Search Results (13881 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-48868 2 Mra13 / Team Tips And Tricks Hq, Wordpress 2 Simple Shopping Cart, Wordpress 2026-06-23 7.5 High
Unauthenticated Insecure Direct Object References (IDOR) in Simple Shopping Cart <= 5.2.9 versions.
CVE-2026-48871 2 Takashi Kitajima, Wordpress 2 Mw Wp Form, Wordpress 2026-06-23 7.1 High
Unauthenticated Cross Site Scripting (XSS) in MW WP Form <= 5.1.3 versions.
CVE-2026-48876 2 Web Guy, Wordpress 2 Stop Spammers, Wordpress 2026-06-23 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Stop Spammers <= 2026.3 versions.
CVE-2026-48886 2 Ahmad, Wordpress 2 Js Help Desk, Wordpress 2026-06-23 9.3 Critical
Unauthenticated SQL Injection in JS Help Desk <= 3.0.9 versions.
CVE-2026-48887 2 Ahmad, Wordpress 2 Js Help Desk, Wordpress 2026-06-23 6.5 Medium
Unauthenticated Broken Access Control in JS Help Desk <= 3.0.9 versions.
CVE-2026-48889 2 Tms, Wordpress 2 Amelia, Wordpress 2026-06-23 8.8 High
Subscriber Privilege Escalation in Amelia <= 2.3 versions.
CVE-2026-48966 2 Funnelkit, Wordpress 2 Funnel Builder By Funnelkit, Wordpress 2026-06-23 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Funnel Builder by FunnelKit <= 3.15.0.2 versions.
CVE-2026-49063 2 Webilia Inc., Wordpress 2 Listdom, Wordpress 2026-06-23 7.3 High
Unauthenticated Privilege Escalation in Listdom <= 5.5.0 versions.
CVE-2026-49066 2 Conekta Group, Wordpress 2 Conekta Payment Gateway, Wordpress 2026-06-23 7.5 High
Unauthenticated Sensitive Data Exposure in Conekta Payment Gateway <= 6.0.0 versions.
CVE-2026-49067 2 Wordpress, Yydevelopment 2 Wordpress, Advanced 301 And 302 Redirect 2026-06-23 9.3 Critical
Unauthenticated SQL Injection in Advanced 301 and 302 Redirect <= 1.6.9 versions.
CVE-2026-49070 2 Knit Pay, Wordpress 2 Knit Pay, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in Knit Pay <= 9.4.0.0 versions.
CVE-2026-49082 2 Chatway Live Chat, Wordpress 2 Chatway Live Chat – Ai Chatbot, Customer Support, Faq & Helpdesk Customer Service & Chat Buttons, Wordpress 2026-06-23 7.4 High
Subscriber Sensitive Data Exposure in Chatway Live Chat &#8211; AI Chatbot, Customer Support, FAQ &amp; Helpdesk Customer Service &amp; Chat Buttons <= 1.4.8 versions.
CVE-2026-49780 2 Dokan, Inc., Wordpress 2 Dokan, Wordpress 2026-06-23 8.8 High
Customer Privilege Escalation in Dokan <= 5.0.2 versions.
CVE-2026-52692 2 Wordpress, Wp.insider 2 Wordpress, Affiliates Manager 2026-06-23 7.5 High
Unauthenticated Sensitive Data Exposure in Affiliates Manager <= 2.9.50 versions.
CVE-2026-52694 2 Wordpress, Wp E-signature 2 Wordpress, Signature Add-on For Woocommerce 2026-06-23 7.5 High
Unauthenticated Sensitive Data Exposure in Signature Add-On for WooCommerce <= 2.0 versions.
CVE-2026-52695 2 Al Monsor, Wordpress 2 Abc Crypto Checkout, Wordpress 2026-06-23 7.5 High
Unauthenticated Sensitive Data Exposure in ABC Crypto Checkout <= 1.8.2 versions.
CVE-2026-52700 2 Wcmultishipping – Mondial Relay & Chronopost For Wooommerce, Wordpress 2 Wcmultishipping, Wordpress 2026-06-23 8.5 High
Subscriber SQL Injection in WCMultiShipping <= 3.0.2 versions.
CVE-2026-52702 2 Wordpress, Wp-buy 2 Wordpress, Seo Redirection 2026-06-23 7.1 High
Unauthenticated Cross Site Scripting (XSS) in SEO Redirection <= 9.17 versions.
CVE-2026-9187 2 Wordpress, Zealopensource 2 Wordpress, Abandoned Contact Form 7 2026-06-23 5.3 Medium
The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the action__remove_abandoned() function, which is registered to both the wp_ajax_remove_abandoned and wp_ajax_nopriv_remove_abandoned hooks. The handler takes a user-supplied recover_id parameter from $_POST and passes it directly to wp_delete_post() with the force-delete flag set to true, without verifying that the ID belongs to the plugin's own cf7af_data post type. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, or other content on the affected site by sending a single admin-ajax.
CVE-2026-6933 2 Premmerce, Wordpress 2 Premmerce Dev Tools, Wordpress 2026-06-23 8.8 High
The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and including 2.0. This is due to the 'generatePluginHandler' function lacking any authorization check before processing user-supplied POST data, combined with the 'createFromStub' function performing unsanitized string substitution of the 'premmerce_plugin_namespace' parameter directly into PHP stub files written to the wp-content/plugins/ directory. An attacker can inject a semicolon followed by arbitrary PHP code into the namespace parameter, causing the generated plugin file to contain and execute that code when accessed via HTTP. This makes it possible for authenticated attackers with Subscriber-level access and above to create arbitrary PHP files on the server and achieve remote code execution.