Export limit exceeded: 11564 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11564 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-57760 | 2026-07-02 | 5.3 Medium | ||
| Missing Authorization vulnerability in Sendcloud Sendcloud Shipping allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sendcloud Shipping: from n/a through 1.0.29. | ||||
| CVE-2025-69134 | 2026-07-02 | 7.5 High | ||
| Unauthenticated Arbitrary Content Deletion in OpenAI Chatbot for WordPress – Helper <= 1.1.4 versions. | ||||
| CVE-2025-66076 | 2026-07-02 | 5.3 Medium | ||
| Unauthenticated Broken Access Control in Woostify Sites Library <= 1.6.2 versions. | ||||
| CVE-2026-57750 | 2026-07-02 | 5.3 Medium | ||
| Unauthenticated Broken Access Control in ez Form Calculator Premium <= 2.14.1.2 versions. | ||||
| CVE-2026-57746 | 2026-07-02 | 7.1 High | ||
| Subscriber Broken Access Control in Booked <= 3.0.0 versions. | ||||
| CVE-2026-57731 | 2026-07-02 | 6.5 Medium | ||
| Contributor Broken Access Control in Flatsome <= 3.20.5 versions. | ||||
| CVE-2026-57730 | 2026-07-02 | 4.3 Medium | ||
| Subscriber Broken Access Control in Flatsome <= 3.20.5 versions. | ||||
| CVE-2026-57689 | 2026-07-02 | 4.3 Medium | ||
| Subscriber Broken Access Control in Werkstatt <= 4.7.2 versions. | ||||
| CVE-2026-57688 | 2026-07-02 | 8.2 High | ||
| Unauthenticated Broken Access Control in POS Entegratör <= 3.7.103 versions. | ||||
| CVE-2026-57685 | 2026-07-02 | 4.3 Medium | ||
| Subscriber Broken Access Control in Martfury - WooCommerce Marketplace WordPress Theme <= 3.2.8 versions. | ||||
| CVE-2026-57669 | 2026-07-02 | 6.5 Medium | ||
| Subscriber Broken Access Control in Advanced Contact form 7 DB <= 2.0.9 versions. | ||||
| CVE-2026-57355 | 2026-07-02 | 6.5 Medium | ||
| Subscriber Broken Access Control in Classified Listing <= 5.4.2 versions. | ||||
| CVE-2026-57353 | 2026-07-02 | 6.5 Medium | ||
| Subscriber Broken Access Control in Link Whisper Premium <= 2.9.0 versions. | ||||
| CVE-2026-39448 | 2026-07-02 | 7.5 High | ||
| Unauthenticated Broken Access Control in NOWPayments for WooCommerce <= 1.4.0 versions. | ||||
| CVE-2026-27433 | 2026-07-02 | 6.5 Medium | ||
| Unauthenticated Broken Access Control in Motors <= 5.6.80 versions. | ||||
| CVE-2026-13459 | 2 Jetmonsters, Wordpress | 2 Jetformbuilder, Wordpress | 2026-07-02 | 5.3 Medium |
| The JetFormBuilder — Dynamic Blocks Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to retrieve every distinct value stored under any arbitrary wp_postmeta key on the site — including WooCommerce billing PII such as _billing_email, _billing_phone, and _billing_address fields, order totals, attachment paths, and any third-party plugin credentials or tokens stored in post meta — provided at least one published JetFormBuilder form with a get_from_db generator field exists on the site. Exploitation requires that the target site has at least one published jet-form-builder post containing a field whose generator_function is set to get_from_db; an attacker must supply a matching form ID, field name, and generator ID in the request, but all of these can be discovered by browsing the site's public forms. | ||||
| CVE-2026-12134 | 2 Beardev, Wordpress | 2 Joomsport – For Sports: Team & League, Football, Hockey & More, Wordpress | 2026-07-02 | 4.3 Medium |
| The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.7.8. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary season groups or modify existing group names, participants, and round-type options. Exploitation requires obtaining the joomsportajaxnonce, which is exposed on frontend pages that render a JoomSport shortcode. | ||||
| CVE-2026-12472 | 2 Themeum, Wordpress | 2 Kirki – Freeform Page Builder, Website Builder & Customizer, Wordpress | 2026-07-02 | 5.3 Medium |
| The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.11. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to send arbitrary HTML-injected emails — including phishing messages embedding a real, valid WordPress password-reset URL for the targeted user — to any registered user via the site's own mail server, abusing its SPF/DKIM reputation. The attacker-controlled emailSubject parameter is passed to wp_mail() with only sanitize_text_field() applied, while emailBody 'text' items are concatenated raw into the HTML email body with no escaping, and 'chip' items can include the genuine WordPress password-reset link for the targeted account. | ||||
| CVE-2026-55628 | 1 Imagemagick | 1 Imagemagick | 2026-07-02 | 5.5 Medium |
| In versions prior to 7.1.2-26he, the `-concatenate` operation is missing policy checks, potentially resulting in both reading and writing to paths disallowed by the security policy. This issue has been fixed in version 7.1.2-26. | ||||
| CVE-2026-12122 | 2026-07-02 | 5.3 Medium | ||
| The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.11 via the get_single_symbol. This makes it possible for unauthenticated attackers to extract the full builder metadata and rendered HTML of any kirki_symbol post — including unpublished drafts — by supplying a sequential WordPress post ID. | ||||