Export limit exceeded: 13974 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (13974 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-12360 | 2 Crocoblock, Wordpress | 2 Jetengine, Wordpress | 2026-06-17 | 7.5 High |
| The JetEngine plugin for WordPress is vulnerable to SQL injection in all versions up to and including 3.8.10.1. The listing_load_more AJAX handler accepts a filtered_query parameter that is intentionally excluded from the HMAC query signature check to support front-end filter integration. However, meta_query row values within filtered_query are not sanitized before being merged into SQL construction. This makes it possible for unauthenticated attackers to perform time-based or boolean blind SQL injection by appending a malicious meta_query value to a Load More AJAX request captured from any public Listing Grid page. | ||||
| CVE-2026-48869 | 2 Kriesi, Wordpress | 2 Enfold, Wordpress | 2026-06-17 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Enfold <= 7.1.4 versions. | ||||
| CVE-2026-9062 | 2 Store Locator Wordpress, Wordpress | 2 Store Locator Wordpress, Wordpress | 2026-06-17 | 3.4 Low |
| The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from the server, including configuration files that contain database credentials and authentication keys. | ||||
| CVE-2026-39481 | 2 Wordpress, Wpchill | 2 Wordpress, Modula Image Gallery | 2026-06-16 | 7.2 High |
| Author PHP Object Injection in Modula Image Gallery <= 2.14.18 versions. | ||||
| CVE-2026-39449 | 2 Itpathsolutions, Wordpress | 2 Contact Form To Any Api, Wordpress | 2026-06-16 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Contact Form to Any API <= 3.0.3 versions. | ||||
| CVE-2026-34892 | 2 Rank Math Seo, Wordpress | 2 Rank Math Seo, Wordpress | 2026-06-16 | 6.5 Medium |
| Subscriber Broken Access Control in Rank Math SEO <= 1.0.271 versions. | ||||
| CVE-2026-39435 | 2 Bgermann, Wordpress | 2 Cformsii, Wordpress | 2026-06-16 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in CformsII <= 15.1.3 versions. | ||||
| CVE-2026-39463 | 2 Managewp, Wordpress | 2 Managewp Worker, Wordpress | 2026-06-16 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in ManageWP Worker <= 4.9.31 versions. | ||||
| CVE-2026-39474 | 2 Metaphorcreations, Wordpress | 2 Post Duplicator, Wordpress | 2026-06-16 | 8.8 High |
| Contributor PHP Object Injection in Post Duplicator <= 3.0.10 versions. | ||||
| CVE-2026-39584 | 2 Webful Creations, Wordpress | 2 Repairbuddy, Wordpress | 2026-06-16 | 6.5 Medium |
| Subscriber Broken Access Control in RepairBuddy <= 4.1132 versions. | ||||
| CVE-2026-40770 | 2 Relywp, Wordpress | 2 Coupon Affiliates, Wordpress | 2026-06-16 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Coupon Affiliates <= 7.5.3 versions. | ||||
| CVE-2026-42663 | 2 Wordpress, Wp.insider | 2 Wordpress, Simple Membership | 2026-06-16 | 6.5 Medium |
| Unauthenticated Cross Site Scripting (XSS) in Simple Membership <= 4.7.2 versions. | ||||
| CVE-2026-48867 | 2 Expresstech, Wordpress | 2 Quiz And Survey Master, Wordpress | 2026-06-16 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Quiz And Survey Master <= 11.1.2 versions. | ||||
| CVE-2026-52712 | 2 Tnomi, Wordpress | 2 Attendance Manager, Wordpress | 2026-06-16 | 7.6 High |
| Subscriber SQL Injection in Attendance Manager <= 0.6.2 versions. | ||||
| CVE-2026-54198 | 2 Davidlingren, Wordpress | 2 Media Library Assistant, Wordpress | 2026-06-16 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Media LIbrary Assistant <= 3.35 versions. | ||||
| CVE-2026-2381 | 2 Woocommerce, Wordpress | 2 Stripe Payment Gateway, Wordpress | 2026-06-16 | 6.5 Medium |
| The WooCommerce Stripe Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_pay_for_order()` function in all versions up to, and including, 10.7.0 This is due to a missing order ownership or order_key verification when processing payment for an order via the `wc_stripe_pay_for_order` WC-AJAX endpoint. The function only validates a nonce (which is publicly available on any WooCommerce page where Express Checkout is enabled), but does not verify that the requesting user owns the target order and is allowed to modify it. This makes it possible for unauthenticated attackers to force any pending order into a failed status by providing a fake payment method, causing a payment exception that updates the order status to "failed" via sequential order ID enumeration. | ||||
| CVE-2026-5149 | 2 Rometheme, Wordpress | 2 Rtmkit, Wordpress | 2026-06-16 | 6.5 Medium |
| The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the get_submission_content AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it possible for authenticated attackers, with Contributor-level access and above, to view arbitrary form submissions from other users by iterating the entries_id parameter. | ||||
| CVE-2026-39499 | 2 Wombat Plugins, Wordpress | 2 Advanced Product Fields Product Addons For Woocommerce, Wordpress | 2026-06-16 | 7.2 High |
| Shop manager PHP Object Injection in Advanced Product Fields (Product Addons) for WooCommerce <= 1.6.19 versions. | ||||
| CVE-2026-39513 | 2 Easy-appointments, Wordpress | 2 Easy Appointments, Wordpress | 2026-06-16 | 7.5 High |
| Unauthenticated Broken Access Control in Easy Appointments <= 3.12.21 versions. | ||||
| CVE-2026-49769 | 2 Tomdever, Wordpress | 2 Wpforo Forum, Wordpress | 2026-06-16 | 9.8 Critical |
| Unauthenticated PHP Object Injection in wpForo Forum <= 3.1.0 versions. | ||||