Export limit exceeded: 11701 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11701 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-1396 | 2 Magicplugins, Wordpress | 2 Magic Conversation For Gravity Forms, Wordpress | 2026-04-08 | 6.4 Medium |
| The Magic Conversation For Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'magic-conversation' shortcode in all versions up to, and including, 3.0.97 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-39615 | 2 Shahjada, Wordpress | 2 Download Manager, Wordpress | 2026-04-08 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shahjada Download Manager download-manager allows Stored XSS.This issue affects Download Manager: from n/a through <= 3.3.53. | ||||
| CVE-2026-39486 | 2 Wordpress, Wpchill | 2 Wordpress, Download Monitor | 2026-04-08 | N/A |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Chill Download Monitor download-monitor allows Blind SQL Injection.This issue affects Download Monitor: from n/a through <= 5.1.8. | ||||
| CVE-2026-2838 | 2 Idealwebdesignlk, Wordpress | 2 Whole Enquiry Cart For Woocommerce, Wordpress | 2026-04-08 | 4.4 Medium |
| The Whole Enquiry Cart for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘woowhole_success_msg’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-2263 | 2 Wordpress, Wpmudev | 2 Wordpress, Hustle – Email Marketing, Lead Generation, Optins, Popups | 2026-04-08 | 5.3 Medium |
| The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hustle_module_converted' AJAX action in all versions up to, and including, 7.8.10.2. This makes it possible for unauthenticated attackers to forge conversion tracking events for any Hustle module, including draft modules that are never displayed to users, thereby manipulating marketing analytics and conversion statistics. | ||||
| CVE-2026-39495 | 2 Nsquared, Wordpress | 2 Simply Schedule Appointments, Wordpress | 2026-04-08 | N/A |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Blind SQL Injection.This issue affects Simply Schedule Appointments: from n/a through <= 1.6.9.27. | ||||
| CVE-2026-39651 | 2 Totalsuite, Wordpress | 2 Total Poll Lite, Wordpress | 2026-04-08 | N/A |
| Missing Authorization vulnerability in TotalSuite Total Poll Lite totalpoll-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Total Poll Lite: from n/a through <= 4.12.0. | ||||
| CVE-2026-39669 | 2 Nitropack, Wordpress | 2 Nitropack, Wordpress | 2026-04-08 | N/A |
| Missing Authorization vulnerability in NitroPack NitroPack nitropack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NitroPack: from n/a through <= 1.19.3. | ||||
| CVE-2026-39620 | 2 Priyanshumittal, Wordpress | 2 Appointment, Wordpress | 2026-04-08 | N/A |
| Cross-Site Request Forgery (CSRF) vulnerability in priyanshumittal Appointment appointment allows Upload a Web Shell to a Web Server.This issue affects Appointment: from n/a through <= 3.5.5. | ||||
| CVE-2026-39561 | 2 Wordpress, Wp Chill | 2 Wordpress, Revive.so | 2026-04-08 | N/A |
| Missing Authorization vulnerability in WP Chill Revive.so revive-so allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Revive.so: from n/a through <= 2.0.7. | ||||
| CVE-2026-39516 | 2 Posimyth, Wordpress | 2 Nexter Blocks, Wordpress | 2026-04-08 | N/A |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in POSIMYTH Nexter Blocks the-plus-addons-for-block-editor allows Retrieve Embedded Sensitive Data.This issue affects Nexter Blocks: from n/a through <= 4.7.0. | ||||
| CVE-2026-39521 | 2 Nelio Software, Wordpress | 2 Nelio Content, Wordpress | 2026-04-08 | N/A |
| Server-Side Request Forgery (SSRF) vulnerability in Nelio Software Nelio Content nelio-content allows Server Side Request Forgery.This issue affects Nelio Content: from n/a through <= 4.3.1. | ||||
| CVE-2026-3618 | 2 Bestweblayout, Wordpress | 2 Columns By Bestwebsoft – Additional Columns Plugin For Posts Pages And Widgets, Wordpress | 2026-04-08 | 6.4 Medium |
| The Columns by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the [print_clmns] shortcode in all versions up to and including 1.0.3. This is due to insufficient input sanitization and output escaping on the 'id' attribute. The shortcode receives the 'id' parameter via shortcode_atts() at line 596 and directly embeds it into HTML output at line 731 (in a div id attribute) and into inline CSS at lines 672-729 without any escaping or sanitization. While the SQL query uses %d to cast the value to an integer for database lookup, the original unsanitized string value of $id is still used in the HTML/CSS output. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The attack requires that at least one column exists in the plugin (created by an admin), as the SQL query must return results for the output branch to be reached. | ||||
| CVE-2026-39610 | 2 Pankaj Kumar, Wordpress | 2 Wpxmas-snow, Wordpress | 2026-04-08 | N/A |
| Missing Authorization vulnerability in Pankaj Kumar WpXmas-Snow wpxmas-snow allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpXmas-Snow: from n/a through <= 1.1. | ||||
| CVE-2026-39611 | 2 Kutethemes, Wordpress | 2 Kuteshop, Wordpress | 2026-04-08 | N/A |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in kutethemes KuteShop kuteshop allows PHP Local File Inclusion.This issue affects KuteShop: from n/a through <= 4.2.9. | ||||
| CVE-2026-4394 | 2 Gravityforms, Wordpress | 2 Gravity Forms, Wordpress | 2026-04-08 | 6.1 Medium |
| The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Credit Card field's 'Card Type' sub-field (`input_<id>.4`) in all versions up to, and including, 2.9.30. This is due to the `get_value_entry_detail()` method in the `GF_Field_CreditCard` class outputting the card type value without escaping, combined with `get_value_save_entry()` accepting and storing unsanitized user input for the `input_<id>.4` parameter. The Card Type field is not rendered on the frontend form (it is normally derived from the card number), but the backend submission parser blindly accepts it if included in the POST request. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the form entry in the WordPress dashboard. | ||||
| CVE-2026-4401 | 2 Wordpress, Wpchill | 2 Wordpress, Download Monitor | 2026-04-08 | 5.4 Medium |
| The Download Monitor plugin for WordPress is vulnerable to Cross-Site Request Forgery in the `actions_handler()` and `bulk_actions_handler()` methods in `class-dlm-downloads-path.php` in all versions up to, and including, 5.1.10. This is due to missing nonce verification on these functions. This makes it possible for unauthenticated attackers to delete, disable, or enable approved download paths via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-39479 | 2 Brainstorm Force, Wordpress | 2 Ottokit, Wordpress | 2026-04-08 | N/A |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Brainstorm Force OttoKit suretriggers allows Blind SQL Injection.This issue affects OttoKit: from n/a through <= 1.1.20. | ||||
| CVE-2026-39643 | 2 Payment Plugins, Wordpress | 2 Payment Plugins For Paypal Woocommerce, Wordpress | 2026-04-08 | N/A |
| Missing Authorization vulnerability in Payment Plugins Payment Plugins for PayPal WooCommerce pymntpl-paypal-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Payment Plugins for PayPal WooCommerce: from n/a through <= 2.0.13. | ||||
| CVE-2026-39526 | 2 Wordpress, Wpstream | 2 Wordpress, Wpstream | 2026-04-08 | N/A |
| Authorization Bypass Through User-Controlled Key vulnerability in wpstream WpStream wpstream allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WpStream: from n/a through < 4.11.2. | ||||