Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2025-13959 The Filestack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'filepicker' shortcode in all versions up to, and including, 2.0.8 due to insufficient input sanitizati... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-6460 The Display During Conditional Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the βmessageβ parameter in all versions up to, and including, 1.2 due to insufficient inp... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1277 The URL Shortify plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.12.1 due to insufficient validation on the 'redirect_to' parameter in the promotional dismi... | 4.7 | MEDIUM | β | 0 |
| CVE-2026-1296 The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to Open Redirection in all versions up to, and including, 1.2.7 due to insufficient validation on the 'requested_page' POST... | 6.1 | MEDIUM | β | 0 |
| CVE-2025-12356 The Tickera β Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_change_ticket_status' AJAX endpoint... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1072 The Keybase.io Verification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.5. This is due to missing nonce validation when updating plugin s... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1304 The Membership Plugin β Restrict Content for WordPress is vulnerable to Stored Cross-Site Scripting via multiple invoice settings fields in all versions up to, and including, 3.2.18 due to insufficien... | 4.4 | MEDIUM | β | 0 |
| CVE-2026-1368 The Video Conferencing with Zoom WordPress plugin before 4.6.6 contains an AJAX handler that has its nonce verification commented out, allowing unauthenticated attackers to generate valid Zoom SDK sig... | 7.5 | HIGH | β | 0 |
| CVE-2026-1639 The Taskbuilder β WordPress Project Management & Task Management plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order' and 'sort_by' parameters in all versions up to, an... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-1906 The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.0 via the `wpo_ips_edi_save_order_cust... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-2023 The WP Plugin Info Card plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0. This is due to missing nonce validation in the ajax_save_custom_pl... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1655 The EventPrime plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization checks in all versions up to, and including, 4.2.8.4. This is due to the save_frontend_... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1831 The YayMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized plugin installation and activation due to missing capability checks on the 'yaymail_install_yaysmtp' AJAX ... | 2.7 | LOW | β | 0 |
| CVE-2026-1860 The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the `get_items_permissions_check()` permission callbac... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-1938 The YayMail β WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized license key deletion due to a missing authorization check on the `/yaymail-license/v1/license/delete` REST... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-1941 The WP Event Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_events' shortcode in all versions up to, and including, 1.8.7 due to insufficient input s... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-2127 The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to unauthorized arbitrary shortcode execution in all versions up to, and including, 1.70.4. This is due to a missing capability check o... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-2495 The WPNakama β Team and multi-Client Collaboration, Editorial and Project Management plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the '/wp-json/WPNakama/v1/boards' ... | 7.5 | HIGH | β | 0 |
| CVE-2025-11185 The Complianz β GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cmplz-accept-link shortcode in all versions up to, and including, 7.4.3 due ... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-59920 When hours are entered in time@work, version 7.0.5, it performs a query to display the projects assigned to the user. If the query URL is copied and opened in a new browser window, the βIDClientβ para... | N/A | NONE | β | 0 |
| CVE-2025-14799 The Brevo - Email, SMS, Web Push, Chat, and more. plugin for WordPress is vulnerable to authorization bypass due to type juggling in all versions up to, and including, 3.3.0. This is due to the use of... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-7630 Improper Restriction of Excessive Authentication Attempts, Improper Authentication vulnerability in Doruk Communication and Automation Industry and Trade Inc. Wispotter allows Password Brute Forcing, ... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-8781 The Bookster β WordPress Appointment Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the βrawβ parameter in all versions up to, and including, 2.1.1 due to insufficient escaping... | 4.9 | MEDIUM | β | 0 |
| CVE-2026-1317 The WP Import β Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the `fil... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-1582 The WP All Export plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.14 via the export download endpoint. This is due to a PHP type juggling... | 3.7 | LOW | β | 0 |
| CVE-2026-2386 The The Plus Addons for Elementor β Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and inclu... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-14340 Cross-site scripting in REST Management Interface in Payara Server <4.1.2.191.54, <5.83.0,Β <6.34.0,Β <7.2026.1 allows an attacker to mislead the administrator to change the admin password via URL Paylo... | N/A | NONE | β | 0 |
| CVE-2026-2464 Path traversal vulnerability in the AMR Printer Management 1.01 Beta web service, which allows remote attackers to read arbitrary files from the underlying Windows system by using specially crafted pa... | N/A | NONE | β | 0 |
| CVE-2025-61982 An arbitrary code execution vulnerability exists in the Code Stream directive functionality of OpenCFD OpenFOAM 2506. A specially crafted OpenFOAM simulation file can lead to arbitrary code execution.... | 7.8 | HIGH | β | 0 |
| CVE-2026-1404 The Ultimate Member β User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the filter p... | 6.1 | MEDIUM | β | 0 |
| CVE-2026-1426 The Advanced AJAX Product Filters plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.1.9.6 via deserialization of untrusted input in the shortcode_check... | 8.8 | HIGH | β | 0 |
| CVE-2025-13602 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accide... | N/A | NONE | β | 0 |
| CVE-2025-13933 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2025-12500. Reason: This candidate is a reservation duplicate of CVE-2025-12500. Notes: All CVE users should reference C... | N/A | NONE | β | 0 |
| CVE-2025-13965 Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2025-12500. Reason: This candidate is a reservation duplicate of CVE-2025-12500. Notes: All CVE users should reference C... | N/A | NONE | β | 0 |
| CVE-2026-2230 The Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.14.14 via the handle_ajax_save function due to missing validation o... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-2507 When BIG-IP AFM or BIG-IP DDoS is provisioned, undisclosed traffic can cause TMM to terminate.Β Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 7.5 | HIGH | β | 0 |
| CVE-2026-23547 Missing Authorization vulnerability in cmsmasters CMSMasters Content Composer cmsmasters-content-composer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CMS... | 7.1 | HIGH | β | 0 |
| CVE-2026-20985 Improper input validation in Samsung Members prior to version 5.6.00.11 allows remote attackers to connect arbitrary URL and launch arbitrary activity with Samsung Members privilege. User interaction ... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-23803 Server-Side Request Forgery (SSRF) vulnerability in Burhan Nasir Smart Auto Upload Images smart-auto-upload-images allows Server Side Request Forgery.This issue affects Smart Auto Upload Images: from ... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-8587 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows SQL Injection.This issue affect... | 8.6 | HIGH | β | 0 |
| CVE-2026-23805 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Yoren Chang Media Search Enhanced media-search-enhanced allows SQL Injection.This issue affects Me... | 7.6 | HIGH | β | 0 |
| CVE-2026-24375 Missing Authorization vulnerability in WP Swings Ultimate Gift Cards For WooCommerce woo-gift-cards-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ulti... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-24999 Missing Authorization vulnerability in Alma Alma alma-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Alma: from n/a through <= 5.16.... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-25003 Missing Authorization vulnerability in madalin.ungureanu Client Portal client-portal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Portal: from n/a ... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-61645 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files include... | 6.1 | MEDIUM | β | 0 |
| CVE-2025-61649 Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Services/CheckUserUserInfoCardService.Php. This issue affects CheckUser: from 7cedd58781d261f1... | N/A | NONE | β | 0 |
| CVE-2019-25349 ScadaApp for iOS 1.1.4.0 contains a denial of service vulnerability that allows attackers to crash the application by inputting an oversized buffer in the Servername field. Attackers can paste a 257-c... | 7.5 | HIGH | β | 0 |
| CVE-2026-21517 Improper link resolution before file access ('link following') in Windows App for Mac allows an authorized attacker to elevate privileges locally. | 4.7 | MEDIUM | β | 0 |
| CVE-2025-61652 Vulnerability in Wikimedia Foundation DiscussionTools.This issue affects DiscussionTools: from * before 1.43.4, 1.44.1. | N/A | NONE | β | 0 |
| CVE-2025-61653 Vulnerability in Wikimedia Foundation TextExtracts. This vulnerability is associated with program files includes/ApiQueryExtracts.Php. This issue affects TextExtracts: from * before 1.39.14, 1.43.4, ... | N/A | NONE | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.