Total CVEs

142,027

Critical Severity

3,943

High Severity

14,108

Last 7 Days

1,712
Showing 11,441 - 11,460 of 14,604 CVEs
CVE-2026-1646 MEDIUM - 6.4

The Advance Block Extend plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the TitleColor block attribute in the Latest Posts Gutenberg block in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authent...

Published: Feb 19, 2026
Source: NVD
CVE-2026-1455 MEDIUM - 4.3

The Whatsiplus Scheduled Notification for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'wsnfw_save_users_settings' AJAX action. This makes it possible for unauthentic...

Published: Feb 19, 2026
Source: NVD
CVE-2026-1373 MEDIUM - 6.4

The Easy Author Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'author_profile_picture_url' parameter in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, w...

Published: Feb 19, 2026
Source: NVD
CVE-2026-1055 MEDIUM - 4.4

The TalkJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.1.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above,...

Published: Feb 19, 2026
Source: NVD
CVE-2026-1047 MEDIUM - 4.4

The salavat counter Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'image_url' parameter in all versions up to, and including, 0.9.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with admini...

Published: Feb 19, 2026
Source: NVD
CVE-2026-1044 MEDIUM - 4.4

The Tennis Court Bookings plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissi...

Published: Feb 19, 2026
Source: NVD
CVE-2026-1043 MEDIUM - 4.4

The PostmarkApp Email Integrator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in versions up to, and including, 2.4. This is due to insufficient input sanitization and output escaping on the pma_api_key and pma_sender_address parameters. This makes it pos...

Published: Feb 19, 2026
Source: NVD
CVE-2026-0722 MEDIUM - 6.5

The Shield Security plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 21.0.8. This is due to the plugin allowing nonce verification to be bypassed via user-supplied parameter in the 'isNonceVerifyRequired' function. This makes it possibl...

Published: Feb 19, 2026
Source: NVD
CVE-2026-0561 MEDIUM - 6.1

The Shield Security plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'message' parameter in all versions up to, and including, 21.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbit...

Published: Feb 19, 2026
Source: NVD
CVE-2026-0556 MEDIUM - 6.4

The XO Event Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xo_event_field' shortcode in all versions up to, and including, 3.2.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possib...

Published: Feb 19, 2026
Source: NVD
CVE-2026-0549 MEDIUM - 6.4

The Groups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'groups_group_info' shortcode in all versions up to, and including, 3.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for a...

Published: Feb 19, 2026
Source: NVD
CVE-2025-14983 MEDIUM - 6.4

The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above...

Vendor: mattkeys
Product: Advanced Custom Fields: Font Awesome Field
Published: Feb 19, 2026
Source: NVD
CVE-2025-14864 MEDIUM - 4.3

The Virusdie - One-click website security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.7. This is due to missing capability checks on the `vd_get_apikey` function which is hooked to `wp_ajax_virusdie_apikey`. This makes it possible fo...

Vendor: virusdie
Product: Virusdie – One-click website security
Published: Feb 19, 2026
Source: NVD
CVE-2025-14851 MEDIUM - 6.4

The YaMaps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `yamap` shortcode parameters in all versions up to, and including, 0.6.40 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...

Vendor: yhunter
Product: YaMaps for WordPress Plugin
Published: Feb 19, 2026
Source: NVD
CVE-2025-14445 MEDIUM - 6.4

The Image Hotspot by DevVN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hotspot_content' custom field meta in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attacker...

Vendor: levantoan
Product: Image Hotspot by DevVN
Published: Feb 19, 2026
Source: NVD
CVE-2025-14427 MEDIUM - 4.3

The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `MfaEmailDisable` action in all versions up to, and including, 21.0.9. This makes it possible for authenti...

Vendor: paultgoodchild
Product: Shield: Blocks Bots, Protects Users, and Prevents Security Breaches
Published: Feb 19, 2026
Source: NVD
CVE-2025-14357 MEDIUM - 5.3

The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setup_widgets() function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. This makes it possible for authenticated attackers, wit...

Vendor: misbahwp
Product: Mega Store Woocommerce
Published: Feb 19, 2026
Source: NVD
CVE-2025-14342 MEDIUM - 4.3

The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the sq_ajax_uninstall function in all versions up to, and including, 12.4.14. This makes it possible for authenticated attackers, with Subscriber-level access a...

Vendor: cifi
Product: SEO Plugin by Squirrly SEO
Published: Feb 19, 2026
Source: NVD
CVE-2025-14294 MEDIUM - 5.3

The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials() permission callback always returning true, pro...

Vendor: razorpay
Product: Razorpay for WooCommerce
Published: Feb 19, 2026
Source: NVD
CVE-2025-14167 MEDIUM - 4.3

The Remove Post Type Slug plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to incorrect nonce validation logic that uses OR (||) instead of AND (&&), causing the validation to fail when the nonce field is not empty OR w...

Vendor: akshayshah5189
Product: Remove Post Type Slug
Published: Feb 19, 2026
Source: NVD