Export limit exceeded: 365200 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (365200 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-4661 | 2 Blendmedia, Wordpress | 2 Wp Cta – Call Now Button, Sticky Button & Call To Action Builder, Wordpress | 2026-07-13 | 7.5 High |
| The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'fildname' parameter in all versions up to, and including, 2.2.2. This is due to insufficient escaping of user-supplied column names in the ajaxCheck() method and lack of preparation in the $wpdb->update() call. The vulnerability is compounded by the complete absence of authorization checks and the endpoint being registered for unauthenticated users via wp_ajax_nopriv_. This makes it possible for unauthenticated attackers to inject arbitrary SQL queries and extract sensitive information from the database via time-based blind SQL injection techniques, including administrator password hashes. | ||||
| CVE-2026-6801 | 2 Postmagthemes, Wordpress | 2 Context Blog, Wordpress | 2026-07-13 | 5.3 Medium |
| The Context Blog theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.5 via the context_blog_modal_popup. This makes it possible for unauthenticated attackers to extract the content of password-protected posts. | ||||
| CVE-2026-15481 | 1 Trendnet | 1 Tew-635brm | 2026-07-13 | 8.8 High |
| A security flaw has been discovered in Trendnet TEW-635BRM up to 1.00.03. This vulnerability affects the function ipoa_test of the file /sbin/rc of the component IPoA WAN Connection Setup. Performing a manipulation of the argument ipoa_ipaddr results in command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor explains: "We are unable to confirm if the vulnerability exists. This item has been EOL since 2011. We will make an official announcement of possible vulnerabilities, and recommend users to switch devices." This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2026-1359 | 2 Genolve, Wordpress | 2 Genolve Ai Business Graphics, Ai Images, Wordpress | 2026-07-13 | 8.8 High |
| The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the genolve_setOpt() function in all versions up to, and including, 5.0.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to update arbitrary WordPress options, including enabling user registration and setting the default role to administrator, resulting in privilege escalation. | ||||
| CVE-2026-12126 | 2 Wclovers, Wordpress | 2 Wcfm Marketplace – Multivendor Marketplace For Woocommerce, Wordpress | 2026-07-13 | 6.4 Medium |
| The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'post_title' in all versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Vendor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. An attacker can plant the payload by uploading a media attachment with a crafted title via the WordPress REST API (/wp-json/wp/v2/media), without ever invoking the AJAX endpoint themselves, as the unescaped title is later emitted inside DataTables JSON and inserted as innerHTML upon any privileged user loading the media dashboard. | ||||
| CVE-2026-10041 | 2 Wclovers, Wordpress | 2 Wcfm – Frontend Manager For Woocommerce, Wordpress | 2026-07-13 | 4.3 Medium |
| The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfm_product_archive due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to archive arbitrary vendors' products, toggle the featured status on arbitrary listings, mark arbitrary WooCommerce orders as completed, and permanently delete arbitrary enquiries and bulk messages belonging to other vendors. | ||||
| CVE-2026-57371 | 2 Denishua, Wordpress | 2 Wpjam Basic, Wordpress | 2026-07-13 | 8.8 High |
| Deserialization of Untrusted Data vulnerability in denishua WPJAM Basic wpjam-basic allows Object Injection.This issue affects WPJAM Basic: from n/a through <= 7.0. | ||||
| CVE-2026-57379 | 2 Wordpress, Wppool | 2 Wordpress, Formychat | 2026-07-13 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPPOOL FormyChat social-contact-form allows Stored XSS.This issue affects FormyChat: from n/a through <= 2.15.3. | ||||
| CVE-2026-57386 | 2 Kodezen, Wordpress | 2 Ablocks, Wordpress | 2026-07-13 | 8.8 High |
| Incorrect Privilege Assignment vulnerability in Kodezen LLC aBlocks ablocks allows Privilege Escalation.This issue affects aBlocks: from n/a through < 2.9.1. | ||||
| CVE-2026-9492 | 1 Gigabyte | 1 Mbstorage | 2026-07-13 | 7.8 High |
| The MBStorage DRAM lighting control module within Gigabyte Control Center (GCC) developed by GIGABYTE Technology has an Improper Access Control vulnerability. Authenticated local attackers can send specific IOCTL commands through the driver MyPortIO_x64.sys bundled with the module, thereby arbitrarily reading and writing physical memory and obtaining kernel-level privileges. | ||||
| CVE-2026-57392 | 2 Themefic, Wordpress | 2 Tourfic, Wordpress | 2026-07-13 | 6.5 Medium |
| Missing Authorization vulnerability in Themefic Tourfic tourfic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tourfic: from n/a through <= 2.22.5. | ||||
| CVE-2026-57399 | 2 Proxy & Vpn Blocker, Wordpress | 2 Proxy & Vpn Blocker, Wordpress | 2026-07-13 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Proxy & VPN Blocker Proxy & VPN Blocker proxy-vpn-blocker allows Stored XSS.This issue affects Proxy & VPN Blocker: from n/a through <= 3.5.8. | ||||
| CVE-2026-57405 | 2 Themehunk, Wordpress | 2 Open Shop, Wordpress | 2026-07-13 | 7.1 High |
| Missing Authorization vulnerability in themehunk Open Shop open-shop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Open Shop: from n/a through <= 1.7.1. | ||||
| CVE-2026-15541 | 1 Will-moss | 1 Isaiah | 2026-07-13 | 7.3 High |
| A flaw has been found in will-moss Isaiah up to 1.36.9. The impacted element is the function Server.Handle of the file app/server/server/server.go of the component Master Websocket Handler. Executing a manipulation of the argument Agent can lead to missing authorization. It is possible to launch the attack remotely. The pull request to fix this issue awaits acceptance. | ||||
| CVE-2026-14453 | 1 Centreon | 1 Infra Monitoring | 2026-07-13 | 9.6 Critical |
| This vulnerability is a critical Server-Side Template Injection (SSTI) in Centreon's centreon-open-tickets module that leads to Remote Code Execution. The message_confirm field is stored without sanitization and rendered via Smarty with no security policy enabled, allowing any authenticated user, to inject and execute arbitrary code on the server. This results in disclosure of environment secrets and could impact platform availability of Centreon Infra Monitoring product. | ||||
| CVE-2026-57411 | 2 Aman, Wordpress | 2 Cf7 Views – Complete Entry Management For Contact Form 7, Wordpress | 2026-07-13 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aman CF7 Views – Complete Entry Management for Contact Form 7 cf7-views allows DOM-Based XSS.This issue affects CF7 Views – Complete Entry Management for Contact Form 7: from n/a through <= 3.2.2. | ||||
| CVE-2026-57365 | 2 Hitesh Chandwani, Wordpress | 2 Recaptcha (v2 & V3) For Asgaros Forum, Wordpress | 2026-07-13 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hitesh Chandwani reCAPTCHA (v2 & v3) for Asgaros Forum recaptcha-for-asgaros-forum allows DOM-Based XSS.This issue affects reCAPTCHA (v2 & v3) for Asgaros Forum: from n/a through <= 1.1.0. | ||||
| CVE-2026-57364 | 2 Wordpress, Wpdeveloper | 2 Wordpress, Better Payment – Instant Payments, Donations, Fundraising With Subscriptions & More | 2026-07-13 | 6.5 Medium |
| Improper Validation of Specified Quantity in Input vulnerability in WPDeveloper Better Payment – Instant Payments, Donations, Fundraising with Subscriptions & More better-payment allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Better Payment – Instant Payments, Donations, Fundraising with Subscriptions & More: from n/a through <= 2.2.0. | ||||
| CVE-2026-57378 | 2 Phil Kurth, Wordpress | 2 Advanced Forms, Wordpress | 2026-07-13 | 7.5 High |
| Missing Authorization vulnerability in Phil Kurth Advanced Forms advanced-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Forms: from n/a through <= 1.9.3.7. | ||||
| CVE-2026-57417 | 2 Rextheme, Wordpress | 2 Cart Lift, Wordpress | 2026-07-13 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RexTheme Cart Lift cart-lift allows Stored XSS.This issue affects Cart Lift: from n/a through <= 3.1.57. | ||||