Lucene search
+L

852 matches found

nuclei
nuclei
added 6 hours ago32 views

WCFM Membership <= 2.10.0 - Broken Access Control

The WCFM Membership plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 2.10.0 due to missing capability checks true the AJAX actions: wcfm-memberships, wcfm-memberships-manage, and wcfm-memberships-settings. id: CVE-2022-4940 info:...

7.3CVSS6.8AI score0.01084EPSS
Exploits0References3
nuclei
nuclei
added 6 hours ago69 views

Ubigeo de Peru < 3.6.4 - SQL Injection

The plugin does not properly sanitise and escape some parameters before using them in SQL statements via various AJAX actions, some of which are available to unauthenticated users, leading to SQL Injections. id: CVE-2022-0814 info: name: Ubigeo de Peru 3.6.4 - SQL Injection author: r3Y3r53...

9.8CVSS7.1AI score0.09495EPSS
Exploits2References4
nvd
nvd
added 5 days ago7 views

CVE-2026-6803

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.12. This is due to missing capability checks and nonce verification on AJAX actions registered under both wpajax and wpajaxnopriv hooks, as the base...

5.3CVSS0.00297EPSS
Exploits0References12
cvelist
cvelist
added 5 days ago32 views

CVE-2026-6803 AI Chatbot & Workflow Automation by AIWU <= 1.4.12 - Missing Authorization to Unauthenticated Arbitrary Data Deletion via AJAX Actions 'removeGroup' and 'clear'

The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.12. This is due to missing capability checks and nonce verification on AJAX actions registered under both wpajax and wpajaxnopriv hooks, as the base...

5.3CVSS0.00297EPSS
Exploits0References12
cve
cve
added 5 days ago13 views

CVE-2026-10628

The CVE concerns the WordPress plugin Points and Rewards for WooCommerce (affected: all versions up to 2.10.0). It describes an authorization bypass in which authenticated users with subscriber-level access and above can perform arbitrary modifications via multiple AJAX actions. Core implications...

4.3CVSS6.2AI score0.00349EPSS
Exploits0References12
cvelist
cvelist
added 5 days ago35 views

CVE-2026-10628 Points and Rewards for WooCommerce <= 2.10.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via Multiple AJAX Actions

The Points and Rewards for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.10.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

4.3CVSS0.00349EPSS
Exploits0References12
cve
cve
added 5 days ago11 views

CVE-2026-8678

The CVE-2026-8678 entry concerns the WordPress MyParcel plugin and its versions up to 4.25.1. Affected component: the MyParcel plugin (WordPress). Root cause: missing authorization verification for certain AJAX actions (wcmp_get_shipment_options and wcmp_save_shipment_options). Impact: authentica...

4.3CVSS6.2AI score0.00232EPSS
Exploits0References8
cvelist
cvelist
added 2026/06/27 6:50 a.m.32 views

CVE-2026-11364 Product Specifications for Woocommerce <= 0.8.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Attribute/Group Creation, Modification, and Deletion via 'dwps_modify_groups' and 'dwps_modify_attributes' AJAX Actions

The Product Specifications for WooCommerce plugin for WordPress is vulnerable to unauthorized modification, creation, and deletion of data in versions up to and including 0.8.9. This is due to a missing capability check and missing nonce verification in the invoke methods of the...

4.3CVSS0.00213EPSS
Exploits0References8
euvd
euvd
added 2026/06/27 6:50 a.m.9 views

EUVD-2026-39951

The Product Specifications for WooCommerce plugin for WordPress is vulnerable to unauthorized modification, creation, and deletion of data in versions up to and including 0.8.9. This is due to a missing capability check and missing nonce verification in the invoke methods of the...

4.3CVSS5.9AI score0.00213EPSS
Exploits0References8
cve
cve
added 2026/06/24 5:33 a.m.12 views

CVE-2026-8617

The CVE concerns the WordPress SearchPlus plugin (versions up to and including 1.7.1). The vulnerability arises from a missing capability check and missing nonce validation in two AJAX callback functions, searchplus_save_token_action_callback() and searchplus_reset_token_action_callback(), which ...

5.3CVSS5.9AI score0.00228EPSS
Exploits0References5
cve
cve
added 2026/06/24 5:33 a.m.28 views

CVE-2026-9616

The CVE concerns the WordPress plugin Generate Security.txt (

4.3CVSS5.8AI score0.0024EPSS
Exploits0References7
ptsecurity
ptsecurity
added 2026/06/24 12:0 a.m.11 views

PT-2026-51697

Name of the Vulnerable Software and Affected Versions Generate Security.txt plugin for WordPress versions prior to 1.0.13 Description The plugin fails to properly verify user authorization for specific actions. This allows authenticated attackers with subscriber-level access or higher to delete t...

4.3CVSS5.8AI score0.0024EPSS
Exploits0References13
redhatcve
redhatcve
added 2026/06/10 8:59 a.m.15 views

CVE-2026-9185

The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the userId parameter of the sixstoragegetuserinfo and sixstorageupdateprofile AJAX actions. This is due to the sixstoragegetUserInfo and...

7.5CVSS5.5AI score0.00403EPSS
Exploits0References1
nvd
nvd
added 2026/06/09 5:16 a.m.17 views

CVE-2026-9185

The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the userId parameter of the sixstoragegetuserinfo and sixstorageupdateprofile AJAX actions. This is due to the sixstoragegetUserInfo and...

7.5CVSS0.00403EPSS
Exploits0References11
vulnrichment
vulnrichment
added 2026/06/09 3:41 a.m.8 views

CVE-2026-8977 WP GDPR Cookie Consent <= 1.0.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'ninja_gdpr_ajax_actions' AJAX Action

The WP GDPR Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ninjagdprajaxactions' AJAX action in versions up to, and including, 1.0.0. This is due to missing capability and nonce checks on the handleAjaxCalls function, combined with insufficient input...

6.4CVSS5.7AI score0.00188EPSS
Exploits0References5
cvelist
cvelist
added 2026/06/09 3:41 a.m.36 views

CVE-2026-8977 WP GDPR Cookie Consent <= 1.0.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'ninja_gdpr_ajax_actions' AJAX Action

The WP GDPR Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ninjagdprajaxactions' AJAX action in versions up to, and including, 1.0.0. This is due to missing capability and nonce checks on the handleAjaxCalls function, combined with insufficient input...

6.4CVSS0.00188EPSS
Exploits0References5
redhatcve
redhatcve
added 2026/06/05 7:28 p.m.9 views

CVE-2026-4607

The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.9.8.4. This is due to the plugin not properly verifying that a user is authorized to perform an action via the pmsetgrouporder, pmsetgroupitem...

4.3CVSS5.5AI score0.00234EPSS
Exploits0References1
redhatcve
redhatcve
added 2026/06/05 7:21 p.m.11 views

CVE-2026-3499

The Product Feed PRO for WooCommerce by AdTribes – Product Feeds for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 13.4.6 through 13.5.2.1. This is due to missing or incorrect nonce validation on the ajaxmigratetocustomposttype,...

8.8CVSS5.4AI score0.00165EPSS
Exploits0References1
redhatcve
redhatcve
added 2026/06/05 7:14 p.m.9 views

CVE-2026-4348

The BetterDocs Pro plugin for WordPress is vulnerable to SQL Injection via the getcurrentletterdocs and docssortbyletter AJAX actions in all versions up to, and including, 3.7.0. This is due to the limit POST parameter being interpolated directly into a SQL query string before being passed to...

7.5CVSS5.7AI score0.00395EPSS
Exploits0References1
euvd
euvd
added 2026/06/02 7:48 a.m.12 views

EUVD-2026-33886

The JTL-Connector for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.4.1. This is due to missing capability checks and nonce verification on the adminpostsettingssavewoo-jtl-connector action handled by JtlConnectorAdmin::save and on the...

4.3CVSS5.9AI score0.00198EPSS
Exploits0References6
Rows per page
Query Builder