| 1211 | 5.3 | MEDIUM, Network | - | - | The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_ticket_content_callback' function in all ver… (New) | CWE-639: Authorization Bypass Through User-Controlled Key | CVE-2025-14033 | 2026-05-13 23:43 | 2026-05-13 |
| 1212 | 7.5 | HIGH, Network | - | - | The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'sortf' parameter in all versions up to, and including,… (New) | CWE-89: SQL Injection | CVE-2026-6929 | 2026-05-13 23:43 | 2026-05-13 |
| 1213 | 5.3 | MEDIUM, Network | - | - | The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by… (New) | CWE-639: Authorization Bypass Through User-Controlled Key | CVE-2026-6965 | 2026-05-13 23:43 | 2026-05-13 |
| 1214 | 5.5 | MEDIUM, Network | - | - | The WPC Badge Management for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the `wpcbm_best_seller` shortcode in all versions up to, and inc… (New) | CWE-79: Cross-site Scripting | CVE-2025-14767 | 2026-05-13 23:43 | 2026-05-13 |
| 1215 | 6.4 | MEDIUM, Network | - | - | The Snow Monkey Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data-slick' attribute in all versions up to, and including, 24.1.11 due to insufficient input sanitiz… (New) | CWE-79: Cross-site Scripting | CVE-2026-3004 | 2026-05-13 23:43 | 2026-05-13 |
| 1216 | 5.3 | MEDIUM, Network | - | - | The Hostinger Reach – AI-Powered Email Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_ajax_action' fu… (New) | CWE-862: Missing Authorization | CVE-2026-2515 | 2026-05-13 23:43 | 2026-05-13 |
| 1217 | 6.5 | MEDIUM, Network | - | - | The Avada Builder plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.15.2 via the 'fusion_get_svg_from_file' function with the 'custom_svg' parameter of… (New) | CWE-36: Absolute Path Traversal | CVE-2026-4782 | 2026-05-13 23:43 | 2026-05-13 |
| 1218 | 7.5 | HIGH, Network | - | - | The Avada Builder plugin for WordPress is vulnerable to time-based SQL Injection via the ‘product_order’ parameter in all versions up to, and including, 3.15.1 due to insufficient escaping on the use… (New) | CWE-89: SQL Injection | CVE-2026-4798 | 2026-05-13 23:43 | 2026-05-13 |
| 1219 | 8.8 | HIGH, Network | - | - | The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.2 via the 'path' parameter of the 'get_content' AJAX action. This … (New) | CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | CVE-2026-3425 | 2026-05-13 23:43 | 2026-05-13 |
| 1220 | 4.3 | MEDIUM, Network | - | - | The RTMKit Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the save_widget() and reset_all_widgets() functions in all … (New) | CWE-862: Missing Authorization | CVE-2026-3426 | 2026-05-13 23:43 | 2026-05-13 |