Search Results (13598 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-56013 | Mycred, Wordpress | License Manager For Woocommerce, Wordpress | 2026-06-29 | 6.5 Medium |
| Unauthenticated Insecure Direct Object References (IDOR) in License Manager for WooCommerce <= 3.0.15 versions. | ||||
| CVE-2026-27366 | Mainwp, Wordpress | Mainwp Child, Wordpress | 2026-06-29 | 7.5 High |
| Unauthenticated Broken Access Control in MainWP Child <= 6.1.1 versions. | ||||
| CVE-2026-54830 | Etoile Web Design Incorporated, Wordpress | Five Star Restaurant Reservations, Wordpress | 2026-06-29 | 7.5 High |
| Unauthenticated Broken Access Control in Five Star Restaurant Reservations <= 2.7.19 versions. | ||||
| CVE-2026-54844 | Checkview, Wordpress | Checkview Automated Testing, Wordpress | 2026-06-29 | 7.5 High |
| Unauthenticated Broken Access Control in CheckView Automated Testing <= 2.1.0 versions. | ||||
| CVE-2026-57700 | Daan.dev, Wordpress | Omgf Pro, Wordpress | 2026-06-29 | 10 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Daan.Dev OMGF Pro allows Using Malicious Files. This issue affects OMGF Pro: from n/a through 5.2.6. | ||||
| CVE-2026-56051 | Tablepress, Wordpress | Tablepress, Wordpress | 2026-06-29 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in TablePress <= 3.3.1 versions. | ||||
| CVE-2026-54826 | Psm Plugins, Wordpress | Supportcandy, Wordpress | 2026-06-29 | 7.6 High |
| Subscriber Insecure Direct Object References (IDOR) in SupportCandy <= 3.4.6 versions. | ||||
| CVE-2026-56008 | Themefusion, Wordpress | Fusion Builder, Wordpress | 2026-06-29 | 8.8 High |
| Contributor Privilege Escalation in Fusion Builder <= 3.15.4 versions. | ||||
| CVE-2026-57642 | Bestwebsoft, Wordpress | Gallery, Wordpress | 2026-06-29 | 8.5 High |
| Contributor SQL Injection in Gallery <= 4.7.8 versions. | ||||
| CVE-2026-56041 | Dfactory, Wordpress | Responsive Lightbox, Wordpress | 2026-06-29 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in Responsive Lightbox <= 2.7.6 versions. | ||||
| CVE-2026-56061 | Wordpress, Wp Swings | Wordpress, Subscriptions For Woocommerce | 2026-06-29 | 7.5 High |
| Unauthenticated Broken Access Control in Subscriptions for WooCommerce <= 1.9.5 versions. | ||||
| CVE-2026-57314 | Surecart, Wordpress | Surecart, Wordpress | 2026-06-29 | 7.1 High |
| Unauthenticated Cross Site Scripting (XSS) in SureCart <= 4.3.2 versions. | ||||
| CVE-2026-57629 | Statcounter, Wordpress | Statcounter, Wordpress | 2026-06-29 | 6.5 Medium |
| Contributor Cross Site Scripting (XSS) in StatCounter <= 2.1.1 versions. | ||||
| CVE-2026-57648 | Nelio Software, Wordpress | Nelio Content, Wordpress | 2026-06-29 | 4.3 Medium |
| Contributor Broken Access Control in Nelio Content <= 4.3.4 versions. | ||||
| CVE-2026-13333 | Trainingbusinesspros, Wordpress | Groundhogg — Crm, Newsletters, And Marketing Automation, Wordpress | 2026-06-29 | 6.5 Medium |
| The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via 'query[select]' Parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Sales Representative-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The sanitized Contact_Query code path can be bypassed by supplying an invalid filter type (e.g., query[filters][0][0][type]=invalid_filter_nonexistent), causing a FilterException to be caught and execution to fall through to the unsanitized Legacy_Contact_Query path. | ||||
| CVE-2026-57654 | Wordpress, Wp.insider | Wordpress, Affiliates Manager | 2026-06-29 | 6.5 Medium |
| Affiliate Broken Access Control in Affiliates Manager <= 2.9.49 versions. | ||||
| CVE-2026-12415 | Pravel, Wordpress | Invoice Generator, Wordpress | 2026-06-29 | 9.8 Critical |
| The Invoice Generator plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the pravel_invoice_edit_account() AJAX action in versions up to, and including, 1.0.0. The handler is exposed via wp_ajax_nopriv_pravel_invoice_edit_account, accepts an attacker-controlled user_id and user_email from POST data, and calls wp_update_user() without verifying authentication, ownership, or a nonce. This makes it possible for unauthenticated attackers to change the email address of any user, including administrators, and then trigger WordPress's password reset flow to gain access to the targeted account. | ||||
| CVE-2026-11783 | Dokaninc, Wordpress | Dokan: Ai Powered Woocommerce Multivendor Marketplace Solution – Build Your Own Amazon, Ebay, Etsy, Wordpress | 2026-06-29 | 6.4 Medium |
| The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Product SKU in all versions up to, and including, 5.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with custom-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious payload is delivered to site visitors — including unauthenticated users — when the store search widget inserts the unescaped AJAX response HTML into the DOM via jQuery's .html() method. | ||||
| CVE-2026-12399 | Jegstudio, Wordpress | Gutenverse – Wordpress Blocks, Page Builder & Site Editor, Wordpress | 2026-06-29 | 4.4 Medium |
| The Gutenverse – WordPress Blocks, Page Builder & Site Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.8.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-9242 | Metagauss, Wordpress | Registrationmagic – Custom Registration Forms, User Registration, Payment, And User Login, Wordpress | 2026-06-29 | 5.3 Medium |
| The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to Authentication Bypass via Insufficient Verification of Data Authenticity in all versions up to and including 6.0.8.6. This is due to the PayPal IPN `callback` handler being registered as a nopriv AJAX action with no authentication or nonce requirement, and critically because the handler updates the payment log database row with attacker-controlled POST data — including `payment_status` and the `custom` field encoding the target `user_id` — before PayPal IPN validation is performed, meaning the database remains poisoned even when validation subsequently fails. This makes it possible for unauthenticated attackers to authenticate as any WordPress user, including administrators, by submitting a forged IPN request that overwrites a payment log entry's `user_id` with that of a target account, then visiting the success return URL with a legitimately obtained security hash to cause the plugin to issue real WordPress authentication cookies for the targeted account. | ||||