Export limit exceeded: 11858 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11858 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-54358 | 2 Adivaha, Wordpress | 2 Wordpress Adivaha Travel Plugin, Wordpress | 2026-04-15 | 6.1 Medium |
| WordPress adivaha Travel Plugin 2.3 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the isMobile parameter. Attackers can craft malicious URLs containing JavaScript payloads in the isMobile GET parameter at the /mobile-app/v3/ endpoint to execute arbitrary code in victims' browsers and steal session tokens or credentials. | ||||
| CVE-2025-15565 | 2 Cartasi, Wordpress | 2 Nexi Xpay, Wordpress | 2026-04-15 | 5.3 Medium |
| The Nexi XPay plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the redirect function in all versions up to, and including, 8.3.0. This makes it possible for unauthenticated attackers to mark pending WooCommerce orders as paid/completed. | ||||
| CVE-2026-2396 | 2 Kimipooh, Wordpress | 2 List View Google Calendar, Wordpress | 2026-04-15 | 4.4 Medium |
| The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-2834 | 2 Tokenoftrust, Wordpress | 2 Age Verification & Identity Verification By Token Of Trust, Wordpress | 2026-04-15 | 7.2 High |
| The Age Verification & Identity Verification by Token of Trust plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘description’ parameter in all versions up to, and including, 3.32.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-6293 | 2 Udamadu, Wordpress | 2 Inquiry Form To Posts Or Pages, Wordpress | 2026-04-15 | 4.3 Medium |
| The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in version 1.0. This is due to missing nonce validation on the plugin settings update handler, combined with insufficient input sanitization on all user-supplied fields and missing output escaping when rendering stored values. The settings handler fires solely on the presence of `$_POST['inq_hidden'] == 'Y'` with no call to `check_admin_referer()` and no WordPress nonce anywhere in the form or handler. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request that tricks a logged-in Administrator into visiting a malicious page. | ||||
| CVE-2026-5717 | 2 Knighthawk, Wordpress | 2 Vi: Include Post By, Wordpress | 2026-04-15 | 6.4 Medium |
| The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_container' attribute of the 'include-post-by-cat' shortcode in all versions up to, and including, 0.4.200706 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-3659 | 2 Bappidgreat, Wordpress | 2 Wp Circliful, Wordpress | 2026-04-15 | 6.4 Medium |
| The WP Circliful plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the [circliful] shortcode and via multiple shortcode attributes of the [circliful_direct] shortcode in all versions up to and including 1.2. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the circliful_shortcode() function, the 'id' attribute value is concatenated directly into an HTML id attribute (line 285) without any escaping, allowing an attacker to break out of the double-quoted attribute and inject arbitrary HTML event handlers. Similarly, the circliful_direct_shortcode() function (line 257) outputs all shortcode attributes directly into HTML data-* attributes without escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-4005 | 2 Coachific, Wordpress | 2 Coachific Shortcode, Wordpress | 2026-04-15 | 6.4 Medium |
| The Coachific Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userhash' shortcode attribute in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field() on the 'userhash' parameter, which strips HTML tags but does not escape characters significant in a JavaScript string context (such as double quotes, semicolons, and parentheses). The sanitized value is then directly interpolated into a JavaScript string within a <script> tag on line 29 without any JavaScript-specific escaping (e.g., wp_json_encode() or esc_js()). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-3642 | 2 Forfront, Wordpress | 2 E-shot, Wordpress | 2026-04-15 | 5.3 Medium |
| The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. The eshot_form_builder_update_field_data() AJAX handler lacks any capability checks (current_user_can()) or nonce verification (check_ajax_referer()/wp_verify_nonce()). The function is registered via the wp_ajax_ hook, making it accessible to any authenticated user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify form field configurations including mandatory status, field visibility, and form display preferences via the eshot_form_builder_update_field_data AJAX action. | ||||
| CVE-2026-40729 | 2 Bplugins, Wordpress | 2 3d Viewer – Embed 3d Models, Wordpress | 2026-04-15 | N/A |
| Missing Authorization vulnerability in bPlugins 3D viewer – Embed 3D Models 3d-viewer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 3D viewer – Embed 3D Models: from n/a through <= 1.8.5. | ||||
| CVE-2026-40734 | 2 Wordpress, Zahlan | 2 Wordpress, Categories Images | 2026-04-15 | N/A |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zahlan Categories Images categories-images allows DOM-Based XSS.This issue affects Categories Images: from n/a through <= 3.3.1. | ||||
| CVE-2026-40786 | 2 Long Watch Studio, Wordpress | 2 Myrewards, Wordpress | 2026-04-15 | N/A |
| Missing Authorization vulnerability in Long Watch Studio MyRewards woorewards allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MyRewards: from n/a through <= 5.7.3. | ||||
| CVE-2026-1852 | 2 Woobeewoo, Wordpress | 2 Product Pricing Table By Woobewoo, Wordpress | 2026-04-15 | 6.1 Medium |
| The Product Pricing Table by WooBeWoo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the updateLabel() and remove() functions. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages or delete pricing tables via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-2025 | 2 Getwpfunnels, Wordpress | 2 Mail Mint, Wordpress | 2026-04-15 | 7.5 High |
| The Mail Mint WordPress plugin before 1.19.5 does not have authorization in one of its REST API endpoint, allowing unauthenticated users to call it and retrieve the email addresses of users on the blog | ||||
| CVE-2026-1128 | 2 Wordpress, Wp-ecommerce | 2 Wordpress, Wp Ecommerce | 2026-04-15 | 4.3 Medium |
| The WP eCommerce WordPress plugin through 3.15.1 does not have CSRF check in place when deleting coupons, which could allow attackers to make a logged in admin remove them via a CSRF attack | ||||
| CVE-2026-3589 | 2 Automattic, Wordpress | 2 Woocommerce, Wordpress | 2026-04-15 | 7.5 High |
| The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example. | ||||
| CVE-2026-1508 | 2 Court Reservation, Wordpress | 2 Court Reservation, Wordpress | 2026-04-15 | 4.3 Medium |
| The Court Reservation WordPress plugin before 1.10.9 does not have CSRF check in place when deleting events, which could allow attackers to make a logged in admin delete them via a CSRF attack | ||||
| CVE-2026-2418 | 2 Login With Salesforce, Wordpress | 2 Login With Salesforce, Wordpress | 2026-04-15 | 9.1 Critical |
| The Login with Salesforce WordPress plugin through 1.0.2 does not validate that users are allowed to login through Salesforce, allowing unauthenticated users to be authenticated as any user (such as admin) by simply knowing the email | ||||
| CVE-2026-2446 | 2 Powerpackelements, Wordpress | 2 Powerpack For Learndash, Wordpress | 2026-04-15 | 9.8 Critical |
| The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CRSF checks in an AJAX action, allowing unauthenticated users to update arbitrary WordPress options (such as default_role etc) and create arbitrary admin users | ||||
| CVE-2025-14151 | 2 Wordpress, Wp-slimstat | 2 Wordpress, Slimstat Analytics | 2026-04-15 | 7.2 High |
| The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'outbound_resource' parameter in the slimtrack AJAX action in all versions up to, and including, 5.3.2. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||