Export limit exceeded: 14527 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 13662 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (13662 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-11783 | 2 Dokaninc, Wordpress | 2 Dokan: Ai Powered Woocommerce Multivendor Marketplace Solution – Build Your Own Amazon, Ebay, Etsy, Wordpress | 2026-06-29 | 6.4 Medium |
| The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Product SKU in all versions up to, and including, 5.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious payload is delivered to site visitors — including unauthenticated users — when the store search widget inserts the unescaped AJAX response HTML into the DOM via jQuery's .html() method. | ||||
| CVE-2026-12399 | 2 Jegstudio, Wordpress | 2 Gutenverse – Wordpress Blocks, Page Builder & Site Editor, Wordpress | 2026-06-29 | 4.4 Medium |
| The Gutenverse – WordPress Blocks, Page Builder & Site Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-9242 | 2 Metagauss, Wordpress | 2 Registrationmagic – Custom Registration Forms, User Registration, Payment, And User Login, Wordpress | 2026-06-29 | 5.3 Medium |
| The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Verification of Data Authenticity in all versions up to and including 6.0.8.6. This is due to the PayPal IPN `callback` handler being registered as a nopriv AJAX action with no authentication or nonce requirement, and critically because the handler updates the payment log database row with attacker-controlled POST data — including `payment_status` and the `custom` field encoding the target `user_id` — before PayPal IPN validation is performed, meaning the database remains poisoned even when validation subsequently fails. This makes it possible for unauthenticated attackers to authenticate as any WordPress user, including administrators, by submitting a forged IPN request that overwrites a payment log entry's `user_id` with that of a target account, then visiting the success return URL with a legitimately obtained security hash to cause the plugin to issue real WordPress authentication cookies for the targeted account. | ||||
| CVE-2026-13295 | 2 Gpriday, Wordpress | 2 Page Builder By Siteorigin, Wordpress | 2026-06-29 | 6.4 Medium |
| The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via panels_data Parameter in all versions up to, and including, 2.34.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is possible because the nonce and edit_post capability checks enforced during save are both satisfied by Contributor-level users for their own posts, and the panels_data value is stored as post meta — outside the scope of WordPress's unfiltered_html carve-out — meaning no wp_kses fallback prevents the unsanitized WP_Widget_Custom_HTML content from being persisted and later rendered verbatim on the frontend. | ||||
| CVE-2026-13422 | 2 Harmonicdesign, Wordpress | 2 Hd Quiz, Wordpress | 2026-06-29 | 4.3 Medium |
| The HD Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 2.2.0 to 2.2.1. This is due to missing or incorrect nonce validation on the hdq_validate_nonce function. This makes it possible for unauthenticated attackers to delete or modify quizzes and questions, create new quizzes, and change plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-13331 | 2 Trainingbusinesspros, Wordpress | 2 Groundhogg — Crm, Newsletters, And Marketing Automation, Wordpress | 2026-06-27 | 6.5 Medium |
| The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'search' parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with marketer-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2026-57643 | 2 Afthemes, Wordpress | 2 Wp Post Author, Wordpress | 2026-06-26 | 8.5 High |
| Contributor SQL Injection in WP Post Author <= 3.9.1 versions. | ||||
| CVE-2026-57653 | 2 Wordpress, Wpjobportal | 2 Wordpress, Wp Job Portal | 2026-06-26 | 8.5 High |
| Contributor SQL Injection in WP Job Portal <= 2.5.2 versions. | ||||
| CVE-2026-56031 | 2 Uncannyowl, Wordpress | 2 Uncanny Automator, Wordpress | 2026-06-26 | 8.1 High |
| Unauthenticated PHP Object Injection in Uncanny Automator <= 7.3.1.2 versions. | ||||
| CVE-2026-57652 | 2 Joomsky, Wordpress | 2 Js Help Desk, Wordpress | 2026-06-26 | 5.3 Medium |
| Unauthenticated Insecure Direct Object References (IDOR) in JS Help Desk <= 3.1.0 versions. | ||||
| CVE-2026-54825 | 2 Wordpress, Wpdatatables | 2 Wordpress, Wpdatatables | 2026-06-26 | 9.3 Critical |
| Unauthenticated SQL Injection in wpDataTables <= 7.4 versions. | ||||
| CVE-2026-56064 | 2 Themefic, Wordpress | 2 Tourfic, Wordpress | 2026-06-26 | 8.5 High |
| Subscriber SQL Injection in Tourfic <= 2.22.5 versions. | ||||
| CVE-2026-57631 | 2 Ays-pro, Wordpress | 2 Popup Box, Wordpress | 2026-06-26 | 7.6 High |
| Administrator SQL Injection in Popup box <= 6.0.1 versions. | ||||
| CVE-2026-57646 | 2 Majesticsupport, Wordpress | 2 Majestic Support, Wordpress | 2026-06-26 | 5.4 Medium |
| Subscriber Insecure Direct Object References (IDOR) in Majestic Support <= 1.1.7 versions. | ||||
| CVE-2026-57661 | 2 Nexcess, Wordpress | 2 Wpcomplete, Wordpress | 2026-06-26 | 5.4 Medium |
| Subscriber Broken Access Control in WPComplete <= 2.9.5.5 versions. | ||||
| CVE-2026-8380 | 2 Frontend File Manager Plugin, Wordpress | 2 Frontend File Manager Plugin, Wordpress | 2026-06-26 | 6.5 Medium |
| The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly verify ownership of every targeted post before permanent deletion, allowing authenticated users with author-level access and above to permanently delete arbitrary posts and pages. When the Frontend File Manager Plugin WordPress plugin through 23.6's "Allow guest uploads" setting is enabled by an administrator, the same deletion primitive becomes reachable by unauthenticated users. | ||||
| CVE-2026-52701 | 2 Themegrill, Wordpress | 2 User Registration, Wordpress | 2026-06-26 | 6.5 Medium |
| Unauthenticated Broken Access Control in User Registration <= 5.2.2 versions. | ||||
| CVE-2026-57318 | 2 Geminilabs, Wordpress | 2 Site Reviews, Wordpress | 2026-06-26 | 6.5 Medium |
| Subscriber Sensitive Data Exposure in Site Reviews <= 8.0.11 versions. | ||||
| CVE-2026-57322 | 2 Wedevs, Wordpress | 2 Wemail, Wordpress | 2026-06-26 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in weMail <= 2.1.2 versions. | ||||
| CVE-2026-57636 | 2 Tomdever, Wordpress | 2 Wpforo Forum, Wordpress | 2026-06-26 | 8.5 High |
| Contributor SQL Injection in wpForo Forum <= 3.0.9 versions. | ||||