Export limit exceeded: 12316 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (12316 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-28079 | 2 Axiomthemes, Wordpress | 2 Conquerors, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Conquerors conquerors allows PHP Local File Inclusion.This issue affects Conquerors: from n/a through <= 1.2.13. | ||||
| CVE-2026-28081 | 2 Themerex, Wordpress | 2 Windsor, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Windsor windsor allows PHP Local File Inclusion.This issue affects Windsor: from n/a through <= 2.5.0. | ||||
| CVE-2026-28084 | 2 Themerex, Wordpress | 2 Bazinga, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Bazinga bazinga allows PHP Local File Inclusion.This issue affects Bazinga: from n/a through <= 1.1.9. | ||||
| CVE-2026-28088 | 2 Themerex, Wordpress | 2 Aqualots, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Aqualots aqualots allows PHP Local File Inclusion.This issue affects Aqualots: from n/a through <= 1.1.6. | ||||
| CVE-2026-28127 | 2 E-plugins, Wordpress | 2 Lawyer Directory, Wordpress | 2026-04-22 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Lawyer Directory lawyer-directory allows Reflected XSS.This issue affects Lawyer Directory: from n/a through <= 1.3.2. | ||||
| CVE-2026-28125 | 2 Ancorathemes, Wordpress | 2 Midi, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Midi midi allows PHP Local File Inclusion.This issue affects Midi: from n/a through <= 1.14. | ||||
| CVE-2026-28089 | 2 Themerex, Wordpress | 2 Daiquiri, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Daiquiri daiquiri allows PHP Local File Inclusion.This issue affects Daiquiri: from n/a through <= 1.2.4. | ||||
| CVE-2026-28090 | 2 Themerex, Wordpress | 2 Gamezone, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Gamezone gamezone allows PHP Local File Inclusion.This issue affects Gamezone: from n/a through <= 1.1.11. | ||||
| CVE-2026-28124 | 2 Ancorathemes, Wordpress | 2 Notarius, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Notarius notarius allows PHP Local File Inclusion.This issue affects Notarius: from n/a through <= 1.9. | ||||
| CVE-2026-28092 | 2 Themerex, Wordpress | 2 Sounder, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Sounder sounder allows PHP Local File Inclusion.This issue affects Sounder: from n/a through <= 1.3.11. | ||||
| CVE-2026-28093 | 2 Themerex, Wordpress | 2 Ozisti, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Ozisti ozisti allows PHP Local File Inclusion.This issue affects Ozisti: from n/a through <= 1.1.10. | ||||
| CVE-2026-28094 | 2 Themerex, Wordpress | 2 Rexcoin, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX RexCoin rexcoin allows PHP Local File Inclusion.This issue affects RexCoin: from n/a through <= 1.2.6. | ||||
| CVE-2026-28095 | 2 Themerex, Wordpress | 2 Marcell, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Marcell marcell allows PHP Local File Inclusion.This issue affects Marcell: from n/a through <= 1.2.14. | ||||
| CVE-2026-28096 | 2 Themerex, Wordpress | 2 Wealthco, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX WealthCo wealthco allows PHP Local File Inclusion.This issue affects WealthCo: from n/a through <= 2.18. | ||||
| CVE-2026-2724 | 2 Unitecms, Wordpress | 2 Unlimited Elements For Elementor, Wordpress | 2026-04-22 | 7.2 High |
| The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form entry fields in all versions up to, and including, 2.0.5. This is due to insufficient input sanitization and output escaping on form submission data displayed in the admin Form Entries Trash view. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the trashed form entries. | ||||
| CVE-2026-28058 | 2 Themerex, Wordpress | 2 Dixon, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Dixon dixon allows PHP Local File Inclusion.This issue affects Dixon: from n/a through <= 1.4.2.1. | ||||
| CVE-2026-28045 | 2 Themerex, Wordpress | 2 N7 | Golf Club Sports & Events, Wordpress | 2026-04-22 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX N7 | Golf Club Sports & Events n7-golf-club allows PHP Local File Inclusion.This issue affects N7 | Golf Club Sports & Events: from n/a through <= 2.16.0. | ||||
| CVE-2026-2707 | 2 Boldgrid, Wordpress | 2 Weforms – Easy Drag & Drop Contact Form Builder For Wordpress, Wordpress | 2026-04-22 | 6.4 Medium |
| The weForms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API entry submission endpoint in all versions up to, and including, 1.6.27. This is due to inconsistent input sanitization between the frontend AJAX handler and the REST API endpoint. When entries are submitted via the REST API (`/wp-json/weforms/v1/forms/{id}/entries/`), the `prepare_entry()` method in `class-abstract-fields.php` receives the WP_REST_Request object as `$args`, bypassing the `weforms_clean()` fallback that sanitizes `$_POST` data for frontend submissions. The base field handler only applies `trim()` to the value. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts into form entry hidden field values via the REST API that execute when an administrator views the form entries page, where data is rendered using a Vue.js `v-html` directive without escaping. | ||||
| CVE-2026-2413 | 2 Elemntor, Wordpress | 2 Ally – Web Accessibility & Usability, Wordpress | 2026-04-22 | 7.5 High |
| The Ally – Web Accessibility & Usability plugin for WordPress is vulnerable to SQL Injection via the URL path in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user-supplied URL parameter in the `get_global_remediations()` method, where it is directly concatenated into an SQL JOIN clause without proper sanitization for SQL context. While `esc_url_raw()` is applied for URL safety, it does not prevent SQL metacharacters (single quotes, parentheses) from being injected. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via time-based blind SQL injection techniques. The Remediation module must be active, which requires the plugin to be connected to an Elementor account. | ||||
| CVE-2026-1919 | 2 Arraytics, Wordpress | 2 Booktics – Booking Calendar For Appointments And Service Businesses, Wordpress | 2026-04-22 | 5.3 Medium |
| The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to query sensitive data. | ||||