Total CVEs: 142,027
Critical Severity: 3,943
High Severity: 14,108
Last 7 Days: 1,702
CVE-2026-0557 MEDIUM - 6.4

The WP Data Access plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpda_app' shortcode in all versions up to, and including, 5.5.63 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for au...

Published: Feb 14, 2026
Source: NVD
CVE-2025-6792 MEDIUM - 5.3

The One to one user Chat by WPGuppy plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the /wp-json/guppylite/v2/channel-authorize rest endpoint in all versions up to, and including, 1.1.4. This makes it possible for unauthenticated attackers to in...

Published: Feb 14, 2026
Source: NVD
CVE-2025-15483 MEDIUM - 4.4

The Link Hopper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘hop_name’ parameter in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to...

Vendor: ajferg
Product: Link Hopper
Published: Feb 14, 2026
Source: NVD
CVE-2025-14873 MEDIUM - 4.3

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. This is due to the 'call_by_route_name' function in the routing layer only validating user capabilities without ...

Vendor: latepoint
Product: LatePoint – Calendar Booking Plugin for Appointments and Events
Published: Feb 14, 2026
Source: NVD
CVE-2025-14852 MEDIUM - 4.3

The MDirector Newsletter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.5.8. This is due to missing nonce verification on the mdirectorNewsletterSave function. This makes it possible for unauthenticated attackers to update the plugin's s...

Vendor: antevenio
Product: MDirector Newsletter
Published: Feb 14, 2026
Source: NVD
CVE-2026-1932 MEDIUM - 5.3

The Appointment Booking Calendar Plugin – Bookr plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update-appointment REST API endpoint in all versions up to, and including, 1.0.2. This makes it possible for unauthenticated attackers to m...

Published: Feb 14, 2026
Source: NVD
CVE-2026-2027 MEDIUM - 4.4

The AMP Enhancer – Compatibility Layer for Official AMP Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the AMP Custom CSS setting in all versions up to, and including, 1.0.49 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it ...

Published: Feb 14, 2026
Source: NVD
CVE-2026-1983 MEDIUM - 4.3

The SEATT: Simple Event Attendance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.0. This is due to missing nonce validation on the event deletion functionality. This makes it possible for unauthenticated attackers to delete arbitrary event...

Published: Feb 14, 2026
Source: NVD
CVE-2026-1912 MEDIUM - 6.4

The Citations tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in the 'ctdoi' shortcode in all versions up to, and including, 0.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes i...

Published: Feb 14, 2026
Source: NVD
CVE-2026-1904 MEDIUM - 6.4

The Simple Wp colorfull Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in the 'accordion' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible ...

Published: Feb 14, 2026
Source: NVD
CVE-2026-1754 MEDIUM - 6.1

The personal-authors-category plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL path in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scrip...

Published: Feb 14, 2026
Source: NVD
CVE-2026-1164 MEDIUM - 6.1

The Easy Voice Mail plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘message’ parameter in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level acces...

Published: Feb 14, 2026
Source: NVD
CVE-2025-14608 MEDIUM - 5.3

The WP Last Modified Info plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.9.5. This is due to the plugin not validating a user's access to a post before modifying its metadata in the 'bulk_save' AJAX action. This makes it ...

Vendor: infosatech
Product: WP Last Modified Info
Published: Feb 14, 2026
Source: NVD
CVE-2025-14067 MEDIUM - 5.3

The Easy Form Builder plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple AJAX actions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sens...

Vendor: hassantafreshi
Product: Easy Form Builder by WhiteStudio — Drag & Drop Form Builder
Published: Feb 14, 2026
Source: NVD
CVE-2025-13973 MEDIUM - 5.3

The StickEasy Protected Contact Form plugin for WordPress is vulnerable to Sensitive Information Disclosure in all versions up to, and including, 1.0.2. The plugin stores spam detection logs at a predictable publicly accessible location (wp-content/uploads/stickeasy-protected-contact-form/spcf-log.t...

Vendor: kasuga16
Product: StickEasy Protected Contact Form
Published: Feb 14, 2026
Source: NVD
CVE-2025-13681 MEDIUM - 4.9

The BFG Tools – Extension Zipper plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0.7. This is due to insufficient input validation on the user-supplied `first_file` parameter in the `zip()` function. This makes it possible for authenticated attackers, wit...

Vendor: thebaldfatguy
Product: BFG Tools – Extension Zipper
Published: Feb 14, 2026
Source: NVD
CVE-2026-26269 MEDIUM - 5.4

Vim is an open source, command line text editor. Prior to 9.1.2148, a stack buffer overflow vulnerability exists in Vim's NetBeans integration when processing the specialKeys command, affecting Vim builds that enable and use the NetBeans feature. The Stack buffer overflow exists in special_keys...

Vendor: vim
Product: vim
Published: Feb 13, 2026
Source: NVD
CVE-2026-25964 MEDIUM - 4.9

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.5.1, a Path Traversal vulnerability in the RecipeImport workflow of Tandoor Recipes allows authenticated users with import permissions to read arbitrary files on the server. This vulnerabi...

Vendor: TandoorRecipes
Product: recipes
Published: Feb 13, 2026
Source: NVD
CVE-2026-21870 MEDIUM - 5.5

BACnet Protocol Stack library provides a BACnet application layer, network layer and media access (MAC) layer communications services. In 1.4.2, 1.5.0.rc2, and earlier, an off-by-one stack-based buffer overflow in the ubasic interpreter causes a crash (SIGABRT) when processing string literals longer...

Vendor: bacnet-stack
Product: bacnet-stack
Published: Feb 13, 2026
Source: NVD
CVE-2025-66676 MEDIUM - 6.2

An issue in IObit Unlocker v1.3.0.11 allows attackers to cause a Denial of Service (DoS) via a crafted request.

Published: Feb 13, 2026
Source: NVD