Search

Search Results (334029 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2016-20081 2 Husain, Wordpress 2 Hb Audio Gallery Lite, Wordpress 2026-06-23 7.5 High
WordPress Plugin HB Audio Gallery Lite 1.0.0 contains a path traversal vulnerability that allows unauthenticated attackers to download arbitrary files by manipulating the file_path parameter. Attackers can send requests to the audio-download.php endpoint with directory traversal sequences to access sensitive files like wp-config.php outside the intended gallery directory.
CVE-2016-20082 2 Abtest, Wordpress 2 Abtest, Wordpress 2026-06-23 6.2 Medium
WordPress Plugin Abtest contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the action parameter. Attackers can send GET requests to abtest_admin.php with malicious action values to include files from the admin directory and execute arbitrary code.
CVE-2016-20083 2 Henrikmelin, Wordpress 2 More Fields, Wordpress 2026-06-23 5.3 Medium
WordPress More Fields Plugin 2.1 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by disabling CSRF token validation. Attackers can craft malicious web pages that trick logged-in administrators into adding or deleting custom fields and boxes on the Write/Edit page via POST and GET requests to the options-general.php endpoint.
CVE-2016-20084 2 Dwbooster, Wordpress 2 Booking Calendar Contact, Wordpress 2026-06-23 7.2 High
WordPress appointment-booking-calendar 1.1.24 contains multiple privilege escalation vulnerabilities that allow unauthenticated attackers to modify calendar settings and inject persistent cross-site scripting payloads through the admin.php page parameters. Attackers can inject malicious JavaScript into the 'ict' and 'ics' options or the calendar 'name' parameter via GET requests to execute arbitrary scripts when the calendar is displayed or accessed in the administration interface.
CVE-2018-25436 2 Shipster, Wordpress 2 Baggage Freight Shipping Australia, Wordpress 2026-06-23 9.8 Critical
WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the upload-package.php endpoint. Attackers can submit POST requests with malicious file extensions to the upload handler, which moves files without validation to the plugin upload directory, enabling remote code execution.
CVE-2018-25437 2 Cherryframework, Wordpress 2 Cherry Framework Themes, Wordpress 2026-06-23 7.5 High
WordPress CherryFramework Themes 3.1.4 contains an information disclosure vulnerability that allows unauthenticated attackers to download sensitive backup files by accessing the download_backup.php endpoint. Attackers can directly access the download_backup.php script in the admin/data_management directory to obtain ZIP archives containing the entire wp-content/themes directory contents.
CVE-2025-15658 2 Rewish, Wordpress 2 Wp Emmet, Wordpress 2026-06-23 5.9 Medium
Administrator Cross Site Scripting (XSS) in WP Emmet <= 0.3.4 versions.
CVE-2025-15659 2 Liseperu, Wordpress 2 Elizaibots, Wordpress 2026-06-23 6.5 Medium
Contributor Cross Site Scripting (XSS) in Elizaibots <= 1.0.2 versions.
CVE-2025-60175 2 Vynnus, Wordpress 2 Popad, Wordpress 2026-06-23 4.4 Medium
Administrator Server Side Request Forgery (SSRF) in PopAd <= 1.0.4 versions.
CVE-2025-68049 2 Bunny.net, Wordpress 2 Bunny.net, Wordpress 2026-06-23 6.3 Medium
Subscriber Broken Access Control in bunny.net <= 2.3.6 versions.
CVE-2025-68840 2 Markbeljaars, Wordpress 2 Irobots.txt Seo, Wordpress 2026-06-23 7.1 High
Unauthenticated Cross Site Scripting (XSS) in iRobots.txt SEO <= 1.1.2 versions.
CVE-2025-68851 2 Arrayhq, Wordpress 2 Okay Toolkit, Wordpress 2026-06-23 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Okay Toolkit <= 2.3 versions.
CVE-2025-68872 2 Eli, Wordpress 2 Eli's Wordcents Adsense Widget With Analytics, Wordpress 2026-06-23 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Eli&#039;s WordCents adSense Widget with Analytics <= 1.3.03.27 versions.
CVE-2025-69332 2 Mycred, Wordpress 2 Bookify, Wordpress 2026-06-23 6.5 Medium
Subscriber Broken Access Control in Bookify <= 1.1.1 versions.
CVE-2025-10262 1 Nokia 1 Sr Linux 2026-06-23 6.3 Medium
Nokia SR Linux is vulnerable to local privilege escalation vulnerability due to unsanitized format validation. Successful exploitation of this vulnerability may allow an authenticated user to execute arbitrary commands with superuser privileges.
CVE-2025-9912 1 Nokia 1 Nokia Sr Linux 2026-06-23 6.3 Medium
Nokia SR Linux is vulnerable to a local privilege escalation vulnerability. Successful exploitation of this vulnerability may allow an authenticated user to execute arbitrary commands with superuser privilege.
CVE-2026-10093 2 Deepakkite, Wordpress 2 Secure Client Portal And Private File Sharing Plugin – User Private Files, Wordpress 2026-06-23 6.4 Medium
The File Sharing & Download Manager – User Private Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fldr_ttl' parameter in all versions up to, and including, 2.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2025-68045 2 Arraytics, Wordpress 2 Wp Event Solution, Wordpress 2026-06-23 7.5 High
Unauthenticated Broken Access Control in WP Event SOlution <= 4.1.12 versions.
CVE-2024-39575 1 Dell 1 Dell Emc Vxrail Appliance 2026-06-23 7.4 High
update_disk_psu_baseline.sh requires password in plain text
CVE-2026-10303 1 Serverco 1 Getssl 2026-06-23 7.4 High
In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized file write/path traversal effects, usually with elevated privileges, ultimately allowing for remote command injection. This issue appears related in spirit to CVE-2023-38198, and is an instance of CWE-73, "External control of file name or path." Other ACME shell script handlers may be affected by similar issues.