28 matches found

Vulnrichment
added 2026/06/03 3:17 p.m. | 7 views

CVE-2026-42318 GLPI Vulnerable to Arbitrary Item Deletion via Planning Endpoint

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to versions 10.0.25 and 11.0.7, low privilege users with access to planning can delete any object in GLPI. Upgrade to 11.0.7 or 10.0.25 to receive a patch. As a workaround, disable delete rights for User'...

CVSS 7 | AI score 5.8 | EPSS 0.00047
Exploits: 0 | References: 1
NVD
added 2026/05/29 3:16 p.m. | 10 views

CVE-2026-4290

The WP Travel Pro plugin for WordPress is vulnerable to arbitrary user deletion via the /wp-json/wp-travel/v1/travel-guide/userid REST API endpoint in all versions up to, and including, 10.6.0. This is due to the checkpermission callback unconditionally returning true and the Database::delete...

CVSS 9.1 | EPSS 0.0005
Exploits: 0 | References: 2
Cvelist
added 2026/05/04 1:11 p.m. | 32 views

CVE-2025-58074 Privilege escalation during the installation of Norton Secure VPN via the Microsoft Store

A privilege escalation vulnerability exists during the installation of Norton Secure VPN via the Microsoft Store. A low-privilege user can replace files during the installation process, which may result in deletion of arbitrary files that can lead to elevation of privileges...

CVSS 8.8 | EPSS 0.00015
Exploits: 0 | References: 2
CVE
added 2026/05/04 1:11 p.m. | 25 views

CVE-2025-58074

This CVE concerns Norton Secure VPN installation via the Microsoft Store. A privilege escalation exists when installing Norton Secure VPN, where an unprivileged user can influence the installation by manipulating a writable 7z payload in C:\ProgramData\NortonInstaller\Settings before setup runs. ...

CVSS 8.8 | AI score 5.9 | EPSS 0.00015
Exploits: 0 | References: 3
Vulnrichment
added 2026/04/21 9:44 p.m. | 1 views

CVE-2026-6832 Nesquena Hermes WebUI Arbitrary File Deletion via Unvalidated session_id

Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the session_id parameter. Attackers can exploit unvalidate...

CVSS 8.1 | AI score 5.9 | EPSS 0.0008
Exploits: 1 | References: 6
RedhatCVE
added 2026/03/07 1:44 a.m. | 3 views

CVE-2026-29188

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.61.1, a broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create...

CVSS 9.1 | AI score 5.8 | EPSS 0.00027
Exploits: 1 | References: 1
Cvelist
added 2026/02/18 9:10 p.m. | 26 views

CVE-2026-27181 MajorDoMo Unauthenticated Module Uninstall via Market Endpoint

MajorDoMo (aka Major Domestic Module) allows unauthenticated arbitrary module uninstallation through the market module. The market module's admin method reads gr('mode') from $_REQUEST and assigns it to $this->mode at the start of execution, making all mode-gated code paths reachable without...

CVSS 8.7 | EPSS 0.00074
Exploits: 1 | References: 3
Patchstack
added 2026/02/05 10:22 a.m. | 5 views

WordPress Woo File Dropzone plugin <= 1.1.7 - Arbitrary File Deletion vulnerability

Arbitrary File Deletion vulnerability discovered by Skalucy in WordPress Plugin Woo File Dropzone versions <= 1.1.7...

CVSS 7.7 | AI score 5.3 | EPSS 0.00071
Exploits: 0 | Affected Software: 1
Patchstack
added 2026/01/28 1:41 a.m. | 7 views

WordPress Document Embedder plugin <= 2.0.4 - Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Document Library Entry Deletion vulnerability

Insecure Direct Object Reference to Authenticated (Author+) Arbitrary Document Library Entry Deletion vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin Document Embedder versions <= 2.0.4...

CVSS 5.3 | AI score 5.9 | EPSS 0.00052
Exploits: 0 | References: 1 | Affected Software: 1
Vulnrichment
added 2026/01/22 4:51 p.m. | 2 views

CVE-2025-67963 WordPress Movie Booking plugin <= 1.1.5 - Arbitrary File Deletion vulnerability

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in ovatheme Movie Booking movie-booking allows Path Traversal. This issue affects Movie Booking: from n/a through <= 1.1.5...

AI score 5.9 | EPSS 0.00024
Exploits: 0 | References: 1
CVE
added 2026/01/05 10:42 a.m. | 10 views

CVE-2025-68547

CVE-2025-68547 corresponds to a Missing Authorization vulnerability in the WordPress plugin Follow My Blog Post. Wordfence’s vulnerability details describe an unauthenticated path that allows arbitrary content deletion, i.e., an attacker can delete content without auth. The entry indicates affect...

CVSS 7.5 | AI score 5.9 | EPSS 0.00035
Exploits: 0 | References: 1 | Affected Software: 1
Vulnrichment
added 2025/12/12 3:20 a.m. | 1 views

CVE-2025-13440 Premmerce Wishlist for WooCommerce <= 1.1.10 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Wishlist Deletion

The Premmerce Wishlist for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.10. This is due to a missing capability check on the deleteWishlist function. This makes it possible for authenticated attackers, with Subscriber-level acce...

CVSS 5.3 | AI score 5 | EPSS 0.00042
Exploits: 0 | References: 3
Cvelist
added 2025/12/09 2:14 p.m. | 16 views

CVE-2025-67540 WordPress Animation Addons for Elementor plugin <= 2.4.5 - Arbitrary Content Deletion vulnerability

Missing Authorization vulnerability in Wealcoder Animation Addons for Elementor animation-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Animation Addons for Elementor: from n/a through <= 2.4.5...

CVSS 6.5 | EPSS 0.00016
Exploits: 0 | References: 1
Patchstack
added 2025/07/06 3:18 a.m. | 4 views

WordPress WP Pipes plugin <= 1.4.3 - Arbitrary File Deletion vulnerability

Arbitrary File Deletion vulnerability discovered by LVT-tholv2k in WordPress Plugin WP Pipes versions <= 1.4.3...

CVSS 8.6 | AI score 7 | EPSS 0.0006
Exploits: 0 | Affected Software: 1
Patchstack
added 2025/07/01 11:18 p.m. | 4 views

WordPress Vikinger plugin <= 1.9.32 - Authenticated (Subscriber+) Arbitrary File Deletion via vikinger_delete_activity_media_ajax Function vulnerability

Authenticated (Subscriber+) Arbitrary File Deletion via vikinger_delete_activity_media_ajax Function vulnerability discovered by Foxyyy in WordPress Theme Vikinger versions <= 1.9.32...

CVSS 8.1 | AI score 7.1 | EPSS 0.05635
Exploits: 0 | References: 1 | Affected Software: 1
CNNVD
added 2025/03/07 12:0 a.m. | 1 views

WordPress plugin CS Framework Path Traversal Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A path traversal...

CVSS 8.8 | AI score 8.8 | EPSS 0.06917
Exploits: 0 | References: 4
CNNVD
added 2025/03/01 12:0 a.m. | 3 views

WordPress plugin Database Backup and check Tables Automated With Scheduler Path Traversal Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. WordPress plugin Database Backup and check...

CVSS 7.2 | AI score 8.3 | EPSS 0.05679
Exploits: 0 | References: 6
Patchstack
added 2025/02/14 3:10 p.m. | 2 views

WordPress VideoWhisper Live Streaming Integration plugin <= 6.2 - Arbitrary File Deletion vulnerability

Arbitrary File Deletion vulnerability discovered by muhammad yudha Patchstack Alliance in WordPress Plugin Broadcast Live Video versions <= 6.2...

CVSS 8.6 | AI score 7 | EPSS 0.00296
Exploits: 0 | Affected Software: 1
Patchstack
added 2025/02/03 4:6 p.m. | 5 views

WordPress Paid Videochat Turnkey Site plugin <= 7.2.12 - Arbitrary File Deletion vulnerability

Arbitrary File Deletion vulnerability discovered by muhammad yudha Patchstack Alliance in WordPress Plugin Paid Videochat Turnkey Site versions <= 7.2.12...

CVSS 8.6 | AI score 7 | EPSS 0.00218
Exploits: 0 | Affected Software: 1
Patchstack
added 2025/01/16 6:42 p.m. | 5 views

WordPress WP Cloud plugin <= 1.4.3 - Arbitrary File Deletion vulnerability

Arbitrary File Deletion vulnerability discovered by SOPROBRO in WordPress Plugin WP Cloud versions <= 1.4.3...

CVSS 7.5 | AI score 7 | EPSS 0.00111
Exploits: 0 | Affected Software: 1