Lucene search
+L

525 matches found

cve
cve
added 5 hours ago6 views

CVE-2026-12525

CVE-2026-12525 affects the Redux Framework WordPress plugin prior to 4.5.13. The vulnerability arises because the plugin does not restrict which user meta keys can be written when saving custom profile fields, allowing a user with at least the Subscriber role to escalate to Administrator by submi...

6.1AI score
Exploits0References1
nvd
nvd
added yesterday7 views

CVE-2026-12281

The Shibboleth WordPress plugin before 2.5.4 does not fail closed when its HTTP header identity mode is enabled without an anti-spoofing key, treating any request that carries identity headers as an authenticated session without verifying them. On a deployment where untrusted client headers reach...

8.1CVSS0.00149EPSS
Exploits0References1
ptsecurity
ptsecurity
added 5 days ago8 views

PT-2026-57423

Name of the Vulnerable Software and Affected Versions Genolve – AI image AI video generation plugin for WordPress versions prior to 5.0.6 Description Authenticated attackers with Contributor-level access and above can perform unauthorized modification of data. This is caused by a missing capabili...

8.8CVSS6.2AI score0.00308EPSS
Exploits0References7
osv
osv
added 2026/07/07 3:26 p.m.5 views

GO-2026-5906 Coder: User-admin role can reset owner account password in github.com/coder/coder

Coder: User-admin role can reset owner account password in github.com/coder/coder...

7.2CVSS5.9AI score0.00615EPSS
Exploits0References2
cve
cve
added 2026/07/06 6:0 a.m.14 views

CVE-2026-12083

The CVE-2026-12083 issue affects the Admin and Site Enhancements (ASE) WordPress plugin and the admin-site-enhancements-pro plugin prior to version 8.8.4. The vulnerability arises from missing authentication, authorization, and nonce checks on a role-restoration request handler, enabling unauthen...

8.1CVSS6AI score0.00295EPSS
Exploits0References1
ptsecurity
ptsecurity
added 2026/07/06 12:0 a.m.7 views

PT-2026-56067

Name of the Vulnerable Software and Affected Versions Coder versions prior to 2.34.2 Coder versions prior to 2.33.8 Coder versions prior to 2.32.7 Coder versions prior to 2.29.17 Description An issue exists where the PUT /api/v2/users/user/password endpoint only authorized the ActionUpdatePersona...

7.2CVSS6AI score0.00615EPSS
Exploits0References16
euvd
euvd
added 2026/07/01 4:32 a.m.7 views

EUVD-2026-40906

The LearnPress – WordPress LMS Plugin for Create and Sell Online Courses plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.9.1 via the 'userId' parameter due to missing validation on a user controlled key. This makes it possible for...

6.5CVSS5.8AI score0.00275EPSS
Exploits0References8
ptsecurity
ptsecurity
added 2026/07/01 12:0 a.m.11 views

PT-2026-54786

Name of the Vulnerable Software and Affected Versions Foreman affected versions not specified satellite-capsule:el8/foreman affected versions not specified Description The Usergroup model fails to properly validate role assignments against the permissions of the calling user. This improper...

8.8CVSS5.9AI score0.00297EPSS
Exploits0References11
nvd
nvd
added 2026/06/11 7:16 p.m.14 views

CVE-2026-47169

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a user with Manage Server / ManageGuild, but without Manage Roles or Administrator, can configure the bot’s AutoRole feature to assign an arbitrary role to new members. If the select...

7.5CVSS0.00238EPSS
Exploits0References2
ptsecurity
ptsecurity
added 2026/06/11 12:0 a.m.20 views

PT-2026-48708

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, a user with Manage Server / ManageGuild, but without Manage Roles or Administrator, can configure the bot’s AutoRole feature to assign an arbitrary role to new members. If the select...

7.5CVSS5.5AI score0.00238EPSS
Exploits0References3
redhatcve
redhatcve
added 2026/06/05 7:30 p.m.16 views

CVE-2026-42063

A vulnerability exists in iControl SOAP where an authenticated attacker with the Resource Administrator or Administrator role can download sensitive files. Note: Software versions which have reached End of Technical Support EoTS are not evaluated...

6.9CVSS5.5AI score0.0029EPSS
Exploits0References1
redhatcve
redhatcve
added 2026/06/05 7:30 p.m.11 views

CVE-2026-42185

People is an application to handle users and teams, and distribute permissions across La Suite. Prior to version 1.25.0, a user holding the Administrator role on a mail domain could send a crafted invitation request to promote any existing user including users with no current domain access to the...

5.5CVSS5.4AI score0.00263EPSS
Exploits0References1
redhatcve
redhatcve
added 2026/06/05 7:22 p.m.9 views

CVE-2026-7284

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.4.4. This is due to the 'easyelhandleregister' function not restricting what user roles a user can register with...

9.8CVSS5.4AI score0.00494EPSS
Exploits0References1
redhatcve
redhatcve
added 2026/06/05 7:19 p.m.12 views

CVE-2026-5387

The vulnerability, if exploited, could allow an unauthenticated miscreant to perform operations intended only for Simulator Instructor or Simulator Developer Administrator roles, resulting in privilege escalation with potential for modification of simulation parameters, training configuration, an...

9.3CVSS5.4AI score0.00388EPSS
Exploits0References1
redhatcve
redhatcve
added 2026/06/05 7:17 p.m.8 views

CVE-2026-6228

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 3.28.36. This is due to insufficient authorization checks in the role field update mechanism combined with overly permissive capabilities for the adminform post type. The...

8.8CVSS5.5AI score0.00325EPSS
Exploits0References1
redhatcve
redhatcve
added 2026/06/05 7:17 p.m.13 views

CVE-2026-42924

An authenticated attacker with the Resource Administrator or Administrator role can create SNMP configuration objects through iControl SOAP resulting in privilege escalation. Note: Software versions which have reached End of Technical Support EoTS are not evaluated...

8.7CVSS5.5AI score0.00248EPSS
Exploits0References1
redhatcve
redhatcve
added 2026/06/05 7:16 p.m.13 views

CVE-2026-42930

When running in Appliance mode, an authenticated attacker assigned the 'Administrator' role may be able to bypass Appliance mode restrictions on a BIG-IP system. Note: Software versions which have reached End of Technical Support EoTS are not evaluated...

8.7CVSS5.5AI score0.0048EPSS
Exploits0References1
vulnrichment
vulnrichment
added 2026/06/04 1:22 p.m.11 views

CVE-2019-25738 WordPress Hybrid Composer 1.4.6 Unauthenticated Settings Change

WordPress Hybrid Composer 1.4.6 contains an unauthenticated settings change vulnerability that allows unauthenticated attackers to modify WordPress options by exploiting the hcajaxsaveoption action. Attackers can send POST requests to the admin-ajax.php endpoint with the action parameter set to...

9.8CVSS5.8AI score0.00347EPSS
Exploits0References5
ptsecurity
ptsecurity
added 2026/06/04 12:0 a.m.18 views

PT-2026-46208

WordPress Hybrid Composer 1.4.6 contains an unauthenticated settings change vulnerability that allows unauthenticated attackers to modify WordPress options by exploiting the hc ajax save option action. Attackers can send POST requests to the admin-ajax.php endpoint with the action parameter set t...

9.8CVSS5.8AI score0.00347EPSS
Exploits0References6
attackerkb
attackerkb
added 2026/05/23 4:27 a.m.14 views

CVE-2026-6895

The WishList Member plugin for WordPress is vulnerable to Missing Authorization leading to Sensitive Information Disclosure and Privilege Escalation in versions up to and including 3.30.1. This is due to the missing capability checks in the 'exportsettings' function. This function returns the RES...

8.8CVSS5.8AI score0.00248EPSS
Exploits0References3
Rows per page
Query Builder