Lucene search
+L

9742 matches found

CVE
CVE
added 6 days ago13 views

CVE-2026-10628

The CVE concerns the WordPress plugin Points and Rewards for WooCommerce (affected: all versions up to 2.10.0). It describes an authorization bypass in which authenticated users with subscriber-level access and above can perform arbitrary modifications via multiple AJAX actions. Core implications...

4.3CVSS6.2AI score0.00349EPSS
Exploits0References12
Cvelist
Cvelist
added 6 days ago35 views

CVE-2026-10628 Points and Rewards for WooCommerce <= 2.10.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via Multiple AJAX Actions

The Points and Rewards for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.10.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

4.3CVSS0.00349EPSS
Exploits0References12
CVE
CVE
added 6 days ago11 views

CVE-2026-8678

The CVE-2026-8678 entry concerns the WordPress MyParcel plugin and its versions up to 4.25.1. Affected component: the MyParcel plugin (WordPress). Root cause: missing authorization verification for certain AJAX actions (wcmp_get_shipment_options and wcmp_save_shipment_options). Impact: authentica...

4.3CVSS6.2AI score0.00232EPSS
Exploits0References8
CVE
CVE
added last week16 views

CVE-2026-15295

CVE-2026-15295 affects the WordPress Infinite Scroll – Ajax Load More plugin for WordPress, vulnerable in all versions up to 7.0.1 due to insufficient input sanitization and output escaping. Stored XSS can be triggered by authenticated attackers with administrator-level permissions (and above) vi...

4.4CVSS6.2AI score0.0019EPSS
Exploits0References2
Cvelist
Cvelist
added last week33 views

CVE-2026-15295 Ajax Load More <= 7.0.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 7.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

4.4CVSS0.0019EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/07/10 7:48 a.m.33 views

CVE-2026-1946 GW AI Website Builder <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Deletion

The GW AI Website Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the gwaiwebugravitywritedisconnecthandler function in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with...

4.3CVSS0.00222EPSS
Exploits0References6
EUVD
EUVD
added 2026/07/10 6:0 a.m.8 views

EUVD-2026-42829

The LA-Studio Element Kit for Elementor WordPress plugin before 1.6.1 does not check whether user registration is enabled on the site before creating an account through one of its unauthenticated AJAX actions, allowing unauthenticated attackers to register new accounts even when registration has...

5.3CVSS6AI score0.00182EPSS
Exploits0References1
CVE
CVE
added 2026/07/10 6:0 a.m.11 views

CVE-2026-12276

Affected software: LA-Studio Element Kit for Elementor WordPress plugin

5.3CVSS5.8AI score0.00182EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/07/10 4:31 a.m.6 views

CVE-2026-15299

The Animation Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'weatherstyle' and 'movedirection' parameters of the Weather widget in all versions up to, and including, 2.6.3. This is due to insufficient output escaping in the Weather widget's render...

6.4CVSS6AI score0.00193EPSS
Exploits0References5
CVE
CVE
added 2026/07/09 9:31 a.m.10 views

CVE-2026-9235

The DHL eCommerce (Benelux) for WooCommerce WordPress plugin (up to version 2.2.3) is vulnerable to unauthorized modification and data loss due to missing capability checks and missing nonce verification in create_label() and delete_label(). These functions are tied to wp_ajax_dhlpwc_label_create...

4.3CVSS5.9AI score0.00196EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/07/09 9:31 a.m.32 views

CVE-2026-9235 DHL eCommerce (Benelux) for WooCommerce <= 2.2.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Shipping Label Creation and Deletion via dhlpwc_label_create and dhlpwc_label_delete AJAX Actions

The DHL eCommerce Benelux for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check and missing nonce verification on the createlabel and deletelabel functions in versions up to, and including, 2.2.3. These functions are wir...

4.3CVSS0.00196EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/07/09 9:31 a.m.7 views

CVE-2026-9240

The Colissimo Officiel : Méthodes de livraison pour WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the updateShippingMethod function registered to the wpajaxlpcorderaffect AJAX action in versions up to, and including, 2.9.0...

4.3CVSS6AI score0.00196EPSS
Exploits0References6
EUVD
EUVD
added 2026/07/09 7:55 a.m.7 views

EUVD-2026-42541

The Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration plugin for WordPress is vulnerable to unauthorized plugin installation and activation in versions up to, and including, 3.4. This is due to a missing capability check and missing nonce validation on the...

4.3CVSS5.9AI score0.00246EPSS
Exploits0References5
CVE
CVE
added 2026/07/09 7:55 a.m.10 views

CVE-2026-11359

The CVE-2026-11359 entry relates to the Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration plugin for WordPress. Affected versions up to 3.4 are vulnerable due to missing capability checks and nonce validation in the pg_install_profilegrid() AJAX handler (wp_ajax_...

4.3CVSS5.9AI score0.00246EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/07/09 7:55 a.m.33 views

CVE-2026-11359 Memberships and User Profiles for WooCommerce <= 3.4 - Missing Authorization to Authenticated (Subscriber+) ProfileGrid Plugin Installation and Activation

The Memberships and User Profiles for WooCommerce – ProfileGrid WooCommerce Integration plugin for WordPress is vulnerable to unauthorized plugin installation and activation in versions up to, and including, 3.4. This is due to a missing capability check and missing nonce validation on the...

4.3CVSS0.00246EPSS
Exploits0References5
NVD
NVD
added 2026/07/08 10:17 p.m.6 views

CVE-2026-52200

An issue in Generic OEM UZ801v2.1 4G LTE Router V3.4.3 allows a remote attacker to execute arbitrary code via the /ajax web management API endpoint in MifiService.apk...

9.8CVSS0.00515EPSS
Exploits0References2
CVE
CVE
added 2026/07/08 11:35 a.m.12 views

CVE-2026-3688

The CVE concerns the WCFM Membership – WooCommerce Memberships for Multivendor Marketplace plugin for WordPress. Affected: all versions up to 2.11.10. Root cause: the wcfmvm_membership_change AJAX action does not validate a user’s permission to modify other users, enabling an authenticated vendor...

8.1CVSS5.9AI score0.00223EPSS
Exploits0References2
NVD
NVD
added 2026/07/08 6:16 a.m.10 views

CVE-2026-14500

The Bulk Order Update for WooCommerce plugin for WordPress is vulnerable to Arbitrary File Read in versions up to, and including, 1.6. This is due to the bouwfetchcsvdata AJAX handler being registered on the wpajaxnopriv hook with no capability or nonce check, and passing the attacker-supplied...

5.3CVSS0.00333EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/08 4:30 a.m.35 views

CVE-2026-14158 Widget Logic Visual <= 1.52 - Authenticated (Subscriber+) Remote Code Execution via 'nwlv[cod-tag]' Parameter

The Widget Logic Visual plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.52 via the widgetlogicvisualcheckvisibility function. This is due to missing capability check and nonce verification on the widget-logic-update-conditional-tags AJAX action...

8.8CVSS0.00516EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/07/08 4:30 a.m.7 views

CVE-2026-14158

The Widget Logic Visual plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.52 via the widgetlogicvisualcheckvisibility function. This is due to missing capability check and nonce verification on the widget-logic-update-conditional-tags AJAX action...

8.8CVSS6.3AI score0.00516EPSS
Exploits0References5
Rows per page
Query Builder