Export limit exceeded: 10239 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Export limit exceeded: 12085 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (12085 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-40737 | 2 Villatheme, Wordpress | 2 Compe, Wordpress | 2026-04-22 | 5.3 Medium |
| Authorization Bypass Through User-Controlled Key vulnerability in VillaTheme COMPE compe-woo-compare-products allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects COMPE: from n/a through <= 1.1.4. | ||||
| CVE-2026-40745 | 2 Bdthemes, Wordpress | 2 Element Pack Elementor Addons, Wordpress | 2026-04-22 | 7.6 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite allows Blind SQL Injection.This issue affects Element Pack Elementor Addons: from n/a through <= 8.4.2. | ||||
| CVE-2026-4812 | 2 Wordpress, Wpengine | 2 Wordpress, Advanced Custom Fields | 2026-04-22 | 5.3 Medium |
| The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to Missing Authorization to Arbitrary Post/Page Disclosure in versions up to and including 6.7.0. This is due to AJAX field query endpoints accepting user-supplied filter parameters that override field-configured restrictions without proper authorization checks. This makes it possible for unauthenticated attackers with access to a frontend ACF form to enumerate and disclose information about draft/private posts, restricted post types, and other data that should be restricted by field configuration. | ||||
| CVE-2026-3642 | 2 Forfront, Wordpress | 2 E-shot, Wordpress | 2026-04-22 | 5.3 Medium |
| The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. The eshot_form_builder_update_field_data() AJAX handler lacks any capability checks (current_user_can()) or nonce verification (check_ajax_referer()/wp_verify_nonce()). The function is registered via the wp_ajax_ hook, making it accessible to any authenticated user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify form field configurations including mandatory status, field visibility, and form display preferences via the eshot_form_builder_update_field_data AJAX action. | ||||
| CVE-2025-15470 | 2 Designingmedia, Wordpress | 2 Eleganzo, Wordpress | 2026-04-22 | 6.5 Medium |
| The Eleganzo theme for WordPress is vulnerable to arbitrary directory deletion due to insufficient path validation in the akd_required_plugin_callback function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary directories on the server, including the WordPress root directory. | ||||
| CVE-2026-40734 | 2 Wordpress, Zahlan | 2 Wordpress, Categories Images | 2026-04-22 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zahlan Categories Images categories-images allows DOM-Based XSS.This issue affects Categories Images: from n/a through <= 3.3.1. | ||||
| CVE-2026-1509 | 2 Themefusion, Wordpress | 2 Fusion Builder, Wordpress | 2026-04-22 | 5.4 Medium |
| The Avada (Fusion) Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's `output_action_hook()` function accepting user-controlled input to trigger any registered WordPress action hook without proper authorization checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary WordPress action hooks via the Dynamic Data feature, potentially leading to privilege escalation, file inclusion, denial of service, or other security impacts depending on which action hooks are available in the WordPress installation. | ||||
| CVE-2026-2834 | 2 Tokenoftrust, Wordpress | 2 Age Verification & Identity Verification By Token Of Trust, Wordpress | 2026-04-22 | 7.2 High |
| The Age Verification & Identity Verification by Token of Trust plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘description’ parameter in all versions up to, and including, 3.32.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-40744 | 2 Wordpress, Wpbeaverbuilder | 2 Wordpress, Beaver Builder | 2026-04-22 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Blind SQL Injection.This issue affects Beaver Builder: from n/a through <= 2.10.1.2. | ||||
| CVE-2026-2396 | 2 Kimipooh, Wordpress | 2 List View Google Calendar, Wordpress | 2026-04-22 | 4.4 Medium |
| The List View Google Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event description in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-6080 | 2 Themeum, Wordpress | 2 Tutor Lms – Elearning And Online Course Solution, Wordpress | 2026-04-22 | 6.5 Medium |
| The Tutor LMS plugin for WordPress is vulnerable to SQL Injection in versions up to and including 3.9.8. This is due to insufficient escaping on the 'date' parameter combined with direct interpolation into a SQL fragment before being passed to $wpdb->prepare(). This makes it possible for authenticated attackers with Admin-level access and above to append additional SQL queries and extract sensitive information from the database. | ||||
| CVE-2026-6048 | 2 Dragwyb, Wordpress | 2 Flipbox Addon For Elementor, Wordpress | 2026-04-22 | 6.4 Medium |
| The Flipbox Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Flipbox widget's button URL `custom_attributes` field in all versions up to, and including, 2.1.1 due to insufficient validation of custom attribute names. Specifically, the plugin uses `esc_html()` on the attribute name which does not prevent event handler attributes (e.g., `onmouseover`, `onclick`). This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-4801 | 2 Godaddy, Wordpress | 2 Page Builder Gutenberg Blocks – Coblocks, Wordpress | 2026-04-22 | 6.4 Medium |
| The Page Builder Gutenberg Blocks – CoBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via external iCal feed data in all versions up to, and including, 3.1.16 due to insufficient output escaping of event titles, descriptions, and locations fetched from external iCal feeds in the Events block rendering function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-6443 | 2 Essentialplugin, Wordpress | 2 Accordion And Accordion Slider, Wordpress | 2026-04-22 | 9.8 Critical |
| All plugins by Essentialplugin for WordPress are vulnerable to an injected backdoor in various versions. This is due to the plugin being sold to a malicious threat actor that embedded a backdoor in all of the plugin's they acquired. This makes it possible for the threat actor to maintain a persistent backdoor and inject spam into the affected sites. | ||||
| CVE-2026-6518 | 2 Niteo, Wordpress | 2 Cmp – Coming Soon & Maintenance Plugin By Niteothemes, Wordpress | 2026-04-22 | 8.8 High |
| The CMP – Coming Soon & Maintenance Plugin by NiteoThemes plugin for WordPress is vulnerable to arbitrary file upload and remote code execution in all versions up to, and including, 4.1.16 via the `cmp_theme_update_install` AJAX action. This is due to the function only checking for the `publish_pages` capability (available to Editors and above) instead of `manage_options` (Administrators only), combined with a lack of proper validation on the user-supplied file URL and no verification of the downloaded file's content before extraction. This makes it possible for authenticated attackers, with Administrator-level access and above, to force the server to download and extract a malicious ZIP file from a remote attacker-controlled URL into a web-accessible directory (`wp-content/plugins/cmp-premium-themes/`), resulting in remote code execution. Due to the lack of a nonce for Editors, they are unable to exploit this vulnerability. | ||||
| CVE-2026-6712 | 2 Ryhowa, Wordpress | 2 Website Llms.txt, Wordpress | 2026-04-22 | 4.4 Medium |
| The Website LLMs.txt plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-6675 | 2 Cyberchimps, Wordpress | 2 Responsive Blocks – Page Builder For Blocks & Patterns, Wordpress | 2026-04-22 | 5.3 Medium |
| The Responsive Blocks – Page Builder for Blocks & Patterns plugin for WordPress is vulnerable to Unauthenticated Open Email Relay in all versions up to, and including, 2.2.0. This is due to insufficient authorization checks and missing server-side validation of the recipient email address supplied via a public REST API route. This makes it possible for unauthenticated attackers to send arbitrary emails to any recipient of their choosing through the affected WordPress site's mail server, effectively turning the site into an open mail relay. | ||||
| CVE-2026-6674 | 2 Tholstkabelbwde, Wordpress | 2 Plugin: Cms Für Motorrad Werkstätten, Wordpress | 2026-04-22 | 6.5 Medium |
| The Plugin: CMS für Motorrad Werkstätten plugin for WordPress is vulnerable to SQL Injection via the 'arttype' parameter in all versions up to, and including, 1.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2026-1379 | 2 Wordpress, Zinoui | 2 Wordpress, Http Headers | 2026-04-22 | 4.4 Medium |
| The HTTP Headers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.19.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | ||||
| CVE-2026-1930 | 2 Hanicker, Wordpress | 2 Emailchef, Wordpress | 2026-04-22 | 4.3 Medium |
| The Emailchef plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the page_options_ajax_disconnect() function in all versions up to, and including, 3.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete the plugin's settings via the 'emailchef_disconnect' AJAX action. | ||||