Search Results (13985 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-49060 2 Hippooo, Wordpress 2 Hippoo Mobile App For Woocommerce, Wordpress 2026-06-12 9.8 Critical
Incorrect Privilege Assignment vulnerability in Hippoo Mobile App for WooCommerce allows Privilege Escalation. This issue affects Hippoo Mobile App for WooCommerce: from n/a through 1.9.4.
CVE-2026-53736 2 Bplugins, Wordpress 2 Easy Twitter Feed, Wordpress 2026-06-11 4.3 Medium
Easy Twitter Feeds before 1.2.13 contains a cross-site request forgery vulnerability in the duplicate_post action handler that lacks nonce verification. Attackers can trick an authenticated user into visiting a crafted link that duplicates any post regardless of post type.
CVE-2026-53740 2 Duplicate Post Project, Wordpress 2 Duplicate Post, Wordpress 2026-06-11 5.4 Medium
Yoast Duplicate Post through 4.6 inserts an unescaped post title and permalink into the Classic Editor scheduled republish notice. Attackers can schedule a republish copy with a crafted title to execute script when an administrator views the resulting notice.
CVE-2024-32110 2 Magepeopleteam, Wordpress 2 Wpevently, Wordpress 2026-06-11 4.3 Medium
Cross-Site request forgery (CSRF) vulnerability in Magepeople inc. WpEvently allows Cross Site Request Forgery. This issue affects WpEvently: from n/a through 4.1.2.
CVE-2022-45813 2 Berocket, Wordpress 2 Advanced Ajax Product Filters, Wordpress 2026-06-11 5.4 Medium
Missing Authorization vulnerability in BeRocket Advanced AJAX Product Filters allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Advanced AJAX Product Filters: from n/a through 1.6.3.3.
CVE-2023-33999 2 Wordpress, Wpvibes 2 Wordpress, Wp Mail Log 2026-06-11 7.1 High
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPVibes WP Mail Log allows DOM-Based XSS. This issue affects WP Mail Log: from n/a through 1.0.2.
CVE-2026-2827 2 100plugins, Wordpress 2 Open User Map, Wordpress 2026-06-11 4.7 Medium
The Open User Map PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'oum_location_notification' parameter in versions up to, and including, 1.4.31 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-53741 2 Quantumcloud, Wordpress 2 Simple Link Directory, Wordpress 2026-06-11 5.4 Medium
Simple Link Directory through 9.0.4 interpolates the sld_no_results_found option into a JavaScript string literal without encoding. Because sanitize_text_field leaves quotes intact, a stored payload breaks out of the string and runs script for every page visitor.
CVE-2026-53738 3 Copy-delete-posts, Inisev, Wordpress 3 Duplicate Post, Copy & Delete Posts, Wordpress 2026-06-11 8.1 High
Copy & Delete Posts through 1.5.4 lets any plugin-enabled non-admin role invoke every operation in the cdp_action_handling AJAX handler. Attackers with an enabled role can delete posts or overwrite plugin settings via the f parameter, bypassing per-function capability checks.
CVE-2023-25969 2 Themehunk, Wordpress 2 Contact Form & Lead Form Elementor Builder, Wordpress 2026-06-11 5.4 Medium
Missing Authorization vulnerability in ThemeHunk Contact Form & Lead Form Elementor Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contact Form & Lead Form Elementor Builder: from n/a through 1.8.4.
CVE-2026-10795 2 Davidanderson, Wordpress 2 Updraftplus: Wp Backup & Migration Plugin, Wordpress 2026-06-11 8.1 High
The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlus_Remote_Communications_V2::wp_loaded function. This is due to insufficient validation of the remote communications message format, where signature verification can be bypassed and unchecked decryption return values collapse to a predictable all-zero encryption key. This makes it possible for unauthenticated attackers to forge arbitrary RPC commands and run them as the connected administrator, such as uploading and activating a malicious plugin, which ultimately leads to remote code execution.
CVE-2026-53737 2 Saas.group, Wordpress 2 Juicer, Wordpress 2026-06-11 6.1 Medium
Juicer through 1.12.18 fails to escape remote feed API response fields before rendering them on the admin settings page. Attackers controlling the connected feed data can inject script that executes in an administrator's browser when the settings page loads.
CVE-2026-53742 2 Quantumcloud, Wordpress 2 Simple Link Directory, Wordpress 2026-06-11 5.4 Medium
Simple Link Directory through 9.0.4 echoes embed shortcode attributes into HTML data attributes without escaping in the embedder template. Attackers with contributor access can craft a shortcode attribute that injects an event handler executing in a viewer's browser.
CVE-2026-53739 3 Duplicate Post Project, Wordpress, Yoast 3 Duplicate Post, Wordpress, Yoast Duplicate Post 2026-06-11 4.3 Medium
Yoast Duplicate Post through 4.6 contains a cross-site request forgery vulnerability in the duplicate_post_dismiss_notice handler, which verifies no nonce or capability. Attackers can trick any authenticated user into sending a request that sets the duplicate_post_show_notice site option, suppressing admin notices network-wide.
CVE-2023-40200 2 Essential Plugin, Wordpress 2 Wp Logo Showcase Responsive Slider And Carousel, Wordpress 2026-06-11 5.3 Medium
Authorization bypass through User-Controlled key vulnerability in Essential Plugin WP Logo Showcase Responsive Slider and Carousel allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Logo Showcase Responsive Slider and Carousel: from n/a through 3.6.
CVE-2026-27066 2 Pi Web Solution, Wordpress 2 Live Sales Notification For Woocommerce, Wordpress 2026-06-11 N/A
This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVE-2022-47150 2 Wedevs, Wordpress 2 Woocommerce Conversion Tracking, Wordpress 2026-06-11 4.3 Medium
Cross-Site request forgery (CSRF) vulnerability in weDevs WooCommerce Conversion Tracking allows Cross Site Request Forgery. This issue affects WooCommerce Conversion Tracking: from n/a through 2.0.10.
CVE-2026-0677 2 Totalsuite, Wordpress 2 Totalcontest, Wordpress 2026-06-10 6.3 Medium
Deserialization of Untrusted Data vulnerability in TotalSuite TotalContest Lite totalcontest-lite allows Object Injection.This issue affects TotalContest Lite: from n/a through <= 2.9.1.
CVE-2026-53673 2 Buddypress, Wordpress 2 Buddypress, Wordpress 2026-06-10 8.1 High
BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the messages REST API that allows authenticated attackers to access arbitrary private message threads by supplying a user_id parameter in the request. Attackers can pass another user's identifier to the get_item_permissions_check method, which validates the supplied user_id instead of the logged-in user and is reused by the update and delete handlers, to read, reply to, or delete any user's private messages.
CVE-2026-53674 2 Buddypress, Wordpress 2 Buddypress, Wordpress 2026-06-10 7.1 High
BuddyPress 14.4.0 contains a regular expression injection vulnerability in the activity mention resolver that, when username compatibility mode is enabled, allows attackers to manipulate a REGEXP database clause by crafting mention names containing regex metacharacters. Attackers can submit @mentions whose metacharacters pass through esc_sql unescaped and are inserted into an unprepared REGEXP query against the users table, enabling boolean-based inference of usernames and denial of service through catastrophic backtracking.