Search Results (85520 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-47261 1 Bytecodealliance 1 Wasmtime 2026-06-16 7.5 High
Wasmtime is a runtime for WebAssembly. In versions prior to 24.0.9, 36.0.10, and 44.0.2, when a filesystem preopen is given DirPerms::all() and FilePerms::READ without FilePerms::WRITE, this access control mechanism can be bypassed via the wasip2 descriptor.open-at or wasip1 path_open interfaces by opening a file with only the OpenFlags::TRUNCATE oflag. The root cause is that the clause handling OpenFlags::TRUNCATE in crates/wasi/src/filesystem.rs (Dir::open_at, lines 967–969) did not set open_mode |= OpenMode::WRITE;, which is later used for the access control check against FilePerms to determine whether opening the file is permitted; the single-line fix adds that missing assignment, after which the affected calls correctly fail with error-code.not-permitted and ERRNO_PERM respectively. Only wasmtime-wasi embeddings that combine DirPerms::MUTATE with FilePerms::READ are affected by this bug. In particular, the Wasmtime project's wasmtime-cli's use of wasmtime-wasi is not affected, because it always sets FilePerms::all() for all preopens. This issue has been fixed in versions 24.0.9, 36.0.10 and44.0.2.
CVE-2025-59133 2 Projectopia, Wordpress 2 Projectopia, Wordpress 2026-06-16 7.5 High
Custom role Insecure Direct Object References (IDOR) in Projectopia <= 5.1.25.2 versions.
CVE-2026-27089 2 Magepeople, Wordpress 2 Wptravelly, Wordpress 2026-06-16 7.5 High
Unauthenticated Bypass Vulnerability in WpTravelly <= 2.1.7 versions.
CVE-2026-39490 2 Artbees, Wordpress 2 Jupiter X Core, Wordpress 2026-06-16 7.5 High
Unauthenticated Broken Access Control in JupiterX Core <= 4.14.1 versions.
CVE-2026-39581 2 Activity-log.com, Wordpress 2 Wp Sessions Time Monitoring Full Automatic, Wordpress 2026-06-16 8.5 High
Subscriber SQL Injection in WP Sessions Time Monitoring Full Automatic <= 1.1.4 versions.
CVE-2026-48885 2 Groundhogg, Wordpress 2 Hollerbox, Wordpress 2026-06-16 7.1 High
Unauthenticated Cross Site Scripting (XSS) in HollerBox <= 2.3.10.1 versions.
CVE-2026-48882 2 Codepeople, Wordpress 2 Wp Time Slots Booking Form, Wordpress 2026-06-16 8.5 High
Subscriber SQL Injection in WP Time Slots Booking Form <= 1.2.50 versions.
CVE-2026-49056 2 Webtoffee, Wordpress 2 Woocommerce Pdf Invoices, Packing Slips, Delivery Notes And Shipping Labels, Wordpress 2026-06-16 7.5 High
Unauthenticated Sensitive Data Exposure in WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shipping Labels <= 4.9.4 versions.
CVE-2026-49068 2 Relywp, Wordpress 2 Coupon Affiliates, Wordpress 2026-06-16 7.5 High
Subscriber Sensitive Data Exposure in Coupon Affiliates <= 7.8.1 versions.
CVE-2026-49083 2 Latepoint, Wordpress 2 Latepoint, Wordpress 2026-06-16 7.5 High
Contributor Privilege Escalation in LatePoint <= 5.5.1 versions.
CVE-2016-20075 2 Etoilewebdesign, Wordpress 2 Ultimate Product Catalog, Wordpress 2026-06-16 8.8 High
WordPress Ultimate Product Catalog 3.8.6 contains an arbitrary file upload vulnerability that allows authenticated users with contributor, editor, author, or administrator roles to upload malicious files by exploiting the custom fields functionality. Attackers can upload PHP shells through the Products tab custom file field and access them via the upcp-product-file-uploads directory to execute arbitrary code on the server.
CVE-2026-48964 2 Elextensions, Wordpress 2 Elex Wordpress Helpdesk & Customer Ticketing System, Wordpress 2026-06-16 8.5 High
Subscriber SQL Injection in ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.6 versions.
CVE-2026-48970 2 Really-simple-plugins, Wordpress 2 Really Simple Ssl, Wordpress 2026-06-16 8.1 High
Unauthenticated Broken Authentication in Really Simple SSL <= 9.5.10 versions.
CVE-2026-49065 2 Hippooo, Wordpress 2 Hippoo Mobile App For Woocommerce, Wordpress 2026-06-16 8.2 High
Unauthenticated Broken Access Control in Hippoo Mobile App for WooCommerce <= 1.9.5 versions.
CVE-2026-52697 2 Taskbuilder, Wordpress 2 Taskbuilder, Wordpress 2026-06-16 8.5 High
Subscriber SQL Injection in Taskbuilder <= 5.0.7 versions.
CVE-2026-34886 2 Wordpress, Wp.insider 2 Wordpress, Simple Membership 2026-06-16 7.5 High
Unauthenticated Broken Access Control in Simple Membership <= 4.7.1 versions.
CVE-2026-40781 2 Reviewx, Wordpress 2 Reviewx, Wordpress 2026-06-16 7.5 High
Unauthenticated Broken Authentication in ReviewX <= 2.3.6 versions.
CVE-2026-40787 2 Expresstech, Wordpress 2 Quiz And Survey Master, Wordpress 2026-06-16 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Quiz And Survey Master <= 11.0.0 versions.
CVE-2026-40788 2 Quantumcloud, Wordpress 2 Chatbot, Wordpress 2026-06-16 7.1 High
Subscriber Broken Access Control in ChatBot <= 7.9.7 versions.
CVE-2026-40791 2 Codepeople, Wordpress 2 Wp Time Slots Booking Form, Wordpress 2026-06-16 7.1 High
Unauthenticated Cross Site Scripting (XSS) in WP Time Slots Booking Form <= 1.2.46 versions.