Total CVEs

141,292

Critical Severity

3,799

High Severity

13,738

Last 7 Days

1,830
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 8,821 - 8,840 of 13,828 CVEs
CVE-2026-2375 MEDIUM - 6.5

The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 5.5.10. This is due to the `verify_role()` function in `AuthTrails.php` explicitly whitelisting the `wcfm_vendor` role alongside `subs...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2351 MEDIUM - 6.5

The Task Manager plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.0.2 via the callback_get_text_from_url() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2294 MEDIUM - 4.3

The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'uip_save_global_settings' function in all versions up to, and including, 3.5.09. This makes it possible ...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2290 MEDIUM - 6.5

The Post Affiliate Pro plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.28.0. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to initiate arbitrary outbound requests from the applicatio...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2277 MEDIUM - 6.1

The rexCrawler plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' and 'regex' parameters in the search-pattern tester page in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possib...

Published: Mar 21, 2026
Source: NVD
CVE-2026-2121 MEDIUM - 4.4

The Weaver Show Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'add_class' parameter in all versions up to, and including, 1.8.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for auth...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1935 MEDIUM - 4.3

The Company Posts for LinkedIn plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.0. This is due to a missing capability check on the `linkedin_company_post_reset_handler()` function hooked to `admin_post_reset_linkedin_company_post`. This makes it ...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1914 MEDIUM - 6.4

The FuseDesk plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fusedesk_newcase shortcode in all versions up to, and including, 6.8 due to insufficient input sanitization and output escaping on the 'emailtext' attribute. This makes it possible for auth...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1911 MEDIUM - 6.4

The Twitter Feeds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tweet_title' parameter in the 'TwitterFeeds' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for a...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1908 MEDIUM - 6.4

The Integration with Hubspot Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hubspotform' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible fo...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1899 MEDIUM - 6.4

The Any Post Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aps_slider shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on the 'post_type' attribute. This makes it possible for a...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1891 MEDIUM - 6.4

The Simple Football Scoreboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ytmr_fb_scoreboard' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible f...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1889 MEDIUM - 6.4

The Outgrow plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' attribute of the 'outgrow' shortcode in all versions up to, and including, 2.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1886 MEDIUM - 6.4

The Go Night Pro | WordPress Dark Mode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'go-night-pro-shortcode' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on the user-supplied ...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1854 MEDIUM - 6.4

The Post Flagger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'flag' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1851 MEDIUM - 6.4

The iVysilani Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' shortcode attribute in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contr...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1822 MEDIUM - 6.4

The WP NG Weather plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ng-weather' shortcode in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for au...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1806 MEDIUM - 6.4

The Tour & Activity Operator Plugin for TourCMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'target' parameter of the tourcms_doc_link shortcode in all versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping. This ma...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1647 MEDIUM - 6.1

The Comment Genius plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to i...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1575 MEDIUM - 6.4

The Schema Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `itemscope` shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...

Published: Mar 21, 2026
Source: NVD