Export limit exceeded: 361620 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 12509 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 13511 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (13511 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-3124 | 2 Wordpress, Wpchill | 2 Wordpress, Download Monitor | 2026-04-24 | 7.5 High |
| The Download Monitor plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.7 via the executePayment() function due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to complete arbitrary pending orders by exploiting a mismatch between the PayPal transaction token and the local order, allowing theft of paid digital goods by paying a minimal amount for a low-cost item and using that payment token to finalize a high-value order. | ||||
| CVE-2026-2595 | 2 Wordpress, Wpquads | 2 Wordpress, Quads Ads Manager For Google Adsense | 2026-04-24 | 5.4 Medium |
| The Quads Ads Manager for Google AdSense plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.0.98.1 due to insufficient input sanitization and output escaping of multiple ad metadata parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-4987 | 2 Brainstormforce, Wordpress | 2 Sureforms – Contact Form, Payment Form & Other Custom Form Builder, Wordpress | 2026-04-24 | 7.5 High |
| The SureForms – Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress is vulnerable to Payment Amount Bypass in all versions up to, and including, 2.5.2. This is due to the create_payment_intent() function performing a payment validation solely based on the value of a user-controlled parameter. This makes it possible for unauthenticated attackers to bypass configured form payment-amount validation and create underpriced payment/subscription intents by setting form_id to 0. | ||||
| CVE-2026-1307 | 2 Kstover, Wordpress | 2 Ninja Forms – The Contact Form Builder That Grows With You, Wordpress | 2026-04-24 | 6.5 Medium |
| The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.1 via a callback function for the admin_enqueue_scripts action handler in blocks/bootstrap.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to gain access to an authorization token to view form submissions for arbitrary forms, which could potentially contain sensitive information. | ||||
| CVE-2025-12886 | 2 Laborator, Wordpress | 2 Oxygen - Woocommerce Wordpress Theme, Wordpress | 2026-04-24 | 7.2 High |
| The Oxygen Theme theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.8 via the laborator_calc_route AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | ||||
| CVE-2026-2442 | 2 Softaculous, Wordpress | 2 Page Builder: Pagelayer – Drag And Drop Website Builder, Wordpress | 2026-04-24 | 5.3 Medium |
| The Page Builder: Pagelayer – Drag and Drop website builder plugin for WordPress is vulnerable to Improper Neutralization of CRLF Sequences ('CRLF Injection') in all versions up to, and including, 2.0.7. This is due to the contact form handler performing placeholder substitution on attacker-controlled form fields and then passing the resulting values into email headers without removing CR/LF characters. This makes it possible for unauthenticated attackers to inject arbitrary email headers (for example Bcc / Cc) and abuse form email delivery via the 'email' parameter granted they can target a contact form configured to use placeholders in mail template headers. | ||||
| CVE-2026-4248 | 2 Ultimatemember, Wordpress | 2 Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin, Wordpress | 2026-04-24 | 8 High |
| The Ultimate Member plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11.2. This is due to the '{usermeta:password_reset_link}' template tag being processed within post content via the '[um_loggedin]' shortcode, which generates a valid password reset token for the currently logged-in user viewing the page. This makes it possible for authenticated attackers, with Contributor-level access and above, to craft a malicious pending post that, when previewed by an Administrator, generates a password reset token for the Administrator and exfiltrates it to an attacker-controlled server, leading to full account takeover. | ||||
| CVE-2026-2389 | 2 Complianz, Wordpress | 2 Complianz – Gdpr/ccpa Cookie Consent, Wordpress | 2026-04-24 | 4.9 Medium |
| The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.4.4.2. This is due to the `revert_divs_to_summary` function replacing `”` HTML entities with literal double-quote characters (`"`) in post content without subsequent sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. The Classic Editor plugin is required to be installed and activated in order to exploit this vulnerability. | ||||
| CVE-2026-25460 | 2 Liquidthemes, Wordpress | 2 Ave Core, Wordpress | 2026-04-24 | 6.3 Medium |
| Missing Authorization vulnerability in LiquidThemes Ave Core ave-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ave Core: from n/a through <= 2.9.1. | ||||
| CVE-2026-4278 | 2 Specialk, Wordpress | 2 Simple Download Counter, Wordpress | 2026-04-24 | 6.4 Medium |
| The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sdc_menu' shortcode in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes, specifically the 'text' and 'cat' attributes. The 'text' attribute is output directly into HTML content on line 159 without any escaping (e.g., esc_html()). The 'cat' attribute is used unescaped in HTML class attributes on lines 135 and 157 without esc_attr(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-4281 | 2 Trainingbusinesspros, Wordpress | 2 Formlift For Infusionsoft Web Forms, Wordpress | 2026-04-24 | 5.3 Medium |
| The FormLift for Infusionsoft Web Forms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 7.5.21. This is due to missing capability checks on the connect() and listen_for_tokens() methods of the FormLift_Infusionsoft_Manager class, both of which are hooked to 'plugins_loaded' and execute on every page load. The connect() function generates an OAuth connection password and leaks it in the redirect Location header without verifying the requesting user is authenticated or authorized. The listen_for_tokens() function only validates the temporary password but performs no user authentication before calling update_option() to save attacker-controlled OAuth tokens and app domain. This makes it possible for unauthenticated attackers to hijack the site's Infusionsoft connection by first triggering the OAuth flow to obtain the temporary password, then using that password to set arbitrary OAuth tokens and app domain via update_option(), effectively redirecting the plugin's API communication to an attacker-controlled server. | ||||
| CVE-2026-32505 | 2 Creativews, Wordpress | 2 Kiddy, Wordpress | 2026-04-24 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS Kiddy kiddy allows PHP Local File Inclusion.This issue affects Kiddy: from n/a through <= 2.0.8. | ||||
| CVE-2026-4329 | 2 Specialk, Wordpress | 2 Blackhole For Bad Bots, Wordpress | 2026-04-24 | 7.2 High |
| The Blackhole for Bad Bots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the User-Agent HTTP header in all versions up to and including 3.8. This is due to insufficient input sanitization and output escaping. The plugin uses sanitize_text_field() when capturing bot data (which strips HTML tags but does not escape HTML entities like double quotes), then stores the data via update_option(). When an administrator views the Bad Bots log page, the stored data is output directly into HTML input value attributes (lines 75-83) without esc_attr() and into HTML span content without esc_html(). This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the Blackhole Bad Bots admin page. | ||||
| CVE-2026-31920 | 2 Devteam Haywoodtech, Wordpress | 2 Product Rearrange For Woocommerce, Wordpress | 2026-04-24 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Devteam HaywoodTech Product Rearrange for WooCommerce products-rearrange-woocommerce allows Blind SQL Injection.This issue affects Product Rearrange for WooCommerce: from n/a through <= 1.2.2. | ||||
| CVE-2026-31914 | 2 Hookandhook, Wordpress | 2 Wp Courses Lms, Wordpress | 2026-04-24 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hookandhook WP Courses LMS wp-courses allows DOM-Based XSS.This issue affects WP Courses LMS: from n/a through <= 3.2.26. | ||||
| CVE-2026-32516 | 2 Kamleshyadav, Wordpress | 2 Miraculous Core Plugin, Wordpress | 2026-04-24 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Blind SQL Injection.This issue affects Miraculous Core Plugin: from n/a through < 2.1.2. | ||||
| CVE-2026-32528 | 2 Don-themes, Wordpress | 2 Riode, Wordpress | 2026-04-24 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in don-themes Riode riode allows Reflected XSS.This issue affects Riode: from n/a through < 1.6.29. | ||||
| CVE-2026-27045 | 2 Sbthemes, Wordpress | 2 Woocommerce Infinite Scroll, Wordpress | 2026-04-24 | 8.8 High |
| Deserialization of Untrusted Data vulnerability in sbthemes WooCommerce Infinite Scroll sb-woocommerce-infinite-scroll allows Object Injection.This issue affects WooCommerce Infinite Scroll: from n/a through <= 1.6.2. | ||||
| CVE-2026-25435 | 2 Wordpress, Wpdevart | 3 Wordpress, Booking Calendar, Booking Calendar, Appointment Booking System | 2026-04-24 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevart Booking calendar, Appointment Booking System booking-calendar allows Stored XSS.This issue affects Booking calendar, Appointment Booking System: from n/a through <= 3.2.36. | ||||
| CVE-2026-4389 | 2 Hupe13, Wordpress | 2 Dsgvo Snippet For Leaflet Map And Its Extensions, Wordpress | 2026-04-24 | 6.4 Medium |
| The DSGVO snippet for Leaflet Map and its Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `leafext-cookie-time` and `leafext-delete-cookie` shortcodes in all versions up to, and including, 3.1. This is due to insufficient input sanitization and output escaping on user supplied attributes (`unset`, `before`, `after`). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||