Vulnerabilidades CVE
Base de datos de vulnerabilidades CVE enriquecida con datos de CISA KEV y NVD
| CVE ID | CVSS | Severidad | KEV | Avistamientos |
|---|---|---|---|---|
| CVE-2025-12500 The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to unauthenticated limited file upload in all versions up to, and including, 7.8.1. This is due to the ... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-12707 The Library Management System plugin for WordPress is vulnerable to SQL Injection via the 'bid' parameter in all versions up to, and including, 3.2.1 due to insufficient escaping on the user supplied ... | 7.5 | HIGH | β | 0 |
| CVE-2025-12821 The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 0.2.5.6 to 0.2.6.1. This is due to missing or incorrect nonce validation on the newsblogger_install_and_act... | 8.8 | HIGH | β | 0 |
| CVE-2025-12845 The Tablesome Table β Contact Form DB β WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to unauthorized access of data that leads to privilege escalation due to a missing ... | 8.8 | HIGH | β | 0 |
| CVE-2025-13438 The Page Title, Description & Open Graph Updater plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.02. This is due to missing nonce validation on... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-13563 The Lizza LMS Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the 'lizza_lms_pro_register_user_front_end' function not restri... | 9.8 | CRITICAL | β | 0 |
| CVE-2025-13587 The Two Factor (2FA) Authentication via Email plugin for WordPress is vulnerable to Two-Factor Authentication Bypass in versions up to, and including, 1.9.8. This is because the SS88_2FAVE::wp_login()... | 6.5 | MEDIUM | β | 0 |
| CVE-2025-13603 The WP AUDIO GALLERY plugin for WordPress is vulnerable to Unauthorized Arbitrary File Read in all versions up to, and including, 2.0. This is due to insufficient capability checks and lack of nonce v... | 8.8 | HIGH | β | 0 |
| CVE-2025-13612 The Album and Image Gallery plus Lightbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `aigpl-gallery-album` shortcode in all versions up to, and including, 2.1.7... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-13617 The Apollo13 Framework Extensions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the βa13_alt_linkβ parameter in all versions up to, and including, 1.9.8 due to insufficient inp... | 6.4 | MEDIUM | β | 0 |
| CVE-2025-14076 The iXML β Google XML sitemap generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'iXML_email' parameter in all versions up to, and including, 0.6 due to insufficien... | 6.1 | MEDIUM | β | 0 |
| CVE-2025-14167 The Remove Post Type Slug plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to incorrect nonce validation logic that uses OR (||... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-14270 The OneClick Chat to Order plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.0.9. This is due to the plugin not properly verifying that a user is authorize... | 2.7 | LOW | β | 0 |
| CVE-2025-14294 The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versions up to, and includ... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-14342 The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the sq_ajax_uninstall function in all versions up to, and in... | 4.3 | MEDIUM | β | 0 |
| CVE-2025-14357 The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setup_widgets() function in core/includes/importer/whizzie.ph... | 5.3 | MEDIUM | β | 0 |
| CVE-2025-15041 The BackWPup β WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the ... | 7.2 | HIGH | β | 0 |
| CVE-2025-15586 OGP-Website installs prior git commit 52f865a4fba763594453068acf8fa9e3fc38d663 are affected by a type juggling flaw which if exploited can result in authentication bypass without knowledge of the vict... | N/A | NONE | β | 0 |
| CVE-2025-4521 The IDonate β Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_profile() function i... | 8.8 | HIGH | β | 0 |
| CVE-2025-4960 The com.epson.InstallNavi.helper tool, deployed with the EPSON printer driver installer, contains a local privilege escalation vulnerability due to multiple flaws in its implementation. It fails to pr... | 7.8 | HIGH | β | 0 |
| CVE-2026-0549 The Groups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'groups_group_info' shortcode in all versions up to, and including, 3.10.0 due to insufficient input sanit... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-0556 The XO Event Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xo_event_field' shortcode in all versions up to, and including, 3.2.10 due to insufficient inp... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-25338 Missing Authorization vulnerability in Ays Pro AI ChatBot with ChatGPT and Content Generator by AYS ays-chatgpt-assistant allows Exploiting Incorrectly Configured Access Control Security Levels.This i... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-1646 The Advance Block Extend plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the TitleColor block attribute in the Latest Posts Gutenberg block in all versions up to, and including, ... | 6.4 | MEDIUM | β | 0 |
| CVE-2026-1994 The s2Member plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 260127. This is due to the plugin not properly validating a user's id... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-24764 OpenClaw (formerly Clawdbot) is a personal AI assistant users run on their own devices. In versions 2026.2.2 and below, when the Slack integration is enabled, channel metadata (topic/description) can ... | 3.7 | LOW | β | 0 |
| CVE-2026-25120 Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that the comment belongs to the repository specified in the URL. This allows a repos... | 2.7 | LOW | β | 0 |
| CVE-2026-25229 Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labe... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-25232 Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have an access control bypass vulnerability which allows any repository collaborator with Write permissions to delete protecte... | 8.8 | HIGH | β | 0 |
| CVE-2026-2681 A flaw was found in the blst cryptographic library. This out-of-bounds stack write vulnerability, specifically in the blst_sha256_bcopy assembly routine, occurs due to a missing zero-length guard. A r... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-2711 A vulnerability has been found in zhutoutoutousan worldquant-miner up to 1.0.9. The impacted element is an unknown function of the file worldquant-miner-master/agent-dify-api/core/helper/ssrf_proxy.py... | 5.6 | MEDIUM | β | 0 |
| CVE-2026-2733 A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that t... | 3.8 | LOW | β | 0 |
| CVE-2025-40697 Reflected Cross-Site Scripting (XSS) vulnerability in '/index.php' in Lewe WebMeasure, which allows remote attackers to execute arbitrary code through the 'page' parameter. This vulnerability can be e... | N/A | NONE | β | 0 |
| CVE-2025-41023 An authentication bypass vulnerability has been found in Thesamur's AutoGPT. This vulnerability allows an attacker to bypass authentication mechanisms. Once inside the web application, the attacker ca... | N/A | NONE | β | 0 |
| CVE-2026-22269 Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Improper Verification of Source of a Communication Channel vulnerability in the REST API. A high privileged attacker with remot... | 4.7 | MEDIUM | β | 0 |
| CVE-2026-22333 Deserialization of Untrusted Data vulnerability in YITHEMES YITH WooCommerce Compare yith-woocommerce-compare allows Object Injection.This issue affects YITH WooCommerce Compare: from n/a through <= 3... | 7.2 | HIGH | β | 0 |
| CVE-2026-22422 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in wpeverest Everest Forms everest-forms allows Code Injection.This issue affects Everest Forms: from n/a th... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-23542 Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Object Injection.This issue affects Grand Restaurant: from n/a through <= 7.0.10. | 9.8 | CRITICAL | β | 0 |
| CVE-2026-25389 Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Retrieve Embedded Sensitive Data.This issue... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-25391 Missing Authorization vulnerability in WP Grids WP Wand ai-content-generation allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Wand: from n/a through <= 1.... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-25393 Missing Authorization vulnerability in sparklewpthemes Hello FSE hello-fse allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hello FSE: from n/a through <= 1.0... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-25394 Missing Authorization vulnerability in sparklewpthemes Fitness FSE fitness-fse allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Fitness FSE: from n/a through ... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-25395 Missing Authorization vulnerability in ikreatethemes Business Roy business-roy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Business Roy: from n/a through... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-25399 Missing Authorization vulnerability in CryoutCreations Serious Slider cryout-serious-slider allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Serious Slider: f... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-25402 Missing Authorization vulnerability in echoplugins Knowledge Base for Documentation, FAQs with AI Assistance echo-knowledge-base allows Exploiting Incorrectly Configured Access Control Security Levels... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-25404 Missing Authorization vulnerability in Automattic WP Job Manager wp-job-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Manager: from n/a thro... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-25407 Missing Authorization vulnerability in cookiebot Cookiebot cookiebot allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cookiebot: from n/a through <= 4.6.4. | 4.3 | MEDIUM | β | 0 |
| CVE-2026-25408 Missing Authorization vulnerability in PluginRx Broken Link Notifier broken-link-notifier allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Broken Link Notifie... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-26361 Dell Unisphere for PowerMax, version(s) 10.2, contain(s) an External Control of File Name or Path vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerabili... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-26362 Dell Unisphere for PowerMax, version(s) 10.2, contain(s) a Relative Path Traversal vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to ... | 8.1 | HIGH | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.