Total CVEs

142,250

Critical Severity

3,947

High Severity

14,209

Last 7 Days

1,911
Showing 12,021 - 12,040 of 14,674 CVEs
CVE-2026-1827 MEDIUM - 6.4

The Flask Micro code-editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's codeflask shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authe...

Published: Feb 11, 2026
Source: NVD
CVE-2026-1826 MEDIUM - 6.4

The OpenPOS Lite – Point of Sale for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter of the order_qrcode shortcode in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it pos...

Published: Feb 11, 2026
Source: NVD
CVE-2026-1821 MEDIUM - 6.4

The Microtango plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'restkey' parameter of the mt_reservation shortcode in all versions up to, and including, 0.9.29 due to insufficient input sanitization and output escaping. This makes it possible for authenticated att...

Published: Feb 11, 2026
Source: NVD
CVE-2026-1809 MEDIUM - 6.4

The HTML Tag Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attack...

Published: Feb 11, 2026
Source: NVD
CVE-2026-1804 MEDIUM - 6.4

The WDES Responsive Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wdes-popup-title' shortcode in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it p...

Published: Feb 11, 2026
Source: NVD
CVE-2026-1786 MEDIUM - 6.5

The Twitter posts to Blog plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'dg_tw_options' function in all versions up to, and including, 1.11.25. This makes it possible for unauthenticated attackers to update plugin settings ...

Published: Feb 11, 2026
Source: NVD
CVE-2026-1748 MEDIUM - 4.3

The Invoct – PDF Invoices & Billing for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level acces...

Published: Feb 11, 2026
Source: NVD
CVE-2026-1215 MEDIUM - 4.3

The MMA Call Tracking plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.3.15. This is due to missing nonce validation when saving plugin configuration on the `mma_call_tracking_menu` admin page. This makes it possible for unauthenticated attacke...

Published: Feb 11, 2026
Source: NVD
CVE-2026-0815 MEDIUM - 4.4

The Category Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag-image' parameter in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level acc...

Published: Feb 11, 2026
Source: NVD
CVE-2026-0724 MEDIUM - 4.4

The WPlyr Media Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_wplyr_accent_color' parameter in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for aut...

Published: Feb 11, 2026
Source: NVD
CVE-2025-10912 MEDIUM - 5.4

Authorization Bypass Through User-Controlled Key vulnerability in Saastech Cleaning and Internet Services Inc. TemizlikYolda allows Manipulating User-Controlled Variables. This issue affects TemizlikYolda: through 11022026. NOTE: The vendor was contacted early about this disclosure but did not respo...

Vendor: Saastech Cleaning and Internet Services Inc.
Product: TemizlikYolda
Published: Feb 11, 2026
Source: NVD
CVE-2026-1235 MEDIUM - 6.5

The WP eCommerce WordPress plugin through 3.15.1 unserializes user input via ajax actions, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the blog.

Published: Feb 11, 2026
Source: NVD
CVE-2025-15400 MEDIUM - 6.5

The Pix para Woocommerce WordPress plugin through 2.13.3 allows any authenticated user to trigger AJAX actions that reset payment gateway configuration options without capability or nonce checks. This permits any authenticated users, such as subscribers, to clear API credentials and webhook status, ...

Vendor: Unknown
Product: Pix para Woocommerce
Published: Feb 11, 2026
Source: NVD
CVE-2026-26079 MEDIUM - 4.7

Roundcube Webmail before 1.5.13 and 1.6 before 1.6.13 allows Cascading Style Sheets (CSS) injection, e.g., because comments are mishandled.

Vendor: Roundcube
Product: Webmail
Published: Feb 11, 2026
Source: NVD
CVE-2026-1893 MEDIUM - 6.4

The Orbisius Random Name Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btn_label' parameter in the 'orbisius_random_name_generator' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escap...

Published: Feb 11, 2026
Source: NVD
CVE-2026-1231 MEDIUM - 6.4

The Beaver Builder Page Builder – Drag and Drop Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `js` Global Settings parameter in all versions up to, and including, 2.10.0.5 due to missing capability checks on save_global_settings() function and insufficient...

Published: Feb 11, 2026
Source: NVD
CVE-2025-15524 MEDIUM - 4.3

The Gallery by FooGallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the ajax_get_gallery_info() function in all versions up to, and including, 3.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and abov...

Vendor: fooplugins
Product: Gallery by FooGallery
Published: Feb 11, 2026
Source: NVD
CVE-2025-13431 MEDIUM - 6.5

The SlimStat Analytics plugin for WordPress is vulnerable to time-based SQL Injection via the ‘args’ parameter in all versions up to, and including, 5.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible...

Vendor: veronalabs
Product: SlimStat Analytics
Published: Feb 11, 2026
Source: NVD
CVE-2026-25872 MEDIUM - 5.3

JUNG Smart Panel KNX firmware version L1.12.22 and prior contain an unauthenticated path traversal vulnerability in the embedded web interface. The application fails to properly validate file path input, allowing remote, unauthenticated attackers to access arbitrary files on the underlying filesyste...

Vendor: ALBRECHT JUNG GMBH & CO. KG
Product: JUNG Smart Panel 5.1 KNX
Published: Feb 10, 2026
Source: NVD
CVE-2026-25870 MEDIUM - 5.8

DoraCMS version 3.1 and prior contains a server-side request forgery (SSRF) vulnerability in its UEditor remote image fetch functionality. The application accepts user-supplied URLs and performs server-side HTTP or HTTPS requests without sufficient validation or destination restrictions. The impleme...

Vendor: doramart
Product: DoraCMS
Published: Feb 10, 2026
Source: NVD