Search Results (13671 CVEs found)

CVE | Vendors | Products | Updated | CVSS v3.1
CVE-2026-49078 | 2 Wordpress, Wptravelengine | 2 Wordpress, Wp Travel Engine | 2026-06-26 | 7.5 High
Unauthenticated Other Vulnerability Type in WP Travel Engine <= 6.7.10 versions.
CVE-2026-49104 | 2 Crm Perks, Wordpress | 2 Integration For Mailchimp And Contact Form 7, Wpforms, Elementor, Ninja Forms, Wordpress | 2026-06-26 | 9.8 Critical
Unauthenticated PHP Object Injection in Integration for Keap/infusionsoft and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.2.1 versions.
CVE-2026-49109 | 2 Crmperks, Wordpress | 2 Integration For Salesforce And Contact Form 7, Wpforms, Elementor, Ninja Forms, Wordpress | 2026-06-26 | 9.8 Critical
Unauthenticated PHP Object Injection in Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms <= 1.4.3 versions.
CVE-2026-49766 | 2 Wordpress, Wpusermanager | 2 Wordpress, Wp User Manager | 2026-06-26 | 9.9 Critical
Subscriber Arbitrary File Deletion in WP User Manager <= 2.9.16 versions.
CVE-2026-49770 | 2 Wordpress, Wptravelengine | 2 Wordpress, Wp Travel Engine | 2026-06-26 | 9.8 Critical
Unauthenticated PHP Object Injection in WP Travel Engine <= 6.7.12 versions.
CVE-2026-49775 | 2 Welcart, Wordpress | 2 Welcart E-commerce, Wordpress | 2026-06-26 | 6.5 Medium
Unauthenticated Broken Access Control in Welcart e-Commerce <= 2.11.28 versions.
CVE-2026-49776 | 2 John-dagelmore, Wordpress | 2 Gptranslate – Multilingual Ai Translation For Wordpress: Automatically Translate Websites, Wordpress | 2026-06-26 | 9.3 Critical
Unauthenticated SQL Injection in GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites <= 2.32.6 versions.
CVE-2026-52703 | 2 Ninjateam, Wordpress | 2 Fastdup, Wordpress | 2026-06-26 | 9.6 Critical
Unauthenticated Path Traversal in FastDup <= 2.7.2 versions.
CVE-2026-52714 | 2 Squirrly, Wordpress | 2 Seo Plugin By Squirrly Seo, Wordpress | 2026-06-26 | 7.5 High
Unauthenticated Broken Access Control in SEO Plugin by Squirrly SEO <= 12.4.16 versions.
CVE-2026-49772 | 2 Stellarwp, Wordpress | 2 The Events Calendar, Wordpress | 2026-06-26 | 9.3 Critical
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Liquid Web / StellarWP The Events Calendar allows Blind SQL Injection. This issue affects The Events Calendar: from 6.15.12 through 6.16.2.
CVE-2026-12256 | 2 Theme-fusion, Wordpress | 2 Avada, Wordpress | 2026-06-26 | 8.8 High
Contributor PHP Object Injection in Avada <= 3.15.3 versions.
CVE-2026-39433 | 2 Mojoomla, Wordpress | 2 Wpams Plugin, Wordpress | 2026-06-26 | 6.5 Medium
Subscriber Arbitrary Content Deletion in WPAMS < 49.5.3 versions.
CVE-2026-39539 | 2 Edge-themes, Wordpress | 2 Alloggio Hotel Booking, Wordpress | 2026-06-26 | 8.1 High
Unauthenticated PHP Object Injection in Alloggio - Hotel Booking <= 2.1.2 versions.
CVE-2026-49073 | 2 Wordpress, Wpwax | 2 Wordpress, Directorist | 2026-06-26 | 8.5 High
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpWax Directorist Booking allows Blind SQL Injection. This issue affects Directorist Booking: from n/a through 3.0.3.
CVE-2026-39598 | 2 Kodezen, Wordpress | 2 Academy Lms, Wordpress | 2026-06-26 | 8 High
Unrestricted Upload of File with Dangerous Type vulnerability in Kodezen LLC Academy LMS Pro allows Upload a Web Shell to a Web Server. This issue affects Academy LMS Pro: from n/a before 3.5.2.
CVE-2026-8089 | 2 Wedevs, Wordpress | 2 Wemail: Email Marketing, Email Automation, Newsletters, Subscribers & Ecommerce Email Optins, Wordpress | 2026-06-26 | 7.1 High
The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated attackers to deliver Reflected Cross-Site Scripting against any authenticated user (including administrators) via a crafted URL.
CVE-2026-8607 | 2 Saadiqbal, Wordpress | 2 Mycred – Points Management System For Gamification, Ranks, Badges, And Loyalty Program., Wordpress | 2026-06-26 | 6.4 Medium
The Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wrap' Shortcode Attribute in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-8494 | 2 Maciej Bis, Wordpress | 2 Permalink Manager Lite, Wordpress | 2026-06-26 | 6.4 Medium
The Permalink Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in the admin URI Editor interface in all versions up to, and including, 2.5.3.3 due to insufficient output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in the admin Permalink Manager page that will execute whenever an administrator accesses the Permalink Manager page.
CVE-2026-9690 | 2 Joomunited, Wordpress | 2 Wp Media Folder, Wordpress | 2026-06-26 | 7.5 High
Unauthenticated Arbitrary File Download in WP Media folder Addon <= 4.0.1 versions.
CVE-2026-22332 | 2 Themeum, Wordpress | 2 Tutor Lms, Wordpress | 2026-06-26 | 9.3 Critical
Unauthenticated SQL Injection in Tutor LMS Pro <= 3.9.6 versions.