Export limit exceeded: 363125 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 363125 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 363125 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (363125 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-9145 | 2 Crmperks, Wordpress | 2 Database For Contact Form 7, Wpforms, Elementor Forms, Wordpress | 2026-07-02 | 6.5 Medium |
| The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Arbitrary File Copy via the create_entry_el() function in versions up to, and including, 1.5.1. The function reads raw_value from Elementor Pro's Form_Record object for upload-type fields and passes it directly to PHP's copy() without validating that the value corresponds to a legitimately uploaded file — when no file is present in $_FILES, raw_value reflects the attacker-controlled POST string. copy() accepts both local filesystem paths and URL sources, so the attacker can target any file readable by the PHP process or supply an attacker-controlled remote URL. Elementor Pro is a prerequisite for triggering the code path (it owns the elementor_pro/forms/new_record hook and populates the Form_Record object), but the bug itself is entirely in Contact Form Entries' handler. This could allow unauthenticated attackers to disclose arbitrary files on the affected site's server. The file is copied to a directory unknown to the attacker; the hashed directory name provides defense-in-depth but is generated from non-cryptographic sources (uniqid() + rand()) and should not be relied upon as the primary mitigation. | ||||
| CVE-2025-69133 | 2 Goodlayers, Wordpress | 2 Tour Master, Wordpress | 2026-07-02 | 7.5 High |
| Subscriber Local File Inclusion in Tourmaster <= 5.4.5 versions. | ||||
| CVE-2025-69156 | 2026-07-02 | 7.1 High | ||
| Unauthenticated Cross Site Scripting (XSS) in Kids Zone - Children WordPress Theme <= 5.4 versions. | ||||
| CVE-2026-27414 | 2026-07-02 | 8.8 High | ||
| Contributor PHP Object Injection in Werkstatt <= 4.8.3 versions. | ||||
| CVE-2026-27436 | 2026-07-02 | 9.1 Critical | ||
| Editor Arbitrary Code Execution in Five Star Business Profile and Schema <= 2.3.19 versions. | ||||
| CVE-2026-57344 | 2 Radiustheme, Wordpress | 2 Classified Listing, Wordpress | 2026-07-02 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Classified Listing <= 5.4.2 versions. | ||||
| CVE-2026-57351 | 2 Haktansuren, Wordpress | 2 Handl Utm Grabber, Wordpress | 2026-07-02 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in HandL UTM Grabber <= 2.9.2 versions. | ||||
| CVE-2026-57357 | 2026-07-02 | 7.1 High | ||
| Unauthenticated Cross Site Scripting (XSS) in Search Atlas SEO <= 2.6.6 versions. | ||||
| CVE-2026-57366 | 2 Greg Winiarski, Wordpress | 2 Wpadverts, Wordpress | 2026-07-02 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in WPAdverts <= 2.3.1 versions. | ||||
| CVE-2026-57669 | 2026-07-02 | 6.5 Medium | ||
| Subscriber Broken Access Control in Advanced Contact form 7 DB <= 2.0.9 versions. | ||||
| CVE-2026-57675 | 2 Jacob N. Breetvelt, Wordpress | 2 Wp Photo Album Plus, Wordpress | 2026-07-02 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in WP Photo Album Plus <= 9.2.02.004 versions. | ||||
| CVE-2026-57683 | 2026-07-02 | 9.3 Critical | ||
| Unauthenticated SQL Injection in WP Fast Total Search <= 1.80.280 versions. | ||||
| CVE-2026-57689 | 2026-07-02 | 4.3 Medium | ||
| Subscriber Broken Access Control in Werkstatt <= 4.7.2 versions. | ||||
| CVE-2026-57748 | 2026-07-02 | 7.5 High | ||
| Contributor Local File Inclusion in Shopify <= 1.0.0 versions. | ||||
| CVE-2026-57754 | 2026-07-02 | 6.5 Medium | ||
| Contributor Cross Site Scripting (XSS) in Livemesh Addons for WPBakery Page Builder <= 3.9.4 versions. | ||||
| CVE-2026-57761 | 2026-07-02 | 7.1 High | ||
| Unauthenticated Cross Site Request Forgery (CSRF) in SEOWP <= 3.12.2 versions. | ||||
| CVE-2026-56037 | 2026-07-02 | 8.8 High | ||
| Deserialization of Untrusted Data vulnerability in Themify Themify Popup allows Object Injection. This issue affects Themify Popup: from n/a through 1.4.3. | ||||
| CVE-2026-55117 | 2026-07-02 | 8.6 High | ||
| A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi Access Application to access files on the host device. | ||||
| CVE-2026-55119 | 2026-07-02 | 8.1 High | ||
| A malicious actor with access to the network and low privileges could exploit an Improper Access Control vulnerability found in UniFi Talk Application to escalate privileges within the UniFi Talk Application. | ||||
| CVE-2026-54164 | 1 Api-platform | 1 Core | 2026-07-02 | 6.5 Medium |
| API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. In versions prior to 4.1.30, 4.2.26 and 4.3.12, the serializer's AbstractItemNormalizer does not validate the resource type returned when resolving relation IRIs, allowing type confusion where a resource of an unintended type can be silently assigned to a relation property. An attacker who can submit write requests (POST/PUT/PATCH) to an API Platform endpoint with writable relations can supply a relation IRI pointing to a resource of a different type than the relation's declared class. Because getResourceFromIri() does not pass an $operation to IriConverter::getResourceFromIri(), the is_a type guard at IriConverter.php:86 is skipped. For untyped relation properties (legacy @var-only style), the wrong-typed object is silently assigned, corrupting invariants and potentially feeding downstream logic that assumes the declared type (CWE-843). For typed properties (modern PHP 8.x), the substitution is blocked by Symfony's PropertyAccessor with an InvalidTypeException. This issue has been fixed in versions 4.1.30, 4.2.26 and 4.3.12. | ||||