Total CVEs

142,432

Critical Severity

3,972

High Severity

14,286

Last 7 Days

1,839
Quick preset (or use dates below)
Clear Filters
πŸ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years β†’
Showing 13,021 - 13,040 of 14,345 CVEs
CVE-2026-0687 MEDIUM - 4.3

The Meta-box GalleryMeta plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mb_gallery' custom post type in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Author-level access ...

Published: Jan 24, 2026
Source: NVD
CVE-2025-15516 MEDIUM - 4.3

The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and abov...

Vendor: plugins360
Product: All-in-One Video Gallery
Published: Jan 24, 2026
Source: NVD
CVE-2025-14907 MEDIUM - 4.3

The Moderate Selected Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing nonce verification on the msp_admin_page() function. This makes it possible for unauthenticated attackers to modify plugin settings via a for...

Vendor: hallsofmontezuma
Product: Moderate Selected Posts
Published: Jan 24, 2026
Source: NVD
CVE-2025-14630 MEDIUM - 4.3

The AdminQuickbar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.3. This is due to missing or incorrect nonce validation on the 'saveSettings' and 'renamePost' AJAX actions. This makes it possible for unauthenticated att...

Vendor: rtowebsites
Product: AdminQuickbar
Published: Jan 24, 2026
Source: NVD
CVE-2025-13205 MEDIUM - 4.3

The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing or incorrect nonce validation on the `SurveyJS_Clone...

Vendor: devsoftbaltic
Product: SurveyJS: Drag & Drop Form Builder
Published: Jan 24, 2026
Source: NVD
CVE-2025-13194 MEDIUM - 4.3

The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce verification on the 'SurveyJS_RenameSurve...

Vendor: devsoftbaltic
Product: SurveyJS: Drag & Drop Form Builder
Published: Jan 24, 2026
Source: NVD
CVE-2025-13139 MEDIUM - 4.3

The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. This makes it possible for unauthenticated attackers to ...

Vendor: devsoftbaltic
Product: SurveyJS: Drag & Drop Form Builder
Published: Jan 24, 2026
Source: NVD
CVE-2026-1103 MEDIUM - 5.4

The AIKTP plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the /aiktp/getToken REST API endpoint in all versions up to, and including, 5.0.04. The endpoint uses the 'verify_user_logged_in' as a permission callback, which only ch...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1099 MEDIUM - 6.4

The Administrative Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'login' and 'logout' shortcode attributes in all versions up to, and including, 0.3.4 due to insufficient input sanitization and output escaping. This makes it possible for aut...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1097 MEDIUM - 6.4

The ThemeRuby Multi Authors – Assign Multiple Writers to Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'before' and 'after' shortcode attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escapin...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1095 MEDIUM - 6.4

The Canto Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fx' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1088 MEDIUM - 4.3

The Login Page Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the devotion_loginform_process() AJAX action. This makes it possible for unauthenticated attackers to update the plugin's ...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1084 MEDIUM - 4.4

The Cookie consent for developers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple settings fields in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administra...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1081 MEDIUM - 4.3

The Set Bulk Post Categories plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the bulk category update functionality. This makes it possible for unauthenticated attackers to modify post categories i...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1076 MEDIUM - 4.3

The Star Review Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin's CSS settings via a forg...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1075 MEDIUM - 4.3

The ZT Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to improper nonce validation on the save_ztcpt_captcha_settings action where the nonce check can be bypassed by sending an empty token value. This makes it possibl...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1070 MEDIUM - 4.3

The Alex User Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0. This is due to missing nonce validation on the alex_user_counter_function() function. This makes it possible for unauthenticated attackers to update the plugin settings v...

Published: Jan 24, 2026
Source: NVD
CVE-2026-0806 MEDIUM - 4.9

The WP-ClanWars plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for a...

Published: Jan 24, 2026
Source: NVD
CVE-2025-14985 MEDIUM - 6.4

The Alpha Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the β€˜alpha_block_css’ parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level ac...

Vendor: robiulawal40
Product: Alpha Blocks
Published: Jan 24, 2026
Source: NVD
CVE-2025-14941 MEDIUM - 6.4

The GZSEO plugin for WordPress is vulnerable to authorization bypass leading to Stored Cross-Site Scripting in all versions up to, and including, 2.0.11. This is due to missing capability checks on multiple AJAX handlers combined with insufficient input sanitization and output escaping on the embed_...

Vendor: aminhashemy
Product: GZSEO
Published: Jan 24, 2026
Source: NVD