Search Results (14083 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-12937 2 Themefic, Wordpress 2 Tourfic – Ai Powered Travel Booking, Hotel Booking & Car Rental Wordpress Plugin, Wordpress 2026-06-26 7.5 High
The Tourfic – AI Powered Travel Booking, Hotel Booking & Car Rental WordPress Plugin plugin for WordPress is vulnerable to generic SQL Injection via the 'post_id' parameter in all versions up to, and including, 2.22.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The AJAX handler is registered for unauthenticated users via wp_ajax_nopriv_tf_room_availability, and the required nonce is emitted on the public single-hotel page template, allowing unauthenticated attackers to freely obtain a valid nonce and reach the vulnerable code path.
CVE-2026-54838 2 Rymera Web Co, Wordpress 2 Wc Vendors Marketplace, Wordpress 2026-06-26 8.5 High
Subscriber SQL Injection in WC Vendors Marketplace <= 2.6.8 versions.
CVE-2026-54843 2 Pluginus.net, Wordpress 2 Mdtf, Wordpress 2026-06-26 9.3 Critical
Unauthenticated SQL Injection in MDTF <= 1.3.7 versions.
CVE-2026-54845 2 Pluginus.net, Wordpress 2 Mdtf, Wordpress 2026-06-26 8.1 High
Unauthenticated Local File Inclusion in MDTF <= 1.3.8 versions.
CVE-2026-57429 2 Elightup, Wordpress 2 Slim Seo, Wordpress 2026-06-26 6.5 Medium
Contributor Broken Access Control in Slim SEO <= 4.6.2 versions.
CVE-2026-54836 2 Wordpress, Ymc 2 Wordpress, Ymc Filter 2026-06-26 9.3 Critical
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YMC Filter allows SQL Injection. This issue affects YMC Filter: from n/a through 3.11.5.
CVE-2026-9278 2 Formbuilder Project, Wordpress 2 Formbuilder, Wordpress 2026-06-26 5.4 Medium
The Form Builder CP WordPress plugin before 1.2.47 does not properly sanitize a form configuration value before storing it and using it as part of a client-side script execution, allowing authenticated users with Editor-level access and above to perform Stored Cross-Site Scripting attacks against any visitor of a page rendering the affected form, even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network).
CVE-2026-49111 2 Themegrill, Wordpress 2 Masteriyo, Wordpress 2026-06-26 8.8 High
Incorrect Privilege Assignment vulnerability in ThemeGrill Masteriyo - LMS allows Privilege Escalation. This issue affects Masteriyo - LMS: from n/a through 2.2.0.
CVE-2026-48969 2 Really-simple-plugins, Wordpress 2 Really Simple Ssl, Wordpress 2026-06-26 6.5 Medium
Subscriber Broken Access Control in Really Simple SSL <= 9.5.9 versions.
CVE-2025-64215 2 Stylemixthemes, Wordpress 2 Masterstudy Lms, Wordpress 2026-06-26 6.5 Medium
Missing Authorization vulnerability in StylemixThemes MasterStudy LMS Pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects MasterStudy LMS Pro: from n/a before 4.7.16.
CVE-2026-9691 2 Crm Perks, Wordpress 2 Integration For Mailchimp And Contact Form 7, Wpforms, Elementor, Ninja Forms, Wordpress 2026-06-26 9.8 Critical
Unauthenticated PHP Object Injection in Integration for ActiveCampaign and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 versions.
CVE-2026-24637 2 Blubrry, Wordpress 2 Powerpress Podcasting, Wordpress 2026-06-26 8.5 High
Contributor SQL Injection in PowerPress Podcasting <= 11.15.10 versions.
CVE-2026-27053 2 Videowhisper, Wordpress 2 Broadcast Live Video, Wordpress 2026-06-26 9.8 Critical
Unauthenticated PHP Object Injection in Broadcast Live Video < 7.1.3 versions.
CVE-2026-27407 2 Meowapps, Wordpress 2 Ai Engine, Wordpress 2026-06-26 7.2 High
Editor Privilege Escalation in AI Engine <= 3.4.9 versions.
CVE-2026-39450 2 Funnelkit, Wordpress 2 Funnelkit Automations, Wordpress 2026-06-26 7.1 High
Subscriber Broken Authentication in FunnelKit Automations <= 3.7.3 versions.
CVE-2026-39515 2 Stylemix, Wordpress 2 Motors, Wordpress 2026-06-26 6.5 Medium
Subscriber Broken Access Control in Motors < 1.4.107 versions.
CVE-2026-39518 2 Theeventprime, Wordpress 2 Eventprime, Wordpress 2026-06-26 7.1 High
Subscriber Insecure Direct Object References (IDOR) in EventPrime <= 4.3.0.0 versions.
CVE-2026-39524 2 Themegrill, Wordpress 2 Masteriyo, Wordpress 2026-06-26 7.5 High
Unauthenticated Broken Access Control in Masteriyo - LMS <= 2.1.5 versions.
CVE-2026-39532 2 Stiofansisland, Wordpress 2 Events Calendar For Geodirectory, Wordpress 2026-06-26 8.8 High
Contributor PHP Object Injection in Events Calendar for GeoDirectory <= 2.3.25 versions.
CVE-2026-39534 2 Wordpress, Wpdirectorykit 2 Wordpress, Wp Directory Kit 2026-06-26 7.5 High
Unauthenticated Broken Access Control in WP Directory Kit <= 1.5.0 versions.