Export limit exceeded: 13021 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (13021 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-22413 | 2 Mikado-themes, Wordpress | 2 Malgré, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Malgré malgre allows PHP Local File Inclusion.This issue affects Malgré: from n/a through <= 1.0.3. | ||||
| CVE-2026-2628 | 2 Cyberlord92, Wordpress | 2 All-in-one Microsoft 365 & Entra Id / Azure Ad Sso Login, Wordpress | 2026-04-22 | 9.8 Critical |
| The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.2.5. This makes it possible for unauthenticated attackers to bypass authentication and log in as other users, including administrators. | ||||
| CVE-2026-3180 | 2 Contest-gallery, Wordpress | 2 Contest Gallery – Upload & Vote Photos, Media, Sell With Paypal & Stripe, Wordpress | 2026-04-22 | 7.5 High |
| The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to blind SQL Injection via the ‘cgLostPasswordEmail’ and the ’cgl_mail’ parameter in all versions up to, and including, 28.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The vulnerability's ’cgLostPasswordEmail’ parameter was patched in version 28.1.4, and the ’cgl_mail’ parameter was patched in version 28.1.5. | ||||
| CVE-2026-22423 | 2 Select-themes, Wordpress | 2 Setsail, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes SetSail setsail allows PHP Local File Inclusion.This issue affects SetSail: from n/a through <= 1.8. | ||||
| CVE-2026-22425 | 2 Elated-themes, Wordpress | 2 Sweet Jane, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Sweet Jane sweetjane allows PHP Local File Inclusion.This issue affects Sweet Jane: from n/a through <= 1.2. | ||||
| CVE-2026-22433 | 2 Ancorathemes, Wordpress | 2 Cloudme, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes CloudMe cloudme allows PHP Local File Inclusion.This issue affects CloudMe: from n/a through <= 1.2.2. | ||||
| CVE-2026-22435 | 2 Ancorathemes, Wordpress | 2 Electroserv, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes ElectroServ electroserv allows PHP Local File Inclusion.This issue affects ElectroServ: from n/a through <= 1.3.2. | ||||
| CVE-2026-22436 | 2 Elated-themes, Wordpress | 2 Helvig, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Helvig helvig allows PHP Local File Inclusion.This issue affects Helvig: from n/a through <= 1.0. | ||||
| CVE-2026-22441 | 2 Elated-themes, Wordpress | 2 Zentrum, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Zentrum zentrum allows PHP Local File Inclusion.This issue affects Zentrum: from n/a through <= 1.0. | ||||
| CVE-2026-1492 | 2 Wordpress, Wpeverest | 2 Wordpress, User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | 2026-04-22 | 9.8 Critical |
| The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to improper privilege management in all versions up to, and including, 5.1.2. This is due to the plugin accepting a user-supplied role during membership registration without properly enforcing a server-side allowlist. This makes it possible for unauthenticated attackers to create administrator accounts by supplying a role value during membership registration. | ||||
| CVE-2026-2732 | 2 Shortpixel, Wordpress | 2 Enable Media Replace, Wordpress | 2026-04-22 | 5.4 Medium |
| The Enable Media Replace plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'RemoveBackGroundViewController::load' function in all versions up to, and including, 4.1.7. This makes it possible for authenticated attackers, with Author-level access and above, to replace any attachment with a removed background attachment. | ||||
| CVE-2026-1566 | 2 Latepoint, Wordpress | 2 Latepoint – Calendar Booking Plugin For Appointments And Events, Wordpress | 2026-04-22 | 8.8 High |
| The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 5.2.7. This is due to the plugin allowing users with a LatePoint Agent role, who are creating new customers to set the 'wordpress_user_id' field. This makes it possible for authenticated attackers, with Agent-level access and above, to gain elevated privileges by linking a customer to the arbitrary user ID, including administrators, and then resetting the password. | ||||
| CVE-2026-22440 | 2 Foreverpinetree, Wordpress | 2 Thecs, Wordpress | 2026-04-22 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree Thecs thecs allows Reflected XSS.This issue affects Thecs: from n/a through <= 1.4.7. | ||||
| CVE-2026-27341 | 2 Mikado-themes, Wordpress | 2 Topscorer - Sports Wordpress Theme, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes TopScorer - Sports WordPress Theme topscorer allows PHP Local File Inclusion.This issue affects TopScorer - Sports WordPress Theme: from n/a through <= 1.2. | ||||
| CVE-2026-27334 | 2 Dan Fisher, Wordpress | 2 Alchemists, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in dan_fisher Alchemists alchemists allows PHP Local File Inclusion.This issue affects Alchemists: from n/a through <= 4.6.0. | ||||
| CVE-2026-27369 | 2 Boldthemes, Wordpress | 2 Celeste, Wordpress | 2026-04-22 | 8.1 High |
| Deserialization of Untrusted Data vulnerability in BoldThemes Celeste celeste allows Object Injection.This issue affects Celeste: from n/a through <= 1.3.6. | ||||
| CVE-2026-27332 | 2 Skygroup, Wordpress | 2 Agrofood, Wordpress | 2026-04-22 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Agrofood agrofood allows Reflected XSS.This issue affects Agrofood: from n/a through < 1.4.0. | ||||
| CVE-2026-27382 | 2 Radiustheme, Wordpress | 2 Metro, Wordpress | 2026-04-22 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RadiusTheme Metro metro allows DOM-Based XSS.This issue affects Metro: from n/a through <= 2.13. | ||||
| CVE-2026-27383 | 2 Radiustheme, Wordpress | 2 Metro, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Metro metro allows PHP Local File Inclusion.This issue affects Metro: from n/a through <= 2.13. | ||||
| CVE-2026-27385 | 2 Designthemes, Wordpress | 2 Designthemes Portfolio, Wordpress | 2026-04-22 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes DesignThemes Portfolio designthemes-portfolio allows Reflected XSS.This issue affects DesignThemes Portfolio: from n/a through <= 1.3. | ||||