|
1991
|
7.5 |
HIGH
Network
|
-
|
-
|
The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'sortf' parameter in all versions up to, and including,…
|
CWE-89
SQL Injection
|
CVE-2026-6929
|
2026-05-13 23:43 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1992
|
5.3 |
MEDIUM
Network
|
-
|
-
|
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by…
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-6965
|
2026-05-13 23:43 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1993
|
5.5 |
MEDIUM
Network
|
-
|
-
|
The WPC Badge Management for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the `wpcbm_best_seller` shortcode in all versions up to, and inc…
|
CWE-79
Cross-site Scripting
|
CVE-2025-14767
|
2026-05-13 23:43 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1994
|
6.4 |
MEDIUM
Network
|
-
|
-
|
The Snow Monkey Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-slick' attribute in all versions up to, and including, 24.1.11 due to insufficient input sanitiz…
|
CWE-79
Cross-site Scripting
|
CVE-2026-3004
|
2026-05-13 23:43 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1995
|
5.3 |
MEDIUM
Network
|
-
|
-
|
The Hostinger Reach – AI-Powered Email Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_ajax_action' fu…
|
CWE-862
Missing Authorization
|
CVE-2026-2515
|
2026-05-13 23:43 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1996
|
6.5 |
MEDIUM
Network
|
-
|
-
|
The Avada Builder plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.15.2 via the 'fusion_get_svg_from_file' function with the 'custom_svg' parameter of…
|
CWE-36
Absolute Path Traversal
|
CVE-2026-4782
|
2026-05-13 23:43 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1997
|
7.5 |
HIGH
Network
|
-
|
-
|
The Avada Builder plugin for WordPress is vulnerable to time-based SQL Injection via the ‘product_order’ parameter in all versions up to, and including, 3.15.1 due to insufficient escaping on the use…
|
CWE-89
SQL Injection
|
CVE-2026-4798
|
2026-05-13 23:43 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1998
|
8.8 |
HIGH
Network
|
-
|
-
|
The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.2 via the 'path' parameter of the 'get_content' AJAX action. This …
|
CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
|
CVE-2026-3425
|
2026-05-13 23:43 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1999
|
4.3 |
MEDIUM
Network
|
-
|
-
|
The RTMKit Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the save_widget() and reset_all_widgets() functions in all …
|
CWE-862
Missing Authorization
|
CVE-2026-3426
|
2026-05-13 23:43 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2000
|
7.2 |
HIGH
Network
|
-
|
-
|
The Custom Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.5.4. This is due to insufficient output escaping in the CTF_Display_Elemen…
|
CWE-79
Cross-site Scripting
|
CVE-2026-6177
|
2026-05-13 23:43 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
