| CVE-2026-48968 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta Master Slider allows DOM-Based XSS.
This issue affects Master Slider: from n/a through 3.… |
| CVE-2026-48877 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
Insertion of Sensitive Information Into Sent Data vulnerability in Tom GenerateBlocks allows Retrieve Embedded Sensitive Data.
This issue affects GenerateBlocks: from n/a through 2.1.0. |
| CVE-2026-2237 |
medium |
6.2 |
6.2 |
|
|
synology |
10d ago |
A use of GET request method with sensitive query strings vulnerability in volume encryption of Synology Storage Manager package before 1.0.1-1100 allows local users on Windows to obtain sensitive inf… |
| CVE-2025-66593 |
medium |
5.6 |
5.6 |
|
|
synology |
10d ago |
An origin validation error vulnerability in Synology Assistant before 7.0.6-50085 allows local users to write arbitrary files with restricted content and conduct denial-of-service during installation. |
| CVE-2025-66592 |
medium |
5.6 |
5.6 |
|
|
synology |
10d ago |
An origin validation error vulnerability in Synology Active Backup for Business Agent before 3.1.0-4967 allows local users to write arbitrary files with restricted content and conduct denial-of-servi… |
| CVE-2025-13593 |
medium |
5.6 |
5.6 |
|
|
synology |
10d ago |
Origin validation error vulnerability in Synology ActiveProtect Agent before 1.1.0-0439 allows local users to write arbitrary files with restricted content and conduct denial-of-service during instal… |
| CVE-2025-12686 |
critical |
9.8 |
9.8 |
|
|
|
10d ago |
Buffer copy without checking size of input ('Classic Buffer Overflow') vulnerability in AdminCenter in Synology BeeStation OS before 1.3.2-65648 allows remote attackers to execute arbitrary code via … |
| CVE-2025-13392 |
critical |
9.8 |
9.8 |
|
|
|
10d ago |
Improper check for unusual or exceptional conditions vulnerability in SSO in Synology DiskStation Manager (DSM) before 7.2.2-72806-5 and 7.3.1-86003-1 (7.2.1-69057 is not affected) allows remote atta… |
| CVE-2025-13167 |
medium |
5.4 |
5.4 |
|
|
synology |
10d ago |
Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in contact functionality in Synology Contacts before 1.0.10-20659 allows remote authenticated users … |
| CVE-2025-10466 |
medium |
5.9 |
5.9 |
|
|
synology |
10d ago |
Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Safe Access in Synology Safe Access before 1.3.1-0329 allows remote authenticated users with admi… |
| CVE-2024-47272 |
low |
2.7 |
2.7 |
|
|
synology |
10d ago |
Incorrect authorization vulnerability in IO Module functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to … |
| CVE-2024-47271 |
medium |
4.9 |
4.9 |
|
|
synology |
10d ago |
Insufficiently protected credentials vulnerability in IPSpeaker component in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privi… |
| CVE-2024-47270 |
low |
2.7 |
2.7 |
|
|
synology |
10d ago |
Improper preservation of permissions vulnerability in Archiving Push functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administra… |
| CVE-2024-47269 |
medium |
4.9 |
4.9 |
|
|
synology |
10d ago |
Cleartext transmission of sensitive information vulnerability in Export Key functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with adm… |
| CVE-2024-47268 |
medium |
4.9 |
4.9 |
|
|
synology |
10d ago |
Missing authorization vulnerability in AddOns functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtai… |
| CVE-2024-47267 |
low |
2.7 |
2.7 |
|
|
synology |
10d ago |
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in Archiving Pull functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows … |
| CVE-2024-11399 |
medium |
6.8 |
6.8 |
|
|
synology |
10d ago |
Files or directories accessible to external parties vulnerability in redis-server component in Synology BeeDrive for desktop before 1.3.2-13814 allows local users to conduct denial-of-service attacks… |
| CVE-2026-49002 |
critical |
9.1 |
9.1 |
|
|
|
10d ago |
Access control failure means that an application does not effectively check user access permissions, so that unauthorized users can access system data beyond their permissions, such as viewing and mo… |
| CVE-2026-40849 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the user_alarmprofile view due to improper neutralization of special elements in a SQL SELECT command. … |
| CVE-2026-40848 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the tag view due to improper neutralization of special elements in a SQL SELECT command. This can resul… |
| CVE-2026-40847 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the system_tag view due to improper neutralization of special elements in a SQL SELECT command. This ca… |
| CVE-2026-40846 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the system view due to improper neutralization of special elements in a SQL SELECT command. This can re… |
| CVE-2026-40845 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the devices_configuration view due to improper neutralization of special elements in a SQL SELECT comma… |
| CVE-2026-40844 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dashboard view due to improper neutralization of special elements in a SQL SELECT command. This can… |
| CVE-2026-40843 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the alarming view due to improper neutralization of special elements in a SQL SELECT command. This can … |
| CVE-2026-40842 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getWidgetTags function due to improper neutralization of special elements in a SQL SELECT command. … |
| CVE-2026-40841 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getProjectTags function due to improper neutralization of special elements in a SQL SELECT command.… |
| CVE-2026-40840 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the VerifyCreateLicences function due to improper neutralization of special elements in a SQL SELECT co… |
| CVE-2026-40839 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getComponentScalings function due to improper neutralization of special elements in a SQL SELECT co… |
| CVE-2026-40838 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getDeviceScalings function due to improper neutralization of special elements in a SQL SELECT comma… |
| CVE-2026-40837 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getProjectScalings function due to improper neutralization of special elements in a SQL SELECT comm… |
| CVE-2026-40835 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the saveObjectFromData function due to improper neutralization of special elements in a SQL SELECT comm… |
| CVE-2026-40832 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getDevicegroups function due to improper neutralization of special elements in a SQL SELECT command… |
| CVE-2026-40831 |
medium |
6.5 |
6.5 |
|
|
|
10d ago |
A low privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the Easy View due to improper neutralization of special elements in a SQL SELECT command. This can resu… |
| CVE-2026-40830 |
medium |
5.5 |
5.5 |
|
|
|
10d ago |
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the admin.mbnetj.php files UpdateParam function due to improper neutralization of special elements in a… |
| CVE-2026-40829 |
medium |
5.5 |
5.5 |
|
|
|
10d ago |
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the view.html.php files UpdateParam function due to improper neutralization of special elements in a SQ… |
| CVE-2026-40828 |
medium |
5.5 |
5.5 |
|
|
|
10d ago |
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DeleteSysLogEntry function due to improper neutralization of special elements in a SQL DELETE comma… |
| CVE-2026-40827 |
medium |
5.5 |
5.5 |
|
|
|
10d ago |
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the _RemoveRequest function due to improper neutralization of special elements in a SQL DELETE command … |
| CVE-2026-40826 |
medium |
4.9 |
4.9 |
|
|
|
10d ago |
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the dsgvo_contracts view due to improper neutralization of special elements in a SQL SELECT command. Th… |
| CVE-2026-40825 |
medium |
5.5 |
5.5 |
|
|
|
10d ago |
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view devices parameter due to improper neutralization of special elements in a SQL UP… |
| CVE-2026-40824 |
medium |
5.5 |
5.5 |
|
|
|
10d ago |
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the accountstatus view userid parameter due to improper neutralization of special elements in a SQL UPD… |
| CVE-2026-40823 |
medium |
5.5 |
5.5 |
|
|
|
10d ago |
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DevSerialReset function due to improper neutralization of special elements in a SQL UPDATE command … |
| CVE-2026-40822 |
medium |
4.9 |
4.9 |
|
|
|
10d ago |
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the DevSerialReset function due to improper neutralization of special elements in a SQL SELECT command.… |
| CVE-2026-40821 |
medium |
4.9 |
4.9 |
|
|
|
10d ago |
A high privileged remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAccountByID function due to improper neutralization of special elements in a SQL SELECT command.… |
| CVE-2026-8042 |
medium |
6.4 |
6.4 |
|
|
|
10d ago |
The Github Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'repo' shortcode attribute in the 'github' shortcode in all versions up to, and including, 0.1 due to in… |
| CVE-2026-8942 |
medium |
4.3 |
4.3 |
|
|
|
10d ago |
The MetaMagic SEO Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6. This is due to missing or incorrect nonce validation on the metama… |
| CVE-2026-8906 |
medium |
6.1 |
6.1 |
|
|
|
10d ago |
The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function. This ma… |
| CVE-2026-3001 |
medium |
6.1 |
6.1 |
|
|
|
10d ago |
The Gutenverse plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 3.4.6 due to insufficient input sanitization and output… |
| CVE-2026-49001 |
medium |
5.3 |
5.3 |
|
|
|
10d ago |
Cross-site request forgery (CSRF) vulnerabilities allow attackers to exploit a user's authenticated session to forge cross-site requests, inducing the execution of unintended operations such as tampe… |
| CVE-2026-41704 |
medium |
5.0 |
5.0 |
|
|
|
11d ago |
AgentClient#handle_method (lines 264-303) processes every NATS reply. It calls inject_compile_log (line 273) on every response, which reads response['value']['result']['compile_log_id'] (line 332-338… |
| CVE-2026-3895 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `lvca_admin_ajax` AJAX action in all versions up to, and including, 3.9.4 due to… |
| CVE-2026-2030 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The WPBakery Page Builder Addons by Livemesh plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[lvca_carousel]` and `[lvca_posts_carousel]` shortcode attributes in all versio… |
| CVE-2026-7618 |
medium |
4.9 |
4.9 |
|
|
|
11d ago |
The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.4.5 due to in… |
| CVE-2026-3896 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `lsow_admin_ajax` AJAX action in all versions up to, and including, 3.9.2 due to missing auth… |
| CVE-2026-3897 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The Livemesh Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `labb_admin_ajax` AJAX action in all versions up to, and including, 3.9.2 due to missi… |
| CVE-2026-3279 |
medium |
6.5 |
6.5 |
|
|
|
11d ago |
The Enable jQuery Migrate Helper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `downgrade_jquery_version()` function in all versions… |
| CVE-2026-41009 |
medium |
5.8 |
5.8 |
|
|
|
11d ago |
When the director sends a long-running request (e.g. compile_package), the agent's reply JSON is consumed by AgentClient. inject_compile_log (line 332-339) reads response['value']['result']['compile_… |
| CVE-2026-8884 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The Instant-Quote.co Quotation Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.3.4 due to insufficient input sa… |
| CVE-2026-8867 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The Post Category Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'postcategorygallery' shortcode in versions up to, and including, 1.0.0. This is due to in… |
| CVE-2026-8899 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The Auto Thumbnail plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'thumbnails' shortcode in all versions up to, and including, 1.0. This is due to insufficient input saniti… |
| CVE-2026-8040 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The faq shortocde plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in the 'faq' shortcode in all versions up to, and including, 1.0 due to insuffi… |
| CVE-2026-8886 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The hk_shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title-plane' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitizatio… |
| CVE-2026-8708 |
medium |
4.3 |
4.3 |
|
|
|
11d ago |
The Genzel breadcrumbs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on the _options… |
| CVE-2026-8847 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The Dideo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'dideo' shortcode in version 1.0. This is due to insufficient input sanitization and output escaping on th… |
| CVE-2026-8844 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The Responsive Check plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rspcheck' shortcode in versions up to, and including, 0.0.3. This is due to insufficient input sanitiza… |
| CVE-2026-8707 |
medium |
6.1 |
6.1 |
|
|
|
11d ago |
The NS Product icon badge plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF in all versions up to, and including, 1.2.4 due to insufficient input sanitization and outp… |
| CVE-2026-9014 |
medium |
5.3 |
5.3 |
|
|
|
11d ago |
The WP Promoter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_stats() function in versions up to, and including, 1.3. The func… |
| CVE-2026-7614 |
medium |
4.3 |
4.3 |
|
|
|
11d ago |
The Old Posts Highlighter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the OPH… |
| CVE-2026-8760 |
critical |
9.8 |
9.8 |
|
|
|
11d ago |
The Login with OTP plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.6. This is due to an incomplete fix for CVE-2024-11178: the rate-limit/lockout c… |
| CVE-2026-8875 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The Easy Prism Syntax Highlighter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'code' (and 'c') shortcode in versions up to, and including, 1.0.2. This is due to… |
| CVE-2026-8894 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The iWR Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `iwrtooltip` shortcode in versions up to, and including, 1.0. This is due to insufficient input sani… |
| CVE-2026-8845 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The Islamic Database plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'islamicDB-roqya' shortcode in versions up to, and including, 1.0. This is due to insufficient input san… |
| CVE-2026-8873 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The Content Slideshow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 2.4.1 due to insufficient input sanitization and… |
| CVE-2026-8846 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The Tuxquote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'TUXQUOTE' shortcode in versions up to, and including, 1.3. This is due to insufficient input sanitization and o… |
| CVE-2026-8891 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The BitForm plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bitform' shortcode in versions up to, and including, 1.1.0. This is due to insufficient input sanitizat… |
| CVE-2026-8871 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The Formidable Kinetic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'kinetic_link' shortcode in versions up to, and including, 1.1.01. This is due to insufficient input s… |
| CVE-2026-8048 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The My Email Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subject' shortcode attribute in the 'my-email' shortcode in all versions up to, and including, 0.91 d… |
| CVE-2026-8872 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The Animate Your Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'animation-set' shortcode in versions up to, and including, 1.0.0. This is due to insuffici… |
| CVE-2026-8903 |
medium |
4.3 |
4.3 |
|
|
|
11d ago |
The Two-factor authentication (formerly IP Vault) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing or incorrect nonce… |
| CVE-2026-8869 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The Mutual Funds Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in versions up to, and including, 1.2.1. This is due to insufficient input … |
| CVE-2026-8911 |
medium |
6.1 |
6.1 |
|
|
|
11d ago |
The WP AutoBuzz plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. This is due to missing or incorrect nonce validation on a function. This … |
| CVE-2026-8898 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The Events In City plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'org-events' shortcode in versions up to, and including, 3.0. This is due to insufficient input sanitizati… |
| CVE-2026-8866 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The jQuery googleslides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'googleslides' shortcode in all versions up to, and including, 1.3. This is due to insufficient input… |
| CVE-2026-8943 |
medium |
4.3 |
4.3 |
|
|
|
11d ago |
The GoStats for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the gosta… |
| CVE-2026-8941 |
medium |
4.3 |
4.3 |
|
|
|
11d ago |
The CDN Linker lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.1. This is due to missing or incorrect nonce validation on the ossdl_off_opt… |
| CVE-2026-8701 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The GNTT Post Title Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the `title-ticker-slide`, `title-ticker-fade`, and `title-ticker-typing` shortcodes. Th… |
| CVE-2026-8887 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The Listen Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'listen' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization… |
| CVE-2026-8897 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The Shortcode Buddy plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 0.1.9.5 due to insufficient input sanitization and… |
| CVE-2026-8870 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The Team Master – A Modern WordPress Team Showcase plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.1.2 due to insuff… |
| CVE-2026-8702 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The GBI To Print plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0 via the 'div' attribute of the 'gbitoprint' shortcode. This is due to insufficient output escaping in… |
| CVE-2026-8938 |
medium |
4.3 |
4.3 |
|
|
|
11d ago |
The auto making JSON-LD plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.3. This is due to missing or incorrect nonce validation on the amJL_… |
| CVE-2026-8939 |
medium |
4.3 |
4.3 |
|
|
|
11d ago |
The Search Simple Fields plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on the search_sim… |
| CVE-2026-8842 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The Google+ Link Name plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gplusnamelink' shortcode in versions up to, and including, 1.0. This is due to insufficient input sani… |
| CVE-2026-8703 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The Endless Scroll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Shortcode Attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and ou… |
| CVE-2026-8868 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The Single Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'single-mailchimp' shortcode in all versions up to, and including, 1.4. This is due to insufficient inpu… |
| CVE-2026-8698 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The Cryptocurrency Prijsvergelijking Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting in version 1.0. This is due to insufficient output escaping in the as_get_coin_shortcode(… |
| CVE-2026-8837 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The WP Iframe Geo Style for Amazon affiliates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'adid' Shortcode Attribute in all versions up to, and including, 1.1 due to insuffi… |
| CVE-2026-8877 |
medium |
6.4 |
6.4 |
|
|
|
11d ago |
The Responsive Video Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rem_video' shortcode in versions up to, and including, 0.1. This is due to insufficient input … |
| CVE-2026-6287 |
medium |
5.4 |
5.4 |
|
|
|
11d ago |
The ShopLentor - WooCommerce Builder for Elementor & Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blockUniqId' block attribute in multiple Product Gride blocks… |
| CVE-2026-9236 |
medium |
4.3 |
4.3 |
|
|
|
11d ago |
The CM Ad Changer – A simple tool to control and optimize your site's banners plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.7. This is due… |