Total CVEs

141,292

Critical Severity

3,799

High Severity

13,738

Last 7 Days

1,830
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 8,801 - 8,820 of 13,828 CVEs
CVE-2026-3570 MEDIUM - 5.3

The Smarter Analytics plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.0. This is due to missing authentication and capability checks on the configuration reset functionality in the global scope of smarter-analytics.php. This makes it possible for una...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3554 MEDIUM - 6.4

The Sherk Custom Post Type Displays plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute in all versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping on the 'title' attribute of th...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3546 MEDIUM - 5.3

The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.2. The eshot_form_builder_get_account_data() function is registered as a wp_ajax_ AJAX handler accessible to all authenticated users. The function lacks any capabili...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3506 MEDIUM - 5.3

The WP-Chatbot for Messenger plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to overwrite the si...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3460 MEDIUM - 5.3

The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback (update_user_wechatshop_info_permissions_check) only validating that the supplied 'openid' parameter corres...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3354 MEDIUM - 4.4

The Wikilookup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Popup Width' setting in all versions up to, and including, 1.1.5. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administr...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3353 MEDIUM - 4.4

The Comment SPAM Wiper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'API Key' setting in all versions up to, and including, 1.2.1. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Admin...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3347 MEDIUM - 5.5

The Multi Functional Flexi Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `arv_lb[message]` parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This is due to the `arv_lb_options_val()` sanitize callback ...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3335 MEDIUM - 5.3

The Canto plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1 via the `/wp-content/plugins/canto/includes/lib/copy-media.php` file. This is due to the file being directly accessible without any authentication, authorization, or nonce checks, and th...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3333 MEDIUM - 6.4

The MinhNhut Link Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'linkgate' shortcode in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible ...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3332 MEDIUM - 4.3

The Xhanch - My Advanced Settings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation in the `xms_setting()` function on the settings update handler. This makes it possible for unauthenticated attackers...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3331 MEDIUM - 4.3

The Lobot Slider Administrator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.6.0. This is due to missing or incorrect nonce validation on the fourty_slider_options_page function. This makes it possible for unauthenticated attackers to modify plu...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2837 MEDIUM - 4.4

The Ricerca – advanced search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's settings in all versions up to, and including, 1.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-l...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2723 MEDIUM - 6.1

The Post Snippits plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page handlers for saving, adding, and deleting snippets. This makes it possible for unauthenticated attackers to modif...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2720 MEDIUM - 6.5

The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of sensitive employee data due to a missing capability check on the `hrp-fetch-employees` AJAX action in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level acc...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2503 MEDIUM - 6.5

The ElementCamp plugin for WordPress is vulnerable to time-based SQL Injection via the 'meta_query[compare]' parameter in the 'tcg_select2_search_post' AJAX action in all versions up to, and including, 2.3.6. This is due to the user-supplied compare value being placed as an SQL o...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2501 MEDIUM - 6.4

The Ed's Social Share plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `social_share` shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2496 MEDIUM - 6.4

The Ed's Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `eds_font_awesome` shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it pos...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2427 MEDIUM - 6.1

The itsukaita plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'day_from' and 'day_to' parameters in all versions up to, and including, 0.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacke...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2424 MEDIUM - 4.4

The Reward Video Ad for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6. This is due to insufficient input sanitization and output escaping on plugin settings such as the 'Account ID', 'Message be...

Published: Mar 21, 2026
Source: NVD