Export limit exceeded: 360766 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 13251 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (13251 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-32513 | 2 Miguel Useche, Wordpress | 2 Js Archive List, Wordpress | 2026-04-24 | 8.8 High |
| Deserialization of Untrusted Data vulnerability in Miguel Useche JS Archive List jquery-archive-list-widget allows Object Injection.This issue affects JS Archive List: from n/a through <= 6.1.7. | ||||
| CVE-2026-32498 | 2 Metagauss, Wordpress | 2 Registrationmagic, Wordpress | 2026-04-24 | 7.5 High |
| Missing Authorization vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RegistrationMagic: from n/a through <= 6.0.7.6. | ||||
| CVE-2026-32516 | 2 Kamleshyadav, Wordpress | 2 Miraculous Core Plugin, Wordpress | 2026-04-24 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Blind SQL Injection.This issue affects Miraculous Core Plugin: from n/a through < 2.1.2. | ||||
| CVE-2026-32519 | 2 Bitapps, Wordpress | 2 Bit Smtp, Wordpress | 2026-04-24 | 9 Critical |
| Incorrect Privilege Assignment vulnerability in Bit Apps Bit SMTP bit-smtp allows Privilege Escalation.This issue affects Bit SMTP: from n/a through <= 1.2.2. | ||||
| CVE-2026-32521 | 2 Northern Beaches Websites, Wordpress | 2 Wp Custom Admin Interface, Wordpress | 2026-04-24 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Northern Beaches Websites WP Custom Admin Interface wp-custom-admin-interface allows DOM-Based XSS.This issue affects WP Custom Admin Interface: from n/a through <= 7.42. | ||||
| CVE-2026-32494 | 2 Ays-pro, Wordpress | 2 Image Slider, Wordpress | 2026-04-24 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ays Pro Image Slider by Ays ays-slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Slider by Ays: from n/a through <= 2.7.1. | ||||
| CVE-2026-32525 | 2 Jetmonsters, Wordpress | 2 Jetformbuilder, Wordpress | 2026-04-24 | 9.9 Critical |
| Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters JetFormBuilder jetformbuilder allows Code Injection.This issue affects JetFormBuilder: from n/a through <= 3.5.6.1. | ||||
| CVE-2026-32491 | 2 Jgwhite33, Wordpress | 2 Wp Review Slider, Wordpress | 2026-04-24 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jgwhite33 WP Review Slider wp-facebook-reviews allows Stored XSS.This issue affects WP Review Slider: from n/a through <= 13.9. | ||||
| CVE-2026-32529 | 2 Don-themes, Wordpress | 2 Molla, Wordpress | 2026-04-24 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in don-themes Molla molla allows Reflected XSS.This issue affects Molla: from n/a through < 1.5.19. | ||||
| CVE-2026-32530 | 2 Wordpress, Wpfunnels | 2 Wordpress, Creator Lms | 2026-04-24 | 8.8 High |
| Incorrect Privilege Assignment vulnerability in WPFunnels Creator LMS creatorlms allows Privilege Escalation.This issue affects Creator LMS: from n/a through <= 1.1.18. | ||||
| CVE-2026-32532 | 2 Themehunk, Wordpress | 2 Contact Form & Lead Form Elementor Builder, Wordpress | 2026-04-24 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Contact Form & Lead Form Elementor Builder lead-form-builder allows Stored XSS.This issue affects Contact Form & Lead Form Elementor Builder: from n/a through <= 2.0.1. | ||||
| CVE-2026-32534 | 2 Joomsky, Wordpress | 2 Js Help Desk, Wordpress | 2026-04-24 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Help Desk js-support-ticket allows Blind SQL Injection.This issue affects JS Help Desk: from n/a through <= 3.0.3. | ||||
| CVE-2026-32538 | 2 Noor Alam, Wordpress | 2 Smtp Mailer, Wordpress | 2026-04-24 | 7.5 High |
| Insertion of Sensitive Information Into Sent Data vulnerability in Noor Alam SMTP Mailer smtp-mailer allows Retrieve Embedded Sensitive Data.This issue affects SMTP Mailer: from n/a through <= 1.1.24. | ||||
| CVE-2026-27095 | 2 Mage-people, Wordpress | 2 Bus Ticket Booking With Seat Reservation, Wordpress | 2026-04-24 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in magepeopleteam Bus Ticket Booking with Seat Reservation bus-ticket-booking-with-seat-reservation allows Object Injection.This issue affects Bus Ticket Booking with Seat Reservation: from n/a through <= 5.6.0. | ||||
| CVE-2026-27087 | 2 G5theme, Wordpress | 2 Wolverine Framework, Wordpress | 2026-04-24 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in G5Theme Wolverine Framework wolverine-framework allows Reflected XSS.This issue affects Wolverine Framework: from n/a through <= 1.9. | ||||
| CVE-2026-27083 | 2 Themerex, Wordpress | 2 Work & Travel Company, Wordpress | 2026-04-24 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in ThemeREX Work & Travel Company work-travel-company allows Object Injection.This issue affects Work & Travel Company: from n/a through <= 1.2. | ||||
| CVE-2026-27080 | 2 Mikado-themes, Wordpress | 2 Deston, Wordpress | 2026-04-24 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Deston deston allows PHP Local File Inclusion.This issue affects Deston: from n/a through <= 1.0. | ||||
| CVE-2026-4484 | 2 Masteriyo, Wordpress | 2 Masteriyo Lms – Online Course Builder For Elearning, Lms & Education, Wordpress | 2026-04-24 | 8.8 High |
| The Masteriyo LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.6. This is due to the plugin allowing a user to update the user role through the 'InstructorsController::prepare_object_for_database' function. This makes it possible for authenticated attackers, with Student-level access and above, to elevate their privileges to that of an administrator. | ||||
| CVE-2026-27049 | 2 Nootheme, Wordpress | 2 Jobica Core, Wordpress | 2026-04-24 | 9.8 Critical |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in NooTheme Jobica Core jobica-core allows Authentication Abuse.This issue affects Jobica Core: from n/a through <= 1.4.2. | ||||
| CVE-2026-4335 | 2 Shortpixel, Wordpress | 2 Shortpixel Image Optimizer – Optimize Images, Convert Webp & Avif, Wordpress | 2026-04-24 | 5.4 Medium |
| The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup() function and its corresponding media-popup.php template. Specifically, the attachment's post_title is retrieved from the database via get_post() in AjaxController.php (line 435) and passed directly to the view template (line 449), where it is rendered into an HTML input element's value attribute without esc_attr() escaping (media-popup.php line 139). Since WordPress allows Authors to set arbitrary attachment titles (including double-quote characters) via the REST API, a malicious author can craft an attachment title that breaks out of the HTML attribute and injects arbitrary JavaScript event handlers. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts that execute whenever a higher-privileged user (such as an administrator) opens the ShortPixel AI editor popup (Background Removal or Image Upscale) for the poisoned attachment. | ||||