Export limit exceeded: 13615 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (13615 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-57664 | 2 Villatheme, Wordpress | 2 Bopo – Woocommerce Product Bundle Builder, Wordpress | 2026-06-29 | 4.3 Medium |
| Unauthenticated Sensitive Data Exposure in Bopo – WooCommerce Product Bundle Builder <= 1.1.6 versions. | ||||
| CVE-2026-57665 | 2 Gravitykit, Wordpress | 2 Gravityview, Wordpress | 2026-06-29 | 5.3 Medium |
| Unauthenticated Insecure Direct Object References (IDOR) in GravityView <= 3.0.0 versions. | ||||
| CVE-2026-57667 | 2 Adrian Tobey, Wordpress | 2 Groundhogg, Wordpress | 2026-06-29 | 8.5 High |
| Sales Representative SQL Injection in Groundhogg <= 4.5 versions. | ||||
| CVE-2026-13335 | 2 Codepeople, Wordpress | 2 Codepeople Post Map For Google Maps, Wordpress | 2026-06-29 | 6.4 Medium |
| The CodePeople Post Map for Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'cpm_point' Post Meta in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-13245 | 2 Maxfoundry, Wordpress | 2 Maxbuttons – Create Buttons, Wordpress | 2026-06-29 | 6.1 Medium |
| The MaxButtons – Create buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'view' parameter in all versions up to, and including, 9.8.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2026-9677 | 2 Shariff For Wordpress, Wordpress | 2 Shariff For Wordpress, Wordpress | 2026-06-29 | 4.8 Medium |
| The Shariff for WordPress Shariff for WordPress plugin through 1.0.11 does not sanitize or escape the shariff_infourl setting before outputting it in the frontend HTML via the generateshariff() function, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2026-11364 | 2 Dornaweb, Wordpress | 2 Product Specifications For Woocommerce, Wordpress | 2026-06-29 | 4.3 Medium |
| The Product Specifications for WooCommerce plugin for WordPress is vulnerable to unauthorized modification, creation, and deletion of data in versions up to and including 0.8.9. This is due to a missing capability check and missing nonce verification in the __invoke() methods of the AttributeGroupController and AttributeController classes, which are bound to the 'dwps_modify_groups' and 'dwps_modify_attributes' AJAX actions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create, edit, and delete arbitrary product specification groups and attributes (taxonomy terms in the 'spec-group' and attribute taxonomies), corrupting business data and impacting the site's frontend display. | ||||
| CVE-2026-11773 | 2 Masteriyo, Wordpress | 2 Masteriyo Lms – Lms Course Builder, Quizzes & Certificates, Wordpress | 2026-06-29 | 4.3 Medium |
| The Masteriyo LMS – LMS Course Builder, Quizzes & Certificates plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with student-level access and above, to modify the description (post content) of arbitrary course announcements authored by instructors or administrators. | ||||
| CVE-2026-12471 | 2 Templatescoderthemes, Wordpress | 2 Spexo, Wordpress | 2026-06-29 | 4.3 Medium |
| The Spexo theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the activate_plugin function in all versions up to, and including, 2.0.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate a limited set of plugins. | ||||
| CVE-2026-11597 | 2 Surbma, Wordpress | 2 Surbma | Infusionsoft Shortcode, Wordpress | 2026-06-29 | 6.4 Medium |
| The Surbma | Infusionsoft Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'infusionsoft-form' shortcode in versions up to, and including, 2.0.1. This is due to insufficient input sanitization and output escaping on user-supplied 'account' and 'id' shortcode attributes in the surbma_infusionsoft_shortcode_shortcode() function, which are concatenated directly into a <script> tag's src attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-12432 | 2 Themeisle, Wordpress | 2 Stripe Payment Forms By Wp Full Pay – Accept Credit Card Payments, Donations & Subscriptions, Wordpress | 2026-06-29 | 5.3 Medium |
| The WP Full Stripe Free plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 8.4.3 via the wpfs_update_failed_payment_status AJAX action. The handler is registered through both wp_ajax_ and wp_ajax_nopriv_ hooks and the underlying update_failed_payment_status() function performs no capability check, no nonce verification, and no logged-in check before calling $this->db->updatePaymentByEventId() with attacker-controlled POST parameters. This makes it possible for unauthenticated attackers who can obtain a valid Stripe Payment Intent ID for the target site (Payment Intent IDs are exposed to the customer browser during normal Stripe.js checkout flows) to manipulate payment records in the site's database, marking previously successful payments as failed and overwriting failure codes and messages with attacker-supplied values. | ||||
| CVE-2026-3462 | 2 Reepaydenmark, Wordpress | 2 Frisbii Pay, Wordpress | 2026-06-29 | 6.5 Medium |
| The Frisbii Pay plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the 'upload_csv' and 'process_batch' functions in all versions up to, and including, 1.8.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary CSV data and overwrite WooCommerce payment tokens, postmeta, and order meta records. | ||||
| CVE-2026-10083 | 2 Apcu Manager, Wordpress | 2 Apcu Manager, Wordpress | 2026-06-29 | 7.5 High |
| The APCu Manager WordPress plugin before 4.5.0 does not escape APCu object-cache keys before rendering them in an admin-area page, leading to a Stored Cross-Site Scripting vulnerability. When a persistent object cache is enabled, cache keys derived from unsanitised user input (e.g. a transient name created by another APCu Manager WordPress plugin before 4.5.0 from an unauthenticated request) are output without escaping and execute arbitrary JavaScript in the session of an administrator viewing the page. | ||||
| CVE-2026-9676 | 2 F4 Post Tree, Wordpress | 2 F4 Post Tree, Wordpress | 2026-06-29 | 4.3 Medium |
| The F4 Post Tree WordPress plugin before 2.0.5 does not perform capability checks or CSRF/nonce verification on one of its AJAX actions, allowing authenticated users with Subscriber-level access and above to modify the parent and menu order of arbitrary posts. | ||||
| CVE-2026-57676 | 2 Matteo Manna, Wordpress | 2 Simple User Avatar, Wordpress | 2026-06-29 | 4.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Matteo Manna Simple User Avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple User Avatar: from n/a through 4.9. | ||||
| CVE-2026-57620 | 2 Timstrifler, Wordpress | 2 Exclusive Addons For Elementor, Wordpress | 2026-06-29 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tim Strifler Exclusive Addons Elementor allows Stored XSS. This issue affects Exclusive Addons Elementor: from n/a through 2.7.9.8. | ||||
| CVE-2026-24547 | 2 Siteground, Wordpress | 2 Email-marketing, Wordpress | 2026-06-29 | 5.3 Medium |
| Unauthenticated Broken Access Control in SiteGround Email Marketing <= 1.7.5 versions. | ||||
| CVE-2026-54820 | 2 Crocoblock, Wordpress | 2 Jetbooking, Wordpress | 2026-06-29 | 9.3 Critical |
| Unauthenticated SQL Injection in JetBooking <= 4.0.4.1 versions. | ||||
| CVE-2026-54824 | 2 Ads By Wpquads, Wordpress | 2 Ads By Wpquads, Wordpress | 2026-06-29 | 7.5 High |
| Unauthenticated Sensitive Data Exposure in Ads by WPQuads <= 3.0.3 versions. | ||||
| CVE-2026-54827 | 2 Contempothemes, Wordpress | 2 Real Estate 7, Wordpress | 2026-06-29 | 9.3 Critical |
| Unauthenticated SQL Injection in Real Estate 7 <= 3.5.9 versions. | ||||