Total CVEs

141,272

Critical Severity

3,795

High Severity

13,729

Last 7 Days

1,863
Showing 8,801 - 8,820 of 14,204 CVEs
CVE-2026-3347 MEDIUM - 5.5

The Multi Functional Flexi Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `arv_lb[message]` parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This is due to the `arv_lb_options_val()` sanitize callback ...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3335 MEDIUM - 5.3

The Canto plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.1.1 via the `/wp-content/plugins/canto/includes/lib/copy-media.php` file. This is due to the file being directly accessible without any authentication, authorization, or nonce checks, and th...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3333 MEDIUM - 6.4

The MinhNhut Link Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'linkgate' shortcode in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible ...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3332 MEDIUM - 4.3

The Xhanch - My Advanced Settings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing nonce validation in the `xms_setting()` function on the settings update handler. This makes it possible for unauthenticated attackers...

Published: Mar 21, 2026
Source: NVD
CVE-2026-3331 MEDIUM - 4.3

The Lobot Slider Administrator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.6.0. This is due to missing or incorrect nonce validation on the fourty_slider_options_page function. This makes it possible for unauthenticated attackers to modify plu...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2837 MEDIUM - 4.4

The Ricerca – advanced search plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's settings in all versions up to, and including, 1.1.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-l...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2723 MEDIUM - 6.1

The Post Snippits plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page handlers for saving, adding, and deleting snippets. This makes it possible for unauthenticated attackers to modif...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2720 MEDIUM - 6.5

The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of sensitive employee data due to a missing capability check on the `hrp-fetch-employees` AJAX action in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level acc...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2503 MEDIUM - 6.5

The ElementCamp plugin for WordPress is vulnerable to time-based SQL Injection via the 'meta_query[compare]' parameter in the 'tcg_select2_search_post' AJAX action in all versions up to, and including, 2.3.6. This is due to the user-supplied compare value being placed as an SQL o...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2501 MEDIUM - 6.4

The Ed's Social Share plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `social_share` shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2496 MEDIUM - 6.4

The Ed's Font Awesome plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `eds_font_awesome` shortcode in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it pos...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2427 MEDIUM - 6.1

The itsukaita plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'day_from' and 'day_to' parameters in all versions up to, and including, 0.1.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacke...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2424 MEDIUM - 4.4

The Reward Video Ad for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6. This is due to insufficient input sanitization and output escaping on plugin settings such as the 'Account ID', 'Message be...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2375 MEDIUM - 6.5

The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.5.10. This is due to the `verify_role()` function in `AuthTrails.php` explicitly whitelisting the `wcfm_vendor` role alongside `subs...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2351 MEDIUM - 6.5

The Task Manager plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.0.2 via the callback_get_text_from_url() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2294 MEDIUM - 4.3

The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'uip_save_global_settings' function in all versions up to, and including, 3.5.09. This makes it possible ...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2290 MEDIUM - 6.5

The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.28.0. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to initiate arbitrary outbound requests from the applicatio...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2277 MEDIUM - 6.1

The rexCrawler plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' and 'regex' parameters in the search-pattern tester page in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possib...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2121 MEDIUM - 4.4

The Weaver Show Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add_class' parameter in all versions up to, and including, 1.8.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for auth...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1935 MEDIUM - 4.3

The Company Posts for LinkedIn plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.0. This is due to a missing capability check on the `linkedin_company_post_reset_handler()` function hooked to `admin_post_reset_linkedin_company_post`. This makes it ...

Published: Mar 21, 2026
Source: NVD