Export limit exceeded: 11922 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11922 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-22216 | 2 Gvectors, Wordpress | 2 Wpdiscuz, Wordpress | 2026-03-23 | 6.5 Medium |
| wpDiscuz before 7.6.47 contains a missing rate limiting vulnerability that allows unauthenticated attackers to subscribe arbitrary email addresses to post notifications by sending POST requests to the wpdAddSubscription handler in class.WpdiscuzHelperAjax.php. Attackers can exploit LIKE wildcard characters in the subscription query to match multiple email addresses and generate unwanted notification emails to victim accounts. | ||||
| CVE-2026-22324 | 2 Themerex, Wordpress | 2 Melania, Wordpress | 2026-03-20 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Melania allows PHP Local File Inclusion.This issue affects Melania: from n/a through 2.5.0. | ||||
| CVE-2024-31119 | 2 Vasilis Triantafyllou, Wordpress | 2 Special Box For Content, Wordpress | 2026-03-20 | 5.9 Medium |
| Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Vasilis Triantafyllou Special Box for Content allows DOM-Based XSS.This issue affects Special Box for Content: from n/a through 1. | ||||
| CVE-2024-32537 | 2 Joshuae1974, Wordpress | 2 Flash Video Player, Wordpress | 2026-03-20 | 7.1 High |
| Cross-Site request forgery (CSRF) vulnerability in joshuae1974 Flash Video Player allows Cross Site Request Forgery.This issue affects Flash Video Player: from n/a through 5.0.4. | ||||
| CVE-2025-15473 | 2 Timetics, Wordpress | 2 Timetics, Wordpress | 2026-03-20 | 4.3 Medium |
| The Timetics WordPress plugin before 1.0.52 does not have authorization in a REST endpoint, allowing unauthenticated users to arbitrarily change a booking's payment status and post status for the "timetics-booking" custom post type. | ||||
| CVE-2026-2687 | 2 Reading Progressbar, Wordpress | 2 Reading Progressbar, Wordpress | 2026-03-20 | 4.3 Medium |
| The Reading progressbar WordPress plugin before 1.3.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | ||||
| CVE-2026-1753 | 2 Gutena Forms, Wordpress | 2 Gutena Forms, Wordpress | 2026-03-20 | 6.8 Medium |
| The Gutena Forms WordPress plugin before 1.6.1 does not validate option to be updated, which could allow contributors and above role to update arbitrary boolean and array options (such as users_can_register). | ||||
| CVE-2026-1867 | 2 Wordpress, Wp Front User Submit | 2 Wordpress, Guest Posting / Frontend Posting / Front Editor | 2026-03-20 | 5.9 Medium |
| The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.6 allows passing a URL parameter to regenerate a .json file based on demo data that it initially creates. If an administrator modifies the demo form and enables admin notifications in the Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.6's settings, it is possible for an unauthenticated attacker to export and download all of the form data/settings, including the administrator's email address. | ||||
| CVE-2026-2626 | 2 Divi-booster, Wordpress | 2 Divi-booster, Wordpress | 2026-03-20 | 8.1 High |
| The divi-booster WordPress plugin before 5.0.2 does not have authorization and CSRF checks in one of its fixing function, allowing unauthenticated users to modify stored divi-booster WordPress plugin before 5.0.2 options. Furthermore, due to the use of unserialize() on the data, this could be further exploited when combined with a PHP gadget chain to achieve PHP Object Injection | ||||
| CVE-2026-2631 | 2 Datalogics Ecommerce Delivery, Wordpress | 2 Datalogics Ecommerce Delivery, Wordpress | 2026-03-20 | 9.8 Critical |
| The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option `datalogics_token` without verification. This token is subsequently used for authentication in a protected endpoint that allows users to perform arbitrary WordPress `update_option()` operations. Attackers can use this to enable registartion and to set the default role as Administrator. | ||||
| CVE-2026-1993 | 2 Smub, Wordpress | 2 Exactmetrics – Google Analytics Dashboard For Wordpress (website Stats Plugin), Wordpress | 2026-03-20 | 8.8 High |
| The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the `update_settings()` function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to modify any plugin setting, including the `save_settings` option that controls which user roles have access to plugin functionality. The admin intended to delegate configuration access to a trusted user, not enable that user to delegate access to everyone. By setting `save_settings` to include `subscriber`, an attacker can grant plugin administrative access to all subscribers on the site. | ||||
| CVE-2026-1992 | 2 Smub, Wordpress | 2 Exactmetrics – Google Analytics Dashboard For Wordpress (website Stats Plugin), Wordpress | 2026-03-20 | 8.8 High |
| The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the `store_settings()` method in the `ExactMetrics_Onboarding` class accepting a user-supplied `triggered_by` parameter that is used instead of the current user's ID to check permissions. This makes it possible for authenticated attackers with the `exactmetrics_save_settings` capability to bypass the `install_plugins` capability check by specifying an administrator's user ID in the `triggered_by` parameter, allowing them to install arbitrary plugins and achieve Remote Code Execution. This vulnerability only affects sites on which administrator has given other user types the permission to view reports and can only be exploited by users of that type. | ||||
| CVE-2026-3906 | 1 Wordpress | 1 Wordpress | 2026-03-20 | 4.3 Medium |
| WordPress core is vulnerable to unauthorized access in versions 6.9 through 6.9.1. The Notes feature (block-level collaboration annotations) was introduced in WordPress 6.9 to allow editorial comments directly on posts in the block editor. However, the REST API `create_item_permissions_check()` method in the comments controller did not verify that the authenticated user has `edit_post` permission on the target post when creating a note. This makes it possible for authenticated attackers with Subscriber-level access to create notes on any post, including posts authored by other users, private posts, and posts in any status. | ||||
| CVE-2026-27397 | 2 Really-simple-plugins, Wordpress | 2 Really Simple Security, Wordpress | 2026-03-20 | 6.5 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in Really Simple Plugins B.V. Really Simple Security Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Really Simple Security Pro: from n/a through 9.5.4.0. | ||||
| CVE-2026-27096 | 2 Buddhathemes, Wordpress | 2 Colorfolio - Freelance Designer Wordpress Theme, Wordpress | 2026-03-20 | 8.1 High |
| Deserialization of Untrusted Data vulnerability in BuddhaThemes ColorFolio - Freelance Designer WordPress Theme allows Object Injection.This issue affects ColorFolio - Freelance Designer WordPress Theme: from n/a through 1.3. | ||||
| CVE-2025-60233 | 2 Themeton, Wordpress | 2 Zuut, Wordpress | 2026-03-20 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in Themeton Zuut allows Object Injection.This issue affects Zuut: from n/a through 1.4.2. | ||||
| CVE-2025-60237 | 2 Themeton, Wordpress | 2 Finag, Wordpress | 2026-03-20 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in Themeton Finag allows Object Injection.This issue affects Finag: from n/a through 1.5.0. | ||||
| CVE-2025-62043 | 2 Wordpress, Wpsight | 2 Wordpress, Wpcasa | 2026-03-20 | 6.5 Medium |
| Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in WPSight WPCasa allows DOM-Based XSS.This issue affects WPCasa: from n/a through 1.4.1. | ||||
| CVE-2025-67618 | 2 Artstudioworks, Wordpress | 2 Brookside, Wordpress | 2026-03-20 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ArtstudioWorks Brookside allows Reflected XSS.This issue affects Brookside: from n/a through 1.4. | ||||
| CVE-2025-68836 | 2 Markbeljaars, Wordpress | 2 Table Of Contents Creator, Wordpress | 2026-03-20 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Markbeljaars Table of Contents Creator allows Reflected XSS.This issue affects Table of Contents Creator: from n/a through 1.6.4.1. | ||||