Export limit exceeded: 12537 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (12537 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-42731 | 2 Miniorange, Wordpress | 2 Otp Verification, Wordpress | 2026-05-30 | 9.8 Critical |
| Incorrect Privilege Assignment vulnerability in miniOrange miniorange otp verification miniorange-otp-verification allows Privilege Escalation.This issue affects miniorange otp verification: from n/a through <= 5.4.9. | ||||
| CVE-2026-42726 | 2 Strategy11, Wordpress | 2 Awp Classifieds, Wordpress | 2026-05-30 | 6.5 Medium |
| Missing Authorization vulnerability in Strategy11 Team AWP Classifieds another-wordpress-classifieds-plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AWP Classifieds: from n/a through <= 4.4.5. | ||||
| CVE-2026-42730 | 2 Stylemixthemes, Wordpress | 2 Masterstudy Lms, Wordpress | 2026-05-30 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows Blind SQL Injection.This issue affects MasterStudy LMS: from n/a through <= 3.7.29. | ||||
| CVE-2026-42735 | 2 Iqonic, Wordpress | 2 Kivicare, Wordpress | 2026-05-30 | 8.2 High |
| Authentication Bypass Using an Alternate Path or Channel vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Password Recovery Exploitation.This issue affects KiviCare: from n/a through <= 4.3.0. | ||||
| CVE-2026-42736 | 2 Wordplus, Wordpress | 2 Better Messages, Wordpress | 2026-05-30 | 7.5 High |
| Authorization Bypass Through User-Controlled Key vulnerability in wordplus BP Better Messages bp-better-messages allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects BP Better Messages: from n/a through <= 2.14.16. | ||||
| CVE-2026-42737 | 2 Vikwp, Wordpress | 2 Vikbooking Hotel Booking Engine & Pms, Wordpress | 2026-05-30 | 8.6 High |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows Path Traversal.This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.9. | ||||
| CVE-2026-42757 | 2 Saleswonder, Wordpress | 2 Webinarignition, Wordpress | 2026-05-30 | 9.9 Critical |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Saleswonder Team: Tobias WebinarIgnition webinar-ignition allows Path Traversal.This issue affects WebinarIgnition: from n/a through < 4.08.253. | ||||
| CVE-2026-42758 | 2 Saleswonder, Wordpress | 2 Webinarignition, Wordpress | 2026-05-30 | 9.8 Critical |
| Incorrect Privilege Assignment vulnerability in Saleswonder Team: Tobias WebinarIgnition webinar-ignition allows Privilege Escalation.This issue affects WebinarIgnition: from n/a through < 4.08.253. | ||||
| CVE-2026-42762 | 2 Vikwp, Wordpress | 2 Vikbooking Hotel Booking Engine & Pms, Wordpress | 2026-05-30 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking allows DOM-Based XSS.This issue affects VikBooking Hotel Booking Engine & PMS: from n/a through <= 1.8.9. | ||||
| CVE-2026-49059 | 2 Facebook, Wordpress | 2 Facebook For Woocommerce, Wordpress | 2026-05-30 | 4.7 Medium |
| URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Facebook Facebook for WooCommerce allows Phishing. This issue affects Facebook for WooCommerce: from n/a through 3.7.0. | ||||
| CVE-2026-49052 | 2 Wordpress, Wpmet | 2 Wordpress, Elementskit Elementor Addons | 2026-05-30 | 4.3 Medium |
| Missing Authorization vulnerability in Wpmet ElementsKit Elementor addons Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementsKit Elementor addons Lite: from n/a through 3.9.6. | ||||
| CVE-2026-49053 | 2 Wordpress, Wpmet | 2 Wordpress, Elementskit Elementor Addons | 2026-05-30 | 5.3 Medium |
| Missing Authorization vulnerability in Wpmet ElementsKit Elementor addons Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementsKit Elementor addons Lite: from n/a through 3.9.6. | ||||
| CVE-2026-7862 | 2 Eupago, Wordpress | 2 Eupago Gateway Woocommerce, Wordpress | 2026-05-30 | 8.6 High |
| The Eupago Gateway For Woocommerce WordPress plugin before 4.7.2 does not properly restrict access to its refund request handler, allowing unauthenticated attackers to initiate refunds against any WooCommerce order using the merchant's payment gateway credentials, and for applicable payment methods, to redirect refunded funds to an attacker-controlled bank account. | ||||
| CVE-2026-9618 | 2 Peachpay, Wordpress | 2 Peachpay - Payments & Express Checkout For Woocommerce (supports Stripe, Paypal, Square, Authorizenet), Wordpress | 2026-05-30 | 4.3 Medium |
| The PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net, NMI) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.120.46. This is due to missing or incorrect nonce validation on the peachpay_stripe_handle_admin_actions function. This makes it possible for unauthenticated attackers to permanently delete all stored Stripe credentials — including publishable keys, secret keys, webhook secrets, and Apple Pay configuration — from the WordPress database, disabling Stripe payment processing for the store via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-8809 | 2 Hwk-fr, Wordpress | 2 Advanced Custom Fields, Wordpress | 2026-05-30 | 9.8 Critical |
| The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation via Validation Bypass in all versions up to and including 0.9.2.5. The vulnerability exists due to the after_validate_save_post() function unconditionally trusting the attacker-controlled _acf_post_id POST parameter — with no authentication or integrity verification — to select a cleanup branch that silently discards all validation errors not prefixed with acfe:. This makes it possible for unauthenticated attackers to suppress both the role allow-list validation error added by acfe_field_user_roles::validate_front_value() and the administrator-role capability guard error added by acfe_module_form_action_user::validate_action(), causing wp_insert_user() to execute with an attacker-supplied administrator role argument and resulting in the creation of a new administrator-level user account. Exploitation requires the target site to expose a public ACFE frontend form configured with a Create User action that maps a role field. | ||||
| CVE-2026-2128 | 2 Cloudways, Wordpress | 2 Breeze, Wordpress | 2026-05-30 | 5.3 Medium |
| The Breeze plugin for WordPress is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor in all versions up to, and including, 2.5.2 This is due to improper verification of the `wordpress_logged_in_` cookie in the `inc/cache/execute-cache.php` file when the "Cache Logged-in Users" setting is enabled. The plugin parses the username directly from the cookie value (e.g., `username|hash`) using `substr()` to retrieve the corresponding cache file but fails to verify the session's cryptographic signature or validity with WordPress core. This makes it possible for unauthenticated attackers to supply a crafted cookie (e.g., `wordpress_logged_in_fake=admin|fake`) to trick the plugin into serving the cached HTML content generated for an administrator, leading to the disclosure of sensitive information such as private posts (including their full content), the Admin Bar, WordPress nonces, and other data visible only to logged-in administrators or other users. | ||||
| CVE-2026-9243 | 2 Posimyththemes, Wordpress | 2 The Plus Addons For Elementor – Addons For Elementor, Page Templates, Widgets, Mega Menu, Woocommerce, Wordpress | 2026-05-30 | 6.4 Medium |
| The Plus Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'carousel_direction' parameter of the Carousel Anything widget in versions up to, and including, 6.4.15 This is due to insufficient output escaping in the render() function, where the carousel_direction value is placed into an unquoted HTML attribute (dir=) allowing attribute injection despite the use of esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | ||||
| CVE-2026-4290 | 2 Wordpress, Wp Travel | 2 Wordpress, Wp Travel | 2026-05-30 | 9.1 Critical |
| The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/{user_id} REST API endpoint in all versions up to, and including, 10.6.0. This is due to the check_permission() callback unconditionally returning true and the Database::delete() method passing the user ID directly to wp_delete_user() without any role validation. This makes it possible for unauthenticated attackers to delete arbitrary user accounts, including those of administrators. | ||||
| CVE-2026-3279 | 2 Clorith, Wordpress | 2 Enable Jquery Migrate Helper, Wordpress | 2026-05-29 | 6.5 Medium |
| The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `downgrade_jquery_version()` function in all versions up to, and including, 1.4.1. This is due to the function only verifying a nonce without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to downgrade the site-wide jQuery version from 3.7.1 to the legacy 1.12.4-wp release, which has knowns security vulnerabilities. | ||||
| CVE-2026-8832 | 2 Smub, Wordpress | 2 Wpcode – Insert Headers And Footers + Custom Code Snippets – Wordpress Code Manager, Wordpress | 2026-05-29 | 8.8 High |
| The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due to the 'wpcode' custom post type being registered without a custom capability_type or capability restrictions in the wpcode_register_post_type() function, allowing WordPress core to fall back to standard post capabilities for all creation paths including XML-RPC. This makes it possible for authenticated attackers, with author-level access and above, to create and publish executable PHP snippet posts via XML-RPC wp.newPost, which are then executed server-side via eval() in the run_eval() function when the snippet is rendered through the [wpcode] shortcode. | ||||