Export limit exceeded: 13898 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (13898 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-42748 | 2 Wordpress, Wpify | 2 Wordpress, Woo Czech | 2026-05-27 | 9.9 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in WPify WPify Woo Czech wpify-woo allows Upload a Web Shell to a Web Server.This issue affects WPify Woo Czech: from n/a through <= 5.4.1. | ||||
| CVE-2026-42740 | 2 Tainacan, Wordpress | 2 Tainacan, Wordpress | 2026-05-27 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in tainacan Tainacan tainacan allows Blind SQL Injection.This issue affects Tainacan: from n/a through <= 1.0.3. | ||||
| CVE-2026-48968 | 2 Averta, Wordpress | 2 Master Slider, Wordpress | 2026-05-27 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta Master Slider allows DOM-Based XSS. This issue affects Master Slider: from n/a through 3.10.8. | ||||
| CVE-2026-42746 | 2 Wordpress, Zaytech | 2 Wordpress, Smart Online Order For Clover | 2026-05-27 | 7.3 High |
| Insertion of Sensitive Information Into Sent Data vulnerability in ZAYTECH Smart Online Order for Clover clover-online-orders allows Retrieve Embedded Sensitive Data.This issue affects Smart Online Order for Clover: from n/a through <= 1.6.0. | ||||
| CVE-2026-42753 | 2 Wclovers, Wordpress | 2 Wcfm Membership, Wordpress | 2026-05-27 | 7.3 High |
| Missing Authorization vulnerability in WC Lovers WCFM Membership wc-multivendor-membership allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WCFM Membership: from n/a through <= 2.11.10. | ||||
| CVE-2026-42760 | 2 Revmakx, Wordpress | 2 Backup And Staging By Wp Time Capsule, Wordpress | 2026-05-27 | 7.5 High |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in revmakx Backup and Staging by WP Time Capsule wp-time-capsule allows Password Recovery Exploitation.This issue affects Backup and Staging by WP Time Capsule: from n/a through <= 1.22.25. | ||||
| CVE-2026-42761 | 2 Realmag777, Wordpress | 2 Active Products Tables For Woocommerce, Wordpress | 2026-05-27 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 Active Products Tables for WooCommerce profit-products-tables-for-woocommerce allows Blind SQL Injection.This issue affects Active Products Tables for WooCommerce: from n/a through <= 1.0.9. | ||||
| CVE-2026-42734 | 2 Dylan Kuhn, Wordpress | 2 Geo Mashup, Wordpress | 2026-05-27 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan Kuhn Geo Mashup geo-mashup allows Reflected XSS.This issue affects Geo Mashup: from n/a through <= 1.13.19. | ||||
| CVE-2026-42725 | 2 Wordpress, Wpwham | 2 Wordpress, Checkout Files Upload For Woocommerce | 2026-05-27 | 6.5 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in WP Wham Checkout Files Upload for WooCommerce checkout-files-upload-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Checkout Files Upload for WooCommerce: from n/a through <= 2.2.5. | ||||
| CVE-2026-42729 | 2 Propertyhive, Wordpress | 2 Propertyhive, Wordpress | 2026-05-27 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Property Hive PropertyHive propertyhive allows DOM-Based XSS.This issue affects PropertyHive: from n/a through <= 2.2.2. | ||||
| CVE-2026-42727 | 2 Realmag777, Wordpress | 2 Active Products Tables For Woocommerce, Wordpress | 2026-05-27 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 Active Products Tables for WooCommerce profit-products-tables-for-woocommerce allows Blind SQL Injection.This issue affects Active Products Tables for WooCommerce: from n/a through <= 1.0.8. | ||||
| CVE-2026-8042 | 2 Octalmage, Wordpress | 2 Github Shortcode, Wordpress | 2026-05-27 | 6.4 Medium |
| The Github Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'repo' shortcode attribute in the 'github' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-3896 | 2 Livemesh, Wordpress | 2 Livemesh Siteorigin Widgets, Wordpress | 2026-05-27 | 6.4 Medium |
| The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `lsow_admin_ajax` AJAX action in all versions up to, and including, 3.9.2 due to missing authorization checks and insufficient input sanitization. The AJAX handler verifies a nonce but does not check user capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to modify plugin settings and inject malicious scripts that execute when administrators access the plugin settings page or when any user visits the frontend. | ||||
| CVE-2026-27331 | 2 Magepeople, Wordpress | 2 Wptravelly, Wordpress | 2026-05-27 | 6.3 Medium |
| Missing Authorization vulnerability in Magepeople inc. WpTravelly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpTravelly: from n/a through 2.1.5. | ||||
| CVE-2026-25444 | 2 Magepeopleteam, Wordpress | 2 Wpbookingly, Wordpress | 2026-05-27 | 4.3 Medium |
| Missing Authorization vulnerability in Magepeople inc. WpBookingly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpBookingly: from n/a through 1.2.9. | ||||
| CVE-2026-24520 | 2 Bplugins, Wordpress | 2 Tiktok Feed Plugin, Wordpress | 2026-05-27 | 4.3 Medium |
| Missing Authorization vulnerability in bPlugins Tiktok Feed allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tiktok Feed: from n/a through 1.0.24. | ||||
| CVE-2026-25426 | 2 Magepeople, Wordpress | 2 Taxi Booking Manager For Woocommerce, Wordpress | 2026-05-27 | 5.3 Medium |
| Missing Authorization vulnerability in Magepeople inc. Taxi Booking Manager for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Taxi Booking Manager for WooCommerce: from n/a through 2.0.1. | ||||
| CVE-2025-14361 | 2 Aa-team, Wordpress | 2 Woocommerce Envato Affiliates, Wordpress | 2026-05-27 | 7.1 High |
| Missing Authorization vulnerability in AA-Team Woocommerce Envato Affiliates allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Woocommerce Envato Affiliates: from n/a through 1.2.1. | ||||
| CVE-2026-7493 | 2 Croixhaug, Wordpress | 2 Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin, Wordpress | 2026-05-27 | 5.3 Medium |
| The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to denial of service in all versions up to, and including, 1.6.11.5. This is due to a publicly accessible REST API endpoint (/wp-json/ssa/v1/async) that calls PHP's sleep() function on a user-supplied delay parameter without any rate limiting. This makes it possible for unauthenticated attackers to exhaust PHP worker processes, denying access to the site to legitimate users. | ||||
| CVE-2026-6565 | 2 Analogwp, Wordpress | 2 Style Kits For Elementor, Wordpress | 2026-05-27 | 6.4 Medium |
| The Style Kits – Advanced Theme Styles for Elementor, Elementor Kits & Elementor Patterns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '/wp-json/agwp/v1/tokens/save' endpoint kit title parameter in versions up to, and including, 2.5.0 due to insufficient input sanitization and output escaping in an admin attribute context. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||