Search

Search Results (363061 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-13251 2 Perfmatters, Wordpress 2 Perfmatters, Wordpress 2026-07-02 7.5 High
The Perfmatters plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.6.4 via the 's' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. Exploitation requires the Local Google Fonts feature to be enabled (disabled by default), pretty permalinks to be active, and RSS feed links to remain enabled in the plugin settings.
CVE-2026-9145 2 Crmperks, Wordpress 2 Database For Contact Form 7, Wpforms, Elementor Forms, Wordpress 2026-07-02 6.5 Medium
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to Arbitrary File Copy via the create_entry_el() function in versions up to, and including, 1.5.1. The function reads raw_value from Elementor Pro's Form_Record object for upload-type fields and passes it directly to PHP's copy() without validating that the value corresponds to a legitimately uploaded file — when no file is present in $_FILES, raw_value reflects the attacker-controlled POST string. copy() accepts both local filesystem paths and URL sources, so the attacker can target any file readable by the PHP process or supply an attacker-controlled remote URL. Elementor Pro is a prerequisite for triggering the code path (it owns the elementor_pro/forms/new_record hook and populates the Form_Record object), but the bug itself is entirely in Contact Form Entries' handler. This could allow unauthenticated attackers to disclose arbitrary files on the affected site's server. The file is copied to a directory unknown to the attacker; the hashed directory name provides defense-in-depth but is generated from non-cryptographic sources (uniqid() + rand()) and should not be relied upon as the primary mitigation.
CVE-2025-69133 2 Goodlayers, Wordpress 2 Tour Master, Wordpress 2026-07-02 7.5 High
Subscriber Local File Inclusion in Tourmaster <= 5.4.5 versions.
CVE-2025-69156 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Kids Zone - Children WordPress Theme <= 5.4 versions.
CVE-2026-27414 2026-07-02 8.8 High
Contributor PHP Object Injection in Werkstatt <= 4.8.3 versions.
CVE-2026-27436 2026-07-02 9.1 Critical
Editor Arbitrary Code Execution in Five Star Business Profile and Schema <= 2.3.19 versions.
CVE-2026-57344 2 Radiustheme, Wordpress 2 Classified Listing, Wordpress 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Classified Listing <= 5.4.2 versions.
CVE-2026-57351 2 Haktansuren, Wordpress 2 Handl Utm Grabber, Wordpress 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in HandL UTM Grabber <= 2.9.2 versions.
CVE-2026-57357 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in Search Atlas SEO <= 2.6.6 versions.
CVE-2026-57366 2 Greg Winiarski, Wordpress 2 Wpadverts, Wordpress 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in WPAdverts <= 2.3.1 versions.
CVE-2026-57669 2026-07-02 6.5 Medium
Subscriber Broken Access Control in Advanced Contact form 7 DB <= 2.0.9 versions.
CVE-2026-57675 2 Jacob N. Breetvelt, Wordpress 2 Wp Photo Album Plus, Wordpress 2026-07-02 7.1 High
Unauthenticated Cross Site Scripting (XSS) in WP Photo Album Plus <= 9.2.02.004 versions.
CVE-2026-57683 2026-07-02 9.3 Critical
Unauthenticated SQL Injection in WP Fast Total Search <= 1.80.280 versions.
CVE-2026-57689 2026-07-02 4.3 Medium
Subscriber Broken Access Control in Werkstatt <= 4.7.2 versions.
CVE-2026-57748 2026-07-02 7.5 High
Contributor Local File Inclusion in Shopify <= 1.0.0 versions.
CVE-2026-57754 2026-07-02 6.5 Medium
Contributor Cross Site Scripting (XSS) in Livemesh Addons for WPBakery Page Builder <= 3.9.4 versions.
CVE-2026-57761 2026-07-02 7.1 High
Unauthenticated Cross Site Request Forgery (CSRF) in SEOWP <= 3.12.2 versions.
CVE-2026-56037 2026-07-02 8.8 High
Deserialization of Untrusted Data vulnerability in Themify Themify Popup allows Object Injection. This issue affects Themify Popup: from n/a through 1.4.3.
CVE-2026-54404 2026-07-02 8.8 High
A malicious actor with access to the network and low privileges could exploit a series of authenticated SQL Injection vulnerabilities found in UniFi OS to escalate privileges within such UniFi OS devices or instances.
CVE-2026-55110 2026-07-02 7.5 High
A malicious actor who lures an authenticated user to a malicious page could exploit a Cross-Origin Resource Sharing (CORS) misconfiguration found in UniFi OS to trigger actions in UniFi OS using that user's session.