Export limit exceeded: 13616 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (13616 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-12073 | 2 Metagauss, Wordpress | 2 Profilegrid – User Profiles, Groups And Communities, Wordpress | 2026-06-30 | 9.8 Critical |
| The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.9.9.5. This is due to the plugin not validating a `user_login` on registration forms that don't contain this parameter, and not properly handling the error messages. This makes it possible for unauthenticated attackers to change email address of user account with ID=1 (usually an administrator), and leverage that to reset the user's password and gain access to their account. | ||||
| CVE-2026-8896 | 2 Mirsoftware, Wordpress | 2 Mir Blocks And Shortcodes, Wordpress | 2026-06-30 | 6.4 Medium |
| The MIR blocks and shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' attribute (and other attributes such as 'ready_animation_text') of the 'msc_stats' shortcode in versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes inside the msc_stats() rendering function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-57340 | 2 Shoheitanaka, Wordpress | 2 Japanized For Woocommerce, Wordpress | 2026-06-29 | 6.5 Medium |
| Unauthenticated Broken Access Control in Japanized For WooCommerce <= 2.9.12 versions. | ||||
| CVE-2026-57327 | 2 Mainwp, Wordpress | 2 Mainwp, Wordpress | 2026-06-29 | 6.3 Medium |
| Subscriber Broken Access Control in MainWP <= 6.1.1 versions. | ||||
| CVE-2026-57332 | 2 Wordpress, Wpswings | 2 Wordpress, Wallet System For Woocommerce | 2026-06-29 | 7.1 High |
| Subscriber Broken Access Control in Wallet System for WooCommerce <= 2.7.6 versions. | ||||
| CVE-2026-57320 | 2 Realmag777, Wordpress | 2 Bear, Wordpress | 2026-06-29 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in BEAR <= 1.1.8 versions. | ||||
| CVE-2026-57337 | 2 Pluginops, Wordpress | 2 Landing Page Builder, Wordpress | 2026-06-29 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Landing Page Builder <= 1.5.3.5 versions. | ||||
| CVE-2026-57333 | 2 Spencer Haws, Wordpress | 2 Link Whisper Free, Wordpress | 2026-06-29 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Link Whisper Free <= 0.9.4 versions. | ||||
| CVE-2026-57334 | 2 Wedevs, Wordpress | 2 Wp User Frontend, Wordpress | 2026-06-29 | 6.5 Medium |
| Unauthenticated Broken Access Control in WP User Frontend <= 4.3.7 versions. | ||||
| CVE-2026-57336 | 2 Astoundify, Wordpress | 2 Jobify, Wordpress | 2026-06-29 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Jobify <= 4.3.2 versions. | ||||
| CVE-2026-57338 | 2 Reputeinfosystems, Wordpress | 2 Arforms, Wordpress | 2026-06-29 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in ARForms <= 7.1.2 versions. | ||||
| CVE-2025-10268 | 2 Printcart, Wordpress | 2 Web To Print Product Designer, Wordpress | 2026-06-29 | 5.3 Medium |
| The Printcart Web to Print Product Designer for WooCommerce WordPress plugin through 2.4.8 is vulnerable to path traversal which makes it possible for the attacker to retrieve the directory listing for arbitrary directories on the server. | ||||
| CVE-2026-10823 | 2 Wordpress, Ymc Filter | 2 Wordpress, Ymc Filter | 2026-06-29 | 7.5 High |
| The YMC Filter WordPress plugin before 3.11.3 does not properly authorize access to one of its REST API endpoints and does not validate a user-supplied query parameter, allowing unauthenticated attackers to retrieve the titles and content of private, draft, and other non-public posts. | ||||
| CVE-2026-10835 | 2 Salesmanago, Wordpress | 2 Salesmanago, Wordpress | 2026-06-29 | 7.7 High |
| The SALESmanago & Leadoo WordPress plugin before 3.11.3 does not properly sanitise and escape a parameter passed to one of its AJAX actions before using it in a SQL statement, and fails to enforce authorisation on that action, allowing authenticated users with minimal permissions, such as subscribers, to perform SQL injection attacks. | ||||
| CVE-2025-63041 | 2 Codeamp, Wordpress | 2 Forget About Shortcode Buttons, Wordpress | 2026-06-29 | 5.4 Medium |
| Contributor Broken Access Control in Forget About Shortcode Buttons <= 2.1.3 versions. | ||||
| CVE-2025-63078 | 2 Jetmonsters, Wordpress | 2 Restaurant Menu By Motopress, Wordpress | 2026-06-29 | 4.3 Medium |
| Subscriber Broken Access Control in Restaurant Menu by MotoPress <= 2.4.11 versions. | ||||
| CVE-2025-63079 | 2 Bdthemes, Wordpress | 2 Live Copy Paste For Elementor, Wordpress | 2026-06-29 | 4.3 Medium |
| Contributor Broken Access Control in Live Copy Paste for Elementor <= 1.5.3 versions. | ||||
| CVE-2025-64636 | 2 Rhewlif, Wordpress | 2 Donation Thermometer, Wordpress | 2026-06-29 | 5.3 Medium |
| Unauthenticated Broken Access Control in Donation Thermometer <= 2.2.7 versions. | ||||
| CVE-2025-64637 | 2 Opal Wp, Wordpress | 2 Auros Core, Wordpress | 2026-06-29 | 5.3 Medium |
| Unauthenticated Content Injection in Auros Core <= 5.3.1 versions. | ||||
| CVE-2025-66123 | 2 About Envato, Wordpress | 2 Bookpro, Wordpress | 2026-06-29 | 5.3 Medium |
| Unauthenticated Insecure Direct Object References (IDOR) in BookPro <= 1.1.0 versions. | ||||