2026-07-06 5.3 Medium
The Appointment Bookings for Zoom GoogleMeet and more – Wappointment plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 2.7.6 via the `appointmentkey` parameter due to the appointment `edit_key` — the sole authorization token consumed by `tryCancel()` — being generated as a predictable, unsalted MD5 hash of only `client_id` (a sequential integer), `start_at` (a publicly observable appointment timestamp), and `staff_id` (a small enumerable integer), with no secret salt or random component, and the unauthenticated cancellation and rescheduling REST endpoints performing no ownership or identity verification beyond matching this reconstructible key. This makes it possible for unauthenticated attackers to compute valid `edit_key` values for appointments belonging to other users and cancel or reschedule those appointments arbitrarily. Exploitation requires the `allow_cancellation` or `allow_rescheduling` setting to be enabled on the site, both of which are common configurations for active booking deployments; an attacker can obtain the inputs needed to reconstruct a victim's key by booking their own appointment to observe their sequential `client_id` and correlating publicly visible appointment times and enumerable staff identifiers.
CVE-2026-9834 2 Databasebackup, Wordpress 2 Wp Database Backup – Unlimited Database & Files Backup By Backup For Wp, Wordpress 2026-07-06 7.2 High
The WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin for WordPress is vulnerable to OS Command Injection in all versions up to and including 7.11 via the `wp_db_exclude_table` parameter. This is due to the direct concatenation of user-supplied `$_POST['wp_db_exclude_table']` values into the `mysqldump` shell command string in the `mysqldump()` function of `includes/admin/class-wpdb-admin.php` without wrapping them in `escapeshellarg()`—every other argument in the same command (DB_USER, DB_PASSWORD, host, filename, DB_NAME) is properly escaped, making the exclude-table values the sole exception—and because the only applied filtering, `sanitize_text_field()` via `recursive_sanitize_text_field()`, strips HTML tags but leaves shell metacharacters such as `;`, `|`, `` ` ``, and `$()` intact. This makes it possible for authenticated attackers, with administrator-level access and above, to execute arbitrary operating system commands on the server, potentially enabling full remote code execution. The injection is stored: malicious values submitted through the plugin settings form are persisted to the WordPress options table via `update_option('wp_db_exclude_table')` and later retrieved with `get_option()` and passed unsanitized to `shell_exec()` whenever a backup operation runs.
CVE-2026-10104 2 Nikhilgadhiya, Wordpress 2 Product Video Gallery For Woocommerce, Wordpress 2026-07-06 4.4 Medium
The Product Video Gallery for Woocommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom_thumbnail Parameter in all versions up to, and including, 1.5.1.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with shop manager-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-69132 2 Wordpress, Zozothemes 2 Wordpress, Corpkit 2026-07-06 6.5 Medium
Subscriber Sensitive Data Exposure in Corpkit <= 1.0.5 versions.
CVE-2025-69134 2 Merkulove, Wordpress 2 Openai Chatbot For Wordpress – Helper, Wordpress 2026-07-06 7.5 High
Unauthenticated Arbitrary Content Deletion in OpenAI Chatbot for WordPress – Helper <= 1.1.4 versions.
CVE-2025-69152 2 Themegoods, Wordpress 2 Artale | Wedding Photography Wordpress, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Artale | Wedding Photography WordPress <= 2.2.2 versions.
CVE-2025-69153 2 Designthemes, Wordpress 2 Trendy Travel, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Trendy Travel <= 6.7 versions.
CVE-2025-69154 2 Designthemes, Wordpress 2 Spalab | Beauty Salon Wordpress Theme, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in SpaLab | Beauty Salon WordPress Theme <= 6.7 versions.
CVE-2025-69155 2 Designthemes, Wordpress 2 Fitness Zone Wordpress Theme, Wordpress 2026-07-06 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Fitness Zone WordPress Theme <= 5.7 versions.