Lucene search
K

43 matches found

ATTACKERKB
ATTACKERKB
added 2026/06/30 4:30 a.m.6 views

CVE-2026-12349

The Premium Addons for KingComposer plugin for WordPress is vulnerable to unauthorized modification and loss of data in versions up to, and including, 1.1.1. This is due to missing authorization and capability checks on the addcustomsidebar and removecustomsidebar AJAX handlers, both of which are...

5.3CVSS5.9AI score0.00239EPSS
Exploits0References7
ATTACKERKB
ATTACKERKB
added 2026/06/19 6:0 a.m.6 views

CVE-2026-9822

The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data...

5.8AI score0.00201EPSS
Exploits0References1
CVE
CVE
added 2026/06/19 6:0 a.m.23 views

CVE-2026-9822

The CVE-2026-9822 entry concerns the WP Hotel Booking WordPress plugin prior to version 2.3.1. Root cause: missing capability checks in several AJAX handlers. Impact: authenticated users with Subscriber-level access can read other users’ booking line items, enumerate active coupons, and read pric...

6.5CVSS5.8AI score0.00201EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/19 6:0 a.m.12 views

EUVD-2026-37994

The WP Hotel Booking WordPress plugin before 2.3.1 does not enforce capability checks in several of its AJAX handlers, allowing authenticated users with Subscriber-level access to read other users' booking line items, enumerate active coupons, and read pricing data...

5.8AI score0.00201EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/18 3:41 a.m.32 views

CVE-2026-10023 Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 5.0.3 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Order Modification via Multiple AJAX Handlers

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via the changeorderstatus, addordernote, deleteordernote,...

4.3CVSS0.0025EPSS
Exploits0References10
Cvelist
Cvelist
added 2026/06/16 9:31 a.m.30 views

CVE-2026-8442 WP Review Slider Pro <= 12.6.8 - Authenticated (Subscriber+) Arbitrary File Deletion via 'myaction' Parameter

The WP Review Slider Pro plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 12.6.8. This is due to missing authorization checks on the wpfbhidereview and wprpsavereviewadmin AJAX handlers combined with insufficient path validation in the wpfbhidereviewaj...

8.1CVSS0.00501EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:35 p.m.9 views

CVE-2026-5488

The ExactMetrics – Google Analytics Dashboard for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 9.1.2. This is due to missing capability checks in the getadsaccesstoken and resetexperience AJAX handlers. While the mi-admin-nonce is localized...

5.3CVSS5.5AI score0.00258EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/04 8:21 p.m.8 views

CVE-2026-4100

The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the wpajaxpmprostripecreatewebhook, wpajaxpmprostripedeletewebhook, and...

7.1CVSS5.8AI score0.00247EPSS
Exploits0References1
NVD
NVD
added 2026/05/02 12:16 p.m.11 views

CVE-2026-4100

The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the wpajaxpmprostripecreatewebhook, wpajaxpmprostripedeletewebhook, and...

7.1CVSS0.00247EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/02 11:16 a.m.4 views

CVE-2026-4100 Paid Memberships Pro <= 3.6.5 - Missing Authorization to Authenticated (Subscriber+) Stripe Webhook Deletion and Payment Processing Disruption

The Paid Memberships Pro plugin for WordPress is vulnerable to unauthorized modification and disruption of Stripe webhook configuration in all versions up to, and including, 3.6.5. This is due to missing capability checks on the wpajaxpmprostripecreatewebhook, wpajaxpmprostripedeletewebhook, and...

7.1CVSS5.8AI score0.00247EPSS
Exploits0References2
EUVD
EUVD
added 2026/04/24 3:27 a.m.7 views

EUVD-2026-25393

The ExactMetrics – Google Analytics Dashboard for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 9.1.2. This is due to missing capability checks in the getadsaccesstoken and resetexperience AJAX handlers. While the mi-admin-nonce is localized...

5.3CVSS5.7AI score0.00258EPSS
Exploits0References8
CNNVD
CNNVD
added 2026/04/24 12:0 a.m.10 views

WordPress plugin ExactMetrics 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

5.3CVSS5.8AI score0.00258EPSS
Exploits0References1
NVD
NVD
added 2026/04/17 8:16 a.m.6 views

CVE-2026-6451

The cms-fuer-motorrad-werkstaetten plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.0.0. This is due to missing nonce validation on all eight AJAX deletion handlers: vehiclescfmwdvehicle, contactscfmwdcontact, supplierscfmwdsupplier,...

4.3CVSS0.00225EPSS
Exploits0References19
CVE
CVE
added 2026/04/17 7:45 a.m.15 views

CVE-2026-6451

CVE-2026-6451 affects the WordPress plugin “cms-fuer-motorrad-werkstaetten” (versions

4.3CVSS5.8AI score0.00225EPSS
Exploits0References19
EUVD
EUVD
added 2026/04/17 3:30 a.m.7 views

EUVD-2026-23337

The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14.16.4. This is due to missing capability checks on multiple AJAX handlers including wpstatisticsgetfilters, wpstatisticsgetPrivacyStatus, wpstatisticsupdatePrivacyStatus, and...

6.5CVSS5.8AI score0.00312EPSS
Exploits0References10
Cvelist
Cvelist
added 2026/04/17 1:24 a.m.35 views

CVE-2026-3488 WP Statistics <= 14.16.4 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure and Privacy Audit Manipulation

The WP Statistics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 14.16.4. This is due to missing capability checks on multiple AJAX handlers including wpstatisticsgetfilters, wpstatisticsgetPrivacyStatus, wpstatisticsupdatePrivacyStatus, and...

6.5CVSS0.00312EPSS
Exploits0References9
CVE
CVE
added 2026/04/17 1:24 a.m.13 views

CVE-2026-3488

The WP Statistics plugin for WordPress (vulnerable up to 14.16.4) suffers Missing Authorization due to missing capability checks on multiple AJAX handlers (wp_statistics_get_filters, wp_statistics_getPrivacyStatus, wp_statistics_updatePrivacyStatus, wp_statistics_dismiss_notices). These endpoints...

6.5CVSS5.8AI score0.00312EPSS
Exploits0References9
Vulnrichment
Vulnrichment
added 2026/04/02 1:44 p.m.3 views

CVE-2026-28805 OpenSTAManager: Time-Based Blind SQL Injection via `options[stato]` Parameter

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the optionsstato GET parameter. The user-supplied value is read from...

8.8CVSS6AI score0.0046EPSS
Exploits1References4
CNNVD
CNNVD
added 2026/04/02 12:0 a.m.11 views

OpenSTAManager SQL注入漏洞

OpenSTAManager is an open-source management software for technical assistance and billing developed by Devcode. Versions of OpenSTAManager prior to 2.10.2 contained a SQL injection vulnerability. This vulnerability stemmed from multiple AJAX handlers not properly cleaning or validating the option...

8.8CVSS5.9AI score0.0046EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2026/03/26 3:10 p.m.5 views

CVE-2026-1253

The Group Chat & Video Chat by AtomChat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'atomchatupdateauthajax' and 'atomchatupdatelayoutajax' functions in all versions up to, and including, 1.1.7. This makes it possible for...

5.3CVSS5.8AI score0.00285EPSS
Exploits0References1
Rows per page
Query Builder