Search
Search Results (85992 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-27412 | 2 Stylemixthemes, Wordpress | 2 Pearl - Corporate Business, Wordpress | 2026-07-06 | 8.1 High |
| Unauthenticated Local File Inclusion in Pearl - Corporate Business <= 3.4.10 versions. | ||||
| CVE-2026-27414 | 2 Fuelthemes, Wordpress | 2 Werkstatt, Wordpress | 2026-07-06 | 8.8 High |
| Contributor PHP Object Injection in Werkstatt <= 4.8.3 versions. | ||||
| CVE-2026-27425 | 2 Themesuite, Wordpress | 2 Automotive Listings, Wordpress | 2026-07-06 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Automotive Listings <= 18.6 versions. | ||||
| CVE-2026-27430 | 2 Tranmautritam, Wordpress | 2 Thefox, Wordpress | 2026-07-06 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in TheFox <= 3.9.76 versions. | ||||
| CVE-2026-39448 | 2 Coderpress, Wordpress | 2 Nowpayments For Woocommerce, Wordpress | 2026-07-06 | 7.5 High |
| Unauthenticated Broken Access Control in NOWPayments for WooCommerce <= 1.4.0 versions. | ||||
| CVE-2026-57350 | 2 Andy Fragen, Wordpress | 2 Wp Debugging, Wordpress | 2026-07-06 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in WP Debugging <= 2.12.2 versions. | ||||
| CVE-2026-57357 | 2 Search Atlas Group, Wordpress | 2 Search Atlas Seo, Wordpress | 2026-07-06 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Search Atlas SEO <= 2.6.6 versions. | ||||
| CVE-2026-57358 | 2 Sysbasics, Wordpress | 2 Customize My Account For Woocommerce, Wordpress | 2026-07-06 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Customize My Account for WooCommerce <= 4.3.9 versions. | ||||
| CVE-2026-57426 | 2 Chill Media Labs S.r.l., Wordpress | 2 Modula - Pro, Wordpress | 2026-07-06 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Modula - PRO <= 2.10.8 versions. | ||||
| CVE-2026-57672 | 2 Melograno Venture Studio, Wordpress | 2 Wpdatatables, Wordpress | 2026-07-06 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in wpDataTables <= 6.5.1.1 versions. | ||||
| CVE-2026-57673 | 2 Optimole, Wordpress | 2 Optimole, Wordpress | 2026-07-06 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Optimole <= 4.2.7 versions. | ||||
| CVE-2026-57686 | 2 Wordpress, Wpxpo | 2 Wordpress, Wowaddons | 2026-07-06 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in WowAddons <= 1.6.14 versions. | ||||
| CVE-2026-57688 | 2 Gurmehub, Wordpress | 2 Pos Entegratör, Wordpress | 2026-07-06 | 8.2 High |
| Unauthenticated Broken Access Control in POS Entegratör <= 3.7.103 versions. | ||||
| CVE-2026-57748 | 2 Shopify Help Center, Wordpress | 2 Shopify, Wordpress | 2026-07-06 | 7.5 High |
| Contributor Local File Inclusion in Shopify <= 1.0.0 versions. | ||||
| CVE-2026-57751 | 2 Heateor Support, Wordpress | 2 Heateor Social Login, Wordpress | 2026-07-06 | 8.1 High |
| Unauthenticated Cross Site Request Forgery (CSRF) in Heateor Social Login <= 1.1.39 versions. | ||||
| CVE-2026-57756 | 2 Wordpress, 友人a丶 | 2 Wordpress, Nicen-localize-image | 2026-07-06 | 8.5 High |
| Contributor SQL Injection in nicen-localize-image <= 1.4.9 versions. | ||||
| CVE-2026-57757 | 2 Ploudapp, Wordpress | 2 Pcloud Wp Backup, Wordpress | 2026-07-06 | 7.1 High |
| Unauthenticated Cross Site Request Forgery (CSRF) in pCloud WP Backup <= 2.0.2 versions. | ||||
| CVE-2026-57761 | 2 Blueastralthemes, Wordpress | 2 Seowp, Wordpress | 2026-07-06 | 7.1 High |
| Unauthenticated Cross Site Request Forgery (CSRF) in SEOWP <= 3.12.2 versions. | ||||
| CVE-2026-58652 | 1 Openwrt | 2 Luci-app-travelmate, Travelmate | 2026-07-06 | 7.5 High |
| luci-app-travelmate (and the travelmate package) contain a privilege-escalation flaw: a LuCI/rpcd session holding the luci-app-travelmate write ACL is granted config-wide UCI write access to the travelmate configuration. While the LuCI UI restricts the auto-login script picker to /etc/travelmate/*.login, this is only a frontend restriction. The backend travelmate service (running as root) reads the raw UCI 'script' and 'script_args' values and executes the configured path when the captive-portal auto-login branch (f_check() in travelmate-functions.sh) is reached. An attacker with delegated write permissions can set script to /bin/sh and script_args to attacker-controlled arguments, resulting in arbitrary command execution as root. Confirmed in luci-app-travelmate/travelmate 2.4.5-r3; the sink is still present in travelmate 2.4.6-1 and no patched version is known. | ||||
| CVE-2024-58352 | 1 Landray | 1 Landray Office Automation | 2026-07-06 | 7.5 High |
| Landray OA contains an unauthenticated HQL injection vulnerability that allows unauthenticated attackers to query arbitrary Hibernate entity classes by injecting malicious HQL syntax into the uid POST parameter of the wechatLoginHelper.do endpoint. Attackers can exploit the lack of input sanitization in the string-concatenated filter expression passed to the Hibernate findList() call to extract sensitive data such as administrator password hashes and, with sufficient database privileges, perform file-write operations enabling remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-03-11 (UTC). | ||||