Skip to main content

Bear

3 CVEs product

Monthly

CVE-2026-57320 HIGH This Week

Reflected/stored cross-site scripting in the WordPress plugin BEAR (realmag777's WooCommerce Bulk Editor and Products Manager, woo-bulk-editor) version 1.1.8 and earlier allows an unauthenticated remote attacker to inject malicious script that executes in a victim's browser when the victim is lured to interact with a crafted request. The CVSS:3.1 vector (AV:N/PR:N/UI:R/S:C) indicates network-reachable, no-authentication exploitation that requires user interaction and crosses a security scope boundary. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported by Patchstack.

XSS Bear
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2026-45213 HIGH This Week

Blind SQL injection in BEAR woo-bulk-editor plugin for WordPress up to version 1.1.7.1 allows high-privilege authenticated administrators to extract database contents through specially crafted SQL queries. The scope change in CVSS (S:C) indicates potential impact beyond the plugin itself, enabling access to other WordPress data or resources. No public exploit code or active exploitation indicators identified at time of analysis, but Patchstack public disclosure increases weaponization risk.

SQLi Bear
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-27415 MEDIUM This Month

Cross-site request forgery (CSRF) in PluginUs.Net BEAR plugin versions up to 1.1.5 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through crafted web requests. The vulnerability requires user interaction (clicking a malicious link) but can modify application state without the user's knowledge or consent. No active exploitation has been publicly confirmed at the time of analysis.

CSRF Bear
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored cross-site scripting in the WordPress plugin BEAR (realmag777's WooCommerce Bulk Editor and Products Manager, woo-bulk-editor) version 1.1.8 and earlier allows an unauthenticated remote attacker to inject malicious script that executes in a victim's browser when the victim is lured to interact with a crafted request. The CVSS:3.1 vector (AV:N/PR:N/UI:R/S:C) indicates network-reachable, no-authentication exploitation that requires user interaction and crosses a security scope boundary. No public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported by Patchstack.

XSS Bear
NVD
EPSS 0% CVSS 7.6
HIGH This Week

Blind SQL injection in BEAR woo-bulk-editor plugin for WordPress up to version 1.1.7.1 allows high-privilege authenticated administrators to extract database contents through specially crafted SQL queries. The scope change in CVSS (S:C) indicates potential impact beyond the plugin itself, enabling access to other WordPress data or resources. No public exploit code or active exploitation indicators identified at time of analysis, but Patchstack public disclosure increases weaponization risk.

SQLi Bear
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery (CSRF) in PluginUs.Net BEAR plugin versions up to 1.1.5 allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through crafted web requests. The vulnerability requires user interaction (clicking a malicious link) but can modify application state without the user's knowledge or consent. No active exploitation has been publicly confirmed at the time of analysis.

CSRF Bear
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy