Total CVEs

141,292

Critical Severity

3,799

High Severity

13,738

Last 7 Days

1,830
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 8,781 - 8,800 of 13,828 CVEs
CVE-2026-4509 MEDIUM - 6.3

A security flaw has been discovered in PbootCMS up to 3.2.12. This affects an unknown function of the file core/function/file.php of the component File Upload. The manipulation of the argument black results in incomplete blacklist. The attack may be launched remotely. The exploit has been released t...

Published: Mar 21, 2026
Source: NVD
CVE-2026-4161 MEDIUM - 4.4

The Review Map by RevuKangaroo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level ...

Published: Mar 21, 2026
Source: NVD
CVE-2026-4143 MEDIUM - 4.3

The Neos Connector for Fakturama plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.0.14. This is due to missing nonce validation in the ncff_add_plugin_page() function which handles settings updates. This makes it possible for unauthenticated atta...

Published: Mar 21, 2026
Source: NVD
CVE-2026-4127 MEDIUM - 5.3

The Speedup Optimization plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.5.9. The `speedup01_ajax_enabled()` function, which handles the `wp_ajax_speedup01_enabled` AJAX action, does not perform any capability check via `current_user_can()` and also ...

Published: Mar 21, 2026
Source: NVD
CVE-2026-4087 MEDIUM - 6.5

The Pre* Party Resource Hints plugin for WordPress is vulnerable to SQL Injection via the 'hint_ids' parameter of the pprh_update_hints AJAX action in all versions up to, and including, 1.8.20. This is due to insufficient escaping on the user supplied parameter and lack of sufficient prepa...

Published: Mar 21, 2026
Source: NVD
CVE-2026-4086 MEDIUM - 6.4

The WP Random Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'cat', 'nocat', and 'text' shortcode attributes of the 'wp_random_button' shortcode in all versions up to, and including, 1.0. This is due to insufficient input sani...

Published: Mar 21, 2026
Source: NVD
CVE-2026-4084 MEDIUM - 6.4

The fyyd podcast shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fyyd-podcast', 'fyyd-episode', and 'fyyd' shortcodes in all versions up to, and including, 0.3.1. This is due to insufficient input sanitization and output escaping on...

Published: Mar 21, 2026
Source: NVD
CVE-2026-4077 MEDIUM - 6.4

The Ecover Builder For Dummies plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'ecover' shortcode in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping on the user-supplied '...

Published: Mar 21, 2026
Source: NVD
CVE-2026-4072 MEDIUM - 6.4

The WordPress PayPal Donation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'donate' shortcode in all versions up to, and including, 1.01. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'amou...

Published: Mar 21, 2026
Source: NVD
CVE-2026-4069 MEDIUM - 6.1

The Alfie – Feed Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'naam' parameter in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the alfie_option_page() function combined with insufficient input sanitization and outp...

Published: Mar 21, 2026
Source: NVD
CVE-2026-4067 MEDIUM - 6.4

The Ad Short plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ad' shortcode's 'client' attribute in all versions up to and including 2.0.1. This is due to insufficient input sanitization and output escaping on the 'client' shortcode attrib...

Published: Mar 21, 2026
Source: NVD
CVE-2026-4022 MEDIUM - 6.4

The Show Posts list – Easy designs, filters and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_type' shortcode attribute in the 'swiftpost-list' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and ...

Published: Mar 21, 2026
Source: NVD
CVE-2026-4004 MEDIUM - 6.5

The Task Manager plugin for WordPress is vulnerable to arbitrary shortcode execution via the 'search' AJAX action in all versions up to, and including, 3.0.2. This is due to missing capability checks in the callback_search() function and insufficient input validation that allows shortcode ...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3997 MEDIUM - 6.4

The Text Toggle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute of the [tt_part] and [tt] shortcodes in all versions up to and including 1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode ...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3996 MEDIUM - 6.4

The WP Games Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [game] shortcode in all versions up to and including 0.1beta. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'width', 'height&...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3651 MEDIUM - 5.3

The Build App Online plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.23. This is due to the plugin registering the 'build-app-online-update-vendor-product' AJAX action via wp_ajax_nopriv_ without proper authentication checks, capability v...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3645 MEDIUM - 5.3

The Punnel – Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.1. The save_config() function, which handles the 'punnel_save_config' AJAX action, lacks any capability check (current_user_can()) and nonce verification....

Published: Mar 21, 2026
Source: NVD
CVE-2026-3641 MEDIUM - 5.3

The Appmax plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 1.0.3. This is due to the plugin registering a public REST API webhook endpoint at /webhook-system without implementing webhook signature validation, secret verification, or any mechanism...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3619 MEDIUM - 6.4

The Sheets2Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'titles' shortcode attribute in the [sheets2table-render-table] shortcode in all versions up to and including 0.4.1. This is due to insufficient input sanitization and output escaping. Specifically, ...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3617 MEDIUM - 6.4

The Paypal Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'amount' and 'name' shortcode attributes in all versions up to, and including, 0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attribu...

Published: Mar 21, 2026
Source: NVD