Export limit exceeded: 364073 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (364073 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-1382 2 Freshlabs, Wordpress 2 Fresh Podcaster, Wordpress 2026-07-13 6.4 Medium
The fresh Podcaster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'freshpodcaster' shortcode in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-4661 2 Blendmedia, Wordpress 2 Wp Cta – Call Now Button, Sticky Button & Call To Action Builder, Wordpress 2026-07-13 7.5 High
The WP CTA – Sticky CTA Builder, Generate Leads, Promote Sales plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'fildname' parameter in all versions up to, and including, 2.2.2. This is due to insufficient escaping of user-supplied column names in the ajaxCheck() method and lack of preparation in the $wpdb->update() call. The vulnerability is compounded by the complete absence of authorization checks and the endpoint being registered for unauthenticated users via wp_ajax_nopriv_. This makes it possible for unauthenticated attackers to inject arbitrary SQL queries and extract sensitive information from the database via time-based blind SQL injection techniques, including administrator password hashes.
CVE-2026-15010 2 Robin-w, Wordpress 2 Bbp Style Pack, Wordpress 2026-07-13 6.4 Medium
The bbp Style Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.4.5 via the Topic Form Additional Fields feature. This is due to insufficient input sanitization in bsp_topic_fields_form_save() (which writes $_POST['bsp_topic_fields_label{n}'] directly to post meta via update_post_meta() with no filtering) and missing output escaping in bsp_topic_content_append_topic_fields() (which concatenates the stored meta value into an HTML <span> and echoes it via apply_filters/echo without esc_html()). This makes it possible for authenticated attackers, with Subscriber-level access and above (who have bbPress topic-creation privileges), to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, including unauthenticated visitors.
CVE-2026-1359 2 Genolve, Wordpress 2 Genolve Ai Business Graphics, Ai Images, Wordpress 2026-07-13 8.8 High
The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the genolve_setOpt() function in all versions up to, and including, 5.0.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to update arbitrary WordPress options, including enabling user registration and setting the default role to administrator, resulting in privilege escalation.
CVE-2026-57828 1 Phoca 1 Phoca Download Extension For Joomla 2026-07-13 N/A
The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload that allows registered users uploading executable files and leads to full RCE.
CVE-2026-57827 1 Rsjoomla 1 Rsfiles Extension For Joomla 2026-07-13 N/A
The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload that allows uploading executable files and leads to full RCE.
CVE-2026-15516 2 Maccms Pro, Magicblack 2 Maccms Pro, Maccms Pro 2026-07-13 5.6 Medium
A vulnerability was detected in MacCMS Pro up to 2022.1000.3005. Impacted is the function step5 of the file application/install/controller/Index.php of the component Installation Module. The manipulation results in authorization bypass. The attack may be launched remotely. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit is now public and may be used. Upgrading to version 2022.1000.3025 is recommended to address this issue. Upgrading the affected component is recommended.
CVE-2026-9492 1 Gigabyte 1 Mbstorage 2026-07-13 7.8 High
The MBStorage DRAM lighting control module within Gigabyte Control Center (GCC) developed by GIGABYTE Technology has an Improper Access Control vulnerability. Authenticated local attackers can send specific IOCTL commands through the driver MyPortIO_x64.sys bundled with the module, thereby arbitrarily reading and writing physical memory and obtaining kernel-level privileges.
CVE-2026-15541 1 Will-moss 1 Isaiah 2026-07-13 7.3 High
A flaw has been found in will-moss Isaiah up to 1.36.9. The impacted element is the function Server.Handle of the file app/server/server/server.go of the component Master Websocket Handler. Executing a manipulation of the argument Agent can lead to missing authorization. It is possible to launch the attack remotely. The pull request to fix this issue awaits acceptance.
CVE-2026-14453 1 Centreon 1 Infra Monitoring 2026-07-13 9.6 Critical
This vulnerability is a critical Server-Side Template Injection (SSTI) in Centreon's centreon-open-tickets module that leads to Remote Code Execution. The message_confirm field is stored without sanitization and rendered via Smarty with no security policy enabled, allowing any authenticated user, to inject and execute arbitrary code on the server. This results in disclosure of environment secrets and could impact platform availability of Centreon Infra Monitoring product.
CVE-2026-57365 2 Hitesh Chandwani, Wordpress 2 Recaptcha (v2 & V3) For Asgaros Forum, Wordpress 2026-07-13 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hitesh Chandwani reCAPTCHA (v2 &amp; v3) for Asgaros Forum recaptcha-for-asgaros-forum allows DOM-Based XSS.This issue affects reCAPTCHA (v2 &amp; v3) for Asgaros Forum: from n/a through <= 1.1.0.
CVE-2026-57364 2 Wordpress, Wpdeveloper 2 Wordpress, Better Payment – Instant Payments, Donations, Fundraising With Subscriptions & More 2026-07-13 6.5 Medium
Improper Validation of Specified Quantity in Input vulnerability in WPDeveloper Better Payment – Instant Payments, Donations, Fundraising with Subscriptions &amp; More better-payment allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Better Payment – Instant Payments, Donations, Fundraising with Subscriptions &amp; More: from n/a through <= 2.2.0.
CVE-2026-57378 2 Phil Kurth, Wordpress 2 Advanced Forms, Wordpress 2026-07-13 7.5 High
Missing Authorization vulnerability in Phil Kurth Advanced Forms advanced-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Forms: from n/a through <= 1.9.3.7.
CVE-2026-57379 2 Wordpress, Wppool 2 Wordpress, Formychat 2026-07-13 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPPOOL FormyChat social-contact-form allows Stored XSS.This issue affects FormyChat: from n/a through <= 2.15.3.
CVE-2026-57399 2 Proxy & Vpn Blocker, Wordpress 2 Proxy & Vpn Blocker, Wordpress 2026-07-13 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Proxy &amp; VPN Blocker Proxy &amp; VPN Blocker proxy-vpn-blocker allows Stored XSS.This issue affects Proxy &amp; VPN Blocker: from n/a through <= 3.5.8.
CVE-2026-57403 2 Milan Petrovic, Wordpress 2 Gd Security Headers, Wordpress 2026-07-13 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Milan Petrovic GD Security Headers gd-security-headers allows Reflected XSS.This issue affects GD Security Headers: from n/a through <= 1.8.
CVE-2026-57405 2 Themehunk, Wordpress 2 Open Shop, Wordpress 2026-07-13 7.1 High
Missing Authorization vulnerability in themehunk Open Shop open-shop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Open Shop: from n/a through <= 1.7.1.
CVE-2026-57406 2 Roxnor, Wordpress 2 Fundengine, Wordpress 2026-07-13 6.5 Medium
Missing Authorization vulnerability in Roxnor FundEngine wp-fundraising-donation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FundEngine: from n/a through <= 1.7.6.
CVE-2026-57408 2 Peachpayments, Wordpress 2 Peach Payments Gateway, Wordpress 2026-07-13 6.5 Medium
Missing Authorization vulnerability in peachpayments Peach Payments Gateway wc-peach-payments-gateway allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Peach Payments Gateway: from n/a through <= 4.0.2.
CVE-2026-57411 2 Aman, Wordpress 2 Cf7 Views – Complete Entry Management For Contact Form 7, Wordpress 2026-07-13 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aman CF7 Views &#8211; Complete Entry Management for Contact Form 7 cf7-views allows DOM-Based XSS.This issue affects CF7 Views &#8211; Complete Entry Management for Contact Form 7: from n/a through <= 3.2.2.