Export limit exceeded: 10339 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (10339 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-0727 | 2 Essentialplugin, Wordpress | 2 Accordion And Accordion Slider, Wordpress | 2026-02-18 | 5.4 Medium |
| The Accordion and Accordion Slider plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.5. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'wp_aas_save_attachment_data' and 'wp_aas_get_attachment_edit_form' functions. This makes it possible for authenticated attackers, with contributor level access and above, to read and modify attachment metadata including file paths, titles, captions, alt text, and custom links for any attachment on the site. | ||||
| CVE-2026-1939 | 2 Cutesalah, Wordpress | 2 Percent To Infograph, Wordpress | 2026-02-18 | 6.4 Medium |
| The Percent to Infograph plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `percent_to_graph` shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-1796 | 2 Indextwo, Wordpress | 2 Stylebidet, Wordpress | 2026-02-18 | 6.1 Medium |
| The StyleBidet plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL path in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2026-1983 | 2 Sourcez, Wordpress | 2 Seatt: Simple Event Attendance, Wordpress | 2026-02-18 | 4.3 Medium |
| The SEATT: Simple Event Attendance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.0. This is due to missing nonce validation on the event deletion functionality. This makes it possible for unauthenticated attackers to delete arbitrary events via a forged request granted they can trick an administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-1912 | 2 Ulaulaman, Wordpress | 2 Citations Tools, Wordpress | 2026-02-18 | 6.4 Medium |
| The Citations tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in the 'ctdoi' shortcode in all versions up to, and including, 0.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-0692 | 2 Hblpay, Wordpress | 2 Payment Gateway For Woocommerce, Wordpress | 2026-02-18 | 7.5 High |
| The BlueSnap Payment Gateway for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.0. This is due to the plugin relying on WooCommerce's `WC_Geolocation::get_ip_address()` function to validate IPN requests, which trusts user-controllable headers like X-Real-IP and X-Forwarded-For to determine the client IP address. This makes it possible for unauthenticated attackers to bypass IP allowlist restrictions by spoofing a whitelisted BlueSnap IP address and send forged IPN (Instant Payment Notification) data to manipulate order statuses (mark orders as paid, failed, refunded, or on-hold) without proper authorization. | ||||
| CVE-2026-1932 | 2 Bssoftware, Wordpress | 2 Appointment Booking Calendar Plugin – Bookr, Wordpress | 2026-02-18 | 5.3 Medium |
| The Appointment Booking Calendar Plugin – Bookr plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update-appointment REST API endpoint in all versions up to, and including, 1.0.2. This makes it possible for unauthenticated attackers to modify the status of any appointment. | ||||
| CVE-2026-1164 | 2 Phoenixstudiodz, Wordpress | 2 Easy Voice Mail, Wordpress | 2026-02-18 | 6.1 Medium |
| The Easy Voice Mail plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘message’ parameter in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2025-14067 | 2 Hassantafreshi, Wordpress | 2 Easy Form Builder By Whitestudio — Drag & Drop Form Builder, Wordpress | 2026-02-18 | 5.3 Medium |
| The Easy Form Builder plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple AJAX actions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive form response data, including messages, admin replies, and user information due to a logic error in the authorization check that uses AND (&&) instead of OR (||). | ||||
| CVE-2026-2022 | 2 Edgarrojas, Wordpress | 2 Smart Forms – When You Need More Than Just A Contact Form, Wordpress | 2026-02-18 | 4.3 Medium |
| The Smart Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'rednao_smart_forms_get_campaigns' AJAX action in all versions up to, and including, 2.6.99. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve donation campaign data including campaign IDs and names. | ||||
| CVE-2026-2312 | 2 Maxfoundry, Wordpress | 2 Media Library Folders, Wordpress | 2026-02-18 | 4.3 Medium |
| The Media Library Folders plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 8.3.6 via the delete_maxgalleria_media() and maxgalleria_rename_image() functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to delete or rename attachments owned by other users (including administrators). The rename flow also deletes all postmeta for the target attachment, causing data loss. | ||||
| CVE-2025-13973 | 2 Kasuga16, Wordpress | 2 Stickeasy Protected Contact Form, Wordpress | 2026-02-18 | 5.3 Medium |
| The StickEasy Protected Contact Form plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.0.2. The plugin stores spam detection logs at a predictable publicly accessible location (wp-content/uploads/stickeasy-protected-contact-form/spcf-log.txt). This makes it possible for unauthenticated attackers to download the log file and access sensitive information including visitor IP addresses, email addresses, and comment snippets from contact form submissions that were flagged as spam. | ||||
| CVE-2026-0736 | 2 Collectchat, Wordpress | 2 Chatbot For Wordpress By Collect.chat ⚡️, Wordpress | 2026-02-18 | 6.4 Medium |
| The Chatbot for WordPress by Collect.chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_inpost_head_script[synth_header_script]' post meta field in all versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-1187 | 2 Terrazoom, Wordpress | 2 Zoomifywp Free, Wordpress | 2026-02-18 | 6.4 Medium |
| The ZoomifyWP Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'filename' parameter of the 'zoomify' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-1303 | 2 Matthieuscarset, Wordpress | 2 Mailchimp Campaigns, Wordpress | 2026-02-18 | 5.3 Medium |
| The MailChimp Campaigns plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.2.4. This is due to missing capability checks on the `mailchimp_campaigns_manager_disconnect_app` function that is hooked to the AJAX action of the same name. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect the site from its MailChimp synchronization app, disrupting automated email campaigns and marketing integrations. | ||||
| CVE-2026-1841 | 2 Pixelyoursite, Wordpress | 2 Pixelyoursite – Your Smart Pixel (tag) & Api Manager, Wordpress | 2026-02-18 | 7.2 High |
| The PixelYourSite – Your smart PIXEL (TAG) & API Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pysTrafficSource' parameter and the 'pys_landing_page' parameter in all versions up to, and including, 11.2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-1249 | 2 Sonaar, Wordpress | 2 Mp3 Audio Player – Music Player, Podcast Player & Radio By Sonaar, Wordpress | 2026-02-18 | 5 Medium |
| The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Server-Side Request Forgery in versions 5.3 to 5.10 via the 'load_lyrics_ajax_callback' function. This makes it possible for authenticated attackers, with author level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | ||||
| CVE-2025-14873 | 2 Latepoint, Wordpress | 2 Latepoint – Calendar Booking Plugin For Appointments And Events, Wordpress | 2026-02-18 | 4.3 Medium |
| The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. This is due to the 'call_by_route_name' function in the routing layer only validating user capabilities without enforcing nonce verification. This makes it possible for unauthenticated attackers to perform multiple administrative actions via forged requests granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-14852 | 2 Antevenio, Wordpress | 2 Mdirector Newsletter, Wordpress | 2026-02-18 | 4.3 Medium |
| The MDirector Newsletter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.8. This is due to missing nonce verification on the mdirectorNewsletterSave function. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-2144 | 2 Katsushi-kawamori, Wordpress | 2 Magic Login Mail Or Qr Code, Wordpress | 2026-02-18 | 8.1 High |
| The Magic Login Mail or QR Code plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.05. This is due to the plugin storing the magic login QR code image with a predictable, static filename (QR_Code.png) in the publicly accessible WordPress uploads directory during the email sending process. The file is only deleted after wp_mail() completes, creating an exploitable race condition window. This makes it possible for unauthenticated attackers to trigger a login link request for any user, including administrators, and then exploit the race condition between QR code file creation and deletion to obtain the login URL encoded in the QR code, thereby gaining unauthorized access to the targeted user's account. | ||||