Export limit exceeded: 11765 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11765 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-3513 | 2 Realmag777, Wordpress | 2 Tableon – Wordpress Posts Table Filterable, Wordpress | 2026-04-09 | 6.4 Medium |
| The TableOn – WordPress Posts Table Filterable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tableon_button' shortcode in all versions up to and including 1.0.4.4. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'class', 'help_link', 'popup_title', and 'help_title'. The do_shortcode_button() function extracts these attributes without sanitization and passes them to TABLEON_HELPER::draw_html_item(), which concatenates attribute values into HTML using single quotes without escaping (line 29: $item .= " {$key}='{$value}'"). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-4338 | 2 Activitypub, Wordpress | 2 Activitypub, Wordpress | 2026-04-09 | 7.5 High |
| The ActivityPub WordPress plugin before 8.0.2 does not properly filter posts to be displayed, allowed unauthenticated users to access drafts/scheduled/pending posts | ||||
| CVE-2026-3477 | 2 Projectzealous, Wordpress | 2 Pz Frontend Manager, Wordpress | 2026-04-09 | 5.3 Medium |
| The PZ Frontend Manager plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.6. The pzfm_user_request_action_callback() function, registered via the wp_ajax_pzfm_user_request_action action hook, lacks both capability checks and nonce verification. This function handles user activation, deactivation, and deletion operations. When the 'dataType' parameter is set to 'delete', the function calls wp_delete_user() on all provided user IDs without verifying that the current user has the appropriate permissions. Notably, the similar pzfm_remove_item_callback() function does check pzfm_can_delete_user() before performing deletions, indicating this was an oversight. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary WordPress users (including administrators) by sending a crafted request to the AJAX endpoint. | ||||
| CVE-2026-4654 | 2 Awesomesupport, Wordpress | 2 Awesome Support Wordpress Helpdesk & Support, Wordpress | 2026-04-09 | 5.3 Medium |
| The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 6.3.7. This is due to the wpas_get_ticket_replies_ajax() function failing to verify whether the authenticated user has permission to view the specific ticket being requested. This makes it possible for authenticated attackers, with subscriber-level access and above, to access sensitive information from all support tickets in the system by manipulating the ticket_id parameter. | ||||
| CVE-2026-39464 | 2 Seedprod, Wordpress | 2 Coming Soon Page, Under Construction & Maintenance Mode, Wordpress | 2026-04-09 | N/A |
| Server-Side Request Forgery (SSRF) vulnerability in SeedProd Coming Soon Page, Under Construction & Maintenance Mode by SeedProd coming-soon allows Server Side Request Forgery.This issue affects Coming Soon Page, Under Construction & Maintenance Mode by SeedProd: from n/a through <= 6.19.8. | ||||
| CVE-2026-39466 | 2 Wordpress, Wpmu Dev - Your All-in-one Wordpress Platform | 2 Wordpress, Broken Link Checker | 2026-04-09 | N/A |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPMU DEV - Your All-in-One WordPress Platform Broken Link Checker broken-link-checker allows Blind SQL Injection.This issue affects Broken Link Checker: from n/a through <= 2.4.7. | ||||
| CVE-2026-39496 | 2 Wordpress, Yaycommerce | 2 Wordpress, Yaymail | 2026-04-09 | N/A |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YayMail yaymail allows Blind SQL Injection.This issue affects YayMail: from n/a through <= 4.3.3. | ||||
| CVE-2026-39497 | 2 Realmag777, Wordpress | 2 Fox, Wordpress | 2026-04-09 | N/A |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 FOX woocommerce-currency-switcher allows Blind SQL Injection.This issue affects FOX: from n/a through <= 1.4.5. | ||||
| CVE-2026-39501 | 2 Realmag777, Wordpress | 2 Fox, Wordpress | 2026-04-09 | N/A |
| Missing Authorization vulnerability in RealMag777 FOX woocommerce-currency-switcher allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FOX: from n/a through <= 1.4.5. | ||||
| CVE-2026-39506 | 2 Jordy Meow, Wordpress | 2 Ai-engine, Wordpress | 2026-04-09 | N/A |
| Missing Authorization vulnerability in Jordy Meow AI Engine (Pro) ai-engine-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Engine (Pro): from n/a through < 3.4.2. | ||||
| CVE-2026-39517 | 2 Awplife, Wordpress | 2 Blog Filter, Wordpress | 2026-04-09 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A WP Life Blog Filter blog-filter allows DOM-Based XSS.This issue affects Blog Filter: from n/a through <= 1.7.6. | ||||
| CVE-2026-39538 | 2 Mikado-themes, Wordpress | 2 Mikado Core, Wordpress | 2026-04-09 | N/A |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Mikado Core mikado-core allows PHP Local File Inclusion.This issue affects Mikado Core: from n/a through <= 1.6. | ||||
| CVE-2026-39565 | 2 Magepeople, Wordpress | 2 Wptravelly, Wordpress | 2026-04-09 | N/A |
| Missing Authorization vulnerability in magepeopleteam WpTravelly tour-booking-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpTravelly: from n/a through <= 2.1.7. | ||||
| CVE-2026-39572 | 2 Mage-people, Wordpress | 2 Bus Ticket Booking With Seat Reservation, Wordpress | 2026-04-09 | N/A |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in magepeopleteam Bus Ticket Booking with Seat Reservation bus-ticket-booking-with-seat-reservation allows Retrieve Embedded Sensitive Data.This issue affects Bus Ticket Booking with Seat Reservation: from n/a through < 5.6.5. | ||||
| CVE-2026-39603 | 2 Themegoods, Wordpress | 2 Grand Photography, Wordpress | 2026-04-09 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Photography grandphotography allows Cross Site Request Forgery.This issue affects Grand Photography: from n/a through <= 5.7.8. | ||||
| CVE-2026-39634 | 2 Themegoods, Wordpress | 2 Grand Portfolio, Wordpress | 2026-04-09 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in ThemeGoods Grand Portfolio grandportfolio allows Cross Site Request Forgery.This issue affects Grand Portfolio: from n/a through <= 3.3. | ||||
| CVE-2026-39636 | 2 Livemesh, Wordpress | 2 Livemesh Addons For Elementor, Wordpress | 2026-04-09 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in livemesh Livemesh Addons for Elementor addons-for-elementor allows Stored XSS.This issue affects Livemesh Addons for Elementor: from n/a through <= 9.0. | ||||
| CVE-2026-39647 | 2 Sonaar, Wordpress | 2 Mp3 Audio Player For Music, Radio & Podcast, Wordpress | 2026-04-09 | N/A |
| Server-Side Request Forgery (SSRF) vulnerability in sonaar MP3 Audio Player for Music, Radio & Podcast by Sonaar mp3-music-player-by-sonaar allows Server Side Request Forgery.This issue affects MP3 Audio Player for Music, Radio & Podcast by Sonaar: from n/a through <= 5.11. | ||||
| CVE-2026-39653 | 2 Imdpen, Wordpress | 2 Video Conferencing With Zoom, Wordpress | 2026-04-09 | N/A |
| Missing Authorization vulnerability in Deepen Bajracharya Video Conferencing with Zoom video-conferencing-with-zoom-api allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Video Conferencing with Zoom: from n/a through <= 4.6.6. | ||||
| CVE-2026-39678 | 2 Dotonpaper, Wordpress | 2 Pinpoint Booking System, Wordpress | 2026-04-09 | 5.3 Medium |
| Missing Authorization vulnerability in DOTonPAPER Pinpoint Booking System booking-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Pinpoint Booking System: from n/a through <= 2.9.9.6.5. | ||||