Export limit exceeded: 335598 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (9505 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-22486 | 2 Hakob, Wordpress | 2 Re Gallery Responsive Photo Gallery Plugin, Wordpress | 2026-01-09 | 5.3 Medium |
| Missing Authorization vulnerability in Hakob Re Gallery & Responsive Photo Gallery Plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Re Gallery & Responsive Photo Gallery Plugin: from n/a through 1.17.18. | ||||
| CVE-2026-22492 | 1 Wordpress | 1 Wordpress | 2026-01-09 | 4.3 Medium |
| Missing Authorization vulnerability in Nawawi Jamili Docket Cache allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Docket Cache: from n/a through 24.07.04. | ||||
| CVE-2026-22490 | 2 Niklaslindemann, Wordpress | 2 Bulk Landing Page Creator For Wordpress Lpagery, Wordpress | 2026-01-09 | 5.4 Medium |
| Missing Authorization vulnerability in niklaslindemann Bulk Landing Page Creator for WordPress LPagery allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Bulk Landing Page Creator for WordPress LPagery: from n/a through 2.4.9. | ||||
| CVE-2025-9294 | 2 Expresstech, Wordpress | 2 Quiz And Survey Master, Wordpress | 2026-01-09 | 4.3 Medium |
| The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the qsm_dashboard_delete_result function in all versions up to, and including, 10.3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete quiz results. | ||||
| CVE-2025-12449 | 2 Kodezen, Wordpress | 2 Ablocks, Wordpress | 2026-01-08 | 5.4 Medium |
| The aBlocks – WordPress Gutenberg Blocks plugin for WordPress is vulnerable to unauthorized modification of data and disclosure of sensitive information due to missing capability checks on multiple AJAX actions in all versions up to, and including, 2.4.0. This makes it possible for authenticated attackers, with subscriber level access and above, to read plugin settings including block visibility, maintenance mode configuration, and third-party email marketing API keys, as well as read sensitive configuration data including API keys for email marketing services. | ||||
| CVE-2025-11370 | 2 Averta, Wordpress | 3 Depicter Slider, Slider And Popup Builder By Depicter, Wordpress | 2026-01-08 | 5.3 Medium |
| The Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'store' function of the RulesAjaxController class in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to update pop-up display settings. | ||||
| CVE-2025-11877 | 2 Solwininfotech, Wordpress | 2 User Activity Log, Wordpress | 2026-01-08 | 7.5 High |
| The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2.2. The failed-login handler 'ual_shook_wp_login_failed' lacks a capability check and writes failed usernames directly into update_option() calls. This makes it possible for unauthenticated attackers to push select site options from 0 to a non-zero value, allowing them to reopen registration or corrupt options like 'wp_user_roles', breaking wp-admin access. | ||||
| CVE-2025-13812 | 2 Gamipress, Wordpress | 2 Gamipress, Wordpress | 2026-01-08 | 4.3 Medium |
| The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the gamipress_ajax_get_posts and gamipress_ajax_get_users functions in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate users, including their email addresses and to retrieve titles of private posts. | ||||
| CVE-2025-13766 | 2 Stylemix, Wordpress | 2 Masterstudy Lms Wordpress Plugin, Wordpress | 2026-01-08 | 5.4 Medium |
| The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates | ||||
| CVE-2025-14441 | 2 Roxnor, Wordpress | 2 Popup Builder, Wordpress | 2026-01-08 | 5.3 Medium |
| The Popupkit plugin for WordPress is vulnerable to arbitrary subscriber data deletion due to missing authorization on the DELETE `/subscribers` REST API endpoint in all versions up to, and including, 2.2.0. This is due to the `permission_callback` only validating wp_rest nonce without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary subscriber records. | ||||
| CVE-2025-14034 | 3 Ilghera, Woocommerce, Wordpress | 3 Woocommerce Support System, Woocommerce, Wordpress | 2026-01-08 | 5.3 Medium |
| The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'delete_single_ticket_callback' and 'change_ticket_status_callback' functions in all versions up to, and including, 1.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary support tickets and modify their status. | ||||
| CVE-2020-36920 | 2026-01-08 | 8.8 High | ||
| iDS6 DSSPro Digital Signage System 6.2 contains an improper access control vulnerability that allows authenticated users to elevate privileges through console JavaScript functions. Attackers can create users, modify roles and permissions, and potentially achieve full application takeover by exploiting insecure direct object references. | ||||
| CVE-2025-39477 | 2 Sfwebservice, Wordpress | 2 Injob, Wordpress | 2026-01-08 | 9.8 Critical |
| Missing Authorization vulnerability in Sfwebservice InWave Jobs allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InWave Jobs: from n/a through 3.5.8. | ||||
| CVE-2025-13964 | 2 Thimpress, Wordpress | 2 Learnpress, Wordpress | 2026-01-08 | 5.3 Medium |
| The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the catch_lp_ajax function in all versions up to, and including, 4.3.2. This makes it possible for unauthenticated attackers to modify course contents by adding/removing/updating/re-ordering sections or modifying section items. | ||||
| CVE-2025-14371 | 2 Taxopress, Wordpress | 2 Taxopress, Wordpress | 2026-01-08 | 4.3 Medium |
| The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the taxopress_ai_add_post_term function in all versions up to, and including, 3.41.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to add or remove taxonomy terms (tags, categories) on any post, including ones they do not own. | ||||
| CVE-2025-5919 | 2 Arraytics, Wordpress | 2 Appointment Booking Calendar, Wordpress | 2026-01-08 | 6.5 Medium |
| The Appointment Booking and Scheduling Calendar Plugin – WP Timetics plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the update and register_routes functions in all versions up to, and including, 1.0.36. This makes it possible for unauthenticated attackers to view and modify booking details. | ||||
| CVE-2025-46434 | 3 Elementor, Posimyth, Wordpress | 3 Elementor, The Plus Addons For Elementor, Wordpress | 2026-01-08 | 6.5 Medium |
| Missing Authorization vulnerability in POSIMYTH Innovation The Plus Addons for Elementor Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Plus Addons for Elementor Pro: from n/a before 6.3.7. | ||||
| CVE-2025-13419 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 5.3 Medium |
| The Guest posting / Frontend Posting / Front Editor – WP Front User Submit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bfe/v1/revert' REST API endpoint in all versions up to, and including, 5.0.0. This makes it possible for unauthenticated attackers to delete arbitrary media attachments. | ||||
| CVE-2025-13722 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 5.3 Medium |
| The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.7. This is due to missing capability checks on the `fluentform_ai_create_form` AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary forms via the publicly exposed AI builder. | ||||
| CVE-2025-13529 | 1 Wordpress | 1 Wordpress | 2026-01-08 | 5.3 Medium |
| The Unify plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'init' action in all versions up to, and including, 3.4.9. This makes it possible for unauthenticated attackers to delete specific plugin options via the 'unify_plugin_downgrade' parameter. | ||||