|
1801
|
5.5 |
MEDIUM
Network
|
-
|
-
|
The WPC Badge Management for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' attribute of the `wpcbm_best_seller` shortcode in all versions up to, and inc…
|
CWE-79
Cross-site Scripting
|
CVE-2025-14767
|
2026-05-13 23:43 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1802
|
6.4 |
MEDIUM
Network
|
-
|
-
|
The Snow Monkey Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-slick' attribute in all versions up to, and including, 24.1.11 due to insufficient input sanitiz…
|
CWE-79
Cross-site Scripting
|
CVE-2026-3004
|
2026-05-13 23:43 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1803
|
5.3 |
MEDIUM
Network
|
-
|
-
|
The Hostinger Reach – AI-Powered Email Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handle_ajax_action' fu…
|
CWE-862
Missing Authorization
|
CVE-2026-2515
|
2026-05-13 23:43 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1804
|
6.5 |
MEDIUM
Network
|
-
|
-
|
The Avada Builder plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.15.2 via the 'fusion_get_svg_from_file' function with the 'custom_svg' parameter of…
|
CWE-36
Absolute Path Traversal
|
CVE-2026-4782
|
2026-05-13 23:43 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1805
|
7.5 |
HIGH
Network
|
-
|
-
|
The Avada Builder plugin for WordPress is vulnerable to time-based SQL Injection via the ‘product_order’ parameter in all versions up to, and including, 3.15.1 due to insufficient escaping on the use…
|
CWE-89
SQL Injection
|
CVE-2026-4798
|
2026-05-13 23:43 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1806
|
8.8 |
HIGH
Network
|
-
|
-
|
The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.2 via the 'path' parameter of the 'get_content' AJAX action. This …
|
CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
|
CVE-2026-3425
|
2026-05-13 23:43 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1807
|
4.3 |
MEDIUM
Network
|
-
|
-
|
The RTMKit Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the save_widget() and reset_all_widgets() functions in all …
|
CWE-862
Missing Authorization
|
CVE-2026-3426
|
2026-05-13 23:43 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1808
|
7.2 |
HIGH
Network
|
-
|
-
|
The Custom Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 2.5.4. This is due to insufficient output escaping in the CTF_Display_Elemen…
|
CWE-79
Cross-site Scripting
|
CVE-2026-6177
|
2026-05-13 23:43 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1809
|
4.3 |
MEDIUM
Network
|
-
|
-
|
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.9.8.4. This is due to the plugin not properl…
|
CWE-862
Missing Authorization
|
CVE-2026-4607
|
2026-05-13 23:43 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1810
|
6.5 |
MEDIUM
Network
|
-
|
-
|
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to blind SQL Injection via the 'rid' parameter in all versions up to, and including, 5.9.8.4 due to insuffic…
|
CWE-89
SQL Injection
|
CVE-2026-4608
|
2026-05-13 23:43 |
2026-05-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
