Total CVEs

141,272

Critical Severity

3,795

High Severity

13,729

Last 7 Days

1,863
Showing 8,781 - 8,800 of 14,204 CVEs
CVE-2026-4077 MEDIUM - 6.4

The Ecover Builder For Dummies plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'ecover' shortcode in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping on the user-supplied '...

Published: Mar 21, 2026
Source: NVD
CVE-2026-4072 MEDIUM - 6.4

The WordPress PayPal Donation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'donate' shortcode in all versions up to, and including, 1.01. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'amou...

Published: Mar 21, 2026
Source: NVD
CVE-2026-4069 MEDIUM - 6.1

The Alfie – Feed Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'naam' parameter in all versions up to, and including, 1.2.1. This is due to missing nonce validation on the alfie_option_page() function combined with insufficient input sanitization and outp...

Published: Mar 21, 2026
Source: NVD
CVE-2026-4067 MEDIUM - 6.4

The Ad Short plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ad' shortcode's 'client' attribute in all versions up to and including 2.0.1. This is due to insufficient input sanitization and output escaping on the 'client' shortcode attrib...

Published: Mar 21, 2026
Source: NVD
CVE-2026-4022 MEDIUM - 6.4

The Show Posts list – Easy designs, filters and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_type' shortcode attribute in the 'swiftpost-list' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and ...

Published: Mar 21, 2026
Source: NVD
CVE-2026-4004 MEDIUM - 6.5

The Task Manager plugin for WordPress is vulnerable to arbitrary shortcode execution via the 'search' AJAX action in all versions up to, and including, 3.0.2. This is due to missing capability checks in the callback_search() function and insufficient input validation that allows shortcode ...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3997 MEDIUM - 6.4

The Text Toggle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute of the [tt_part] and [tt] shortcodes in all versions up to and including 1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode ...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3996 MEDIUM - 6.4

The WP Games Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [game] shortcode in all versions up to and including 0.1beta. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'width', 'height'...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3651 MEDIUM - 5.3

The Build App Online plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.0.23. This is due to the plugin registering the 'build-app-online-update-vendor-product' AJAX action via wp_ajax_nopriv_ without proper authentication checks, capability v...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3645 MEDIUM - 5.3

The Punnel – Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.1. The save_config() function, which handles the 'punnel_save_config' AJAX action, lacks any capability check (current_user_can()) and nonce verification....

Published: Mar 21, 2026
Source: NVD
CVE-2026-3641 MEDIUM - 5.3

The Appmax plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 1.0.3. This is due to the plugin registering a public REST API webhook endpoint at /webhook-system without implementing webhook signature validation, secret verification, or any mechanism...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3619 MEDIUM - 6.4

The Sheets2Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'titles' shortcode attribute in the [sheets2table-render-table] shortcode in all versions up to and including 0.4.1. This is due to insufficient input sanitization and output escaping. Specifically, ...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3617 MEDIUM - 6.4

The Paypal Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'amount' and 'name' shortcode attributes in all versions up to, and including, 0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attribu...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3570 MEDIUM - 5.3

The Smarter Analytics plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.0. This is due to missing authentication and capability checks on the configuration reset functionality in the global scope of smarter-analytics.php. This makes it possible for una...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3554 MEDIUM - 6.4

The Sherk Custom Post Type Displays plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in all versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping on the 'title' attribute of th...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3546 MEDIUM - 5.3

The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.2. The eshot_form_builder_get_account_data() function is registered as a wp_ajax_ AJAX handler accessible to all authenticated users. The function lacks any capabili...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3506 MEDIUM - 5.3

The WP-Chatbot for Messenger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the si...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3460 MEDIUM - 5.3

The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback (update_user_wechatshop_info_permissions_check) only validating that the supplied 'openid' parameter corres...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3354 MEDIUM - 4.4

The Wikilookup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Popup Width' setting in all versions up to, and including, 1.1.5. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administr...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3353 MEDIUM - 4.4

The Comment SPAM Wiper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' setting in all versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Admin...

Published: Mar 21, 2026
Source: NVD