Total CVEs: 142,027
Critical Severity: 3,943
High Severity: 14,108
Last 7 Days: 1,699
Showing Year: 2026 (January 1 - December 31, 2026)
Showing 11,581 - 11,600 of 14,221 CVEs
CVE-2026-2633 MEDIUM - 4.3

The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.6.1. This is due to a missing capability check in the `process_image_data_ajax_callback()` function which handles the `kadence_import_process_image_data` AJA...

Published: Feb 18, 2026
Source: NVD
CVE-2026-2281 MEDIUM - 4.4

The Private Comment plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Label text' setting in all versions up to, and including, 0.0.4. This is due to insufficient input sanitization and output escaping on the plugin's label text option. This makes it possible ...

Published: Feb 18, 2026
Source: NVD
CVE-2026-1857 MEDIUM - 4.3

The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.6.1. This is due to insufficient validation of the `endpoint` parameter in the `get_items()` function of the GetResponse REST API handler. The endpoint...

Published: Feb 18, 2026
Source: NVD
CVE-2026-1807 MEDIUM - 6.4

The InteractiveCalculator for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'interactivecalculator' shortcode in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping on user supplied attribut...

Published: Feb 18, 2026
Source: NVD
CVE-2026-1666 MEDIUM - 6.1

The Download Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'redirect_to' parameter in all versions up to, and including, 3.3.46. This is due to insufficient input sanitization and output escaping on the 'redirect_to' GET parameter in the log...

Published: Feb 18, 2026
Source: NVD
CVE-2026-1640 MEDIUM - 4.3

The Taskbuilder – WordPress Project Management & Task Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.0.2. This is due to missing authorization checks on the project and task comment submission functions (AJAX actions: wppm_submit_pro...

Published: Feb 18, 2026
Source: NVD
CVE-2026-2023 MEDIUM - 4.3

The WP Plugin Info Card plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0. This is due to missing nonce validation in the ajax_save_custom_plugin() function, which is disabled by prefixing the check with 'false &&'. This ma...

Published: Feb 18, 2026
Source: NVD
CVE-2026-1906 MEDIUM - 4.3

The PDF Invoices & Packing Slips for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.0 via the `wpo_ips_edi_save_order_customer_peppol_identifiers` AJAX action due to missing capability checks and order ownership valida...

Published: Feb 18, 2026
Source: NVD
CVE-2026-1639 MEDIUM - 6.5

The Taskbuilder – WordPress Project Management & Task Management plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order' and 'sort_by' parameters in all versions up to, and including, 5.0.2 due to insufficient escaping on the user supplied paramet...

Published: Feb 18, 2026
Source: NVD
CVE-2026-1304 MEDIUM - 4.4

The Membership Plugin – Restrict Content for WordPress is vulnerable to Stored Cross-Site Scripting via multiple invoice settings fields in all versions up to, and including, 3.2.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with a...

Published: Feb 18, 2026
Source: NVD
CVE-2026-1072 MEDIUM - 4.3

The Keybase.io Verification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.5. This is due to missing nonce validation when updating plugin settings. This makes it possible for unauthenticated attackers to update the Keybase verification tex...

Published: Feb 18, 2026
Source: NVD
CVE-2025-12356 MEDIUM - 4.3

The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_change_ticket_status' AJAX endpoint in all versions up to, and including, 3.5.6.4. This makes it possible for authenticat...

Vendor: tickera
Product: Tickera – Sell Tickets & Manage Events
Published: Feb 18, 2026
Source: NVD
CVE-2025-12122 MEDIUM - 6.4

The Popup Box – Easily Create WordPress Popups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'iframeBox' shortcode in all versions up to, and including, 3.2.12 due to insufficient input sanitization and output escaping on user supplied attributes. ...

Vendor: wpcalc
Product: Popup Box – Easily Create WordPress Popups
Published: Feb 18, 2026
Source: NVD
CVE-2025-11737 MEDIUM - 6.4

The VK All in One Expansion Unit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'vkExUnit_sns_title' parameter in all versions up to, and including, 9.112.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attac...

Vendor: kurudrive
Product: VK All in One Expansion Unit
Published: Feb 18, 2026
Source: NVD
CVE-2026-1925 MEDIUM - 4.3

The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'update_template_data' function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attac...

Published: Feb 18, 2026
Source: NVD
CVE-2026-1296 MEDIUM - 6.1

The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to Open Redirection in all versions up to, and including, 1.2.7 due to insufficient validation on the 'requested_page' POST parameter in the verify_username_password function. This makes it possible for unauthenti...

Published: Feb 18, 2026
Source: NVD
CVE-2026-1277 MEDIUM - 4.7

The URL Shortify plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.12.1 due to insufficient validation on the 'redirect_to' parameter in the promotional dismissal handler. This makes it possible for unauthenticated attackers to redirect users to po...

Published: Feb 18, 2026
Source: NVD
CVE-2025-6460 MEDIUM - 6.4

The Display During Conditional Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘message’ parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contri...

Published: Feb 18, 2026
Source: NVD
CVE-2025-13959 MEDIUM - 6.4

The Filestack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'filepicker' shortcode in all versions up to, and including, 2.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authen...

Vendor: shanaver
Product: Filestack
Published: Feb 18, 2026
Source: NVD
CVE-2025-12075 MEDIUM - 4.3

The Order Splitter for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wos_troubleshooting' AJAX endpoint in all versions up to, and including, 5.3.5. This makes it possible for authenticated attackers, with Subscriber...

Vendor: fahadmahmood
Product: Order Splitter for WooCommerce
Published: Feb 18, 2026
Source: NVD