Total CVEs

142,398

Critical Severity

3,966

High Severity

14,271

Last 7 Days

1,827
Quick preset (or use dates below)
Clear Filters
Showing 13,021 - 13,040 of 14,713 CVEs
CVE-2026-1075 MEDIUM - 4.3

The ZT Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to improper nonce validation on the save_ztcpt_captcha_settings action where the nonce check can be bypassed by sending an empty token value. This makes it possibl...

Published: Jan 24, 2026
Source: NVD
CVE-2026-1070 MEDIUM - 4.3

The Alex User Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0. This is due to missing nonce validation on the alex_user_counter_function() function. This makes it possible for unauthenticated attackers to update the plugin settings v...

Published: Jan 24, 2026
Source: NVD
CVE-2026-0806 MEDIUM - 4.9

The WP-ClanWars plugin for WordPress is vulnerable to SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for a...

Published: Jan 24, 2026
Source: NVD
CVE-2025-14985 MEDIUM - 6.4

The Alpha Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the โ€˜alpha_block_cssโ€™ parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level ac...

Vendor: robiulawal40
Product: Alpha Blocks
Published: Jan 24, 2026
Source: NVD
CVE-2025-14941 MEDIUM - 6.4

The GZSEO plugin for WordPress is vulnerable to authorization bypass leading to Stored Cross-Site Scripting in all versions up to, and including, 2.0.11. This is due to missing capability checks on multiple AJAX handlers combined with insufficient input sanitization and output escaping on the embed_...

Vendor: aminhashemy
Product: GZSEO
Published: Jan 24, 2026
Source: NVD
CVE-2025-14906 MEDIUM - 4.3

The WP Youtube Video Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce verification on the wpYTVideoGallerySettingSave() function. This makes it possible for unauthenticated attackers to modify plugin sett...

Vendor: waqasvickey0071
Product: WP Youtube Video Gallery
Published: Jan 24, 2026
Source: NVD
CVE-2025-14903 MEDIUM - 4.3

The Simple Crypto Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2. This is due to missing nonce validation on the scs_backend function. This makes it possible for unauthenticated attackers to update plugin settings via a forged requ...

Vendor: stefanristic
Product: Simple Crypto Shortcodes
Published: Jan 24, 2026
Source: NVD
CVE-2025-14843 MEDIUM - 5.3

The Wizit Gateway for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Order Cancellation in all versions up to, and including, 1.2.9. This is due to a lack of authentication and authorization checks in the 'handle_checkout_redirecturl_response' function. This ma...

Vendor: wizit
Product: Wizit Gateway for WooCommerce
Published: Jan 24, 2026
Source: NVD
CVE-2025-14797 MEDIUM - 5.4

The Same Category Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget title placeholder functionality in all versions up to, and including, 1.1.19. This is due to the use of `htmlspecialchars_decode()` on taxonomy term names before output, which decodes HTML entiti...

Vendor: kometschuh
Product: Same Category Posts
Published: Jan 24, 2026
Source: NVD
CVE-2025-14629 MEDIUM - 5.3

The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary WordPress med...

Vendor: tandubhai
Product: Alchemist Ajax Upload
Published: Jan 24, 2026
Source: NVD
CVE-2025-14609 MEDIUM - 5.3

The Wise Analytics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.9. This is due to missing capability checks on the REST API endpoint '/wise-analytics/v1/report'. This makes it possible for unauthenticated attackers to access sensitiv...

Vendor: marcinlawrowski
Product: Wise Analytics
Published: Jan 24, 2026
Source: NVD
CVE-2025-13676 MEDIUM - 6.1

The JustClick registration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on the `PHP_SELF` server variable. This makes it possible for unauthenticated attackers to inj...

Vendor: ostin654
Product: JustClick registration plugin
Published: Jan 24, 2026
Source: NVD
CVE-2025-12836 MEDIUM - 6.4

The VK Google Job Posting Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Job Description field in versions up to, and including, 1.2.20 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated ...

Vendor: vektor-inc
Product: VK Google Job Posting Manager
Published: Jan 24, 2026
Source: NVD
CVE-2026-24401 MEDIUM - 6.5

Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical n...

Vendor: avahi
Product: avahi
Published: Jan 24, 2026
Source: NVD
CVE-2026-24127 MEDIUM - 5.4

Typemill is a flat-file, Markdown-based CMS designed for informational documentation websites. A reflected Cross-Site Scripting (XSS) exists in the login error view template `login.twig` of versions 2.19.1 and below. The `username` value can be echoed back without proper contextual encoding when aut...

Vendor: typemill
Product: typemill
Published: Jan 23, 2026
Source: NVD
CVE-2025-70458 MEDIUM - 5.4

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the DomainCheckerApp class within domain/script.js of Sourcecodester Domain Availability Checker v1.0. The vulnerability occurs because the application improperly handles user-supplied data in the createResultElement method by using the ...

Vendor: n/a
Product: n/a
Published: Jan 23, 2026
Source: NVD
CVE-2026-1386 MEDIUM - 6.0

A UNIX symbolic link following issue in the jailer component in Firecracker version v1.13.1 and earlier and 1.14.0 on Linux may allow a local host user with write access to the pre-created jailer directories to overwrite arbitrary host files via a symlink attack during the initialization copy at ja...

Vendor: amazon
Product: firecracker
Published: Jan 23, 2026
Source: NVD
CVE-2025-52023 MEDIUM - 5.3

A vulnerability in the PHP backend of gemscms.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. This occurs when specially crafted HTTP GET/POST requests are sent to public API ...

Vendor: n/a
Product: n/a
Published: Jan 23, 2026
Source: NVD
CVE-2025-52022 MEDIUM - 5.3

A vulnerability in the PHP backend of gemsloyalty.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. This occurs when specially crafted HTTP GET/POST requests are sent to public ...

Vendor: n/a
Product: n/a
Published: Jan 23, 2026
Source: NVD
CVE-2026-24422 MEDIUM - 5.3

phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by default, returning r...

Vendor: composer
Product: phpmyfaq/phpmyfaq
Published: Jan 23, 2026
Source: GitHub