Export limit exceeded: 345077 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (345077 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-22420 | 2 Ancorathemes, Wordpress | 2 Horizon, Wordpress | 2026-04-16 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Horizon horizon allows PHP Local File Inclusion.This issue affects Horizon: from n/a through <= 1.1. | ||||
| CVE-2026-22421 | 2 Ancorathemes, Wordpress | 2 Quantum, Wordpress | 2026-04-16 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Quantum quantum allows PHP Local File Inclusion.This issue affects Quantum: from n/a through <= 1.0. | ||||
| CVE-2026-22432 | 2 Ancorathemes, Wordpress | 2 Woopy, Wordpress | 2026-04-16 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Woopy woopy allows PHP Local File Inclusion.This issue affects Woopy: from n/a through <= 1.2. | ||||
| CVE-2026-22435 | 2 Ancorathemes, Wordpress | 2 Electroserv, Wordpress | 2026-04-16 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes ElectroServ electroserv allows PHP Local File Inclusion.This issue affects ElectroServ: from n/a through <= 1.3.2. | ||||
| CVE-2026-22454 | 2 Themerex, Wordpress | 2 Solaris, Wordpress | 2026-04-16 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in ThemeREX Solaris solaris allows Object Injection.This issue affects Solaris: from n/a through <= 2.5. | ||||
| CVE-2026-22455 | 2 Foreverpinetree, Wordpress | 2 Thebe, Wordpress | 2026-04-16 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree Thebe thebe allows Reflected XSS.This issue affects Thebe: from n/a through <= 1.3.0. | ||||
| CVE-2026-22465 | 2 Seventhqueen, Wordpress | 2 Buddyapp, Wordpress | 2026-04-16 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SeventhQueen BuddyApp buddyapp allows Reflected XSS.This issue affects BuddyApp: from n/a through <= 1.9.2. | ||||
| CVE-2026-22467 | 2 Mwtemplates, Wordpress | 2 Deepdigital, Wordpress | 2026-04-16 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mwtemplates DeepDigital deepdigital allows Reflected XSS.This issue affects DeepDigital: from n/a through <= 1.0.2. | ||||
| CVE-2026-22473 | 2 Designthemes, Wordpress | 2 Dental Clinic, Wordpress | 2026-04-16 | 8.8 High |
| Deserialization of Untrusted Data vulnerability in designthemes Dental Clinic dental allows Object Injection.This issue affects Dental Clinic: from n/a through <= 3.7. | ||||
| CVE-2026-22477 | 2 Ancorathemes, Wordpress | 2 Felizia, Wordpress | 2026-04-16 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Felizia felizia allows PHP Local File Inclusion.This issue affects Felizia: from n/a through <= 1.3.4. | ||||
| CVE-2026-22497 | 2 Ancorathemes, Wordpress | 2 Jardi, Wordpress | 2026-04-16 | 9.8 Critical |
| Deserialization of Untrusted Data vulnerability in AncoraThemes Jardi jardi allows Object Injection.This issue affects Jardi: from n/a through <= 1.7.2. | ||||
| CVE-2026-22615 | 1 Eaton | 1 Ipp Software | 2026-04-16 | 6 Medium |
| Due to improper input validation in one of the Eaton Intelligent Power Protector (IPP) XML, it is possible for an attacker with admin privileges and access to the local system to inject malicious code resulting in arbitrary command execution. This security issue has been fixed in the latest version of Eaton IPP software which is available on the Eaton download centre. | ||||
| CVE-2023-5872 | 1 Wago | 1 Smart Designer | 2026-04-16 | 4.3 Medium |
| In Wago Smart Designer in versions up to 2.33.1 a low privileged remote attacker may enumerate projects and usernames through iterative requests to an specific endpoint. | ||||
| CVE-2026-4916 | 1 Gitlab | 1 Gitlab | 2026-04-16 | 2.7 Low |
| GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.2 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that could have allowed an authenticated user with custom role permissions to demote or remove higher-privileged group members due to improper authorization checks on member management operations. | ||||
| CVE-2026-3599 | 2 Imprintnext, Wordpress | 2 Riaxe Product Customizer, Wordpress | 2026-04-16 | 7.5 High |
| The Riaxe Product Customizer plugin for WordPress is vulnerable to SQL Injection via the 'options' parameter keys within 'product_data' of the /wp-json/InkXEProductDesignerLite/add-item-to-cart REST API endpoint in all versions up to, and including, 2.1.2. This is due to insufficient escaping on the user-supplied parameter and insufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | ||||
| CVE-2026-3596 | 2 Imprintnext, Wordpress | 2 Riaxe Product Customizer, Wordpress | 2026-04-16 | 9.8 Critical |
| The Riaxe Product Customizer plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.2. The plugin registers an unauthenticated AJAX action ('wp_ajax_nopriv_install-imprint') that maps to the ink_pd_add_option() function. This function reads 'option' and 'opt_value' from $_POST, then calls delete_option() followed by add_option() using these attacker-controlled values without any nonce verification, capability checks, or option name allowlist. This makes it possible for unauthenticated attackers to update arbitrary WordPress options, which can be leveraged for privilege escalation by enabling user registration and setting the default user role to administrator. | ||||
| CVE-2025-14868 | 2 Shahinurislam, Wordpress | 2 Career Section, Wordpress | 2026-04-16 | 8.8 High |
| The Career Section plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Path Traversal and Arbitrary File Deletion in all versions up to, and including, 1.6. This is due to missing nonce validation and insufficient file path validation on the delete action in the 'appform_options_page_html' function. This makes it possible for unauthenticated attackers to delete arbitrary files on the server via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. | ||||
| CVE-2026-4127 | 2 Charlycharm, Wordpress | 2 Speedup Optimization, Wordpress | 2026-04-16 | 4.3 Medium |
| The Speedup Optimization plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.5.9. The `speedup01_ajax_enabled()` function, which handles the `wp_ajax_speedup01_enabled` AJAX action, does not perform any capability check via `current_user_can()` and also lacks nonce verification. This is in contrast to other AJAX handlers in the same plugin (e.g., `speedup01_ajax_install_iox` and `speedup01_ajax_delete_cache_file`) which properly check for `install_plugins` and `manage_options` capabilities respectively. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable or disable the site's optimization module by sending a POST request to admin-ajax. | ||||
| CVE-2026-27337 | 2 Ancorathemes, Wordpress | 2 Chronicle - Lifestyle Magazine & Blog Wordpress Theme, Wordpress | 2026-04-16 | 8.1 High |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Chronicle - Lifestyle Magazine & Blog WordPress Theme chronicle allows PHP Local File Inclusion.This issue affects Chronicle - Lifestyle Magazine & Blog WordPress Theme: from n/a through <= 1.0. | ||||
| CVE-2026-27354 | 2 Webcodingplace, Wordpress | 2 Woocommerce Coming Soon Product With Countdown, Wordpress | 2026-04-16 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product allows Stored XSS.This issue affects WooCommerce Coming Soon Product with Countdown: from n/a through <= 5.0. | ||||