Search

Search Results (365163 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-11915 1 Drupal 1 Brute Force Attack Protection 2026-07-13 N/A
vulnerability in Drupal Brute force attack protection allows . This issue affects Brute force attack protection versions: *.*.
CVE-2026-11914 1 Drupal 1 Composer 2026-07-13 N/A
vulnerability in Drupal Composer allows . This issue affects Composer versions: *.*.
CVE-2026-11913 1 Drupal 1 Mother May I 2026-07-13 N/A
vulnerability in Drupal Mother May I allows . This issue affects Mother May I versions: *.*.
CVE-2026-20744 1 Hydro-québec 1 Le Circuit Electrique Charging Station Backend 2026-07-13 9.8 Critical
The charging station websocket endpoint accepts connections without proper authentication, which could lead to privilege escalation.
CVE-2026-42952 1 Hydro-québec 1 Le Circuit Electrique Charging Station Backend 2026-07-13 7.5 High
Previously, there was no throttling on repeated authentication attempts to the charging station backend, which could allow an attacker to execute a denial-of-service attack.
CVE-2026-44383 1 Hydro-québec 1 Le Circuit Electrique Charging Station Backend 2026-07-13 7.5 High
Multiple connections to the backend using the same charging station ID are allowed, which could allow an attacker to deploy multiple instances of malicious OCPP clients to overwhelm the backend.
CVE-2026-13756 2 Wordpress, Wp Grid Builder 2 Wordpress, Wp Grid Builder 2026-07-13 8.8 High
The WP Grid Builder plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.3.3. This is due to missing authorization and meta key validation in the `update()` handler for the `/wp-json/wpgb/v2/metadata` REST endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to Administrator by updating their own `wp_capabilities` user meta with a crafted nested array payload.
CVE-2026-8678 2 Richardperdaan, Wordpress 2 Myparcel, Wordpress 2026-07-13 4.3 Medium
The MyParcel plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.25.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to view and modify shipment options — including carrier, delivery type, package type, number of labels, weight, signature requirement, and insurance — on any arbitrary order.
CVE-2026-13262 2 Ahmadmj, Wordpress 2 Majestic Support – The Leading-edge Help Desk & Customer Support Plugin, Wordpress 2026-07-13 6.5 Medium
The Majestic Support – The Leading-Edge Help Desk & Customer Support Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'val' parameter in all versions up to, and including, 1.1.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires a valid 'get-smart-reply' nonce, which any Subscriber-level user can obtain by creating a ticket via the public frontend and visiting the resulting ticket detail page, making this effectively exploitable by any authenticated user.
CVE-2026-3367 2 Lustmored, Wordpress 2 Lockme Calendars Integration, Wordpress 2026-07-13 4.4 Medium
The Lockme OAuth2 calendars integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'App ID' setting in all versions up to, and including, 2.11.0. This is due to insufficient input sanitization and output escaping. The register_setting() call on line 197 lacks a sanitize callback, allowing unsanitized data to be stored via update_option(). When the settings page is rendered, the stored value is echoed directly into an HTML input's value attribute without esc_attr() on line 212. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in the settings page that will execute whenever a user accesses the plugin settings page. Multiple fields are affected: App ID (client_id), App Secret (client_secret), Bookings ID prefix (id_prefix), and API domain (api_domain). This vulnerability is particularly impactful in WordPress multisite installations where administrators of individual sites should not be able to execute JavaScript affecting other users.
CVE-2026-12426 2 Supercleanse, Wordpress 2 Members – Membership & User Role Editor Plugin, Wordpress 2026-07-13 5.3 Medium
The Members – Membership & User Role Editor Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.2.22 via the members_filter_protected_posts_for_rest. This makes it possible for unauthenticated attackers to extract determine the existence and exact count of access-restricted posts, and use per-page pagination as a boolean oracle to infer keywords and content contained within those hidden restricted posts.
CVE-2026-7544 2 2coders, Wordpress 2 Mux Video Uploader, Wordpress 2026-07-13 4.3 Medium
The Mux Video Uploader plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 via the muxvideo_enqueue_settings_script. This makes it possible for authenticated attackers, with subscriber-level access and above, to extract sensitive data including Mux API credentials.
CVE-2026-13353 2 Smackcoders, Wordpress 2 Wp Ultimate Csv Importer – Wordpress Import & Export For Csv, Xml & Excel, Wordpress 2026-07-13 8.8 High
The WP Ultimate CSV Importer – WordPress Import & Export for CSV, XML & Excel plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 8.0.1 via the 'MappedFields' parameter. This is due to missing capability checks on the AJAX handlers for install_addon, saveMappedFields, and StartImport, combined with the plugin nonce being exposed to any authenticated user who can load an admin page, allowing a Subscriber to install the Import WooCommerce add-on, persist attacker-controlled PHP expressions in the MappedFields parameter, and trigger evaluation via eval() in ImportHelpers::get_meta_values(). This makes it possible for authenticated attackers, with subscriber-level access and above, to execute code on the server.
CVE-2026-2354 2 Wordpress, Wpmessiah 2 Wordpress, Swiss Toolkit For Wp 2026-07-13 8.8 High
The Swiss Toolkit For WP plugin for WordPress is vulnerable to arbitrary file upload due to a flawed file type validation bypass in the `upload_extension_files()` function in all versions up to, and including, 1.4.6. The `upload_extension_files()` function hooks into WordPress's `wp_check_filetype_and_ext` filter and uses `strpos()` to check if a filename contains a configured extension string, rather than verifying the actual file extension. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files (including PHP) on the affected site's server which may make remote code execution possible, granted the "Enhanced Multi-Format Image Support" feature is enabled with at least one extension (e.g., avif) in the allowed formats.
CVE-2026-6803 2 Wordpress, Wupsales 2 Wordpress, Ai Copilot – Content Generator 2026-07-13 5.3 Medium
The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.12. This is due to missing capability checks and nonce verification on AJAX actions registered under both wp_ajax_ and wp_ajax_nopriv_ hooks, as the base controller's getPermissions() returns an empty array and neither removeGroup nor clear are added to getNoncedMethods(), causing the authorization gate to unconditionally return true for these actions. This makes it possible for unauthenticated attackers to delete specific records by ID or delete all records from any module's database table by unauthenticated attackers.
CVE-2026-57391 2 Tangible, Wordpress 2 Loops & Logic, Wordpress 2026-07-13 6.5 Medium
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tangible Loops & Logic tangible-loops-and-logic allows Stored XSS.This issue affects Loops & Logic: from n/a through <= 4.2.3.
CVE-2026-57713 2 Marcus (aka @msykes), Wordpress 2 Events Manager, Wordpress 2026-07-13 8.8 High
Deserialization of Untrusted Data vulnerability in Marcus (aka @msykes) Events Manager events-manager allows Object Injection.This issue affects Events Manager: from n/a through <= 7.3.6.
CVE-2026-15539 1 Sourcecodester 1 Online Book Store System 2026-07-13 4.7 Medium
A security vulnerability has been detected in SourceCodester Online Book Store System 1.0. Impacted is an unknown function of the file /admin/index.php?page=books of the component Book Image Upload Feature. Such manipulation leads to unrestricted upload. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
CVE-2026-14165 1 Dassault Systèmes 1 Tuleap Enterprise Edition 2026-07-13 7.5 High
An Authorization Bypass Through User-Controlled Key vulnerability affecting Tuleap Enterprise Edition from 17.0 through 17.5 could allow an attacker to access data of other users without authorization.
CVE-2026-57829 2026-07-13 N/A
The Joomla extension Helix Ultimate is vulnerable to an unauthenticated stored XSS.