Search
Search Results (359301 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-59133 | 2 Projectopia, Wordpress | 2 Projectopia, Wordpress | 2026-06-16 | 7.5 High |
| Custom role Insecure Direct Object References (IDOR) in Projectopia <= 5.1.25.2 versions. | ||||
| CVE-2025-69332 | 2026-06-16 | 6.5 Medium | ||
| Subscriber Broken Access Control in Bookify <= 1.1.1 versions. | ||||
| CVE-2026-27089 | 2 Magepeople, Wordpress | 2 Wptravelly, Wordpress | 2026-06-16 | 7.5 High |
| Unauthenticated Bypass Vulnerability in WpTravelly <= 2.1.7 versions. | ||||
| CVE-2026-34898 | 2026-06-16 | 7.5 High | ||
| Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce <= 1.5.3 versions. | ||||
| CVE-2026-39441 | 2026-06-16 | 9.3 Critical | ||
| Unauthenticated SQL Injection in Feed KuantoKusta for WooCommerce – Free <= 5.3 versions. | ||||
| CVE-2026-9187 | 2026-06-16 | 5.3 Medium | ||
| The Abandoned Contact Form 7 plugin for WordPress is vulnerable to unauthorized arbitrary post deletion in versions up to, and including, 2.2. This is due to a missing capability check and missing nonce validation in the action__remove_abandoned() function, which is registered to both the wp_ajax_remove_abandoned and wp_ajax_nopriv_remove_abandoned hooks. The handler takes a user-supplied recover_id parameter from $_POST and passes it directly to wp_delete_post() with the force-delete flag set to true, without verifying that the ID belongs to the plugin's own cf7af_data post type. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, or other content on the affected site by sending a single admin-ajax. | ||||
| CVE-2026-39465 | 2 Metaslider, Wordpress | 2 Responsive Slider By Metaslider, Wordpress | 2026-06-16 | 9.1 Critical |
| Editor Remote Code Execution (RCE) in Responsive Slider by MetaSlider <= 3.106.0 versions. | ||||
| CVE-2026-39478 | 2026-06-16 | 8.8 High | ||
| Contributor PHP Object Injection in Anti-Malware Security and Brute-Force Firewall <= 4.23.87 versions. | ||||
| CVE-2026-39519 | 2026-06-16 | 9.3 Critical | ||
| Unauthenticated SQL Injection in GeekyBot <= 1.2.0 versions. | ||||
| CVE-2026-39493 | 2 Nsquared, Wordpress | 2 Simply Schedule Appointments, Wordpress | 2026-06-16 | 9.3 Critical |
| Unauthenticated SQL Injection in Simply Schedule Appointments <= 1.6.9.27 versions. | ||||
| CVE-2026-39511 | 2026-06-16 | 9.3 Critical | ||
| Unauthenticated SQL Injection in WP Photo Album Plus <= 9.1.08.001 versions. | ||||
| CVE-2026-39533 | 2026-06-16 | 7.5 High | ||
| Unauthenticated Broken Access Control in AWP Classifieds <= 4.4.4 versions. | ||||
| CVE-2026-39587 | 2026-06-16 | 8.1 High | ||
| Unauthenticated Privilege Escalation in WP BASE Booking <= 5.9.0 versions. | ||||
| CVE-2026-40743 | 2 Themeum, Wordpress | 2 Tutor Lms, Wordpress | 2026-06-16 | 6.5 Medium |
| Unauthenticated Broken Access Control in Tutor LMS <= 3.9.7 versions. | ||||
| CVE-2026-40771 | 2026-06-16 | 9.3 Critical | ||
| Unauthenticated SQL Injection in Contest Gallery <= 28.1.6 versions. | ||||
| CVE-2026-40779 | 2026-06-16 | 7.7 High | ||
| Contributor Arbitrary File Deletion in Link Library <= 7.8.8 versions. | ||||
| CVE-2026-42381 | 2026-06-16 | 9.3 Critical | ||
| Unauthenticated SQL Injection in Funnel Builder by FunnelKit <= 3.15.0.1 versions. | ||||
| CVE-2026-42664 | 2026-06-16 | 8.2 High | ||
| Unauthenticated Broken Access Control in AI Product Search for WooCommerce – Motive Commerce Search <= 1.38.2 versions. | ||||
| CVE-2026-45439 | 2026-06-16 | 9.3 Critical | ||
| Unauthenticated SQL Injection in Realtyna Organic IDX plugin <= 5.1.0 versions. | ||||
| CVE-2026-48868 | 2026-06-16 | 7.5 High | ||
| Unauthenticated Insecure Direct Object References (IDOR) in Simple Shopping Cart <= 5.2.9 versions. | ||||