Search Results (12300 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-28112 2 Lambertgroup, Wordpress 2 Allinone - Banner Rotator, Wordpress 2026-04-22 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup AllInOne - Banner Rotator all-in-one-bannerRotator allows Reflected XSS.This issue affects AllInOne - Banner Rotator: from n/a through <= 3.8.
CVE-2026-28052 2 Themerex, Wordpress 2 Peter Mason, Wordpress 2026-04-22 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Peter Mason petermason allows PHP Local File Inclusion.This issue affects Peter Mason: from n/a through <= 1.4.5.
CVE-2026-28031 2 Themerex, Wordpress 2 Invetex, Wordpress 2026-04-22 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Invetex invetex allows PHP Local File Inclusion.This issue affects Invetex: from n/a through <= 2.18.
CVE-2026-28113 2 Azzaroco, Wordpress 2 Ultimate Learning Pro, Wordpress 2026-04-22 7.1 High
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in azzaroco Ultimate Learning Pro indeed-learning-pro allows Reflected XSS.This issue affects Ultimate Learning Pro: from n/a through <= 3.9.1.
CVE-2026-28084 2 Themerex, Wordpress 2 Bazinga, Wordpress 2026-04-22 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Bazinga bazinga allows PHP Local File Inclusion.This issue affects Bazinga: from n/a through <= 1.1.9.
CVE-2026-28078 2 Stylemixthemes, Wordpress 2 Ulisting, Wordpress 2026-04-22 4.9 Medium
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Stylemix uListing ulisting allows Path Traversal.This issue affects uListing: from n/a through <= 2.2.0.
CVE-2026-28069 2 Themerex, Wordpress 2 Le Truffe, Wordpress 2026-04-22 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Le Truffe letruffe allows PHP Local File Inclusion.This issue affects Le Truffe: from n/a through <= 1.1.7.
CVE-2026-28065 2 Themerex, Wordpress 2 Eject, Wordpress 2026-04-22 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Eject eject allows PHP Local File Inclusion.This issue affects Eject: from n/a through <= 2.17.
CVE-2026-28077 2 Themerex, Wordpress 2 Vapester, Wordpress 2026-04-22 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Vapester vapester allows PHP Local File Inclusion.This issue affects Vapester: from n/a through <= 1.1.10.
CVE-2026-28060 2 Themerex, Wordpress 2 S.king, Wordpress 2026-04-22 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX S.King stephanie-king allows PHP Local File Inclusion.This issue affects S.King: from n/a through <= 1.5.3.
CVE-2026-28055 2 Themerex, Wordpress 2 M.williamson, Wordpress 2026-04-22 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX M.Williamson williamson allows PHP Local File Inclusion.This issue affects M.Williamson: from n/a through <= 1.2.11.
CVE-2026-28053 2 Themerex, Wordpress 2 Miller, Wordpress 2026-04-22 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Miller christine-miller allows PHP Local File Inclusion.This issue affects Miller: from n/a through <= 1.3.3.
CVE-2026-28045 2 Themerex, Wordpress 2 N7 | Golf Club Sports & Events, Wordpress 2026-04-22 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX N7 | Golf Club Sports & Events n7-golf-club allows PHP Local File Inclusion.This issue affects N7 | Golf Club Sports & Events: from n/a through <= 2.16.0.
CVE-2026-28036 2 Skatdesign, Wordpress 2 Ratatouille, Wordpress 2026-04-22 6.4 Medium
Server-Side Request Forgery (SSRF) vulnerability in SkatDesign Ratatouille ratatouille allows Server Side Request Forgery.This issue affects Ratatouille: from n/a through <= 1.2.6.
CVE-2026-3459 2 Glenwpcoder, Wordpress 2 Drag And Drop Multiple File Upload For Contact Form 7, Wordpress 2026-04-22 8.1 High
The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if the form includes a multiple file upload field with ‘*’ as the accepted file type.
CVE-2026-3228 2 Nextscripts, Wordpress 2 Social Networks Auto Poster, Wordpress 2026-04-22 6.4 Medium
The NextScripts: Social Networks Auto-Poster plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `[nxs_fbembed]` shortcode in all versions up to, and including, 4.4.6. This is due to insufficient input sanitization and output escaping on the `snapFB` post meta value. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-28081 2 Themerex, Wordpress 2 Windsor, Wordpress 2026-04-22 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Windsor windsor allows PHP Local File Inclusion.This issue affects Windsor: from n/a through <= 2.5.0.
CVE-2026-28105 2 Themerex, Wordpress 2 Good Energy, Wordpress 2026-04-22 9.8 Critical
Deserialization of Untrusted Data vulnerability in ThemeREX Good Energy goodenergy allows Object Injection.This issue affects Good Energy: from n/a through <= 1.7.7.
CVE-2026-3585 2 Stellarwp, Wordpress 2 The Events Calendar, Wordpress 2026-04-22 7.5 High
The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajax_create_import' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
CVE-2026-3072 2 Davidlingren, Wordpress 2 Media Library Assistant, Wordpress 2026-04-22 4.3 Medium
The Media Library Assistant plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the mla_update_compat_fields_action() function in all versions up to, and including, 3.33. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify taxonomy terms on arbitrary attachments.