101 matches found
CVE-2026-5464
The ExactMetrics – Google Analytics Dashboard for WordPress Website Stats Plugin plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation and activation in all versions up to, and including, 9.1.2. This is due to the reports page exposing the 'onboardingkey' transient to a...
CVE-2026-4326
The Vertex Addons for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.6.4. This is due to improper authorization enforcement in the activaterequiredplugins function. Specifically, the current_user_can('install_plugins') capability check does...
CVE-2023-40201
Cross-Site Request Forgery (CSRF) vulnerability in FuturioWP Futurio Extra plugin <= 1.8.4 versions leads to activation of arbitrary plugin...
WordPress Construction Light theme < 1.6.8 - Subscriber+ Arbitrary Plugin Activation vulnerability
Subscriber+ Arbitrary Plugin Activation vulnerability discovered by Khaled Alenazi (Nxploited) in WordPress Theme Construction Light versions < 1.6.8...
CVE-2023-28619 WordPress Resoto theme <= 1.0.8 - Broken Access Control to Arbitrary Plugin Activation
Missing Authorization vulnerability in bnayawpguy Resoto resoto allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Resoto: from n/a through <= 1.0.8...
CVE-2023-28619
CVE-2023-28619 : Resoto WordPress theme (
CVE-2023-28619 WordPress Resoto theme <= 1.0.8 - Broken Access Control to Arbitrary Plugin Activation
Missing Authorization vulnerability in bnayawpguy Resoto allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Resoto: from n/a through 1.0.8...
CVE-2025-10684 Construction Light < 1.6.8 - Subscriber+ Arbitrary Plugin Activation
The Construction Light WordPress theme before 1.6.8 does not have authorisation and CSRF checks when activating via an AJAX action, allowing any authenticated user, such as a subscriber, to activate arbitrary...
CVE-2025-10684
CVE-2025-10684 affects the Construction Light WordPress theme prior to version 1.6.8. Multiple sources (NVD, Red Hat, CIRCL, CVE list) describe a lack of authorization and CSRF protection for an AJAX activation action, allowing any authenticated user (e.g., subscribers) to activate arbitrary func...
EUVD-2021-11105
Malware in sbrugna...
EUVD-2023-12549
Malicious code in bioql PyPI...
CVE-2023-1087
The WC Sales Notification WordPress plugin before 1.2.3 does not have a CSRF check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a CSRF attack...
CVE-2021-24356
In the Simple 301 Redirects by BetterLinks WordPress plugin before 2.0.4, a lack of capability checks and insufficient nonce check on the AJAX action, simple301redirects/admin/activateplugin, made it possible for authenticated users to activate arbitrary plugins installed on vulnerable sites...
CVE-2023-28990 WordPress Viral Mag theme <= 1.0.9 - Authenticated Arbitrary Plugin Activation Vulnerability
Missing Authorization vulnerability in HashThemes Viral Mag allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Viral Mag: from n/a through 1.0.9...
CVE-2023-28990 WordPress Viral Mag theme <= 1.0.9 - Authenticated Arbitrary Plugin Activation Vulnerability
Missing Authorization vulnerability in hashthemes Viral Mag viral-mag allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Viral Mag: from n/a through <= 1.0.9...
CVE-2023-27456 WordPress Total theme <= 2.1.19 - Authenticated Arbitrary Plugin Activation
Missing Authorization vulnerability in HashThemes Total allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Total: from n/a through 2.1.19...
CVE-2023-27456 WordPress Total theme <= 2.1.19 - Authenticated Arbitrary Plugin Activation
Missing Authorization vulnerability in hashthemes Total total allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Total: from n/a through <= 2.1.19...
CVE-2023-28416 WordPress Chankhe theme <= 1.0.5 - Authenticated Arbitrary Plugin Activation vulnerability
Missing Authorization vulnerability in sparklewpthemes Chankhe chankhe allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Chankhe: from n/a through <= 1.0.5...
CVE-2023-28532 WordPress Real Estate Directory theme <= 1.0.5 - Authenticated Arbitrary Plugin Activation
Missing Authorization vulnerability in wpdirectorykit.com Real Estate Directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Real Estate Directory: from n/a through 1.0.5...
WordPress One Paze theme <= 2.2.8 - Authenticated Arbitrary Plugin Activation/Deactivation to RCE vulnerability
Authenticated Arbitrary Plugin Activation/Deactivation to RCE vulnerability discovered by Mika (Patchstack Alliance) in WordPress Theme One Paze versions <= 2.2.8...