Syntax: kev:true severity:critical epss:>0.95 vendor:cisco patch:false
Filters
Severity
Exploitation
Data Source
Data Quality
Vendor
CWE — Weakness Type
Clear all
Top 20 matches Showing top matches — use filters or a more specific query to narrow
The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is due to the plugin failing to validate or
The WP Mail Logging plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.15.0 via deserialization of untrusted input from the email log message field. Thi
The coreActivity: Activity Logging for WordPress plugin before 1.8.1 does not escape some request data when outputting it back in the admin dashboard, allowing unauthenticated users to perform Stored
The WP Activity Log plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user_id parameter in all versions up to, and including, 5.2.1 due to insufficient input sanitization and o
The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to SQL Injection via the 'order' and 'orderby' parameters in all versions up to, and including, 2.7 due to insuffici
CVE-2026-54806
CRITICAL CVSS 9.8
Find Similar
Unauthenticated PHP Object Injection in WP Activity Log <= 5.6.3.1 versions.
The Activity Log – Monitor & Record User Changes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the event parameters in all versions up to, and including, 2.11.1 due to insuffic
WP Activity Log 5.3.2 was found to be vulnerable. Unvalidated user input is used directly in an unserialize function in myapp/classes/Writers/class-csv-writer.php.
The Activity Log for WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the winter_activity_log_action() function in all versions up to, a
The Visitor Logic Lite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.3 via deserialization of untrusted input from the `lpblocks` cookie. This is
The Super Stage WP WordPress plugin through 1.0.1 unserializes user input via REQUEST, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on the
The WP eCommerce WordPress plugin through 3.15.1 unserializes user input via ajax actions, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget is present on
CVE-2026-3296
CRITICAL CVSS 9.8
Find Similar
The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.3 via deserialization of untrusted input from form entry metadata. This is due to
The Activity Logs, User Activity Tracking, Multisite Activity Log from Logtivity plugin for WordPress is vulnerable to Authentication Bypass to Information Disclosure in versions up to, and including,
The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybe_unserialize() function on the attac
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Deserialization of Untrusted Data in versions up to, and i
The Backup Migration plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.6 via deserialization of untrusted input in the 'recursive_unserialize_replace
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post_content' of admin_form posts in all versions up to, and including, 3.28.31.
The Admin Columns plugin for WordPress is vulnerable to PHP Object Injection leading to Remote Code Execution in versions up to and including 7.0.18. This is due to the use of `unserialize()` without
The LogDash Activity Log WordPress plugin before 1.1.4 hooks the wp_login_failed function (from src/Hooks/Users.php) in order to log failed login attempts to the database but it doesn't escape the use
Page 1+ Next →