Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-01-26
CVE-2025-14348 - And Automation Plugin
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. This is due to the plugin's REST API trusting the `x-wemail-user` HTTP header to identify users without verifying the request originates from an authenticated WordPress session. This makes it possible for unauthenticated attackers who know or can guess an admin email (easily enumerable via `/wp-json/wp/v2/users`) to impersonate that user and access the CSV subscriber endpoints, potentially exfiltrating subscriber PII…
PLUGIN
And Automation
CVE-2025-14348
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-14798 - Wordpress Lms Plugin
The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.3.2.4 via the get_item_permissions_check function. This makes it possible for unauthenticated attackers to extract sensitive data including user first names and last names. Other information such as social profile links and enrollment are also included.
PLUGIN
Wordpress Lms
CVE-2025-14798
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-14351 - Custom Fonts Plugin
The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'BCF_Google_Fonts_Compatibility' class constructor function in all versions up to, and including, 2.1.16. This makes it possible for unauthenticated attackers to delete font directory and rewrite theme.json file.
PLUGIN
Custom Fonts
CVE-2025-14351
Risk Score
Threat Entry
Updated 2026-04-15
CVE-2026-1051 - For Wordpress Is Vulnerable To Cross Site Request Forgery In All Versions Up To Plugin
The Newsletter – Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hook_newsletter_action() function. This makes it possible for unauthenticated attackers to unsubscribe newsletter subscribers via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link.
PLUGIN
For Wordpress Is Vulnerable To Cross Site Request Forgery In All Versions Up To
CVE-2026-1051
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-14978 - Peachpay For Woocommerce Plugin
The PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including, 1.119.8. This makes it possible for unauthenticated attackers to modify the status of arbitrary WooCommerce orders.
PLUGIN
Peachpay For Woocommerce
CVE-2025-14978
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2025-15466 - Image Photo Gallery Final Tiles Grid Plugin
The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple AJAX actions in all versions up to, and including, 3.6.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to view, create, modify, clone, delete, and reassign ownership of galleries created by other users, including administrators.
PLUGIN
Image Photo Gallery Final Tiles Grid
CVE-2025-15466
Risk Score
Threat Entry
Updated 2026-02-06
CVE-2026-1133 - KSOA Plugin
A vulnerability was determined in Yonyou KSOA 9.0. The impacted element is an unknown function of the file /kmf/folder.jsp of the component HTTP GET Parameter Handler. Executing a manipulation of the argument folderid can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
PLUGIN
KSOA
CVE-2026-1133
Risk Score
Threat Entry
Updated 2026-02-06
CVE-2026-1132 - KSOA Plugin
A vulnerability was found in Yonyou KSOA 9.0. The affected element is an unknown function of the file /kmf/edit_folder.jsp of the component HTTP GET Parameter Handler. Performing a manipulation of the argument folderid results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
PLUGIN
KSOA
CVE-2026-1132
Risk Score
Threat Entry
Updated 2026-02-10
CVE-2026-1131 - KSOA Plugin
A vulnerability has been found in Yonyou KSOA 9.0. Impacted is an unknown function of the file /kmc/save_catalog.jsp of the component HTTP GET Parameter Handler. Such manipulation of the argument catalogid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
PLUGIN
KSOA
CVE-2026-1131
Risk Score
Threat Entry
Updated 2026-02-10
CVE-2026-1130 - KSOA Plugin
A flaw has been found in Yonyou KSOA 9.0. This issue affects some unknown processing of the file /worksheet/worksadd_plan.jsp of the component HTTP GET Parameter Handler. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
PLUGIN
KSOA
CVE-2026-1130
Risk Score
Threat Entry
Updated 2026-02-10
CVE-2026-1129 - KSOA Plugin
A vulnerability was detected in Yonyou KSOA 9.0. This vulnerability affects unknown code of the file /worksheet/worksadd.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
PLUGIN
KSOA
CVE-2026-1129
Risk Score
Threat Entry
Updated 2026-02-23
CVE-2026-23829 - Mailpit Plugin
Mailpit is an email testing tool and API for developers. Prior to version 1.28.3, Mailpit's SMTP server is vulnerable to Header Injection due to an insufficient Regular Expression used to validate `RCPT TO` and `MAIL FROM` addresses. An attacker can inject arbitrary SMTP headers (or corrupt existing ones) by including carriage return characters (`\r`) in the email address. This header injection occurs because the regex intended to filter control characters fails to exclude `\r` and `\n` when used inside a character class. Version 1.28.3 fixes this issue.
PLUGIN
Mailpit
CVE-2026-23829
Risk Score
Threat Entry
Updated 2026-02-18
CVE-2026-23626 - Kimai Plugin
Kimai is a web-based multi-user time-tracking application. Prior to version 2.46.0, Kimai's export functionality uses a Twig sandbox with an overly permissive security policy (`DefaultPolicy`) that allows arbitrary method calls on objects available in the template context. An authenticated user with export permissions can deploy a malicious Twig template that extracts sensitive information including environment variables, all user password hashes, serialized session tokens, and CSRF tokens. Version 2.46.0 patches this issue.
PLUGIN
Kimai
CVE-2026-23626
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-23733 - Lobe Chat Plugin
LobeChat is an open source chat application platform. Prior to version 2.0.0-next.180, a stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE) by leveraging the exposed `electronAPI` IPC bridge, allowing attackers to run arbitrary system commands on the victim's machine. Version 2.0.0-next.180 patches the issue.
PLUGIN
Lobe Chat
CVE-2026-23733
Risk Score
Threat Entry
Updated 2026-01-26
CVE-2026-23525 - 1Panel Plugin
1Panel is an open-source, web-based control panel for Linux server management. A stored Cross-Site Scripting (XSS) vulnerability exists in the 1Panel App Store when viewing application details. Malicious scripts can execute in the context of the user’s browser, potentially compromising session data or sensitive system interfaces. All versions of 1Panel up to and including v1.10.33-lts and v2.0.16 are affected. An attacker could publish a malicious application that, when loaded by users (locally or remotely), can execute arbitrary scripts. This may result in theft of user cookies, unauthorized access to system…
PLUGIN
1Panel
CVE-2026-23525
Risk Score
Threat Entry
Updated 2026-02-23
CVE-2026-1126 - Flow Plugin
A security vulnerability has been detected in lwj flow up to a3d2fe8133db9d3b50fda4f66f68634640344641. This affects the function uploadFile of the file \flow-master\flow-front-rest\src\main\java\com\dragon\flow\web\resource\flow\FormResource.java of the component SVG File Handler. The manipulation of the argument File leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report…
PLUGIN
Flow
CVE-2026-1126
Risk Score
Threat Entry
Updated 2026-02-23
CVE-2026-1125 - DIR-823X Plugin
A weakness has been identified in D-Link DIR-823X 250416. Affected by this issue is the function sub_412E7C of the file /goform/set_wifidog_settings. Executing a manipulation of the argument wd_enable can lead to command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.
PLUGIN
DIR-823X
CVE-2026-1125
Risk Score
Threat Entry
Updated 2026-02-10
CVE-2026-1124 - KSOA Plugin
A security flaw has been discovered in Yonyou KSOA 9.0. Affected by this vulnerability is an unknown functionality of the file /worksheet/work_report.jsp of the component HTTP GET Parameter Handler. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
PLUGIN
KSOA
CVE-2026-1124
Risk Score
Threat Entry
Updated 2026-02-09
CVE-2026-1123 - KSOA Plugin
A vulnerability was identified in Yonyou KSOA 9.0. Affected is an unknown function of the file /worksheet/work_mod.jsp of the component HTTP GET Parameter Handler. Such manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
PLUGIN
KSOA
CVE-2026-1123
Risk Score
Threat Entry
Updated 2026-02-09
CVE-2026-1122 - KSOA Plugin
A vulnerability was determined in Yonyou KSOA 9.0. This impacts an unknown function of the file /worksheet/work_info.jsp of the component HTTP GET Parameter Handler. This manipulation of the argument ID causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
PLUGIN
KSOA
CVE-2026-1122
Risk Score