|
1051
|
4.4 |
MEDIUM
Network
|
-
|
-
|
The Ona theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.26 via the ona_activate_child_theme. This makes it possible for authenticated attacker…
Update
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-6812
|
2026-05-6 04:16 |
2026-05-2 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1052
|
6.4 |
MEDIUM
Network
|
-
|
-
|
The Jeg Kit for Elementor – Powerful Addons for Elementor, Widgets & Templates for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sg_content_number_prefix' param…
Update
|
CWE-79
Cross-site Scripting
|
CVE-2026-6916
|
2026-05-6 04:16 |
2026-05-2 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1053
|
7.2 |
HIGH
Network
|
-
|
-
|
The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output esc…
Update
|
CWE-79
Cross-site Scripting
|
CVE-2026-5112
|
2026-05-6 04:16 |
2026-05-2 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1054
|
7.2 |
HIGH
Network
|
-
|
-
|
The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Consent field hidden inputs in versions up to and including 2.10.0. This is due to a flawed state validation me…
Update
|
CWE-79
Cross-site Scripting
|
CVE-2026-5113
|
2026-05-6 04:16 |
2026-05-2 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1055
|
7.2 |
HIGH
Network
|
-
|
-
|
The PixelYourSite Pro – Your smart PIXEL (TAG) Manager plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 12.5.0.1 via the scan_video. This makes …
Update
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-7049
|
2026-05-6 04:15 |
2026-05-2 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1056
|
8.1 |
HIGH
Network
|
-
|
-
|
The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybe_unserialize() function on the atta…
Update
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-7647
|
2026-05-6 04:15 |
2026-05-2 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1057
|
6.3 |
MEDIUM
Network
|
-
|
-
|
A security flaw has been discovered in JeecgBoot up to 3.9.1. This vulnerability affects the function CommonController.uploadImgByHttp/HttpFileToMultipartFileUtil.httpFileToMultipartFile/HttpFileToMu…
Update
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-7605
|
2026-05-6 04:15 |
2026-05-2 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1058
|
7.2 |
HIGH
Network
|
-
|
-
|
The Royal Elementor Addons plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 1.7.1057. This is due to insufficient validation of user-supplied URLs i…
Update
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-6229
|
2026-05-6 04:15 |
2026-05-2 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1059
|
5.3 |
MEDIUM
Network
|
-
|
-
|
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Improper Authorization in all versions up to, and including, 2.1.2. This is due to a logical short-circ…
Update
|
CWE-285
Improper Authorization
|
CVE-2026-6449
|
2026-05-6 04:15 |
2026-05-2 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1060
|
6.5 |
MEDIUM
Network
|
-
|
-
|
The Geo Mashup plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'geo_mashup_null_fields' parameter in all versions up to, and including, 1.13.19 due to insufficient escapi…
Update
|
CWE-89
SQL Injection
|
CVE-2026-6457
|
2026-05-6 04:15 |
2026-05-2 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
