Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2026-22486 Missing Authorization vulnerability in Hakob Re Gallery & Responsive Photo Gallery Plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Re Gallery & Respon... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-22487 Missing Authorization vulnerability in baqend Speed Kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Speed Kit: from n/a through 2.0.2. | 4.3 | MEDIUM | β | 0 |
| CVE-2026-22488 Missing Authorization vulnerability in IdeaBox Creations Dashboard Welcome for Beaver Builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Dashboard Welco... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-22489 Authorization Bypass Through User-Controlled Key vulnerability in Wptexture Image Slider Slideshow allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Image Slid... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-14505 The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6979 https://datatracker.ietf.org/doc/html/rfc6979 ) h... | 5.6 | MEDIUM | β | 0 |
| CVE-2025-14436 The Brevo for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the βuser_connection_idβ parameter in all versions up to, and including, 4.0.49 due to insufficient inpu... | 7.2 | HIGH | β | 0 |
| CVE-2026-0732 A vulnerability was found in D-Link DI-8200G 17.12.20A1. This affects an unknown function of the file /upgrade_filter.asp. The manipulation of the argument path results in command injection. The attac... | 6.3 | MEDIUM | β | 0 |
| CVE-2026-22714 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Monaco Skin allows Cross-Site Scripting (XSS).This iss... | N/A | NONE | β | 0 |
| CVE-2026-22630 Rejected reason: Not used | N/A | NONE | β | 0 |
| CVE-2026-22631 Rejected reason: Not used | N/A | NONE | β | 0 |
| CVE-2026-22632 Rejected reason: Not used | N/A | NONE | β | 0 |
| CVE-2026-22633 Rejected reason: Not used | N/A | NONE | β | 0 |
| CVE-2026-22634 Rejected reason: Not used | N/A | NONE | β | 0 |
| CVE-2026-22635 Rejected reason: Not used | N/A | NONE | β | 0 |
| CVE-2026-22636 Rejected reason: Not used | N/A | NONE | β | 0 |
| CVE-2025-14886 The Japanized for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `order` REST API endpoint in all versions up to, and incl... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-40977 Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a lack of proper validation of user input by sending a POST request to β/store-ticketβ, using the βsubjectβ ... | N/A | NONE | β | 0 |
| CVE-2025-13749 The Clearfy Cache β WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.0. This is du... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-14803 The NEX-Forms WordPress plugin before 9.1.8 does not sanitise and escape some of its settings. The NEX-Forms WordPress plugin before 9.1.8 can be configured in such a way that could allow subscriber... | 6.8 | MEDIUM | β | 0 |
| CVE-2025-14574 The weDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.15 via the `/wp-json/wp/v2/docs/settings` REST API endpoint. This makes it pos... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-14718 The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9.3. This is due to the plugin not properly verify... | 5.4 | MEDIUM | β | 0 |
| CVE-2025-14720 The Booking for Appointments and Events Calendar β Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-14736 The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.25. This is due to insufficient validation of user-supplied role ... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-14782 The Forminator Forms β Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.49.1 via the 'listen_for_csv_... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-14893 The IndieWeb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Telephone' parameter in all versions up to, and including, 4.0.5 due to insufficient input sanitization and outp... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-14980 The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. This makes it possible for authenticated att... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-15019 The BIALTY - Bulk Image Alt Text (Alt tag, Alt Attribute) with Yoast SEO + WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'bialty_cs_alt' post meta in all versio... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-15055 The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input... | 7.2 | HIGH | β | 0 |
| CVE-2025-15057 The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fh` (fingerprint) parameter in all versions up to, and including, 5.3.3. This is due to insufficient i... | 7.2 | HIGH | β | 0 |
| CVE-2025-70974 Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that... | 10.0 | CRITICAL | β | 0 |
| CVE-2026-0563 The WP Google Street View (with 360Β° virtual tour) & Google maps + Local SEO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpgsv_map' shortcode in all versions up to, and ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-20968 Use after free in DualDAR prior to SMR Jan-2026 Release 1 allows local privileged attackers to execute arbitrary code. | 6.7 | MEDIUM | β | 0 |
| CVE-2026-20969 Improper input validation in SecSettings prior to SMR Jan-2026 Release 1 allows local attacker to access file with system privilege. User interaction is required for triggering this vulnerability. | 5.5 | MEDIUM | β | 0 |
| CVE-2026-20970 Improper access control in SLocation prior to SMR Jan-2026 Release 1 allows local attackers to execute the privileged APIs. | 7.8 | HIGH | β | 0 |
| CVE-2026-20971 Use After Free in PROCA driver prior to SMR Jan-2026 Release 1 allows local attackers to potentially execute arbitrary code. | 7.8 | HIGH | β | 0 |
| CVE-2026-20972 Improper Export of Android Application Components in UwbTest prior to SMR Jan-2026 Release 1 allows local attackers to enable UWB. | 3.3 | LOW | β | 0 |
| CVE-2026-20975 Improper handling of insufficient permission in Samsung Cloud prior to version 5.6.11 allows local attackers to access specific files in arbitrary path. | 5.5 | MEDIUM | β | 0 |
| CVE-2026-20976 Improper input validation in Galaxy Store prior to version 4.6.02 allows local attacker to execute arbitrary script. | 7.8 | HIGH | β | 0 |
| CVE-2025-13628 The Tutor LMS β eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler'... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-13753 The WP Table Builder β Drag & Drop Table Builder plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect authorization check on the save_table() function in all ver... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-13934 The Tutor LMS β eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capabili... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-13935 The Tutor LMS β eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-40978 Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a stored XSS due to a lack of proper validation of user input by sending a POST request to β/ticket/x/conver... | N/A | NONE | β | 0 |
| CVE-2025-14146 The Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 10.14.10 via the `WPBC_FLEXTIMELINE_NAV` AJAX action. This is due to the... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-14657 The Eventin β Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_set... | 7.2 | HIGH | β | 0 |
| CVE-2025-14741 The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization to unauthorized data modification and deletion due to a missing capability check on the 'delete_object' fun... | 9.1 | CRITICAL | β | 0 |
| CVE-2025-14937 The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action in all versions up to... | 7.2 | HIGH | β | 0 |
| CVE-2026-21409 Improper authorization vulnerability exists in RICOH Streamline NX 3.5.1 to 24R3. If a man-in-the-middle attack is conducted on the communication between the affected product and its user, and some cr... | N/A | NONE | β | 0 |
| CVE-2026-0627 The AMP for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.1.10. This is due to insufficient sanitization of SVG file... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-20963 Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | 8.8 | HIGH | KEV | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.