Export limit exceeded: 346028 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (346028 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-11008 | 2 Ce21, Wordpress | 2 Ce21-suite, Wordpress | 2026-04-22 | 9.8 Critical |
| The CE21 Suite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.3.1 via the log file. This makes it possible for unauthenticated attackers to extract sensitive data including authentication credentials, which can be used to log in as other users as long as they have used the plugin's custom authentication feature before. This may include administrators, which makes a complete site takeover possible. | ||||
| CVE-2025-11890 | 3 Beycanpress, Woocommerce, Wordpress | 3 Crypto Payment Gateway With Payeer For Woocommerce, Woocommerce, Wordpress | 2026-04-22 | 7.5 High |
| The Crypto Payment Gateway with Payeer for WooCommerce plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 1.0.3. This is due to the plugin not properly verifying a payments status through server-side validation though the /wc-api/bp-payeer-gateway-callback endpoint. This makes it possible for unauthenticated attackers to update unpaid order statuses to paid resulting in a loss of revenue. | ||||
| CVE-2025-11724 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 8.8 High |
| The EM Beer Manager plugin for WordPress is vulnerable to arbitrary file upload leading to remote code execution in all versions up to, and including, 3.2.3. This is due to missing file type validation in the EMBM_Admin_Untappd_Import_image() function and missing authorization checks on the wp_ajax_embm-untappd-import action. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files including PHP files and execute code on the server granted they can provide a mock HTTP server that responds with specific JSON data. | ||||
| CVE-2026-6834 | 1 Aenrich | 1 A+hrd | 2026-04-22 | 6.5 Medium |
| The a+HRD developed by aEnrich has a Missing Authorization vulnerability, allowing authenticated remote attackers to arbitrarily read database contents through a specific API method. | ||||
| CVE-2026-6835 | 1 Aenrich | 1 A+hcm | 2026-04-22 | 6.1 Medium |
| The a+HCM developed by aEnrich has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload arbitrary files to any path, including HTML documents, which may result in a XSS-like effect. | ||||
| CVE-2026-40451 | 1 Deepl | 1 Chrome Browser Extension | 2026-04-22 | N/A |
| DeepL Chrome browser extension versions from v1.22.0 to v.1.23.0 contain a cross-site scripting vulnerability, which allows an attacker to execute arbitrary script in a user's browser, and inject malicious HTML into web pages viewed by the user. | ||||
| CVE-2026-40450 | 1 Samsung Open Source | 1 One | 2026-04-22 | 6.6 Medium |
| Integer overflow in output tensor copy size calculation in Samsung Open Source ONE could cause incorrect copy length and memory corruption for oversized tensors. Affected version is prior to commit 1.30.0. | ||||
| CVE-2026-41664 | 1 Samsung Open Source | 1 One | 2026-04-22 | 6.6 Medium |
| Integer overflow in memory copy size calculation in Samsung Open Source ONE could lead to invalid memory operations with large tensor shapes. Affected version is prior to commit 1.30.0. | ||||
| CVE-2026-41665 | 1 Samsung Open Source | 1 One | 2026-04-22 | 6.1 Medium |
| Integer overflow in scratch buffer initialization size calculation in Samsung Open Source ONE cause incorrect memory initialization for large intermediate tensors. Affected version is prior to commit 1.30.0. | ||||
| CVE-2026-41666 | 1 Samsung Open Source | 1 One | 2026-04-22 | 6.6 Medium |
| Integer overflow in tensor copy size calculation in Samsung Open Source ONE could lead to out of bounds access during loop state propagation. Affected version is prior to commit 1.30.0. | ||||
| CVE-2026-41667 | 1 Samsung Open Source | 1 One | 2026-04-22 | 6.6 Medium |
| Integer overflow in constant tensor data size calculation in Samsung Open Source ONE could cause incorrect buffer sizing for large constant nodes. Affected version is prior to commit 1.30.0. | ||||
| CVE-2026-6839 | 1 Samsung Open Source | 1 One | 2026-04-22 | 6.6 Medium |
| Improper validation of STRING tensor offsets could allows malformed string metadata to trigger out of bounds access during constant tensor import in Samsung Open Source ONE Affected version is prior to commit 1.30.0. | ||||
| CVE-2025-12193 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 6.1 Medium |
| The Mang Board WP plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'mp' parameter in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | ||||
| CVE-2025-11980 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 4.9 Medium |
| The Quick Featured Images plugin for WordPress is vulnerable to SQL Injection via the 'delete_orphaned' function in all versions up to, and including, 13.7.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, granted they can convince an author-level user or higher to add a malicious custom field value. | ||||
| CVE-2025-11448 | 2 Smub, Wordpress | 2 Gallery Plugin For Wordpress, Wordpress | 2026-04-22 | 4.3 Medium |
| The Gallery Plugin for WordPress – Envira Photo Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/envira-convert/v1/bulk-convert' REST API endpoint in all versions up to, and including, 1.11.0. This makes it possible for authenticated attackers, with contributor-level access and above, to convert galleries to Envira galleries. | ||||
| CVE-2025-11988 | 2 Odude, Wordpress | 2 Crypto Tool, Wordpress | 2026-04-22 | 5.3 Medium |
| The Crypto plugin for WordPress is vulnerable to unauthorized manipulation of data in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action (wp_ajax_nopriv_crypto_connect_ajax_process) that allows calling the crypto_delete_json method with only a publicly-available nonce check. This makes it possible for unauthenticated attackers to delete specific JSON files matching the pattern *_pending.json within the wp-content/uploads/yak/ directory, causing data loss and denial of service for plugin workflows that rely on these artifacts. | ||||
| CVE-2025-11886 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 4.3 Medium |
| The CTL Arcade Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the 'ctl_arcade_lite_page_manage_games' page. This makes it possible for unauthenticated attackers to deactivate and activate arbitrary plugins via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2025-11451 | 2 Miunosoft, Wordpress | 2 Auto Amazon Links Amazon Associates Affiliate Plugin, Wordpress | 2026-04-22 | 7.5 High |
| The Auto Amazon Links – Amazon Associates Affiliate Plugin plugin for WordPress is vulnerable to arbitrary files reads in all versions up to, and including, 5.4.3 via the '/wp-json/wp/v2/aal_ajax_unit_loading' RST API endpoint. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. | ||||
| CVE-2025-11997 | 3 Elementor, Ngothoai, Wordpress | 3 Elementor, Document Pro Elementor, Wordpress | 2026-04-22 | 5.3 Medium |
| The Document Pro Elementor – Documentation & Knowledge Base plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.9. This is due to the plugin exposing sensitive Algolia API keys through the frontend JavaScript code via wp_localize_script without proper access restrictions. This makes it possible for unauthenticated attackers to view sensitive API keys in the page source, which could be leveraged to make unauthorized API calls to the configured Algolia search service. | ||||
| CVE-2025-12020 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 4.9 Medium |
| The Double the Donation – A workplace giving tool to help your fundraising efforts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||