Skip to main content
CVE-2026-24420 MEDIUM POC PATCH This Month

Authenticated users in phpMyFAQ 4.0.16 and below can bypass permission checks to download FAQ attachments they should not have access to, due to improper validation of authorization tokens in attachment.php and flawed permission logic. An attacker with valid credentials but without the dlattachment permission can exploit this to retrieve sensitive attachment content. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP Phpmyfaq
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24421 MEDIUM POC PATCH This Month

phpMyFAQ versions 4.0.16 and below allow authenticated users to access the backup API endpoint without proper authorization checks, enabling them to download configuration files containing sensitive data. The vulnerability stems from incomplete authorization validation in SetupController.php, which only verifies authentication rather than admin permissions. Public exploit code exists for this issue, and no patch is currently available.

PHP Phpmyfaq
NVD GitHub Exploit-DB VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24128 MEDIUM POC PATCH This Month

Reflected XSS in XWiki Platform versions 7.0 through 17.7.0 enables attackers to craft malicious URLs that execute arbitrary actions with victim privileges, potentially leading to full installation compromise if the victim holds administrative or programming rights. The vulnerability requires user interaction to trigger and affects multiple version branches across the XWiki and XWiki Rendering products. Patches are available for affected versions, and a manual workaround exists that requires modification of a single line in the logging_macros.vm template without requiring a restart.

XSS Xwiki Xwiki Rendering
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-13920 MEDIUM POC This Month

WP Directory Kit (WordPress plugin) versions up to 1.4.9 is affected by information exposure (CVSS 5.3).

WordPress Information Disclosure PHP
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24422 MEDIUM POC PATCH This Month

Insufficient access controls in phpMyFAQ 4.0.16 and below expose sensitive information including user email addresses and non-public content through multiple API endpoints, allowing unauthenticated attackers to harvest data for phishing or access private records. Public exploit code exists for this vulnerability, and no patch is currently available. Upgrading to version 4.0.17 or later is required to remediate the exposure.

Information Disclosure Phpmyfaq
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-24401 MEDIUM PATCH This Month

Avahi daemon versions 0.9rc2 and below can be remotely crashed through a denial of service attack by sending a specially crafted mDNS response with a recursive CNAME record pointing to itself, triggering unbounded recursion and stack exhaustion. This vulnerability affects systems using multicast record browsers, including those relying on nss-mdns for service discovery. A patch is available for affected installations.

Denial Of Service Avahi Red Hat Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24139 MEDIUM PATCH This Month

MyTube versions 1.7.78 and earlier allow authenticated users to bypass authorization controls and export the complete application database without proper permission validation. An attacker with guest-level access can retrieve sensitive data they are not authorized to access through the unprotected database export endpoint. A patch is available to address this authorization bypass vulnerability.

Authentication Bypass Information Disclosure Mytube
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-1189 MEDIUM This Month

Stored XSS in WordPress LeadBI Plugin versions through 1.7 allows authenticated contributors and above to inject malicious scripts through the 'form_id' shortcode parameter due to missing input sanitization, enabling attackers to execute arbitrary code in pages viewed by other users. The vulnerability requires user authentication and currently lacks a vendor patch.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1098 MEDIUM This Month

Stored cross-site scripting in CM CSS Columns plugin for WordPress through version 1.2.1 allows authenticated contributors and higher-privileged users to inject malicious scripts via improperly sanitized shortcode attributes. When other users view pages containing the injected content, the malicious scripts execute in their browsers, potentially compromising their accounts or stealing sensitive information. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1099 MEDIUM This Month

Stored cross-site scripting in WordPress Administrative Shortcodes plugin through version 0.3.4 allows authenticated contributors and higher-privileged users to inject malicious scripts into pages via insufficiently sanitized shortcode attributes, executing arbitrary code when other users visit affected pages. The vulnerability requires user interaction and authenticated access but can impact site visitors through persistent payload injection. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1097 MEDIUM This Month

Stored XSS in the ThemeRuby Multi Authors WordPress plugin through version 1.0.0 allows authenticated contributors and above to inject malicious scripts via unescaped shortcode attributes that execute in other users' browsers. The vulnerability stems from insufficient input sanitization on the 'before' and 'after' parameters, enabling attackers to compromise page content viewed by site visitors. No patch is currently available for this medium-severity vulnerability.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14985 MEDIUM This Month

The Alpha Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘alpha_block_css’ parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1095 MEDIUM This Month

Stored XSS in the Canto Testimonials WordPress plugin through the 'fx' shortcode attribute allows authenticated users with Contributor access or higher to inject malicious scripts that persist in pages and execute for all visitors. The vulnerability stems from inadequate input sanitization and output escaping in versions up to 1.0, requiring an authenticated attacker but no user interaction. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14941 MEDIUM This Month

The GZSEO plugin for WordPress is vulnerable to authorization bypass leading to Stored Cross-Site Scripting in all versions up to, and including, 2.0.11. [CVSS 6.4 MEDIUM]

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12836 MEDIUM This Month

VK Google Job Posting Manager (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).

WordPress XSS Google
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13676 MEDIUM This Month

The JustClick registration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on the `PHP_SELF` server variable. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-1127 MEDIUM This Month

Reflected XSS in WordPress Timeline Event History plugin (versions up to 3.2) allows unauthenticated attackers to inject arbitrary JavaScript through the unvalidated `id` parameter. An attacker can craft a malicious link to execute scripts in a victim's browser if they click it, potentially leading to session hijacking or credential theft. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-0862 MEDIUM This Month

Save as PDF Plugin by PDFCrowd (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.1).

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-14797 MEDIUM This Month

The Same Category Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget title placeholder functionality in all versions up to, and including, 1.1.19. [CVSS 5.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1103 MEDIUM This Month

AIKTP plugin for WordPress versions up to 5.0.04 allows authenticated subscribers to retrieve administrator access tokens through an insufficiently protected REST API endpoint, enabling attackers to create posts, upload files, and access private content with admin privileges. The vulnerability stems from missing authorization checks that only verify user login status rather than administrative capabilities. No patch is currently available.

WordPress
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14629 MEDIUM This Month

The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete_file' function in all versions up to, and including, 1.1. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-14843 MEDIUM This Month

Wizit Gateway for WooCommerce (WordPress plugin) versions up to 1.2.9. is affected by missing authorization (CVSS 5.3).

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-14609 MEDIUM This Month

Wise Analytics (WordPress plugin) versions up to 1.1.9. is affected by missing authorization (CVSS 5.3).

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-0593 MEDIUM This Month

WP Go Maps plugin for WordPress through version 10.0.04 lacks proper capability validation in the processBackgroundAction() function, allowing authenticated Subscriber-level users to modify global map engine settings. This insufficient access control enables low-privileged attackers to alter critical plugin configurations without proper authorization. No patch is currently available for this vulnerability.

WordPress Golang
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-0806 MEDIUM This Month

SQL injection in the WP-ClanWars WordPress plugin through version 2.0.1 allows authenticated administrators to execute arbitrary SQL queries via an unescaped 'orderby' parameter, enabling extraction of sensitive database information. The vulnerability requires high-level administrative privileges and does not allow data modification or system availability impacts. No patch is currently available for this issue.

WordPress SQLi
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-1266 MEDIUM This Month

Stored XSS in WordPress Postalicious plugin through version 3.0.1 allows authenticated administrators to inject malicious scripts into admin settings that execute for all users viewing affected pages. The vulnerability requires high privileges and only impacts multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.1%
CVE-2026-1300 MEDIUM This Month

Stored XSS in the WordPress Responsive Header plugin through version 1.0 allows authenticated administrators to inject malicious scripts into plugin settings that execute for all users viewing affected pages. This impacts multi-site WordPress installations or those with unfiltered_html disabled, requiring high privilege access and manual user interaction to trigger exploitation. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1191 MEDIUM This Month

Stored cross-site scripting in the JavaScript Notifier WordPress plugin through version 1.2.8 allows administrators to inject malicious scripts into website pages due to improper input sanitization in plugin settings. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. This requires administrator-level access to exploit but affects all website visitors who view the compromised pages.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1302 MEDIUM This Month

Stored XSS in Meta-box GalleryMeta plugin through WordPress admin settings allows authenticated editors and higher-privileged users to inject malicious scripts that execute for site visitors, affecting only multisite installations or those with unfiltered_html disabled. The vulnerability stems from inadequate input sanitization and output escaping in plugin versions up to 3.0.1, with no patch currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-1084 MEDIUM This Month

Cookie consent for developers (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 4.4).

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-15516 MEDIUM This Month

The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-0687 MEDIUM This Month

The Meta Box GalleryMeta WordPress plugin through version 3.0.1 fails to enforce proper capability checks on the 'mb_gallery' custom post type, allowing authenticated users with Author-level or higher privileges to create and publish galleries without authorization. This insufficient access control could enable low-privileged attackers to modify gallery content and bypass intended editorial workflows.

WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14907 MEDIUM This Month

Moderate Selected Posts (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13194 MEDIUM This Month

The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. [CVSS 4.3 MEDIUM]

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13139 MEDIUM This Month

The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. [CVSS 4.3 MEDIUM]

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1088 MEDIUM This Month

WordPress Login Page Editor plugin through version 1.2 lacks CSRF protections on its AJAX settings handler, allowing attackers to modify login page configuration by tricking administrators into visiting malicious links. An unauthenticated attacker can exploit this to alter plugin settings without direct authorization, potentially affecting site security or functionality. No patch is currently available.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14906 MEDIUM This Month

WP Youtube Video Gallery (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1208 MEDIUM This Month

Friendly Functions for Welcart (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14630 MEDIUM This Month

The AdminQuickbar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.3. This is due to missing or incorrect nonce validation on the 'saveSettings' and 'renamePost' AJAX actions. [CVSS 4.3 MEDIUM]

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13205 MEDIUM This Month

The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. [CVSS 4.3 MEDIUM]

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1081 MEDIUM This Month

Set Bulk Post Categories (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1076 MEDIUM This Month

The Star Review Manager WordPress plugin through version 1.2.2 lacks CSRF protections on its settings page, allowing unauthenticated attackers to modify CSS settings by tricking administrators into clicking a malicious link. Site administrators are at risk of unwanted plugin configuration changes that could alter site appearance or functionality. No patch is currently available for this vulnerability.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1075 MEDIUM This Month

The ZT Captcha plugin for WordPress through version 1.0.4 contains a cross-site request forgery vulnerability due to insufficient nonce validation that can be bypassed with an empty token. An unauthenticated attacker can exploit this to modify plugin settings by tricking an administrator into clicking a malicious link. No patch is currently available.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1070 MEDIUM PATCH This Month

The Alex User Counter WordPress plugin through version 6.0 contains a cross-site request forgery vulnerability in its settings function due to missing nonce validation, allowing unauthenticated attackers to modify plugin configuration if they can socially engineer site administrators into clicking a malicious link. The vulnerability has a low barrier to exploitation since it requires only network access and user interaction, though it cannot directly compromise confidentiality or availability. No patch is currently available for this issue.

WordPress CSRF Suse
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14903 MEDIUM This Month

Simple Crypto Shortcodes (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy