Search Results (13743 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-48965 2 Watchful, Wordpress 2 Xcloner, Wordpress 2026-06-16 6.5 Medium
Subscriber Sensitive Data Exposure in XCloner <= 4.8.6 versions.
CVE-2026-49764 2 Metagauss, Wordpress 2 Registrationmagic, Wordpress 2026-06-16 9.8 Critical
Unauthenticated Broken Authentication in RegistrationMagic <= 6.0.8.6 versions.
CVE-2026-49773 2 Foliovision, Wordpress 2 Fv Flowplayer Video Player, Wordpress 2026-06-16 6.5 Medium
Subscriber Cross Site Scripting (XSS) in FV Flowplayer Video Player < 7.5.51.7212 versions.
CVE-2019-25746 2 Slicedinvoices, Wordpress 2 Sliced Invoices, Wordpress 2026-06-16 7.1 High
WordPress Sliced Invoices 3.8.2 contains an authenticated SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'post' parameter. Attackers can send requests to the admin.php endpoint with action=duplicate_quote_invoice and malicious 'post' values to extract sensitive database information or modify data.
CVE-2026-34902 2 Wcproducttable, Wordpress 2 Woocommerce Product Table Lite, Wordpress 2026-06-16 7.1 High
Unauthenticated Cross Site Scripting (XSS) in WooCommerce Product Table Lite <= 4.6.3 versions.
CVE-2026-39471 2 Shortpixel, Wordpress 2 Shortpixel Image Optimizer, Wordpress 2026-06-16 7.2 High
Author PHP Object Injection in ShortPixel Image Optimizer <= 6.4.3 versions.
CVE-2026-39489 2 Wordpress, Wpchill 2 Wordpress, Download Monitor 2026-06-16 4.4 Medium
Author Arbitrary File Download in Download Monitor <= 5.1.9 versions.
CVE-2026-39514 2 Cozmoslabs, Wordpress 2 Paid Member Subscriptions, Wordpress 2026-06-16 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Paid Member Subscriptions <= 2.17.3 versions.
CVE-2026-39579 2 Bplugins, Wordpress 2 B Blocks, Wordpress 2026-06-16 8.8 High
Contributor Privilege Escalation in B Blocks <= 2.0.31 versions.
CVE-2026-40727 2 Groundhogg, Wordpress 2 Groundhogg, Wordpress 2026-06-16 7.7 High
Sales Representative Arbitrary File Deletion in Groundhogg <= 4.4 versions.
CVE-2026-40774 2 Saasproject, Wordpress 2 Booking Package, Wordpress 2026-06-16 7.5 High
Unauthenticated Broken Access Control in Booking Package <= 1.7.06 versions.
CVE-2026-48883 2 Wordpress, Wpclever 2 Wordpress, Wpc Product Bundles For Woocommerce 2026-06-16 7.5 High
Unauthenticated Broken Access Control in WPC Product Bundles for WooCommerce <= 8.5.3 versions.
CVE-2026-52704 2 Edgarrojas, Wordpress 2 Woocommerce Pdf Invoice Builder, Wordpress 2026-06-16 10 Critical
Improper Control of Generation of Code ('Code Injection') vulnerability in Edgar Rojas WooCommerce PDF Invoice Builder allows Remote Code Inclusion. This issue affects WooCommerce PDF Invoice Builder: from n/a through 2.0.8.
CVE-2026-48874 2 Gamipress, Wordpress 2 Gamipress, Wordpress 2026-06-16 8.5 High
Subscriber SQL Injection in GamiPress <= 7.8.7 versions.
CVE-2026-3297 2 Softaculous, Wordpress 2 Page Builder: Pagelayer – Drag And Drop Website Builder, Wordpress 2026-06-15 6.4 Medium
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Anchor block in versions up to, and including, 2.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-1291 2 Tigroumeow, Wordpress 2 Meow Gallery, Wordpress 2026-06-15 4.3 Medium
The Meow Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the REST API endpoint /wp-json/meow-gallery/v1/save_shortcode in all versions up to, and including, 5.4.4 This makes it possible for authenticated attackers, with Author-level access and above, to arbitrarily create or overwrite existing gallery shortcode records by supplying a user-controlled id value. The endpoint performs database update operations without verifying that the requesting user is authorized to modify the referenced gallery record or create their own.
CVE-2026-9109 2 John-dagelmore, Wordpress 2 Gptranslate – Multilingual Ai Translation For Wordpress: Automatically Translate Websites, Wordpress 2026-06-15 7.2 High
The GPTranslate – Multilingual AI Translation for WordPress: Automatically Translate Websites plugin for WordPress is vulnerable to Stored Cross-Site Scripting via REST API Translation Storage in all versions up to, and including, 2.31 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The deterministically derived API key (sha256 of the site URL) is printed in the HTML source of every page via the JavaScript variable gptApiKey, meaning any unauthenticated visitor can retrieve the key and submit malicious translation payloads to the /wp-json/gptranslate/v1/request endpoint without any additional precondition.
CVE-2026-9134 2 Fooplugins, Wordpress 2 Photo Gallery By Foogallery : Responsive Image Gallery, Masonry Gallery & Carousel, Wordpress 2026-06-15 6.4 Medium
The FooGallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'custom_attribute_key' shortcode parameter in versions up to, and including, 3.1.31 This is due to an incomplete JavaScript event handler blacklist in the foogallery_sanitize_javascript() function, which blocks only a subset of HTML event attributes (onmouseover, onmouseout, onpointerenter, onclick, onload, onchange, onerror) while permitting others such as 'onmouseenter', combined with the failure to escape the attribute key when building the gallery container HTML in foogallery_build_container_attributes_safe(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-9061 2 Store Locator Wordpress, Wordpress 2 Store Locator Wordpress, Wordpress 2026-06-15 3.5 Low
The Store Locator WordPress plugin before 1.6.9 does not sanitize and escape store logo metadata before storing it and outputting it on the Store Locator WordPress plugin before 1.6.9 admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network).
CVE-2026-2470 2 Softaculous, Wordpress 2 Page Builder: Pagelayer – Drag And Drop Website Builder, Wordpress 2026-06-15 4.3 Medium
The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.9. This is due to the pagelayer_save_content AJAX handler allowing users with basic post-edit capability to persist pagelayer_contact_templates metadata on posts they can edit (including pending posts), while the unauthenticated pagelayer_contact_submit endpoint later consumes that metadata by user-controlled post/form identifiers without enforcing a privileged or published-context boundary. This makes it possible for authenticated attackers, with Contributor-level access and above, to configure arbitrary contact-form mail templates that are usable through unauthenticated form submission via the contacts parameter. In typical deployments this template feature is configured via Pagelayer Pro UI; however, the vulnerable backend trust path is still present. This issue may be chained with CVE-2026-2442 to increase exploitability and attacker control over outbound email behavior.