Search Results (363303 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-3533 2 Artbees, Wordpress 2 Jupiter X Core, Wordpress 2026-04-24 8.8 High
The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authorization on import_popup_templates() function as well as insufficient file type validation in the upload_files() function in all versions up to, and including, 4.14.1. This makes it possible for Authenticated attackers with Subscriber-level access and above, to upload files with dangerous types that can lead to Remote Code Execution on servers configured to handle .phar files as executable PHP (e.g., Apache+mod_php), or Stored Cross-Site Scripting via .svg, .dfxp, or .xhtml files upload on any server configuration
CVE-2026-22493 2 Elated-themes, Wordpress 2 Gaspard, Wordpress 2026-04-24 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Gaspard gaspard allows PHP Local File Inclusion.This issue affects Gaspard: from n/a through <= 1.3.
CVE-2026-22514 2 Ancorathemes, Wordpress 2 Unica, Wordpress 2026-04-24 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Unica unica allows PHP Local File Inclusion.This issue affects Unica: from n/a through <= 1.4.1.
CVE-2026-23973 2 Uxper, Wordpress 2 Golo, Wordpress 2026-04-24 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Golo golo allows Reflected XSS.This issue affects Golo: from n/a through < 1.7.5.
CVE-2026-24362 2 Bdthemes, Wordpress 2 Ultimate Post Kit, Wordpress 2026-04-24 6.4 Medium
Missing Authorization vulnerability in bdthemes Ultimate Post Kit ultimate-post-kit allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Post Kit: from n/a through <= 4.0.21.
CVE-2026-24370 2 Theme-one, Wordpress 2 The Grid, Wordpress 2026-04-24 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Theme-one The Grid the-grid allows Stored XSS.This issue affects The Grid: from n/a through < 2.8.0.
CVE-2026-24981 2 Nootheme, Wordpress 2 Visionary Core, Wordpress 2026-04-24 8.8 High
Deserialization of Untrusted Data vulnerability in NooTheme Visionary Core noo-visionary-core allows Object Injection.This issue affects Visionary Core: from n/a through <= 1.4.9.
CVE-2026-24983 2 Upsolution, Wordpress 2 Upsolution Core, Wordpress 2026-04-24 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UpSolution UpSolution Core us-core allows Reflected XSS.This issue affects UpSolution Core: from n/a through <= 8.41.
CVE-2026-25013 2 Whmcsdes, Wordpress 2 Phox Hosting, Wordpress 2026-04-24 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WHMCSdes Phox Hosting phox-host allows Reflected XSS.This issue affects Phox Hosting: from n/a through <= 2.0.8.
CVE-2026-25018 2 Stmcan, Wordpress 2 Naturalife Extensions, Wordpress 2026-04-24 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in stmcan NaturaLife Extensions naturalife-extensions allows Reflected XSS.This issue affects NaturaLife Extensions: from n/a through <= 2.1.
CVE-2026-25031 2 Park Of Ideas, Wordpress 2 Tasty Daily, Wordpress 2026-04-24 9.8 Critical
Deserialization of Untrusted Data vulnerability in park_of_ideas Tasty Daily tastydaily allows Object Injection.This issue affects Tasty Daily: from n/a through < 1.27.
CVE-2026-25309 2 Publishpress, Wordpress 2 Publishpress Authors, Wordpress 2026-04-24 7.5 High
Missing Authorization vulnerability in PublishPress PublishPress Authors publishpress-authors allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PublishPress Authors: from n/a through <= 4.10.1.
CVE-2026-25347 2 Acato, Wordpress 2 Wp Rest Cache, Wordpress 2026-04-24 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Acato WP REST Cache wp-rest-cache allows Stored XSS.This issue affects WP REST Cache: from n/a through <= 2026.1.0.
CVE-2026-25356 2 Skygroup, Wordpress 2 Yobazar, Wordpress 2026-04-24 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Yobazar yobazar allows Reflected XSS.This issue affects Yobazar: from n/a through < 1.6.7.
CVE-2026-25360 2 Rascals, Wordpress 2 Vex, Wordpress 2026-04-24 8.8 High
Deserialization of Untrusted Data vulnerability in rascals Vex vex allows Object Injection.This issue affects Vex: from n/a through < 1.2.9.
CVE-2025-13997 2 Kingaddons, Wordpress 2 King Addons For Elementor – 80+ Elementor Widgets, 4 000+ Elementor Templates, Woocommerce, Mega Menu, Popup Builder, Wordpress 2026-04-24 5.3 Medium
The King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor plugin for WordPress is vulnerable to unauthenticated API key disclosure in all versions up to, and including, 51.1.49 due to the plugin adding the API keys to the HTML source code via render_full_form function. This makes it possible for unauthenticated attackers to extract site's Mailchimp, Facebook and Google API keys and secrets. This vulnerability requires the Premium license to be installed
CVE-2026-4612 1 Itsourcecode 1 Free Hotel Reservation System 2026-04-24 7.3 High
A vulnerability has been found in itsourcecode Free Hotel Reservation System 1.0. This affects an unknown part of the file /hotel/admin/mod_users/index.php?view=edit&id=8 of the component Parameter Handler. The manipulation of the argument account_id leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.
CVE-2026-24378 2 Metagauss, Wordpress 2 Eventprime, Wordpress 2026-04-24 9.8 Critical
Deserialization of Untrusted Data vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Object Injection.This issue affects EventPrime: from n/a through <= 4.2.8.0.
CVE-2026-4587 1 Hybridauth 1 Hybridauth 2026-04-24 3.7 Low
A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some unknown processing of the file src/HttpClient/Curl.php of the component SSL Handler. The manipulation of the argument curlOptions results in improper certificate validation. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The project was informed of the problem early through an issue report but has not responded yet.
CVE-2026-24373 2 Metagauss, Wordpress 2 Registrationmagic, Wordpress 2026-04-24 8.1 High
Incorrect Privilege Assignment vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Privilege Escalation.This issue affects RegistrationMagic: from n/a through <= 6.0.7.1.