Vulnerabilites CVE
Base de donnees CVE enrichie avec CISA KEV et NVD
| CVE ID | CVSS | Severite | KEV | Observations |
|---|---|---|---|---|
| CVE-2026-1163 An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to co... | N/A | NONE | — | 0 |
| CVE-2026-5726 ASDA-Soft Stack-based Buffer Overflow Vulnerability | 7.8 | HIGH | — | 0 |
| CVE-2026-2988 The Blubrry PowerPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'powerpress' and 'podcast' shortcodes in versions up to, and including, 11.15.15 due to insufficient in... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-4379 The LightPress Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `group` attribute in the `[gallery]` shortcode in all versions up to, and including, 2.3.4. This is du... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-3513 The TableOn – WordPress Posts Table Filterable plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tableon_button' shortcode in all versions up to and including 1.0.4.4. This is... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-3600 The Investi plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'investi-announcements-accordion' shortcode's 'maximum-num-years' attribute in all versions up to, and including, ... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-3646 The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress is vulnerable to Missing Authorization via the plugin's webhook handler in all versions up to, and including, 3.3.13. This is due to ... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-4003 The Users manager – PN plugin for WordPress is vulnerable to Privilege Escalation via Arbitrary User Meta Update in all versions up to and including 1.1.15. This is due to a flawed authorization logic... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-4299 The MainWP Child Reports plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 2.2.6. This is due to a missing capability check in the heartbeat_received() fu... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-4333 The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'skin' attribute of the learn_press_courses shortcode in all versions up to and includin... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-4341 The Prime Slider – Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'follow_us_text' setting of the Mount widget in all versions up to, and including, 4.1... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-33273 Unrestricted upload of file with dangerous type issue exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, an arbitrary file may be created by an administrator of the produc... | N/A | NONE | — | 0 |
| CVE-2026-3311 The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Progress Ba... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-5082 Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id. The generate_session_id function will attempt to read bytes from the /dev/urandom device, bu... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-5083 Ado::Sessions versions through 0.935 for Perl generates insecure session ids. The session id is generated from a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PI... | 5.3 | MEDIUM | — | 0 |
| CVE-2025-1794 The AM LottiePlayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via uploaded SVG files in all versions up to, and including, 3.6.0 due to insufficient input sanitization and outp... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-3142 The Pinterest Site Verification plugin using Meta Tag plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_var' parameter in versions up to, and including, 1.8 due to insuff... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-3477 The PZ Frontend Manager plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.6. The pzfm_user_request_action_callback() function, registered via the wp_a... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-3480 The WP Blockade plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 0.9.14. The plugin registers an admin_post action hook 'wp-blockade-shortcode-render' th... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-3535 The DSGVO Google Web Fonts GDPR plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the `DSGVOGWPdownloadGoogleFonts()` function in all versions up to, a... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-3594 The Riaxe Product Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4 via the '/wp-json/InkXEProductDesignerLite/orders' REST API ... | 5.3 | MEDIUM | — | 0 |
| CVE-2019-25611 MiniFtp contains a buffer overflow vulnerability in the parseconf_load_setting function that allows local attackers to execute arbitrary code by supplying oversized configuration values. Attackers can... | 8.4 | HIGH | — | 0 |
| CVE-2026-4550 A vulnerability has been found in code-projects Simple Gym Management System up to 1.0. This affects an unknown part of the file /gym/func.php. Such manipulation of the argument Trainer_id/fname leads... | 4.7 | MEDIUM | — | 0 |
| CVE-2026-33292 WWBN AVideo is an open source video platform. Prior to version 26.0, the HLS streaming endpoint (`view/hls.php`) is vulnerable to a path traversal attack that allows an unauthenticated attacker to str... | 7.5 | HIGH | — | 0 |
| CVE-2026-3618 The Columns by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute of the [print_clmns] shortcode in all versions up to and including 1.0.3. ... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-3781 The Attendance Manager plugin for WordPress is vulnerable to SQL Injection via the 'attmgr_off' parameter in all versions up to, and including, 0.6.2. This is due to insufficient escaping on the user ... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-4141 The Quran Translations plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation in the quran_playlist_options... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-4808 The Gerador de Certificados – DevApps plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the moveUploadedFile() function in all versions up to, and inc... | 7.2 | HIGH | — | 0 |
| CVE-2026-5167 The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.1.7. T... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-5169 The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Form Header' field in versions up to and including 1.0. This is due to insufficient input ... | 4.4 | MEDIUM | — | 0 |
| CVE-2026-5506 The Wavr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wave` shortcode in all versions up to, and including, 0.2.6. This is due to insufficient input sanitization... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-5508 The WowPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `wowpress` shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sani... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-4654 The Awesome Support – WordPress HelpDesk & Support Plugin plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 6.3.7. This is due to the wpas_get_ti... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-4655 The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the SVG Image Widget in versions up to and including 8.4.2. This is due to insufficient inpu... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-1396 The Magic Conversation For Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'magic-conversation' shortcode in all versions up to, and including, 3.0.97 due to in... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-25776 Movable Type provided by Six Apart Ltd. contains a code injection vulnerability which may allow an attacker to execute arbitrary Perl script. | N/A | NONE | — | 0 |
| CVE-2026-33088 Movable Type provided by Six Apart Ltd. contains an SQL Injection vulnerability which may allow an attacker to execute an arbitrary SQL statement. | N/A | NONE | — | 0 |
| CVE-2026-39464 Server-Side Request Forgery (SSRF) vulnerability in SeedProd Coming Soon Page, Under Construction & Maintenance Mode by SeedProd coming-soon allows Server Side Request Forgery.This issue affects Comin... | N/A | NONE | — | 0 |
| CVE-2026-39466 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPMU DEV - Your All-in-One WordPress Platform Broken Link Checker broken-link-checker allows Blind... | N/A | NONE | — | 0 |
| CVE-2026-39469 Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Softaculous PageLayer pagelayer allows Retrieve Embedded Sensitive Data.This issue affects PageLayer: from n... | N/A | NONE | — | 0 |
| CVE-2026-39473 Insertion of Sensitive Information Into Sent Data vulnerability in Pär Thernström Simple History simple-history allows Retrieve Embedded Sensitive Data.This issue affects Simple History: from n/a thro... | N/A | NONE | — | 0 |
| CVE-2026-39475 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Blind SQL Injection.This issue affects User Fee... | N/A | NONE | — | 0 |
| CVE-2026-39476 Missing Authorization vulnerability in Syed Balkhi User Feedback userfeedback-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Feedback: from n/a th... | N/A | NONE | — | 0 |
| CVE-2026-39477 Missing Authorization vulnerability in Brainstorm Force CartFlows cartflows allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CartFlows: from n/a through <= 2.... | N/A | NONE | — | 0 |
| CVE-2026-39479 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Brainstorm Force OttoKit suretriggers allows Blind SQL Injection.This issue affects OttoKit: from ... | N/A | NONE | — | 0 |
| CVE-2026-39482 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PublishPress Post Expirator post-expirator allows DOM-Based XSS.This issue affects Post Expirator:... | N/A | NONE | — | 0 |
| CVE-2026-39483 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hidekazu Ishikawa VK All in One Expansion Unit vk-all-in-one-expansion-unit allows Stored XSS.This... | N/A | NONE | — | 0 |
| CVE-2026-39484 URL Redirection to Untrusted Site ('Open Redirect') vulnerability in John Darrel Hide My WP Ghost hide-my-wp allows Phishing.This issue affects Hide My WP Ghost: from n/a through < 7.0.00. | N/A | NONE | — | 0 |
| CVE-2026-39486 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WP Chill Download Monitor download-monitor allows Blind SQL Injection.This issue affects Download ... | N/A | NONE | — | 0 |
| CVE-2026-39488 Missing Authorization vulnerability in SureCart SureCart surecart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SureCart: from n/a through <= 4.0.2. | N/A | NONE | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.