Export limit exceeded: 346772 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (346772 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-22512 | 2 Elated-themes, Wordpress | 2 Roisin, Wordpress | 2026-04-24 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Roisin roisin allows PHP Local File Inclusion.This issue affects Roisin: from n/a through <= 1.2.1. | ||||
| CVE-2026-22506 | 2 Elated-themes, Wordpress | 2 Amoli, Wordpress | 2026-04-24 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Amoli amoli allows PHP Local File Inclusion.This issue affects Amoli: from n/a through <= 1.0. | ||||
| CVE-2026-22505 | 2 Ancorathemes, Wordpress | 2 Morning Records, Wordpress | 2026-04-24 | 8.1 High |
| Deserialization of Untrusted Data vulnerability in AncoraThemes Morning Records morning-records allows Object Injection.This issue affects Morning Records: from n/a through <= 1.2. | ||||
| CVE-2026-22502 | 2 Ancorathemes, Wordpress | 2 Mr. Cobbler, Wordpress | 2026-04-24 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Mr. Cobbler mr-cobbler allows PHP Local File Inclusion.This issue affects Mr. Cobbler: from n/a through <= 1.1.9. | ||||
| CVE-2026-22496 | 2 Ancorathemes, Wordpress | 2 Hypnotherapy, Wordpress | 2026-04-24 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hypnotherapy hypnotherapy allows PHP Local File Inclusion.This issue affects Hypnotherapy: from n/a through <= 1.2.10. | ||||
| CVE-2026-22493 | 2 Elated-themes, Wordpress | 2 Gaspard, Wordpress | 2026-04-24 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Gaspard gaspard allows PHP Local File Inclusion.This issue affects Gaspard: from n/a through <= 1.3. | ||||
| CVE-2026-22485 | 2 Ruhul080, Wordpress | 2 My Album Gallery, Wordpress | 2026-04-24 | 6.5 Medium |
| Missing Authorization vulnerability in Ruhul Amin My Album Gallery my-album-gallery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects My Album Gallery: from n/a through <= 1.0.4. | ||||
| CVE-2026-22484 | 2 Pebas, Wordpress | 2 Lisfinity Core, Wordpress | 2026-04-24 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pebas Lisfinity Core lisfinity-core allows SQL Injection.This issue affects Lisfinity Core: from n/a through <= 1.5.0. | ||||
| CVE-2026-22448 | 2 Flexcubed, Wordpress | 2 Pitchprint, Wordpress | 2026-04-24 | 7.5 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in flexcubed PitchPrint pitchprint allows Path Traversal.This issue affects PitchPrint: from n/a through <= 11.1.2. | ||||
| CVE-2026-3138 | 2 Woobewoo, Wordpress | 2 Product Filter For Woocommerce By Wbw, Wordpress | 2026-04-24 | 6.5 Medium |
| The Product Filter for WooCommerce by WBW plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check in all versions up to, and including, 3.1.2. This is due to the plugin's MVC framework dynamically registering unauthenticated AJAX handlers via `wp_ajax_nopriv_` hooks without verifying user capabilities, combined with the base controller's `__call()` magic method forwarding undefined method calls to the model layer, and the `havePermissions()` method defaulting to `true` when no permissions are explicitly defined. This makes it possible for unauthenticated attackers to truncate the plugin's `wp_wpf_filters` database table via a crafted AJAX request with `action=delete`, permanently destroying all filter configurations. | ||||
| CVE-2026-3079 | 2 Stellarwp, Wordpress | 2 Learndash Lms, Wordpress | 2026-04-24 | 6.5 Medium |
| The LearnDash LMS plugin for WordPress is vulnerable to blind time-based SQL Injection via the 'filters[orderby_order]' parameter in the 'learndash_propanel_template' AJAX action in all versions up to, and including, 5.0.3. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2026-25359 | 2 Rascals, Wordpress | 2 Pendulum, Wordpress | 2026-04-24 | 8.8 High |
| Deserialization of Untrusted Data vulnerability in rascals Pendulum pendulum allows Object Injection.This issue affects Pendulum: from n/a through < 3.1.5. | ||||
| CVE-2026-25357 | 2 Azzaroco, Wordpress | 2 Ultimate Membership Pro, Wordpress | 2026-04-24 | 8.1 High |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro allows Authentication Abuse.This issue affects Ultimate Membership Pro: from n/a through <= 13.7. | ||||
| CVE-2026-25352 | 2 Skygroup, Wordpress | 2 Mydecor, Wordpress | 2026-04-24 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup MyDecor mydecor allows Reflected XSS.This issue affects MyDecor: from n/a through < 1.5.9. | ||||
| CVE-2026-25350 | 2 Skygroup, Wordpress | 2 Miti, Wordpress | 2026-04-24 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Miti miti allows Reflected XSS.This issue affects Miti: from n/a through < 1.5.3. | ||||
| CVE-2026-25340 | 2 Nootheme, Wordpress | 2 Jobmonster, Wordpress | 2026-04-24 | 9.3 Critical |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in NooTheme Jobmonster noo-jobmonster allows Blind SQL Injection.This issue affects Jobmonster: from n/a through < 4.8.4. | ||||
| CVE-2026-25327 | 2 Rustaurius, Wordpress | 2 Five Star Restaurant Reservations, Wordpress | 2026-04-24 | 6.5 Medium |
| Missing Authorization vulnerability in Rustaurius Five Star Restaurant Reservations restaurant-reservations allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Five Star Restaurant Reservations: from n/a through <= 2.7.9. | ||||
| CVE-2026-25317 | 2 Tychesoftwares, Wordpress | 2 Print Invoice & Delivery Notes For Woocommerce, Wordpress | 2026-04-24 | 7.5 High |
| Missing Authorization vulnerability in tychesoftwares Print Invoice & Delivery Notes for WooCommerce woocommerce-delivery-notes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Print Invoice & Delivery Notes for WooCommerce: from n/a through <= 5.9.0. | ||||
| CVE-2026-4632 | 1 Itsourcecode | 1 Online Enrollment System | 2026-04-24 | 7.3 High |
| A weakness has been identified in itsourcecode Online Enrollment System 1.0. This vulnerability affects unknown code of the file /sms/user/index.php?view=add of the component Parameter Handler. Executing a manipulation of the argument Name can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. | ||||
| CVE-2026-25309 | 2 Publishpress, Wordpress | 2 Publishpress Authors, Wordpress | 2026-04-24 | 7.5 High |
| Missing Authorization vulnerability in PublishPress PublishPress Authors publishpress-authors allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PublishPress Authors: from n/a through <= 4.10.1. | ||||