|
5891
|
9.8 |
CRITICAL
Network
|
-
|
-
|
The Geeky Bot plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.2.2. This is due to a nopriv AJAX route allowing attacker-controlled model/function dispa…
|
CWE-862
Missing Authorization
|
CVE-2026-5294
|
2026-05-5 13:16 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5892
|
6.4 |
MEDIUM
Network
|
-
|
-
|
The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Instagram Feed widget's 'instagram_follow_text' setting in all versions up to, and including, …
|
CWE-79
Cross-site Scripting
|
CVE-2026-5159
|
2026-05-5 13:16 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5893
|
7.2 |
HIGH
Network
|
-
|
-
|
The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'status' parameter in the wpr_update_form_action_meta AJAX action in all versions up to, and inclu…
|
CWE-79
Cross-site Scripting
|
CVE-2026-4803
|
2026-05-5 13:16 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5894
|
6.4 |
MEDIUM
Network
|
-
|
-
|
The WP Carousel Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via crafted fancybox `data-caption` attributes in all versions up to, and including, 2.7.10. This is due to the …
|
CWE-79
Cross-site Scripting
|
CVE-2026-4665
|
2026-05-5 13:16 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5895
|
7.5 |
HIGH
Network
|
-
|
-
|
The GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to SQL Injection via the 'attributekey' parameter in versions up to, and including, 1…
|
CWE-89
SQL Injection
|
CVE-2026-3456
|
2026-05-5 13:16 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5896
|
6.4 |
MEDIUM
Network
|
-
|
-
|
The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Server-Side Request Forgery in versions up to, and including, 3.5.3 via the import_images() fun…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-2948
|
2026-05-5 13:16 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5897
|
6.1 |
MEDIUM
Network
|
-
|
-
|
The Blog Settings plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0. This is due to insufficient input sanitizati…
|
CWE-79
Cross-site Scripting
|
CVE-2026-6704
|
2026-05-5 12:16 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5898
|
6.1 |
MEDIUM
Network
|
-
|
-
|
The Publish 2 Ping.fm plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing or incorrect nonce validation on the '/wp-admi…
|
CWE-352
Origin Validation Error
|
CVE-2026-6702
|
2026-05-5 12:16 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5899
|
4.3 |
MEDIUM
Network
|
-
|
-
|
The addfreespace plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.3. This is due to missing or incorrect nonce validation on a function. This…
|
CWE-352
Origin Validation Error
|
CVE-2026-6701
|
2026-05-5 12:16 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
5900
|
4.3 |
MEDIUM
Network
|
-
|
-
|
The DX Sources plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the settings_page_…
|
CWE-352
Origin Validation Error
|
CVE-2026-6700
|
2026-05-5 12:16 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
