CVE-2026-2515

The Hostinger Reach – AI-Powered Email Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'handleajaxaction' function in all versions up to, and including, 1.3.8. This makes it possible for authenticated...

CVE-2026-6709

CVE-2026-6709 affects the WordPress plugin Coinbase Commerce for Contact Form 7 in versions up to and including 1.1.2. Root cause: missing capability check and nonce verification in the save_settings() function registered on the admin_post_cccf7_save_settings hook. Impact: authenticated attackers...

CVE-2026-4117

CVE-2026-4117 affects the WordPress CalJ plugin (≤ v1.5). The vulnerability is caused by a missing authorization check in the CalJSettingsPage constructor that processes the POST operation 'save-obtained-key' without verifying the user’s capability or nonce, allowing authenticated users (Subscrib...

PT-2026-34285

Name of the Vulnerable Software and Affected Versions CalJ versions prior to 1.6 Description The CalJ plugin for WordPress contains a missing authorization flaw. The CalJSettingsPage class constructor processes the 'save-obtained-key' operation from POST data without verifying if the user possess...

WordPress AI ChatBot with ChatGPT and Content Generator by AYS plugin <= 2.7.5 - Missing Authorization to Unauthenticated API Key Modification vulnerability

Missing Authorization to Unauthenticated API Key Modification vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin AI ChatBot with ChatGPT and Content Generator by AYS versions = 2.7.5...

CVE-2025-61928 Better Auth: Unauthenticated API key creation through api-key plugin

Better Auth is an authentication and authorization library for TypeScript. In versions prior to 1.3.26, unauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the api/auth/api-key/create route. session?.user ?? authRequired ? null : i...

EUVD-2024-31867

Malicious code in bioql PyPI...

EUVD-2024-47663

Malicious code in bioql PyPI...

PT-2025-24033 · WordPress · Hive Support

Name of the Vulnerable Software and Affected Versions: Hive Support plugin for WordPress affected versions not specified Description: The issue concerns unauthorized access and modification of data due to a missing capability check. This allows for an authentication bypass, enabling unauthorized...

CVE-2024-6599

The Meks Video Importer plugin for WordPress is vulnerable to unauthorized API key modification due to a missing capability check on the ajaxsavesettings function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and...

CVE-2024-12559 ClickDesigns <= 1.8.0 - Missing Authorization to API Key Modification or Removal

The ClickDesigns plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'clickdesignsaddapi' and the 'clickdesignsremoveapi' functions in all versions up to, and including, 1.8.0. This makes it possible for unauthenticated attackers to...

CVE-2024-12559 ClickDesigns <= 1.8.0 - Missing Authorization to API Key Modification or Removal

The ClickDesigns plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'clickdesignsaddapi' and the 'clickdesignsremoveapi' functions in all versions up to, and including, 1.8.0. This makes it possible for unauthenticated attackers to...

CVE-2024-6599

The CVE affects Meks Video Importer for WordPress. Root cause: missing capability check in ajax_save_settings allows authenticated users with Subscriber+ to modify plugin API keys in all versions up to 1.0.11. Impact: unauthorized API key modification could enable misuse of the plugin’s API keys....

CVE-2024-3277 Yumpu ePaper publishing <= 2.0.24 - Missing Authorization to PDF Upload, Publishing, and API Key Modification

The Yumpu ePaper publishing plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxhandler function in all versions up to, and including, 2.0.24. This makes it possible for authenticated attackers, with subscriber-level access and abov...

PT-2024-24841 · WordPress · Yumpu Epaper Publishing Plugin

Name of the Vulnerable Software and Affected Versions: Yumpu ePaper publishing plugin for WordPress version 2.0.24 and earlier Description: The issue allows authenticated attackers with subscriber-level access and above to upload PDF files, publish them, and modify the API key due to a missing...