Export limit exceeded: 13974 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (13974 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-12360 2 Crocoblock, Wordpress 2 Jetengine, Wordpress 2026-06-17 7.5 High
The JetEngine plugin for WordPress is vulnerable to SQL injection in all versions up to and including 3.8.10.1. The listing_load_more AJAX handler accepts a filtered_query parameter that is intentionally excluded from the HMAC query signature check to support front-end filter integration. However, meta_query row values within filtered_query are not sanitized before being merged into SQL construction. This makes it possible for unauthenticated attackers to perform time-based or boolean blind SQL injection by appending a malicious meta_query value to a Load More AJAX request captured from any public Listing Grid page.
CVE-2026-48869 2 Kriesi, Wordpress 2 Enfold, Wordpress 2026-06-17 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Enfold <= 7.1.4 versions.
CVE-2026-9062 2 Store Locator Wordpress, Wordpress 2 Store Locator Wordpress, Wordpress 2026-06-17 3.4 Low
The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from the server, including configuration files that contain database credentials and authentication keys.
CVE-2026-39481 2 Wordpress, Wpchill 2 Wordpress, Modula Image Gallery 2026-06-16 7.2 High
Author PHP Object Injection in Modula Image Gallery <= 2.14.18 versions.
CVE-2026-39449 2 Itpathsolutions, Wordpress 2 Contact Form To Any Api, Wordpress 2026-06-16 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Contact Form to Any API <= 3.0.3 versions.
CVE-2026-34892 2 Rank Math Seo, Wordpress 2 Rank Math Seo, Wordpress 2026-06-16 6.5 Medium
Subscriber Broken Access Control in Rank Math SEO <= 1.0.271 versions.
CVE-2026-39435 2 Bgermann, Wordpress 2 Cformsii, Wordpress 2026-06-16 7.1 High
Unauthenticated Cross Site Scripting (XSS) in CformsII <= 15.1.3 versions.
CVE-2026-39463 2 Managewp, Wordpress 2 Managewp Worker, Wordpress 2026-06-16 7.1 High
Unauthenticated Cross Site Scripting (XSS) in ManageWP Worker <= 4.9.31 versions.
CVE-2026-39474 2 Metaphorcreations, Wordpress 2 Post Duplicator, Wordpress 2026-06-16 8.8 High
Contributor PHP Object Injection in Post Duplicator <= 3.0.10 versions.
CVE-2026-39584 2 Webful Creations, Wordpress 2 Repairbuddy, Wordpress 2026-06-16 6.5 Medium
Subscriber Broken Access Control in RepairBuddy <= 4.1132 versions.
CVE-2026-40770 2 Relywp, Wordpress 2 Coupon Affiliates, Wordpress 2026-06-16 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Coupon Affiliates <= 7.5.3 versions.
CVE-2026-42663 2 Wordpress, Wp.insider 2 Wordpress, Simple Membership 2026-06-16 6.5 Medium
Unauthenticated Cross Site Scripting (XSS) in Simple Membership <= 4.7.2 versions.
CVE-2026-48867 2 Expresstech, Wordpress 2 Quiz And Survey Master, Wordpress 2026-06-16 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Quiz And Survey Master <= 11.1.2 versions.
CVE-2026-52712 2 Tnomi, Wordpress 2 Attendance Manager, Wordpress 2026-06-16 7.6 High
Subscriber SQL Injection in Attendance Manager <= 0.6.2 versions.
CVE-2026-54198 2 Davidlingren, Wordpress 2 Media Library Assistant, Wordpress 2026-06-16 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Media LIbrary Assistant <= 3.35 versions.
CVE-2026-2381 2 Woocommerce, Wordpress 2 Stripe Payment Gateway, Wordpress 2026-06-16 6.5 Medium
The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_pay_for_order()` function in all versions up to, and including, 10.7.0 This is due to a missing order ownership or order_key verification when processing payment for an order via the `wc_stripe_pay_for_order` WC-AJAX endpoint. The function only validates a nonce (which is publicly available on any WooCommerce page where Express Checkout is enabled), but does not verify that the requesting user owns the target order and is allowed to modify it. This makes it possible for unauthenticated attackers to force any pending order into a failed status by providing a fake payment method, causing a payment exception that updates the order status to "failed" via sequential order ID enumeration.
CVE-2026-5149 2 Rometheme, Wordpress 2 Rtmkit, Wordpress 2026-06-16 6.5 Medium
The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the get_submission_content AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it possible for authenticated attackers, with Contributor-level access and above, to view arbitrary form submissions from other users by iterating the entries_id parameter.
CVE-2026-39499 2 Wombat Plugins, Wordpress 2 Advanced Product Fields Product Addons For Woocommerce, Wordpress 2026-06-16 7.2 High
Shop manager PHP Object Injection in Advanced Product Fields (Product Addons) for WooCommerce <= 1.6.19 versions.
CVE-2026-39513 2 Easy-appointments, Wordpress 2 Easy Appointments, Wordpress 2026-06-16 7.5 High
Unauthenticated Broken Access Control in Easy Appointments <= 3.12.21 versions.
CVE-2026-49769 2 Tomdever, Wordpress 2 Wpforo Forum, Wordpress 2026-06-16 9.8 Critical
Unauthenticated PHP Object Injection in wpForo Forum <= 3.1.0 versions.