Export limit exceeded: 362049 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11525 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-1981 | 2 Winstonai, Wordpress | 2 Humn-1 Ai Website Scanner & Human Certification By Winston Ai, Wordpress | 2026-04-22 | 4.3 Medium |
| The HUMN-1 AI Website Scanner & Human Certification by Winston AI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the winston_disconnect() function in all versions up to, and including, 0.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's API connection settings via the 'winston_disconnect' AJAX action. | ||||
| CVE-2026-28071 | 2 Pixfort, Wordpress | 2 Pixfort Core, Wordpress | 2026-04-22 | 6.3 Medium |
| Missing Authorization vulnerability in PixFort pixfort Core pixfort-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects pixfort Core: from n/a through <= 3.2.22. | ||||
| CVE-2026-1650 | 2 Mdjm, Wordpress | 2 Mdjm Event Management, Wordpress | 2026-04-22 | 5.3 Medium |
| The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'custom_fields_controller' function in all versions up to, and including, 1.7.8.1. This makes it possible for unauthenticated attackers to delete arbitrary custom event fields via the 'delete_custom_field' and 'id' parameters. | ||||
| CVE-2026-1336 | 2 Ays Pro, Wordpress | 2 Ai Chatbot With Chatgpt And Content Generator By Ays, Wordpress | 2026-04-22 | 5.3 Medium |
| The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the store_data() and get_chatgpt_api_key() functions in all versions up to, and including, 2.7.5. This makes it possible for unauthenticated attackers to view, modify or delete the plugin's ChatGPT API key. The vulnerability was partially fixed in version 2.7.5 and fully fixed in version 2.7.6 | ||||
| CVE-2026-27374 | 2 Vanquish, Wordpress | 2 Woocommerce Order Details, Wordpress | 2026-04-22 | 7.5 High |
| Missing Authorization vulnerability in vanquish WooCommerce Order Details woocommerce-order-details allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Order Details: from n/a through <= 3.1. | ||||
| CVE-2026-1674 | 2 Saadiqbal, Wordpress | 2 Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, And Custom Form Builder, Wordpress | 2026-04-22 | 6.5 Medium |
| The Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization within the save_gutena_forms_schema() function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to update option values to a structured array value on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values, that would, for example enable site user registration when it is explicitly disabled. | ||||
| CVE-2026-27388 | 2 Designthemes, Wordpress | 2 Designthemes Booking Manager, Wordpress | 2026-04-22 | 7.5 High |
| Missing Authorization vulnerability in designthemes DesignThemes Booking Manager designthemes-booking-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DesignThemes Booking Manager: from n/a through <= 2.0. | ||||
| CVE-2026-27396 | 2 E-plugins, Wordpress | 2 Directory Pro, Wordpress | 2026-04-22 | 7.3 High |
| Missing Authorization vulnerability in e-plugins Directory Pro directory-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directory Pro: from n/a through <= 2.5.6. | ||||
| CVE-2026-27361 | 2 Webcodingplace, Wordpress | 2 Responsive Posts Carousel Pro, Wordpress | 2026-04-22 | 7.5 High |
| Missing Authorization vulnerability in WebCodingPlace Responsive Posts Carousel Pro responsive-posts-carousel-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Responsive Posts Carousel Pro: from n/a through <= 15.1. | ||||
| CVE-2026-3056 | 2 Seraphinitesolutions, Wordpress | 2 Seraphinite Accelerator, Wordpress | 2026-04-22 | 4.3 Medium |
| The Seraphinite Accelerator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `seraph_accel_api` AJAX action with `fn=LogClear` in all versions up to, and including, 2.28.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the plugin's debug/operational logs. | ||||
| CVE-2026-2899 | 2 Techjewel, Wordpress | 2 Fluent Forms Pro Add On Pack, Wordpress | 2026-04-22 | 6.5 Medium |
| The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.17. This is due to the `deleteFile()` method in the `Uploader` class lacking nonce verification and capability checks. The AJAX action is registered via `addPublicAjaxAction()` which creates both `wp_ajax_` and `wp_ajax_nopriv_` hooks. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments via the `attachment_id` parameter. Note: The researcher described file deletion via the `path` parameter using `sanitize_file_name()`, but the actual code uses `Protector::decrypt()` for path-based deletion which prevents exploitation. The vulnerability is exploitable via the `attachment_id` parameter instead. | ||||
| CVE-2026-2732 | 2 Shortpixel, Wordpress | 2 Enable Media Replace, Wordpress | 2026-04-22 | 5.4 Medium |
| The Enable Media Replace plugin for WordPress is vulnerable to unauthorized modification of data due to an improper capability check on the 'RemoveBackGroundViewController::load' function in all versions up to, and including, 4.1.7. This makes it possible for authenticated attackers, with Author-level access and above, to replace any attachment with a removed background attachment. | ||||
| CVE-2026-24176 | 1 Nvidia | 1 Kai Scheduler | 2026-04-22 | 4.3 Medium |
| NVIDIA KAI Scheduler contains a vulnerability where an attacker could cause improper authorization through cross-namespace pod references. A successful exploit of this vulnerability might lead to data tampering. | ||||
| CVE-2026-6834 | 1 Aenrich | 1 A+hrd | 2026-04-22 | 6.5 Medium |
| The a+HRD developed by aEnrich has a Missing Authorization vulnerability, allowing authenticated remote attackers to arbitrarily read database contents through a specific API method. | ||||
| CVE-2025-12015 | 2 Sanderkah, Wordpress | 2 Convert Webp & Avif, Wordpress | 2026-04-22 | 4.3 Medium |
| The Convert WebP & AVIF | Quicq | Best image optimizer and compression plugin | Improve your Google Pagespeed plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_wpqai_disconnect_quicq_afosto' AJAX endpoint in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect Afosto | ||||
| CVE-2025-11620 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 7.2 High |
| The Multiple Roles per User plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mrpu_add_multiple_roles_ui' and 'mrpu_save_multiple_user_roles' functions in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, granted the 'edit_users' capability, to edit any user's role, including promoting users to Administrator and demoting Administrators to lower-privileged roles. | ||||
| CVE-2025-11734 | 2 Aioseo, Wordpress | 2 Broken Link Checker, Wordpress | 2026-04-22 | 5.4 Medium |
| The Broken Link Checker by AIOSEO – Easily Fix/Monitor Internal and External links plugin for WordPress is vulnerable to unauthorized post modification due to missing authorization in all versions up to, and including, 1.2.5. This is due to the plugin registering a REST API endpoint that only checks for a broad capability (aioseo_blc_broken_links_page) that is granted to contributor level users, without verifying the user's permission to perform actions on the specific post being targeted. This makes it possible for authenticated attackers, with contributor level access and above, to trash arbitrary posts via the DELETE /wp-json/aioseoBrokenLinkChecker/v1/post endpoint. | ||||
| CVE-2025-12955 | 3 Rajeshsingh520, Woocommerce, Wordpress | 3 Live Sales Notification For Woocommerce, Woocommerce, Wordpress | 2026-04-22 | 7.5 High |
| The Live sales notification for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.39. This is due to the "getOrders" function lacking proper authorization and capability checks when the plugin is configured to display recent order information. This makes it possible for unauthenticated attackers to extract sensitive customer information including buyer first names, city, state, country, purchase time and date, and product details. | ||||
| CVE-2025-12170 | 1 Wordpress | 1 Wordpress | 2026-04-22 | 5.3 Medium |
| The Checkbox plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'wp_ajax_nopriv_checkbox_clean_log' AJAX endpoint in all versions up to, and including, 2.8.10. This makes it possible for unauthenticated attackers to clear log files. | ||||
| CVE-2025-12043 | 2 Autochat, Wordpress | 2 Automatic Conversation, Wordpress | 2026-04-22 | 5.3 Medium |
| The Autochat Automatic Conversation plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_nopriv_auycht_saveCid' AJAX endpoint in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to connect and disconnect the client ID. | ||||