Search

Search Results (364628 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-12126 2 Wclovers, Wordpress 2 Wcfm Marketplace – Multivendor Marketplace For Woocommerce, Wordpress 2026-07-13 6.4 Medium
The WCFM Marketplace – Multivendor Marketplace for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Attachment 'post_title' in all versions up to, and including, 3.7.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Vendor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. An attacker can plant the payload by uploading a media attachment with a crafted title via the WordPress REST API (/wp-json/wp/v2/media), without ever invoking the AJAX endpoint themselves, as the unescaped title is later emitted inside DataTables JSON and inserted as innerHTML upon any privileged user loading the media dashboard.
CVE-2026-10041 2 Wclovers, Wordpress 2 Wcfm – Frontend Manager For Woocommerce, Wordpress 2026-07-13 4.3 Medium
The WCFM – Frontend Manager for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.27 via the wcfm_product_archive due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to archive arbitrary vendors' products, toggle the featured status on arbitrary listings, mark arbitrary WooCommerce orders as completed, and permanently delete arbitrary enquiries and bulk messages belonging to other vendors.
CVE-2026-57371 2 Denishua, Wordpress 2 Wpjam Basic, Wordpress 2026-07-13 8.8 High
Deserialization of Untrusted Data vulnerability in denishua WPJAM Basic wpjam-basic allows Object Injection.This issue affects WPJAM Basic: from n/a through <= 7.0.
CVE-2026-57379 2 Wordpress, Wppool 2 Wordpress, Formychat 2026-07-13 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPPOOL FormyChat social-contact-form allows Stored XSS.This issue affects FormyChat: from n/a through <= 2.15.3.
CVE-2026-57386 2 Kodezen, Wordpress 2 Ablocks, Wordpress 2026-07-13 8.8 High
Incorrect Privilege Assignment vulnerability in Kodezen LLC aBlocks ablocks allows Privilege Escalation.This issue affects aBlocks: from n/a through < 2.9.1.
CVE-2026-9492 1 Gigabyte 1 Mbstorage 2026-07-13 7.8 High
The MBStorage DRAM lighting control module within Gigabyte Control Center (GCC) developed by GIGABYTE Technology has an Improper Access Control vulnerability. Authenticated local attackers can send specific IOCTL commands through the driver MyPortIO_x64.sys bundled with the module, thereby arbitrarily reading and writing physical memory and obtaining kernel-level privileges.
CVE-2026-57392 2 Themefic, Wordpress 2 Tourfic, Wordpress 2026-07-13 6.5 Medium
Missing Authorization vulnerability in Themefic Tourfic tourfic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tourfic: from n/a through <= 2.22.5.
CVE-2026-57399 2 Proxy & Vpn Blocker, Wordpress 2 Proxy & Vpn Blocker, Wordpress 2026-07-13 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Proxy &amp; VPN Blocker Proxy &amp; VPN Blocker proxy-vpn-blocker allows Stored XSS.This issue affects Proxy &amp; VPN Blocker: from n/a through <= 3.5.8.
CVE-2026-57405 2 Themehunk, Wordpress 2 Open Shop, Wordpress 2026-07-13 7.1 High
Missing Authorization vulnerability in themehunk Open Shop open-shop allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Open Shop: from n/a through <= 1.7.1.
CVE-2026-15541 1 Will-moss 1 Isaiah 2026-07-13 7.3 High
A flaw has been found in will-moss Isaiah up to 1.36.9. The impacted element is the function Server.Handle of the file app/server/server/server.go of the component Master Websocket Handler. Executing a manipulation of the argument Agent can lead to missing authorization. It is possible to launch the attack remotely. The pull request to fix this issue awaits acceptance.
CVE-2026-14453 1 Centreon 1 Infra Monitoring 2026-07-13 9.6 Critical
This vulnerability is a critical Server-Side Template Injection (SSTI) in Centreon's centreon-open-tickets module that leads to Remote Code Execution. The message_confirm field is stored without sanitization and rendered via Smarty with no security policy enabled, allowing any authenticated user, to inject and execute arbitrary code on the server. This results in disclosure of environment secrets and could impact platform availability of Centreon Infra Monitoring product.
CVE-2026-57411 2 Aman, Wordpress 2 Cf7 Views – Complete Entry Management For Contact Form 7, Wordpress 2026-07-13 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aman CF7 Views &#8211; Complete Entry Management for Contact Form 7 cf7-views allows DOM-Based XSS.This issue affects CF7 Views &#8211; Complete Entry Management for Contact Form 7: from n/a through <= 3.2.2.
CVE-2026-57365 2 Hitesh Chandwani, Wordpress 2 Recaptcha (v2 & V3) For Asgaros Forum, Wordpress 2026-07-13 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hitesh Chandwani reCAPTCHA (v2 &amp; v3) for Asgaros Forum recaptcha-for-asgaros-forum allows DOM-Based XSS.This issue affects reCAPTCHA (v2 &amp; v3) for Asgaros Forum: from n/a through <= 1.1.0.
CVE-2026-57364 2 Wordpress, Wpdeveloper 2 Wordpress, Better Payment – Instant Payments, Donations, Fundraising With Subscriptions & More 2026-07-13 6.5 Medium
Improper Validation of Specified Quantity in Input vulnerability in WPDeveloper Better Payment – Instant Payments, Donations, Fundraising with Subscriptions &amp; More better-payment allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Better Payment – Instant Payments, Donations, Fundraising with Subscriptions &amp; More: from n/a through <= 2.2.0.
CVE-2026-57378 2 Phil Kurth, Wordpress 2 Advanced Forms, Wordpress 2026-07-13 7.5 High
Missing Authorization vulnerability in Phil Kurth Advanced Forms advanced-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced Forms: from n/a through <= 1.9.3.7.
CVE-2026-57417 2 Rextheme, Wordpress 2 Cart Lift, Wordpress 2026-07-13 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RexTheme Cart Lift cart-lift allows Stored XSS.This issue affects Cart Lift: from n/a through <= 3.1.57.
CVE-2026-57423 2 Kofimokome, Wordpress 2 Message Filter For Contact Form 7, Wordpress 2026-07-13 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kofi Mokome Message Filter for Contact Form 7 cf7-message-filter allows Reflected XSS.This issue affects Message Filter for Contact Form 7: from n/a through <= 1.6.3.8.
CVE-2026-57406 2 Roxnor, Wordpress 2 Fundengine, Wordpress 2026-07-13 6.5 Medium
Missing Authorization vulnerability in Roxnor FundEngine wp-fundraising-donation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FundEngine: from n/a through <= 1.7.6.
CVE-2026-57695 2 Dan Rossiter, Wordpress 2 Document Gallery, Wordpress 2026-07-13 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dan Rossiter Document Gallery document-gallery allows Reflected XSS.This issue affects Document Gallery: from n/a through <= 5.1.0.
CVE-2026-57424 2 Knitpay, Wordpress 2 Razorpay Payment Links For Woocommerce, Wordpress 2026-07-13 6.5 Medium
Missing Authorization vulnerability in knitpay Razorpay Payment Links for WooCommerce rzp-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Razorpay Payment Links for WooCommerce: from n/a through <= 2.1.4.