Export limit exceeded: 14489 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (12819 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-4020 | 2 Rocketgenius, Wordpress | 2 Gravity Smtp, Wordpress | 2026-04-24 | 7.5 High |
| The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any unauthenticated visitor to access it. When the ?page=gravitysmtp-settings query parameter is appended, the plugin's register_connector_data() method populates internal connector data, causing the endpoint to return approximately 365 KB of JSON containing the full System Report. This makes it possible for unauthenticated attackers to retrieve detailed system configuration data including PHP version, loaded extensions, web server version, document root path, database server type and version, WordPress version, all active plugins with versions, active theme, WordPress configuration details, database table names, and any API keys/tokens configured in the plugin. | ||||
| CVE-2026-4267 | 2 Johnbillion, Wordpress | 2 Query Monitor – The Developer Tools Panel For Wordpress, Wordpress | 2026-04-24 | 7.2 High |
| The Query Monitor – The developer tools panel for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘$_SERVER['REQUEST_URI']’ parameter in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2026-1834 | 2 Vowelweb, Wordpress | 2 Ibtana – Wordpress Website Builder, Wordpress | 2026-04-24 | 6.4 Medium |
| The Ibtana – WordPress Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ive' shortcode in all versions up to, and including, 1.2.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-1710 | 2 Woocommerce, Wordpress | 2 Woopayments: Integrated Woocommerce Payments, Wordpress | 2026-04-24 | 6.5 Medium |
| The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_upe_appearance_ajax' function in all versions up to, and including, 10.5.1. This makes it possible for unauthenticated attackers to update plugin settings. | ||||
| CVE-2026-4146 | 2 Timwhitlock, Wordpress | 2 Loco Translate, Wordpress | 2026-04-24 | 6.1 Medium |
| The Loco Translate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘update_href’ parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2026-5130 | 2 Jhimross, Wordpress | 2 Debugger & Troubleshooter, Wordpress | 2026-04-24 | 8.8 High |
| The Debugger & Troubleshooter plugin for WordPress was vulnerable to Unauthenticated Privilege Escalation in versions up to and including 1.3.2. This was due to the plugin accepting the wp_debug_troubleshoot_simulate_user cookie value directly as a user ID without any cryptographic validation or authorization checks. The cookie value was used to override the determine_current_user filter, which allowed unauthenticated attackers to impersonate any user by simply setting the cookie to their target user ID. This made it possible for unauthenticated attackers to gain administrator-level access and perform any privileged actions including creating new administrator accounts, modifying site content, installing plugins, or taking complete control of the WordPress site. The vulnerability was fixed in version 1.4.0 by implementing a cryptographic token-based validation system where only administrators can initiate user simulation, and the cookie contains a random 64-character token that must be validated against database-stored mappings rather than accepting arbitrary user IDs. | ||||
| CVE-2026-4257 | 2 Supsysticcom, Wordpress | 2 Contact Form By Supsystic, Wordpress | 2026-04-24 | 9.8 Critical |
| The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in all versions up to, and including, 1.7.36. This is due to the plugin using the Twig `Twig_Loader_String` template engine without sandboxing, combined with the `cfsPreFill` prefill functionality that allows unauthenticated users to inject arbitrary Twig expressions into form field values via GET parameters. This makes it possible for unauthenticated attackers to execute arbitrary PHP functions and OS commands on the server by leveraging Twig's `registerUndefinedFilterCallback()` method to register arbitrary PHP callbacks. | ||||
| CVE-2026-39487 | 2 Ameliabooking, Wordpress | 2 Amelia, Wordpress | 2026-04-24 | 7.6 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ameliabooking Amelia ameliabooking allows Blind SQL Injection.This issue affects Amelia: from n/a through <= 2.1.1. | ||||
| CVE-2026-39521 | 2 Nelio Software, Wordpress | 2 Nelio Content, Wordpress | 2026-04-24 | 4.9 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in Nelio Software Nelio Content nelio-content allows Server Side Request Forgery.This issue affects Nelio Content: from n/a through <= 4.3.1. | ||||
| CVE-2026-39517 | 2 Awplife, Wordpress | 2 Blog Filter, Wordpress | 2026-04-24 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A WP Life Blog Filter blog-filter allows DOM-Based XSS.This issue affects Blog Filter: from n/a through <= 1.7.6. | ||||
| CVE-2026-39516 | 2 Posimyth, Wordpress | 2 Nexter Blocks, Wordpress | 2026-04-24 | 5.3 Medium |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in POSIMYTH Nexter Blocks the-plus-addons-for-block-editor allows Retrieve Embedded Sensitive Data.This issue affects Nexter Blocks: from n/a through <= 4.7.0. | ||||
| CVE-2026-39509 | 2 Wordpress, Wpwax | 2 Wordpress, Directorist | 2026-04-24 | 5.3 Medium |
| Missing Authorization vulnerability in wpWax Directorist directorist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directorist: from n/a through <= 8.5.10. | ||||
| CVE-2026-39508 | 2 Josh Kohlbach, Wordpress | 2 Advanced Coupons For Woocommerce Coupons, Wordpress | 2026-04-24 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Josh Kohlbach Advanced Coupons for WooCommerce Coupons advanced-coupons-for-woocommerce-free allows DOM-Based XSS.This issue affects Advanced Coupons for WooCommerce Coupons: from n/a through <= 4.7.1.1. | ||||
| CVE-2026-39505 | 2 Craig Hewitt, Wordpress | 2 Seriously Simple Podcasting, Wordpress | 2026-04-24 | 5.3 Medium |
| Missing Authorization vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Seriously Simple Podcasting: from n/a through <= 3.14.2. | ||||
| CVE-2026-34899 | 2 Eniture Technology, Wordpress | 2 Ltl Freight Quotes – Worldwide Express Edition, Wordpress | 2026-04-24 | 5.3 Medium |
| Missing Authorization vulnerability in Eniture technology LTL Freight Quotes – Worldwide Express Edition allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LTL Freight Quotes – Worldwide Express Edition: from n/a through 5.2.1. | ||||
| CVE-2026-34903 | 2 Oceanwp, Wordpress | 2 Ocean Extra, Wordpress | 2026-04-24 | 5.4 Medium |
| Missing Authorization vulnerability in OceanWP Ocean Extra allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ocean Extra: from n/a through 2.5.3. | ||||
| CVE-2026-34904 | 2 Analytify, Wordpress | 2 Simple Social Media Share Buttons, Wordpress | 2026-04-24 | 7.5 High |
| Cross-Site Request Forgery (CSRF) vulnerability in Analytify Simple Social Media Share Buttons allows Cross Site Request Forgery.This issue affects Simple Social Media Share Buttons: from n/a through 6.2.0. | ||||
| CVE-2026-39479 | 2 Brainstorm Force, Wordpress | 2 Ottokit, Wordpress | 2026-04-24 | 7.6 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Brainstorm Force OttoKit suretriggers allows Blind SQL Injection.This issue affects OttoKit: from n/a through <= 1.1.20. | ||||
| CVE-2026-39476 | 2 Syed Balkhi, Wordpress | 2 User Feedback, Wordpress | 2026-04-24 | 4.3 Medium |
| Missing Authorization vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Feedback: from n/a through <= 1.10.1. | ||||
| CVE-2026-39464 | 2 Seedprod, Wordpress | 2 Coming Soon Page, Under Construction & Maintenance Mode, Wordpress | 2026-04-24 | 5.5 Medium |
| Server-Side Request Forgery (SSRF) vulnerability in SeedProd Coming Soon Page, Under Construction & Maintenance Mode by SeedProd coming-soon allows Server Side Request Forgery.This issue affects Coming Soon Page, Under Construction & Maintenance Mode by SeedProd: from n/a through <= 6.19.8. | ||||