Export limit exceeded: 13617 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (13617 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-3651 | 2 Hakeemnala, Wordpress | 2 Build App Online, Wordpress | 2026-04-24 | 5.3 Medium |
| The Build App Online plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.23. This is due to the plugin registering the 'build-app-online-update-vendor-product' AJAX action via wp_ajax_nopriv_ without proper authentication checks, capability verification, or nonce validation in the update_vendor_product() function. The function accepts a user-supplied post ID from the request and calls wp_update_post() to modify the post_author field without validating whether the user has permission to modify the specified post. This makes it possible for unauthenticated attackers to modify the post_author of arbitrary posts to 0 (orphaning posts from their legitimate authors), or for authenticated attackers to claim ownership of any post by setting themselves as the author. | ||||
| CVE-2026-2837 | 2 Systemsrtk, Wordpress | 2 Ricerca – Advanced Search, Wordpress | 2026-04-24 | 4.4 Medium |
| The Ricerca – advanced search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's settings in all versions up to, and including, 1.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-27068 | 2 Ryan Howard, Wordpress | 2 Website Llms.txt, Wordpress | 2026-04-24 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Howard Website LLMs.txt website-llms-txt allows Reflected XSS.This issue affects Website LLMs.txt: from n/a through <= 8.2.6. | ||||
| CVE-2025-68998 | 2 Heateor, Wordpress | 2 Social Login, Wordpress | 2026-04-23 | 5.4 Medium |
| Cross-Site Request Forgery (CSRF) vulnerability in Heateor Support Heateor Social Login heateor-social-login allows Cross Site Request Forgery.This issue affects Heateor Social Login: from n/a through <= 1.1.39. | ||||
| CVE-2026-28039 | 2 Wordpress, Wpdatatables | 2 Wordpress, Wpdatatables | 2026-04-23 | 7.5 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wpDataTables wpDataTables wpdatatables allows PHP Local File Inclusion.This issue affects wpDataTables: from n/a through <= 6.5.0.1. | ||||
| CVE-2026-27367 | 2 Themegoods, Wordpress | 2 Musico, Wordpress | 2026-04-23 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Musico musico allows Reflected XSS.This issue affects Musico: from n/a through < 3.4.5. | ||||
| CVE-2026-27362 | 2 Kamleshyadav, Wordpress | 2 Wp Bakery Autoresponder Addon, Wordpress | 2026-04-23 | 6.5 Medium |
| Missing Authorization vulnerability in kamleshyadav WP Bakery Autoresponder Addon vc-autoresponder-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Bakery Autoresponder Addon: from n/a through <= 1.0.6. | ||||
| CVE-2026-27352 | 2 Themegoods, Wordpress | 2 Starto, Wordpress | 2026-04-23 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Starto starto allows Reflected XSS.This issue affects Starto: from n/a through < 2.2.5. | ||||
| CVE-2026-27093 | 2 Ovatheme, Wordpress | 2 Tripgo, Wordpress | 2026-04-23 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Tripgo tripgo allows PHP Local File Inclusion.This issue affects Tripgo: from n/a through < 1.5.6. | ||||
| CVE-2026-27091 | 2 Uipress, Wordpress | 2 Uipress Lite, Wordpress | 2026-04-23 | 6.3 Medium |
| Missing Authorization vulnerability in UiPress UiPress lite uipress-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UiPress lite: from n/a through <= 3.5.09. | ||||
| CVE-2026-27067 | 2 Syarif, Wordpress | 2 Mobile App Editor, Wordpress | 2026-04-23 | 9.1 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Syarif Mobile App Editor mobile-app-editor allows Upload a Web Shell to a Web Server.This issue affects Mobile App Editor: from n/a through <= 1.3.1. | ||||
| CVE-2026-27065 | 2 Thimpress, Wordpress | 2 Builderpress, Wordpress | 2026-04-23 | 9.8 Critical |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress BuilderPress builderpress allows PHP Local File Inclusion.This issue affects BuilderPress: from n/a through <= 2.0.1. | ||||
| CVE-2026-25449 | 2 Shinetheme, Wordpress | 2 Traveler, Wordpress | 2026-04-23 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in shinetheme Traveler traveler allows Object Injection.This issue affects Traveler: from n/a through < 3.2.8.1. | ||||
| CVE-2026-25443 | 2 Dotstore, Wordpress | 2 Fraud Prevention For Woocommerce, Wordpress | 2026-04-23 | 7.5 High |
| Missing Authorization vulnerability in Dotstore Fraud Prevention For Woocommerce woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fraud Prevention For Woocommerce: from n/a through <= 2.3.3. | ||||
| CVE-2026-25442 | 2 Qantumthemes, Wordpress | 2 Kentha, Wordpress | 2026-04-23 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes Kentha kentha allows Reflected XSS.This issue affects Kentha: from n/a through <= 4.7.2. | ||||
| CVE-2026-25438 | 2 Themehunk, Wordpress | 2 Gutenberg Blocks, Wordpress | 2026-04-23 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Gutenberg Blocks unlimited-blocks allows Reflected XSS.This issue affects Gutenberg Blocks: from n/a through <= 1.2.8. | ||||
| CVE-2026-25369 | 2 Flexmls, Wordpress | 2 Flexmls Idx, Wordpress | 2026-04-23 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flexmls Flexmls® IDX flexmls-idx allows Reflected XSS.This issue affects Flexmls® IDX: from n/a through <= 3.15.9. | ||||
| CVE-2026-24606 | 3 Web Impian, Woocommerce, Wordpress | 3 Bayarcash Woo Commerce, Woocommerce, Wordpress | 2026-04-23 | 5.3 Medium |
| Missing Authorization vulnerability in Web Impian Bayarcash WooCommerce bayarcash-wc allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bayarcash WooCommerce: from n/a through <= 4.3.13. | ||||
| CVE-2026-24604 | 1 Wordpress | 1 Wordpress | 2026-04-23 | 5.3 Medium |
| Missing Authorization vulnerability in themebeez Simple GDPR Cookie Compliance simple-gdpr-cookie-compliance allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple GDPR Cookie Compliance: from n/a through <= 2.0.0. | ||||
| CVE-2026-24603 | 1 Wordpress | 1 Wordpress | 2026-04-23 | 5.3 Medium |
| Missing Authorization vulnerability in themebeez Universal Google Adsense and Ads manager universal-google-adsense-and-ads-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Universal Google Adsense and Ads manager: from n/a through <= 1.1.8. | ||||