Export limit exceeded: 14083 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (14083 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-13250 | 2 Solacewp, Wordpress | 2 Solace Extra, Wordpress | 2026-07-13 | 5.3 Medium |
| The Solace Extra plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.5.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to permanently delete all content previously imported via the Starter Template feature, including posts, pages, media attachments, WooCommerce products, taxonomy terms, and sitebuilder templates. The required nonce is emitted on every wp-admin page via wp_localize_script() hooked to admin_enqueue_scripts without a page guard, meaning any Subscriber visiting /wp-admin/profile.php can obtain it; the handler is additionally registered via wp_ajax_nopriv_, making it reachable by fully unauthenticated users as well. | ||||
| CVE-2026-4661 | 2 Blendmedia, Wordpress | 2 Wp Cta – Call Now Button, Sticky Button & Call To Action Builder, Wordpress | 2026-07-13 | 7.5 High |
| The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'fildname' parameter in all versions up to, and including, 2.2.2. This is due to insufficient escaping of user-supplied column names in the ajaxCheck() method and lack of preparation in the $wpdb->update() call. The vulnerability is compounded by the complete absence of authorization checks and the endpoint being registered for unauthenticated users via wp_ajax_nopriv_. This makes it possible for unauthenticated attackers to inject arbitrary SQL queries and extract sensitive information from the database via time-based blind SQL injection techniques, including administrator password hashes. | ||||
| CVE-2026-6801 | 2 Postmagthemes, Wordpress | 2 Context Blog, Wordpress | 2026-07-13 | 5.3 Medium |
| The Context Blog theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.5 via the context_blog_modal_popup. This makes it possible for unauthenticated attackers to extract the content of password-protected posts. | ||||
| CVE-2026-1359 | 2 Genolve, Wordpress | 2 Genolve Ai Business Graphics, Ai Images, Wordpress | 2026-07-13 | 8.8 High |
| The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the genolve_setOpt() function in all versions up to, and including, 5.0.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to update arbitrary WordPress options, including enabling user registration and setting the default role to administrator, resulting in privilege escalation. | ||||
| CVE-2026-12126 | 2 Wclovers, Wordpress | 2 Wcfm Marketplace – Multivendor Marketplace For Woocommerce, Wordpress | 2026-07-13 | 6.4 Medium |
| The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'post_title' in all versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Vendor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. An attacker can plant the payload by uploading a media attachment with a crafted title via the WordPress REST API (/wp-json/wp/v2/media), without ever invoking the AJAX endpoint themselves, as the unescaped title is later emitted inside DataTables JSON and inserted as innerHTML upon any privileged user loading the media dashboard. | ||||
| CVE-2026-10041 | 2 Wclovers, Wordpress | 2 Wcfm – Frontend Manager For Woocommerce, Wordpress | 2026-07-13 | 4.3 Medium |
| The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfm_product_archive due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to archive arbitrary vendors' products, toggle the featured status on arbitrary listings, mark arbitrary WooCommerce orders as completed, and permanently delete arbitrary enquiries and bulk messages belonging to other vendors. | ||||
| CVE-2026-57371 | 2 Denishua, Wordpress | 2 Wpjam Basic, Wordpress | 2026-07-13 | 8.8 High |
| Deserialization of Untrusted Data vulnerability in denishua WPJAM Basic wpjam-basic allows Object Injection.This issue affects WPJAM Basic: from n/a through <= 7.0. | ||||
| CVE-2026-57379 | 2 Wordpress, Wppool | 2 Wordpress, Formychat | 2026-07-13 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPPOOL FormyChat social-contact-form allows Stored XSS.This issue affects FormyChat: from n/a through <= 2.15.3. | ||||
| CVE-2026-57386 | 2 Kodezen, Wordpress | 2 Ablocks, Wordpress | 2026-07-13 | 8.8 High |
| Incorrect Privilege Assignment vulnerability in Kodezen LLC aBlocks ablocks allows Privilege Escalation.This issue affects aBlocks: from n/a through < 2.9.1. | ||||
| CVE-2026-57392 | 2 Themefic, Wordpress | 2 Tourfic, Wordpress | 2026-07-13 | 6.5 Medium |
| Missing Authorization vulnerability in Themefic Tourfic tourfic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tourfic: from n/a through <= 2.22.5. | ||||
| CVE-2026-57399 | 2 Proxy & Vpn Blocker, Wordpress | 2 Proxy & Vpn Blocker, Wordpress | 2026-07-13 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Proxy & VPN Blocker Proxy & VPN Blocker proxy-vpn-blocker allows Stored XSS.This issue affects Proxy & VPN Blocker: from n/a through <= 3.5.8. | ||||
| CVE-2026-57405 | 2 Themehunk, Wordpress | 2 Open Shop, Wordpress | 2026-07-13 | 7.1 High |
| Missing Authorization vulnerability in themehunk Open Shop open-shop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Open Shop: from n/a through <= 1.7.1. | ||||
| CVE-2026-57411 | 2 Aman, Wordpress | 2 Cf7 Views – Complete Entry Management For Contact Form 7, Wordpress | 2026-07-13 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aman CF7 Views – Complete Entry Management for Contact Form 7 cf7-views allows DOM-Based XSS.This issue affects CF7 Views – Complete Entry Management for Contact Form 7: from n/a through <= 3.2.2. | ||||
| CVE-2026-57365 | 2 Hitesh Chandwani, Wordpress | 2 Recaptcha (v2 & V3) For Asgaros Forum, Wordpress | 2026-07-13 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hitesh Chandwani reCAPTCHA (v2 & v3) for Asgaros Forum recaptcha-for-asgaros-forum allows DOM-Based XSS.This issue affects reCAPTCHA (v2 & v3) for Asgaros Forum: from n/a through <= 1.1.0. | ||||
| CVE-2026-57364 | 2 Wordpress, Wpdeveloper | 2 Wordpress, Better Payment – Instant Payments, Donations, Fundraising With Subscriptions & More | 2026-07-13 | 6.5 Medium |
| Improper Validation of Specified Quantity in Input vulnerability in WPDeveloper Better Payment – Instant Payments, Donations, Fundraising with Subscriptions & More better-payment allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Better Payment – Instant Payments, Donations, Fundraising with Subscriptions & More: from n/a through <= 2.2.0. | ||||
| CVE-2026-57378 | 2 Phil Kurth, Wordpress | 2 Advanced Forms, Wordpress | 2026-07-13 | 7.5 High |
| Missing Authorization vulnerability in Phil Kurth Advanced Forms advanced-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Forms: from n/a through <= 1.9.3.7. | ||||
| CVE-2026-57417 | 2 Rextheme, Wordpress | 2 Cart Lift, Wordpress | 2026-07-13 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RexTheme Cart Lift cart-lift allows Stored XSS.This issue affects Cart Lift: from n/a through <= 3.1.57. | ||||
| CVE-2026-57423 | 2 Kofimokome, Wordpress | 2 Message Filter For Contact Form 7, Wordpress | 2026-07-13 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kofi Mokome Message Filter for Contact Form 7 cf7-message-filter allows Reflected XSS.This issue affects Message Filter for Contact Form 7: from n/a through <= 1.6.3.8. | ||||
| CVE-2026-57406 | 2 Roxnor, Wordpress | 2 Fundengine, Wordpress | 2026-07-13 | 6.5 Medium |
| Missing Authorization vulnerability in Roxnor FundEngine wp-fundraising-donation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FundEngine: from n/a through <= 1.7.6. | ||||
| CVE-2026-57695 | 2 Dan Rossiter, Wordpress | 2 Document Gallery, Wordpress | 2026-07-13 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dan Rossiter Document Gallery document-gallery allows Reflected XSS.This issue affects Document Gallery: from n/a through <= 5.1.0. | ||||