13 matches found

Nuclei
• added 16 hours ago • 6 views

WordPress Image Hover Ultimate - Unauthenticated Settings Update

Unauthenticated Arbitrary Options Update vulnerability leading to full website compromise discovered in Image Hover Effects Ultimate versions = 9.6.1 WordPress plugin. id: CVE-2021-36888 info: name: WordPress Image Hover Ultimate - Unauthenticated Settings Update author: riteshs4hu severity:...

9.8 CVSS, 7.7 AI score, 0.68275 EPSS
Exploits: 1, References: 2

Patchstack
• added 2026/02/19 12:11 a.m. • 5 views

WordPress BackWPup plugin <= 5.6.2 - Authenticated (BackWPup Helper+) Privilege Escalation via Arbitrary Options Update vulnerability

Authenticated BackWPup Helper+ Privilege Escalation via Arbitrary Options Update vulnerability discovered by 0N0ise - cert.pl in WordPress Plugin BackWPup versions <= 5.6.2...

7.2 CVSS, 5.5 AI score, 0.00051 EPSS
Exploits: 0, References: 1, Affected Software: 1

Patchstack
• added 2026/02/18 11:34 p.m. • 4 views

WordPress Toret Manager plugin <= 1.2.7 - Authenticated (Subscriber+) Arbitrary Options Update via AJAX actions vulnerability

Authenticated Subscriber+ Arbitrary Options Update via AJAX actions vulnerability discovered by vgo0 in WordPress Plugin Toret Manager versions <= 1.2.7...

8.8 CVSS, 5.5 AI score, 0.0006 EPSS
Exploits: 0, References: 1, Affected Software: 1

Patchstack
• added 2026/02/09 11:33 p.m. • 5 views

WordPress WCFM - WooCommerce Frontend Manager plugin <= 6.7.24 - Authenticated (Shop Manager+) Arbitrary Options Update vulnerability

WordPress WCFM - WooCommerce Frontend Manager plugin <= 6.7.24 - Authenticated Shop Manager+ Arbitrary Options Update vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - cyberdogzmarketing.com | krei.dev | ogbuilders.io in WordPress Plugin WCFM – Frontend Manager for WooCommerce versions...

7.2 CVSS, 5.5 AI score, 0.0002 EPSS
Exploits: 0, References: 1, Affected Software: 1

Cvelist
• added 2026/02/09 11:23 p.m. • 32 views

CVE-2026-0845 WCFM - WooCommerce Frontend Manager <= 6.7.24 - Authenticated (Shop Manager+) Arbitrary Options Update

The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'WCFMSettingsController::processing' function in...

7.2 CVSS, 0.0002 EPSS
Exploits: 0, References: 4

Cvelist
• added 2026/01/07 6:35 a.m. • 22 views

CVE-2025-14370 Quote Comments <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Settings Update

The Quote Comments plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.0.0. This is due to missing authorization checks in the quotecommentsaddadmin function. This makes it possible for authenticated attackers, with Subscriber-level access and above...

4.3 CVSS, 0.00034 EPSS
Exploits: 0, References: 2

Patchstack
• added 2025/12/31 12:0 a.m. • 4 views

WordPress Email Notifications for Updates plugin <= 1.1.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Options Update vulnerability discovered by kr0d in WordPress Plugin Email Notifications for Updates versions <= 1.1.6...

8.8 CVSS, 5.5 AI score, 0.00152 EPSS
Exploits: 0, References: 1, Affected Software: 1

Patchstack
• added 2025/02/11 10:37 p.m. • 3 views

WordPress Apus Framework plugin <= 2.3 - Authenticated (Subscriber+) Arbitrary Options Update in import_page_options vulnerability

Authenticated Subscriber+ Arbitrary Options Update in import_page_options vulnerability discovered by Tonn in WordPress Plugin Apus Framework versions <= 2.3...

8.8 CVSS, 7 AI score, 0.00087 EPSS
Exploits: 0, References: 1, Affected Software: 1

Patchstack
• added 2025/01/30 4:37 p.m. • 3 views

WordPress Media Manager for UserPro plugin <= 3.12.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Options Update vulnerability discovered by Lucio Sá in WordPress Plugin Media Manager for UserPro versions <= 3.12.0...

8.8 CVSS, 7 AI score, 0.00087 EPSS
Exploits: 0, References: 1, Affected Software: 1

Patchstack
• added 2025/01/07 10:1 a.m. • 2 views

WordPress SMS Alert Order Notifications – WooCommerce plugin <= 3.7.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary Options Update vulnerability discovered by 1337Wannabe in WordPress Plugin SMS Alert Order Notifications versions <= 3.7.6...

8.8 CVSS, 7 AI score, 0.00563 EPSS
Exploits: 0, References: 1, Affected Software: 1

Patchstack
• added 2024/12/12 12:37 a.m. • 1 views

WordPress HQ Rental Software plugin <= 1.5.29 - Cross-Site Request Forgery to Arbitrary Options Update vulnerability

Cross-Site Request Forgery to Arbitrary Options Update vulnerability discovered by vgo0 in WordPress Plugin HQ Rental Software versions <= 1.5.29...

8.8 CVSS, 7 AI score, 0.00298 EPSS
Exploits: 0, References: 1, Affected Software: 1

Patchstack
• added 2024/09/13 6:30 a.m. • 2 views

WordPress Stream plugin <= 4.0.1 - Cross-Site Request Forgery to Arbitrary Options Update vulnerability

Cross-Site Request Forgery to Arbitrary Options Update vulnerability discovered by vgo0 in WordPress Plugin Stream versions <= 4.0.1...

8.8 CVSS, 7 AI score, 0.00722 EPSS
Exploits: 0, References: 1, Affected Software: 1

Patchstack
• added 2024/06/12 8:14 a.m. • 5 views

WordPress InstaWP Connect plugin <= 0.1.0.38 - Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation vulnerability

Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation vulnerability discovered by Truoc Phan in WordPress Plugin InstaWP Connect versions <= 0.1.0.38...

9.8 CVSS, 7 AI score, 0.90017 EPSS
Exploits: 0, References: 1, Affected Software: 1