Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-3651 The Build App Online plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.23. This is due to the plugin registering the 'build-app-online-update-vendor-p... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-3645 The Punnel β Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.1. The save_config() function, which handles the 'punnel_save_co... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-3641 The Appmax plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 1.0.3. This is due to the plugin registering a public REST API webhook endpoint at /web... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-3619 The Sheets2Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'titles' shortcode attribute in the [sheets2table-render-table] shortcode in all versions up to and including... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-3617 The Paypal Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'amount' and 'name' shortcode attributes in all versions up to, and including, 0.3. This is due to insuff... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-3570 The Smarter Analytics plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.0. This is due to missing authentication and capability checks on the configurat... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-3554 The Sherk Custom Post Type Displays plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in all versions up to, and including, 1.2.1. This is due to in... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-3546 The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.2. The eshot_form_builder_get_account_data() function is register... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-3506 The WP-Chatbot for Messenger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9. This is due to the plugin not properly verifying that a user is autho... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-3478 The Content Syndication Toolkit plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3 via the redux_p AJAX action in the bundled ReduxFramework li... | 7.2 | HIGH | β | 0 |
| CVE-2026-3460 The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback (update_user_wech... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-3354 The Wikilookup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Popup Width' setting in all versions up to, and including, 1.1.5. This is due to insufficient input sanitizati... | 4.4 | MEDIUM | β | 0 |
| CVE-2026-3353 The Comment SPAM Wiper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' setting in all versions up to, and including, 1.2.1. This is due to insufficient input saniti... | 4.4 | MEDIUM | β | 0 |
| CVE-2026-3347 The Multi Functional Flexi Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `arv_lb[message]` parameter in all versions up to, and including, 1.2 due to insufficient ... | 5.5 | MEDIUM | β | 0 |
| CVE-2026-3335 The Canto plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1 via the `/wp-content/plugins/canto/includes/lib/copy-media.php` file. This is due to t... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-3334 The CMS Commander plugin for WordPress is vulnerable to SQL Injection via the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in all versions up to, and including, 2.288. This is ... | 8.8 | HIGH | β | 0 |
| CVE-2026-3333 The MinhNhut Link Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'linkgate' shortcode in all versions up to, and including, 3.6.1 due to insufficient input ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-3332 The Xhanch - My Advanced Settings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation in the `xms_sett... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-3331 The Lobot Slider Administrator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.6.0. This is due to missing or incorrect nonce validation on the fou... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-3003 The Vagaro Booking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the βvagaro_codeβ parameter in all versions up to, and including, 0.3 due to insufficient input sanitiza... | 7.2 | HIGH | β | 0 |
| CVE-2026-2941 The Linksy Search and Replace plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'linksy_search_and_replace_item_details' function in all ... | 8.8 | HIGH | β | 0 |
| CVE-2026-2837 The Ricerca β advanced search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's settings in all versions up to, and including, 1.1.12 due to insufficient input sanitizatio... | 4.4 | MEDIUM | β | 0 |
| CVE-2026-2723 The Post Snippits plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page handlers for ... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-2720 The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of sensitive employee data due to a missing capability check on the `hrp-fetch-employees` AJAX action in all versions up to,... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-2503 The ElementCamp plugin for WordPress is vulnerable to time-based SQL Injection via the 'meta_query[compare]' parameter in the 'tcg_select2_search_post' AJAX action in all versions up to, and including... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-2501 The Ed's Social Share plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `social_share` shortcode in all versions up to, and including, 2.0. This is due to insufficient... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2496 The Ed's Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `eds_font_awesome` shortcode in all versions up to, and including, 2.0. This is due to insuffic... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2468 The Quentn WP plugin for WordPress is vulnerable to SQL Injection via the 'qntn_wp_access' cookie in all versions up to, and including, 1.2.12. This is due to insufficient escaping on the user supplie... | 7.5 | HIGH | β | 0 |
| CVE-2026-2440 The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.5.3 via survey result submissions. This is due to insufficient input sanitization... | 7.2 | HIGH | β | 0 |
| CVE-2026-2427 The itsukaita plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'day_from' and 'day_to' parameters in all versions up to, and including, 0.1.2 due to insufficient input sani... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-2424 The Reward Video Ad for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6. This is due to insufficient input sani... | 4.4 | MEDIUM | β | 0 |
| CVE-2026-2375 The App Builder β Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.5.10. This is due to the `verify_rol... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-2351 The Task Manager plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.0.2 via the callback_get_text_from_url() function. This makes it possible for authent... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-2294 The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'uip_save_globa... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-2290 The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.28.0. This makes it possible for authenticated attackers, with Administ... | 3.8 | LOW | β | 0 |
| CVE-2026-2279 The myLinksDump plugin for WordPress is vulnerable to SQL Injection via the 'sort_by' and 'sort_order' parameters in all versions up to, and including, 1.6 due to insufficient escaping on the user sup... | 7.2 | HIGH | β | 0 |
| CVE-2026-2277 The rexCrawler plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' and 'regex' parameters in the search-pattern tester page in all versions up to, and including, 1.0.15 ... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-2121 The Weaver Show Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add_class' parameter in all versions up to, and including, 1.8.1. This is due to insufficient input san... | 4.4 | MEDIUM | β | 0 |
| CVE-2026-1935 The Company Posts for LinkedIn plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.0. This is due to a missing capability check on the `linkedin_compa... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1914 The FuseDesk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fusedesk_newcase shortcode in all versions up to, and including, 6.8 due to insufficient input sanitizat... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1911 The Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tweet_title' parameter in the 'TwitterFeeds' shortcode in all versions up to, and including, 1.0.0 due to i... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1908 The Integration with Hubspot Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hubspotform' shortcode in all versions up to, and including, 1.2.2 due to insufficient inp... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1899 The Any Post Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aps_slider shortcode in all versions up to, and including, 1.0.4 due to insufficient input saniti... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1891 The Simple Football Scoreboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ytmr_fb_scoreboard' shortcode in all versions up to, and including, 1.0 due to insufficient in... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1889 The Outgrow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the 'outgrow' shortcode in all versions up to, and including, 2.1. This is due to insufficient i... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1886 The Go Night Pro | WordPress Dark Mode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'go-night-pro-shortcode' shortcode in all versions up to, and including, 1.1.0... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1854 The Post Flagger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'flag' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization an... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1851 The iVysilani Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' shortcode attribute in all versions up to, and including, 3.0 due to insufficient input saniti... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1822 The WP NG Weather plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ng-weather' shortcode in all versions up to, and including, 1.0.9 due to insufficient input saniti... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1806 The Tour & Activity Operator Plugin for TourCMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'target' parameter of the tourcms_doc_link shortcode in all versions up to, an... | 6.4 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.